Appendix B: Netsh Command Syntax for the Netsh Firewall Context
The following Netsh commands can be used in scripts or at the command line to configure Windows Firewall for IPv4 and IPv6 traffic when executed from the netsh firewall context:
- add allowedprogram
- set allowedprogram
- delete allowedprogram
- set icmpsetting
- set multicastbroadcastresponse
- set notifications
- set logging
- set opmode
- add portopening
- set portopening
- delete portopening
- set service
- show commands
- reset
The following sections describe each command and its syntax.
add allowedprogram
Used to add a program-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
add allowedprogram [ program = ] path [ name = ] name
    [ [ mode = ] ENABLE|DISABLE
      [ scope = ] ALL|SUBNET|CUSTOM
      [ addresses = ] addresses
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Adds firewall allowed program configuration.

  Parameters:

  program   - Program path and file name.
  name      - Program name.
  mode      - Program mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  scope     - Program scope (optional).
              ALL      - Allow all traffic through firewall (default).
              SUBNET   - Allow only local network (subnet) traffic through firewall.
              CUSTOM   - Allow only specified traffic through firewall.
  addresses - Custom scope addresses (optional).
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.

  Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

  add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
  add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
  add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE
  add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
  add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set allowedprogram
Used to modify the settings of an existing program-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set allowedprogram [ program = ] path
    [ [ name = ] name
      [ mode = ] ENABLE|DISABLE
      [ scope = ] ALL|SUBNET|CUSTOM
      [ addresses = ] addresses
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Sets firewall allowed program configuration.

  Parameters:

  program   - Program path and file name.
  name      - Program name (optional).
  mode      - Program mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  scope     - Program scope (optional).
              ALL      - Allow all traffic through firewall (default).
              SUBNET   - Allow only local network (subnet) traffic through firewall.
              CUSTOM   - Allow only specified traffic through firewall.
  addresses - Custom scope addresses (optional).
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.

  Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

  set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
  set allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
  set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE
  set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
  set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
delete allowedprogram
Used to delete an existing program-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
delete allowedprogram [ program = ] path
    [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Deletes firewall allowed program configuration.

  Parameters:

  program - Program path and file name.
  profile - Configuration profile (optional).
            CURRENT  - Current profile (default).
            DOMAIN   - Domain profile.
            STANDARD - Standard profile.
            ALL      - All profiles.

  Examples:

  delete allowedprogram C:\MyApp\MyApp.exe
  delete allowedprogram program = C:\MyApp\MyApp.exe
set icmpsetting
Used to specify excepted ICMP traffic.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set icmpsetting [ type = ] 2-5|8-9|11-13|17|ALL
    [ [ mode = ] ENABLE|DISABLE
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
      [ interface = ] name ]

  Sets firewall ICMP configuration.

  Parameters:

  type      - ICMP type.
              2   - Allow outbound packet too big.
              3   - Allow outbound destination unreachable.
              4   - Allow outbound source quench.
              5   - Allow redirect.
              8   - Allow inbound echo request.
              9   - Allow inbound router request.
              11  - Allow outbound time exceeded.
              12  - Allow outbound parameter problem.
              13  - Allow inbound timestamp request.
              17  - Allow inbound mask request.
              ALL - All types.
  mode      - ICMP mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.
  interface - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.
           'type' 2 and 'interface' may not be specified together.

  Examples:

  set icmpsetting 8
  set icmpsetting 8 ENABLE
  set icmpsetting ALL DISABLE
  set icmpsetting type = 8
  set icmpsetting type = 8 mode = ENABLE
  set icmpsetting type = ALL mode = DISABLE
set multicastbroadcastresponse
Used to specify whether the computer may send a unicast response to a multicast or broadcast request.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set multicastbroadcastresponse [ mode = ] ENABLE|DISABLE
    [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Sets firewall multicast/broadcast response configuration.

  Parameters:

  mode    - Multicast/broadcast response mode.
            ENABLE   - Allow responses to multicast/broadcast traffic through the firewall.
            DISABLE  - Do not allow responses to multicast/broadcast traffic through the firewall.
  profile - Configuration profile (optional).
            CURRENT  - Current profile (default).
            DOMAIN   - Domain profile.
            STANDARD - Standard profile.
            ALL      - All profiles.

  Examples:

  set multicastbroadcastresponse ENABLE
  set multicastbroadcastresponse DISABLE
  set multicastbroadcastresponse mode = ENABLE
  set multicastbroadcastresponse mode = DISABLE
set notifications
Used to specify the notification behavior.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set notifications [ mode = ] ENABLE|DISABLE
    [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Sets firewall notification configuration.

  Parameters:

  mode    - Notification mode.
            ENABLE   - Allow pop-up notifications from firewall.
            DISABLE  - Do not allow pop-up notifications from firewall.
  profile - Configuration profile (optional).
            CURRENT  - Current profile (default).
            DOMAIN   - Domain profile.
            STANDARD - Standard profile.
            ALL      - All profiles.

  Examples:

  set notifications ENABLE
  set notifications DISABLE
  set notifications mode = ENABLE
  set notifications mode = DISABLE
set logging
Used to specify logging options.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set logging [ [ filelocation = ] path
      [ maxfilesize = ] 1-32767
      [ droppedpackets = ] ENABLE|DISABLE
      [ connections = ] ENABLE|DISABLE ]

  Sets firewall logging configuration.

  Parameters:

  filelocation   - Log path and file name (optional).
  maxfilesize    - Maximum log file size in kilobytes (optional).
  droppedpackets - Dropped packet log mode (optional).
                   ENABLE  - Log in firewall.
                   DISABLE - Do not log in firewall.
  connections    - Successful connection log mode (optional).
                   ENABLE  - Log in firewall.
                   DISABLE - Do not log in firewall.

  Remarks: At least one parameter must be specified.

  Examples:

  set logging %windir%\pfirewall.log 4096
  set logging %windir%\pfirewall.log 4096 ENABLE
  set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096
  set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 droppedpackets = ENABLE
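Turning on droppedpackets logging is only useful if someone reads the result. The following is an added example, not code from the Microsoft page: a small Python reader for the log file that set logging writes, summarizing DROP entries per source address and flagging sources that were refused on several distinct destination ports. The firewall log is a text file whose column layout is announced in a "#Fields:" header line; the header and the entries in SAMPLE_LOG are constructed for this example, and the parser takes its column names from whatever "#Fields:" line it finds rather than assuming a fixed layout, so it does not depend on the exact column set of a given Windows version.

```python
"""Summarize dropped-packet entries from a Windows Firewall log (added example, not Microsoft code).

Assumptions: the log is a '#'-commented text file with a '#Fields:' header naming the
space-separated columns, and an 'action' column holding DROP/OPEN/CLOSE. The sample
below is constructed; addresses are from the documentation ranges (RFC 5737)."""
from collections import Counter

# Constructed sample of the kind of file 'set logging droppedpackets = ENABLE' produces.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-09-01 10:00:01 DROP TCP 192.0.2.10 10.0.0.5 4123 445 48 S 123456 0 65535 - - RECEIVE
2004-09-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 4124 139 48 S 123457 0 65535 - - RECEIVE
2004-09-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 4125 135 48 S 123458 0 65535 - - RECEIVE
2004-09-01 10:00:03 DROP UDP 198.51.100.7 10.0.0.5 53412 1434 404 - - - - - - RECEIVE
2004-09-01 10:00:04 OPEN TCP 10.0.0.5 203.0.113.20 1050 80 0 - 0 0 0 - - -
2004-09-01 10:00:05 DROP ICMP 192.0.2.10 10.0.0.5 - - 60 - - - - 8 0 RECEIVE
2004-09-01 10:00:06 CLOSE TCP 10.0.0.5 203.0.113.20 1050 80 0 - 0 0 0 - - -
"""


def parse_log(text):
    """Yield one dict per log entry, keyed by the column names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the '#Fields:' token
            continue
        if not line.strip() or line.startswith("#"):
            continue                           # blank or other header/comment line
        if fields is None:
            raise ValueError("log entry found before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                           # truncated or malformed entry: skip it
        yield dict(zip(fields, values))


def summarize_drops(text, threshold=3):
    """Return (drops_per_source, probing_sources).

    drops_per_source counts DROP entries by src-ip; probing_sources lists sources that were
    dropped on at least `threshold` distinct destination ports (a constructed heuristic for
    spotting a host that is being swept, not a Windows Firewall feature)."""
    drops = Counter()
    ports_by_src = {}
    for entry in parse_log(text):
        if entry["action"] != "DROP":
            continue
        src = entry["src-ip"]
        drops[src] += 1
        if entry["dst-port"] != "-":           # ICMP entries carry no port
            ports_by_src.setdefault(src, set()).add(entry["dst-port"])
    probing = sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)
    return drops, probing


if __name__ == "__main__":
    counts, probing = summarize_drops(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src:16} {n} dropped")
    print("sources refused on >= 3 distinct ports:", probing)
```

Point the same functions at the real file by reading %windir%\pfirewall.log (or whatever filelocation you set) instead of SAMPLE_LOG; the header-driven parsing is what keeps the reader working when a column is added in a later Windows release.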
set opmode
Used to specify the operating mode of Windows Firewall either globally or for a specific connection (interface).
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set opmode [ mode = ] ENABLE|DISABLE
    [ [ exceptions = ] ENABLE|DISABLE
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
      [ interface = ] name ]

  Sets firewall operational configuration.

  Parameters:

  mode       - Operational mode.
               ENABLE   - Enable firewall.
               DISABLE  - Disable firewall.
  exceptions - Exception mode (optional).
               ENABLE   - Allow through firewall (default).
               DISABLE  - Do not allow through firewall.
  profile    - Configuration profile (optional).
               CURRENT  - Current profile (default).
               DOMAIN   - Domain profile.
               STANDARD - Standard profile.
               ALL      - All profiles.
  interface  - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.
           'exceptions' and 'interface' may not be specified together.

  Examples:

  set opmode ENABLE
  set opmode ENABLE DISABLE
  set opmode mode = ENABLE
  set opmode mode = ENABLE exceptions = DISABLE
add portopening
Used to create a port-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
add portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535 [ name = ] name
    [ [ mode = ] ENABLE|DISABLE
      [ scope = ] ALL|SUBNET|CUSTOM
      [ addresses = ] addresses
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
      [ interface = ] name ]

  Adds firewall port configuration.

  Parameters:

  protocol  - Port protocol.
              TCP      - Transmission Control Protocol (TCP).
              UDP      - User Datagram Protocol (UDP).
              ALL      - All protocols.
  port      - Port number.
  name      - Port name.
  mode      - Port mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  scope     - Port scope (optional).
              ALL      - Allow all traffic through firewall (default).
              SUBNET   - Allow only local network (subnet) traffic through firewall.
              CUSTOM   - Allow only specified traffic through firewall.
  addresses - Custom scope addresses (optional).
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.
  interface - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.
           'scope' and 'interface' may not be specified together.
           'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

  add portopening TCP 80 MyWebPort
  add portopening UDP 500 IKE ENABLE ALL
  add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  add portopening protocol = TCP port = 80 name = MyWebPort
  add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
  add portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set portopening
Used to modify the settings of an existing port-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535
    [ [ name = ] name
      [ mode = ] ENABLE|DISABLE
      [ scope = ] ALL|SUBNET|CUSTOM
      [ addresses = ] addresses
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
      [ interface = ] name ]

  Sets firewall port configuration.

  Parameters:

  protocol  - Port protocol.
              TCP      - Transmission Control Protocol (TCP).
              UDP      - User Datagram Protocol (UDP).
              ALL      - All protocols.
  port      - Port number.
  name      - Port name (optional).
  mode      - Port mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  scope     - Port scope (optional).
              ALL      - Allow all traffic through firewall (default).
              SUBNET   - Allow only local network (subnet) traffic through firewall.
              CUSTOM   - Allow only specified traffic through firewall.
  addresses - Custom scope addresses (optional).
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.
  interface - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.
           'scope' and 'interface' may not be specified together.
           'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

  set portopening TCP 80 MyWebPort
  set portopening UDP 500 IKE ENABLE ALL
  set portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  set portopening protocol = TCP port = 80 name = MyWebPort
  set portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
  set portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
delete portopening
Used to delete an existing port-based exception.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
delete portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535
    [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
      [ interface = ] name ]

  Deletes firewall port configuration.

  Parameters:

  protocol  - Port protocol.
              TCP      - Transmission Control Protocol (TCP).
              UDP      - User Datagram Protocol (UDP).
              ALL      - All protocols.
  port      - Port number.
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.
  interface - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.

  Examples:

  delete portopening TCP 80
  delete portopening UDP 500
  delete portopening protocol = TCP port = 80
  delete portopening protocol = UDP port = 500
set service
Used to enable or disable the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax:
Note: Some parts of the following code snippet are displayed on multiple lines only for better readability. They should be entered on a single line.
set service [ type = ] FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL
    [ [ mode = ] ENABLE|DISABLE
      [ scope = ] ALL|SUBNET|CUSTOM
      [ addresses = ] addresses
      [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

  Sets firewall service configuration.

  Parameters:

  type      - Service type.
              FILEANDPRINT  - File and printer sharing.
              REMOTEADMIN   - Remote administration.
              REMOTEDESKTOP - Remote assistance and remote desktop.
              UPNP          - UPnP framework.
              ALL           - All types.
  mode      - Service mode (optional).
              ENABLE   - Allow through firewall (default).
              DISABLE  - Do not allow through firewall.
  scope     - Service scope (optional).
              ALL      - Allow all traffic through firewall (default).
              SUBNET   - Allow only local network (subnet) traffic through firewall.
              CUSTOM   - Allow only specified traffic through firewall.
  addresses - Custom scope addresses (optional).
  profile   - Configuration profile (optional).
              CURRENT  - Current profile (default).
              DOMAIN   - Domain profile.
              STANDARD - Standard profile.
              ALL      - All profiles.

  Remarks: 'scope' ignored if 'mode' is DISABLE.
           'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

  set service FILEANDPRINT
  set service REMOTEADMIN ENABLE SUBNET
  set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  set service type = FILEANDPRINT
  set service type = REMOTEADMIN mode = ENABLE scope = SUBNET
  set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
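The Remarks under allowedprogram, portopening, logging and service are the part of this reference that scripts most often get wrong, because netsh reports the violation only when the line runs. The following is an added example, not code from the Microsoft page: a Python generator that builds the "parameter = value" form of those commands and refuses combinations the Remarks rule out ('scope' must be CUSTOM to give 'addresses'; 'profile' or 'scope' may not be combined with 'interface'; 'scope' is dropped when a service is DISABLEd; set logging needs at least one parameter and a 1-32767 KB maxfilesize). Assumptions beyond the page: commands are prefixed with "netsh firewall" for use outside the netsh firewall context, the scope-address grammar (IPv4 address, address/prefix, address/mask, LocalSubnet) is inferred from the page's examples, and values containing spaces are double-quoted; the baseline_script policy is a constructed sample.

```python
"""Build validated 'netsh firewall' command lines (added example; not Microsoft code).
Rules come from the appendix Remarks; address grammar and quoting are assumptions."""
import ipaddress

MODES = {"ENABLE", "DISABLE"}
SCOPES = {"ALL", "SUBNET", "CUSTOM"}
PROFILES = {"CURRENT", "DOMAIN", "STANDARD", "ALL"}
PROTOCOLS = {"TCP", "UDP", "ALL"}
SERVICES = {"FILEANDPRINT", "REMOTEADMIN", "REMOTEDESKTOP", "UPNP", "ALL"}


class NetshError(ValueError):
    """A parameter combination the netsh firewall context would reject."""


def _choice(name, value, allowed):
    if value is not None and value not in allowed:
        raise NetshError(f"'{name}' must be one of {sorted(allowed)}, got {value!r}")


def _addresses(tokens):
    """Validate and join a custom scope list such as ['10.0.0.0/255.0.0.0', 'LocalSubnet']."""
    for tok in tokens:
        if tok == "LocalSubnet":
            continue
        try:  # IPv4Network accepts '172.16.0.0/16', '10.0.0.0/255.0.0.0' and bare addresses
            ipaddress.IPv4Network(tok, strict=False)
        except ValueError as exc:
            raise NetshError(f"bad scope address {tok!r}") from exc
    return ",".join(tokens)


def _common(mode, scope, addresses, profile, interface):
    """Checks shared by allowedprogram, portopening and service (from the page's Remarks)."""
    _choice("mode", mode, MODES)
    _choice("scope", scope, SCOPES)
    _choice("profile", profile, PROFILES)
    if addresses is not None and scope != "CUSTOM":
        raise NetshError("'scope' must be 'CUSTOM' to specify 'addresses'")
    if interface is not None and profile is not None:
        raise NetshError("'profile' and 'interface' may not be specified together")
    if interface is not None and scope is not None:
        raise NetshError("'scope' and 'interface' may not be specified together")


def _render(verb, obj, params):
    """Emit the 'param = value' form; None values are optional parameters left out."""
    parts = []
    for key, value in params:
        if value is None:
            continue
        value = str(value)
        if " " in value:  # assumption: netsh needs quotes around values with spaces
            value = f'"{value}"'
        parts.append(f"{key} = {value}")
    return f"netsh firewall {verb} {obj} " + " ".join(parts)


def add_allowedprogram(program, name, mode=None, scope=None, addresses=None, profile=None):
    _common(mode, scope, addresses, profile, None)
    return _render("add", "allowedprogram", [
        ("program", program), ("name", name), ("mode", mode), ("scope", scope),
        ("addresses", _addresses(addresses) if addresses else None), ("profile", profile)])


def add_portopening(protocol, port, name, mode=None, scope=None, addresses=None,
                    profile=None, interface=None):
    _choice("protocol", protocol, PROTOCOLS)
    if not 1 <= int(port) <= 65535:
        raise NetshError(f"'port' must be 1-65535, got {port!r}")
    _common(mode, scope, addresses, profile, interface)
    return _render("add", "portopening", [
        ("protocol", protocol), ("port", int(port)), ("name", name), ("mode", mode),
        ("scope", scope), ("addresses", _addresses(addresses) if addresses else None),
        ("profile", profile), ("interface", interface)])


def set_service(type_, mode=None, scope=None, addresses=None, profile=None):
    _choice("type", type_, SERVICES)
    if mode == "DISABLE":  # page: 'scope' ignored if 'mode' is DISABLE, so do not emit it
        scope, addresses = None, None
    _common(mode, scope, addresses, profile, None)
    return _render("set", "service", [
        ("type", type_), ("mode", mode), ("scope", scope),
        ("addresses", _addresses(addresses) if addresses else None), ("profile", profile)])


def set_logging(filelocation=None, maxfilesize=None, droppedpackets=None, connections=None):
    if all(v is None for v in (filelocation, maxfilesize, droppedpackets, connections)):
        raise NetshError("set logging: at least one parameter must be specified")
    if maxfilesize is not None and not 1 <= int(maxfilesize) <= 32767:
        raise NetshError("'maxfilesize' must be 1-32767 (kilobytes)")
    _choice("droppedpackets", droppedpackets, MODES)
    _choice("connections", connections, MODES)
    return _render("set", "logging", [("filelocation", filelocation), ("maxfilesize", maxfilesize),
                                      ("droppedpackets", droppedpackets), ("connections", connections)])


def error_of(fn, *args, **kwargs):
    """Return the NetshError message a call raises, or None if the call is accepted."""
    try:
        fn(*args, **kwargs)
    except NetshError as exc:
        return str(exc)
    return None


def baseline_script():
    """Constructed sample policy: log drops, keep remote desktop on the local subnet only,
    and open DNS just to the page's example hosts."""
    return [
        set_logging(r"%windir%\pfirewall.log", 4096, droppedpackets="ENABLE"),
        set_service("REMOTEDESKTOP", mode="ENABLE", scope="SUBNET", profile="ALL"),
        add_portopening("ALL", 53, "DNS", mode="ENABLE", scope="CUSTOM",
                        addresses=["157.60.0.1", "172.16.0.0/16", "10.0.0.0/255.0.0.0", "LocalSubnet"]),
    ]


if __name__ == "__main__":
    print("\n".join(baseline_script()))
```

Writing the lines that baseline_script returns to a .cmd file gives a script that fails at generation time, on the workstation of whoever maintains the policy, rather than halfway through a rollout; the error strings mirror the page's own Remarks so the message points straight back at the rule that was broken.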
show commands
The following show commands are used to display the current configuration:
- show allowedprogram: Displays the excepted programs.
- show config: Displays the local configuration information.
- show currentprofile: Displays the current profile.
- show icmpsetting: Displays the ICMP settings.
- show logging: Displays the logging settings.
- show multicastbroadcastresponse: Displays the multicast/broadcast response settings.
- show notifications: Displays the current settings for notifications.
- show opmode: Displays the operational mode.
- show portopening: Displays the excepted ports.
- show service: Displays the services.
- show state: Displays the current state information.
For additional information about the show config and show state commands, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2.