Windows防火墙管理(xp系统)

适用于旧版 Windows(XP / Server 2003)。Vista 及之后的系统中 netsh firewall 已被弃用,应改用 netsh advfirewall firewall。

通过netsh设置

netsh firewall show config  查看设置和状态
net stop sharedaccess       停用防火墙服务(Windows Firewall/ICS);服务停止期间本机不再过滤任何入站流量
net start sharedaccess      启动防火墙服务

命令行修改防火墙明细

  1. 开放端口
    netsh firewall
    add portopening
          [ protocol = ] TCP|UDP|ALL
          [ port = ] 1-65535
          [ name = ] name                  # 防火墙规则名称
          [ [ mode = ] ENABLE|DISABLE      # 允许/不允许通过(缺省为 ENABLE)
            [ scope = ] ALL|SUBNET|CUSTOM  # 允许 所有流量/本地子网流量/指定流量 通过防火墙(缺省为 ALL)
            [ addresses = ] addresses      # scope 为 CUSTOM 时指定允许的来源地址,多个值用逗号分隔
            [ profile = ] CURRENT|DOMAIN|STANDARD|ALL  # 配置文件类型
            [ interface = ] name ]         # 设置接口名称
    
    # 实际执行时以下三行须写在同一行,此处折行仅为便于阅读
    # 注:DNS 的标准端口是 53,示例中的 54 与规则名 DNS 不一致,使用时请按实际服务端口填写
    netsh firewall add portopening 
        protocol=ALL port=54 name=DNS mode=ENABLE scope=CUSTOM 
        addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0
    
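    # 未指定 scope 时缺省为 ALL,即 8080 对任意来源地址开放;
    # 仅供内网使用的端口应加上 scope=SUBNET,或 scope=CUSTOM 并用 addresses= 限定来源
    netsh firewall set portopening protocol=tcp port=8080 name=MyWebPort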
    
    netsh firewall show portopening
    
  2. 删除开放端口
    netsh firewall
    delete portopening
          [ protocol = ] TCP|UDP|ALL
          [ port = ] 1-65535
          [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
            [ interface = ] name ]
            
    netsh firewall delete portopening protocol=tcp port=54
    
    netsh firewall delete portopening protocol=all port=22 profile=domain
  3. 添加放行程序
    netsh firewall set allowedprogram
          [ program = ] path               # 程序路径
          [ [ name = ] name                # 规则名称
            [ mode = ] ENABLE|DISABLE      # 是否允许通过
            [ scope = ] ALL|SUBNET|CUSTOM  # 允许 所有流量/本地子网流量/自定义流量 通过防火墙
            [ addresses = ] addresses      # scope 为 CUSTOM 时指定允许的来源地址范围
            [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]  # 使用 当前/域/标准/所有 配置文件
    
    netsh firewall set allowedprogram program=c:\dir\exe.exe name=ProgName mode=ENABLE scope=subnet profile=current
    
  4. 删除放行程序
    netsh firewall delete allowedprogram
          [ program = ] path
          [ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]
    
    netsh firewall delete allowedprogram program=c:\dir\exe.exe profile=current
  5. 设置防火墙日志配置
    netsh firewall set logging
          [ [ filelocation = ] path
            [ maxfilesize = ] 1-32767           # 日志文件大小上限,单位 KB
            [ droppedpackets = ] ENABLE|DISABLE # 记录被丢弃的数据包
            [ connections = ] ENABLE|DISABLE ]  # 记录成功连接
    
    # 此示例只记录被丢弃的数据包;如需在事后排查时还原已放行的连接,还要加上 connections=ENABLE
    netsh firewall set logging filelocation=c:\dir\xx.log maxfilesize=4096 droppedpackets=ENABLE
    
    netsh firewall show logging
  6. 设置ICMP配置
    netsh firewall set icmpsetting
          [ type = ] 2-5|8-9|11-13|17|ALL
          [ [ mode = ] ENABLE|DISABLE
            [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
            [ interface = ] name ]
    
    # 禁止所有类型的 ICMP 消息通过防火墙(包括 type=8 回显请求,即本机不再响应 ping)
    netsh firewall set icmpsetting type=ALL mode=disable
    
    # 查看icmp配置
    netsh firewall show icmpsetting
  7. 设置防火墙服务配置
    # 启用远程协助和远程桌面服务,只允许 157.60.0.1 的主机通过防火墙使用此服务
    netsh firewall set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1 profile=all
    
    # 将所有配置文件中远程协助和远程桌面服务关闭
    netsh firewall set service type=remotedesktop mode=disable profile=all
    
    netsh firewall show service
  8. 设置防火墙通知配置
    # 在所有配置文件中关闭弹出通知(只影响提示,不改变拦截规则;程序被拦截时用户不会看到提示)
    netsh firewall set notifications mode=DISABLE profile=all
  9. 恢复防火墙默认配置
    # 恢复为系统默认配置,之前添加的端口、程序例外等自定义设置都会被清除
    netsh firewall reset