Windows Server 2016 firewall commands
Comparison:
Show all inbound firewall rules
netsh advfirewall firewall show rule name=all dir=in
Show only the inbound firewall rules whose output contains the string ICMP
netsh advfirewall firewall show rule name=all dir=in | find "ICMP"
Modify a firewall rule
name: rule name
dir: direction, in = inbound, out = outbound
localport: local port number
action: what to do with matching traffic, allow = permit the connection, block = drop it
enable: whether the rule is active: yes = enabled, no = disabled
protocol: protocol type
netsh advfirewall firewall set rule name="文件和打印机共享(回显请求 - ICMPv4-In)" dir=in new enable=yes
Example 1: allow a program
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
Example 2: allow a port
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Example 3: delete a rule (here "rule name" is a placeholder for the name of the rule to remove)
netsh advfirewall firewall delete rule name="rule name" program="C:\MyApp\MyApp.exe"
netsh advfirewall firewall delete rule name="rule name" protocol=udp localport=500
Example 4: ICMP rules
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block
Example 5: configure logging
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable
netsh advfirewall set currentprofile logging allowedconnections enable
Example 6: turn the firewall on
netsh advfirewall set currentprofile state on
netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
Example 7: reset the firewall
netsh advfirewall reset
Example 8: allow a service (by rule group)
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
// ===============================================================
Restore the default settings
netsh advfirewall reset
Export the firewall configuration
netsh advfirewall export "c:\advfirewall.wfw"
Import the firewall configuration
netsh advfirewall import "c:\advfirewall.wfw"
Add an inbound rule for messenger.exe
netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe" action=allow
Delete all inbound rules for local port 21:
netsh advfirewall firewall delete rule name=all protocol=tcp localport=21
Turn the firewall off for all profiles:
netsh advfirewall set allprofiles state off
Set the default policy on all profiles to block inbound and allow outbound traffic:
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
Enable remote management on all profiles:
netsh advfirewall set allprofiles settings remotemanagement enable
Log dropped connections on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
(1) Enable the host firewall
netsh advfirewall set allprofiles state on
(2) Set the default inbound and outbound policy
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
The line above allows both directions; to deny instead, use blockinbound,blockoutbound
(3) Close TCP port 139
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
(4) Close UDP port 139
netsh advfirewall firewall add rule name="deny udp 139" dir=in protocol=udp localport=139 action=block
(5) Close TCP port 445
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
(6) Close UDP port 445
netsh advfirewall firewall add rule name="deny udp 445" dir=in protocol=udp localport=445 action=block
(7) Use the same method to close TCP ports 21, 22, 23, 137, 138, 3389, 5800 and 5900 in turn.
netsh advfirewall firewall add rule name="deny tcp 21" dir=in protocol=tcp localport=21 action=block
netsh advfirewall firewall add rule name="deny tcp 22" dir=in protocol=tcp localport=22 action=block
netsh advfirewall firewall add rule name="deny tcp 23" dir=in protocol=tcp localport=23 action=block
netsh advfirewall firewall add rule name="deny tcp 3389" dir=in protocol=tcp localport=3389 action=block
netsh advfirewall firewall add rule name="deny tcp 5800" dir=in protocol=tcp localport=5800 action=block
netsh advfirewall firewall add rule name="deny tcp 5900" dir=in protocol=tcp localport=5900 action=block
netsh advfirewall firewall add rule name="deny tcp 137" dir=in protocol=tcp localport=137 action=block
netsh advfirewall firewall add rule name="deny tcp 138" dir=in protocol=tcp localport=138 action=block
(8) Pause when finished
pause
echo 按任意键退出
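The port-block procedure in steps (3) to (7) above, as an added example that is not part of the original post: a PowerShell script that creates the same inbound block rules idempotently (so re-running it does not pile up duplicate rules, which plain netsh add rule does) and then verifies each rule's direction, action, enabled state and port. It uses the NetSecurity cmdlets, the PowerShell counterpart of the netsh lines on the page, and assumes an elevated PowerShell session on Windows Server 2016.

```powershell
# Added example, not from the original post. Port list and rule names follow
# steps (3)-(7) above: TCP 21,22,23,137,138,139,445,3389,5800,5900 and UDP 139,445.
$blocks = @()
foreach ($p in 21, 22, 23, 137, 138, 139, 445, 3389, 5800, 5900) {
    $blocks += [pscustomobject]@{ Proto = 'TCP'; Port = $p }
}
foreach ($p in 139, 445) {
    $blocks += [pscustomobject]@{ Proto = 'UDP'; Port = $p }
}

# Create each rule only if a rule with that display name does not exist yet.
foreach ($b in $blocks) {
    # Same naming scheme as the page: "deny tcp 139", "deny udp 445", ...
    $name = "deny $($b.Proto.ToLower()) $($b.Port)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "already present: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $b.Proto `
        -LocalPort $b.Port -Action Block -Enabled True | Out-Null
    Write-Host "created: $name"
}

# Verification pass: a rule that exists but is disabled, outbound, set to allow,
# or bound to the wrong port is reported as misconfigured rather than trusted.
$bad = @()
foreach ($b in $blocks) {
    $name = "deny $($b.Proto.ToLower()) $($b.Port)"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    $ok = $false
    if ($rule) {
        $pf = $rule | Get-NetFirewallPortFilter
        $ok = ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block') -and ($rule.Direction -eq 'Inbound') -and ("$($pf.Protocol)" -eq $b.Proto) -and ("$($pf.LocalPort)" -eq "$($b.Port)")
    }
    if (-not $ok) { $bad += $name }
}
if ($bad.Count -gt 0) {
    Write-Warning "Rules missing or misconfigured: $($bad -join ', ')"
} else {
    Write-Host "All $($blocks.Count) inbound block rules verified."
}
```

The verification pass is also a useful standalone check after a `netsh advfirewall reset`, since the reset removes these rules and the script will report every one of them as missing.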
Restore the initial configuration
(1) Restore the default firewall settings
netsh advfirewall reset
(2) Turn off the firewall
netsh advfirewall set allprofiles state off
Notes:
- Precedence
Policies set in GPEDIT.MSC take precedence over settings made in the Windows Firewall with Advanced Security console. For example, if the Group Policy setting "Windows Firewall: Allow inbound Remote Desktop exceptions" does not restrict the permitted source IP addresses, then limiting the IP range for port 3389 in the firewall's advanced settings has no effect.
- Blocking outbound access
netsh advfirewall firewall add rule name="PhaseACL" dir=out remoteip=3.3.3.3 action=block