Configure advanced firewall in Windows 2008 using NETSH CLI
In the previous article, I introduced how to configure the advanced firewall in Windows Server 2008 using the MMC snap-in. In this article, I will show you how to configure the same Windows Server 2008 Advanced Firewall from the command line interface (CLI) with the netsh utility. There are several reasons you might want to do this; let's find out what they are.
Definition of netsh utility for firewall
Windows Server 2008 ships with an advanced firewall as part of the base server. Here are some of the new features that I mentioned in the article Configuring Advanced Firewall in Windows Server 2008 using the MMC snap-in:
- New GUI interface - The MMC snap-in is available to configure the firewall.
- Bi-directional - Filters traffic in and out.
- Works better with IPSEC - Firewall rules and IPSec encryption configurations have been integrated.
- Advanced Rules configuration - You can set rules for Windows Active Directory (AD) accounts and groups, source and destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6, and Windows Server interfaces.
Netsh advfirewall is the command-line tool used to configure the Windows Server 2008 Advanced Firewall.
Why use the CLI to configure the Windows firewall?
While some people like to use the MMC snap-in interface to configure a firewall, others prefer to use CLI for the following reasons:
- Faster - Once you know the netsh advfirewall commands, working from the CLI is faster than using the graphical interface.
- Editing - You can edit the main commands with this tool.
- Works when the graphical interface is not available - Because it is a CLI tool, you can use netsh advfirewall where there is no graphical interface, for example on Windows Server 2008 Core.
Which commands are used with netsh advfirewall?
Here are the 9 most important commands you need to know when using the netsh advfirewall command.
Help (?)
This is the most used command. Whenever you type it, it shows all the options available in the current context (see Figure 1).
Figure 1: The help option in netsh advfirewall
Consec command (connection security rules)
The connection security information allows you to create IPSEC VPNs between two systems. In other words, the consec command lets you ensure that traffic through the firewall is limited or filtered.
Enter the connection security configuration context as follows:
netsh advfirewall> consec
netsh advfirewall consec>
Here, if you type ?, you will see 6 different commands in netsh advfirewall consec (see Figure 2). You can change the connection security configuration with the following commands:
- Add : Add a new connection security rule.
- Delete : Delete a connection security rule.
- Dump : This command does not work in this context.
- Help : Display all commands.
- Set : Set a new value for an existing rule.
Figure 2: The netsh advfirewall consec options
Show command
You use the Show command to list what the firewall will do next. There are 3 options for this command:
- Show alias lists aliases.
- Show helper lists high-level helpers.
- Show mode reports whether the firewall is active or inactive.
Export
The export command writes the entire current firewall configuration to a file. This command is very useful because you can back up all the settings and restore them if you don't like the new configuration you have created.
Firewall command
With this command you can add new inbound and outbound rules to the firewall. It also allows you to change existing rules.
Figure 3: The netsh advfirewall firewall command
In the firewall command there are four important commands:
- Add : Add inbound and outbound firewall rules.
- Delete : Delete a rule.
- Set : Set a new value for the established rules.
- Show : Displays a specified firewall rule.
The following are examples of the Add and Delete commands:
Add an inbound rule for messenger.exe
netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe" action=allow
Delete all the rules for local port 21
netsh advfirewall firewall delete rule name=all protocol=tcp localport=21
Import
The import command imports firewall settings from a file. With this command you can load a file that you previously exported. For example:
netsh advfirewall import "c:\advfirewall.wfw"
Reset
This command resets the firewall settings back to the defaults. Be careful with it, because as soon as you enter the command it resets the settings without asking for confirmation. Here is an example:
netsh advfirewall reset
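Because reset and import overwrite the policy without confirmation, it helps to wrap changes in an export first. The following is an added example, not code from the original article: it exports the policy before running a change and imports the backup if the change fails. It assumes PowerShell is installed and running elevated, that netsh returns a non-zero exit code on failure, and that C:\fwbackup is a hypothetical backup folder.

```powershell
# Added example: export the policy before a change, import it back on failure.
# Assumptions: elevated PowerShell; C:\fwbackup is a hypothetical folder;
# netsh signals failure with a non-zero exit code.
$BackupDir = 'C:\fwbackup'

function Backup-FirewallPolicy {
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ("advfirewall-{0}.wfw" -f $stamp)
    netsh advfirewall export "$file" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw 'Export failed; no change was made.'
    }
    return $file
}

function Invoke-FirewallChange {
    param([string[]]$NetshArgs)
    $backup = Backup-FirewallPolicy
    # Out-Host keeps netsh output out of the function's return value.
    netsh advfirewall @NetshArgs | Out-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Change failed, restoring $backup"
        netsh advfirewall import "$backup" | Out-Host
    }
    return $backup
}

# The inbound rule from the article, applied with a backup taken first.
$saved = Invoke-FirewallChange -NetshArgs @(
    'firewall', 'add', 'rule', 'name=allow messenger', 'dir=in',
    'program=c:\programfiles\messenger\msmsgs.exe', 'action=allow')
Write-Host "Policy as it was before the change: $saved"
```

To undo a change later, pass the saved file to netsh advfirewall import.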
Set
The Set command changes the firewall settings. There are 6 contexts for this command:
Figure 4: netsh advfirewall set
- Set allprofiles : Change the settings of all profiles.
- Set currentprofile : Change the settings for the current profile.
- Set domainprofile : Change the settings for the domain profile.
- Set global : Change the global settings of the firewall.
- Set privateprofile : Change the settings for the private profile.
- Set publicprofile : Change the settings for the public profile.
Example set commands:
- Turn off the firewall for all profiles:
netsh advfirewall set allprofiles state off
- Set the default to block inbound connections and allow outbound connections on all profiles:
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
- Enable remote management on all profiles:
netsh advfirewall set allprofiles settings remotemanagement enable
- Log dropped connections on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
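Since a single set command can turn the firewall off on every profile, it is worth checking the resulting state. The following is an added example, not code from the original article: it parses the output of netsh advfirewall show allprofiles and reports the settings changed by the commands above when they are in a weaker state. It assumes English-language netsh output, and the sample text is constructed.

```powershell
# Added example: flag weak per-profile settings in "show allprofiles" output.
# Assumption: English netsh output. The sample below is constructed.
$Sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Disable
LogDroppedConnections                 Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
RemoteManagement                      Enable
LogDroppedConnections                 Disable
'@

function Get-FirewallFinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings') {
            $current = $Matches[1]          # Domain, Private or Public
        } elseif ($current -and $line -match '^(\w+(?: \w+)?)\s{2,}(\S+)') {
            $key = $Matches[1]; $value = $Matches[2]
            $bad = switch ($key) {
                'State'                 { $value -ne 'ON' }
                'Firewall Policy'       { $value -notlike 'BlockInbound*' }
                'RemoteManagement'      { $value -eq 'Enable' }
                'LogDroppedConnections' { $value -ne 'Enable' }
                default                 { $false }
            }
            if ($bad) { '{0} profile: {1} = {2}' -f $current, $key, $value }
        }
    }
}

# Runs on the constructed sample. On a server, use instead:
#   Get-FirewallFinding (netsh advfirewall show allprofiles)
Get-FirewallFinding ($Sample -split "`r?`n")
```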
Show
The show command displays the settings you have made for all of the profiles.
Conclusion
In this article, we identified the main commands needed to configure the Windows 2008 firewall with the netsh advfirewall command. Now you need to decide whether to use the graphical interface or the commands to configure the firewall. Both methods offer the same options. Once you know the commands, configuring the Windows 2008 firewall from the command line interface is not much different.