
Netsh AdvFirewall Firewall Commands

Updated: August 6, 2009


Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Typing the command firewall at the netsh advfirewall context changes to the Netsh AdvFirewall Firewall context, where
you can view, create, and modify firewall rules. This context is the command-line equivalent to the Inbound Rules and
Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in.

Note
This context is different from the netsh firewall context. You can only run the command netsh advfirewall firewall, or
apply policies created with that command, on computers that are running Windows Vista or Windows Server 2008.
The netsh firewall context is backward compatible with Windows XP and Windows Server 2003, but only enables you to
configure a subset of what the advfirewall firewall context supports. For more information about the netsh firewall
context, see Netsh Commands for Windows Firewall.

Important
The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on
a computer that is running Windows Vista or a later version of Windows, because by using it you can create and modify
firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard
profile. On Windows Vista and later, the standard profile maps to the private profile and domain continues to map to the
domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public
network and the command is run against the "current" profile.
Starting in Windows 7 and Windows Server 2008 R2, running any command in the firewall context produces the
following message:
IMPORTANT: netsh firewall is deprecated; use netsh advfirewall firewall instead. For more information on
using netsh advfirewall firewall commands instead of netsh firewall, see KB article 947709 at
http://go.microsoft.com/fwlink?linkid=121488.

To view the syntax of commands available in the Firewall context, click a command:
add
delete
set
show

add
In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.

add rule
Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the
specified criteria.

Syntax
add rule
name=RuleName
dir={in| out}
action={allow| block| bypass}
[program=ProgramPath\FileName]
[service={ServiceShortName| any}]
[description=RuleDescription]
[enable={yes|no}]
[profile={public| private| domain| any| [,...]}]
[localip={Addresses}]
[remoteip={Addresses}]
[localport={any| Integer| rpc| rpcepmap| iphttps| teredo| [,...]}]
[remoteport={any| Integer| [,...]}]
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
[interfacetype={any| wireless| lan| ras}]
[rmtcomputergrp=SDDLString]
[rmtusrgrp=SDDLString]
[edge={yes| deferapp| deferuser| no}]
[security={authenticate| authenc| authdynenc| authnoencap| notrequired}]

Parameters
name=RuleName
Required. Specifies the name of this firewall rule. The name should be unique, and must not be "all".
dir={in| out}
Required. Specifies whether this rule matches inbound or outbound network traffic.
dir can be any of the following values:

in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the
Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.
out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the
Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.
action={allow| block| bypass}
Required. Specifies what Windows Firewall with Advanced Security does to filter network packets that match the
criteria specified in this rule.
action can be one of the following:
allow. Network packets that match all criteria specified in this rule are permitted through the firewall.
block. Network packets that match all criteria specified in this rule are dropped by the firewall.
bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in
rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are
successfully authenticated against a computer account specified in rmtcomputergrp and against a user
account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you
cannot set security=notrequired. This option is the equivalent to the Override block rules checkbox in
the Windows Firewall with Advanced Security MMC snap-in.
For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted on
an outbound rule. Selecting this option on an outbound rule causes matching traffic to be permitted
through this rule even if other matching rules would block the traffic. No accounts are required in
rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or excepted
computers are listed in those groups, they will be enforced.
The action=bypass option on an outbound rule is not valid on computers that are running earlier
versions of Windows.
[program=ProgramPath\FileName]
Specifies that network traffic generated by the identified executable program matches this rule.

Caution
Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in
Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network
services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that
are already protected by the built-in rules might result in conflicts or undesired side effects.

If program is not specified, then network traffic generated by any program matches this rule.
[service={ServiceShortName| any}]
Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can
be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service
Name.
If service is not specified then network traffic generated by any program or service matches this rule.
[description=RuleDescription]
Provides information about the firewall rule.

[enable={yes| no}]
Specifies whether the rule is currently enabled.
If enable is not specified, the default is yes.
[profile={public| private| domain| any| [,...]}]
Specifies the profiles to which the firewall rule is assigned. The rule is active on the local computer only when
the specified profile is currently active.
You can include multiple entries for profile by separating them with a comma. Do not include any spaces.
If profile is not specified, the default is any.
[localip={Addresses}]
Specifies that network packets with matching IP addresses match this rule. localip is compared to the
Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an
outbound network packet.
localip can be any of the following values:
any. Matches any IP address.
IPAddress. Matches only the exact IPv4 or IPv6 address.
IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet
address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting
and ending IP addresses of the range separated by a '-'.
Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces.
If localip is not specified, the default is any.
[remoteip={Addresses}]
Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the
Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an
inbound network packet.
remoteip can be any of the following values:
any. Matches any IP address.
localsubnet. Matches any IP address that is on the same IP subnet as the local computer.
dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the
identified server type on the local computer.
IPAddress. Matches only the exact IPv4 or IPv6 address specified.
IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet
address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting
and ending IP addresses of the range separated by a '-'.
Multiple entries can be specified for remoteip by separating them with a comma.

If remoteip is not specified, the default is any.


[localport={any| Integer| rpc| rpcepmap| iphttps| teredo| [,...]}]
Specifies that network packets with matching IP port numbers match this rule. localport is compared to
the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound
network packet.
localport can be any of the following values:
any. Matches any value in the port field of the IP packet.
Integer. Specifies the exact port number that must be present for the packet to match the rule. The port
values can be individual numbers from 0 through 65535, a range, such as 5000-5020, or a
comma-separated list of numbers and ranges.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that
correctly registers the port as an RPC listening port. A rule with this option must also specify
protocol=tcp, and dir=in. We recommend that you also specify the appropriate
program=ProgramName and/or service=ServiceName options to ensure that only the correct service
can send or receive traffic by using this rule. This option eliminates the need to know the specific port
numbers assigned to the application when it starts.
rpcepmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper
service. A rule with this option must also specify protocol=tcp, and dir=in. We recommend that you
also specify program=%windir%\system32\svchost.exe, and service=rpcss to ensure that only the
RPC service can send or receive network traffic by using this rule. This option eliminates the need to know
the specific port numbers assigned to the service when it starts. If you have one or more rules that specify
localport=rpc, then you must also create a rule with localport=rpcepmap enabled. This allows both
the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the
RPC service.
teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition
technology that allows IPv4 computers to communicate with IPv6 computers.
iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IP-HTTPS is a
firewall traversal protocol that allows IPv6 packets that would otherwise be blocked if sent by using
Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS is
another mechanism that can be used when a firewall does not support other edge traversal protocols.
The iphttps option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only,
and is ignored if applied by Group Policy to computers that are running earlier versions of Windows.
Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces.
If localport is not specified, the default is any.
[remoteport={any| Integer| [,...]}]
Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the
Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound
network packet.
remoteport can be any of the following values:

any. Matches any value in the port field of the IP packet.


Integer. Specifies the exact port number that must be present for the packet to match the rule. The port
values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers
and ranges.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

Multiple entries can be specified for remoteport by separating them with a comma. Do not include any spaces.
If remoteport is not specified, the default is any.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
Specifies that network packets with a matching IP protocol match this rule.
protocol can be any of the following values:
any. Matches any value in the Protocol field of the IP packet.
Integer. Specifies the protocol by number that must be present for the packet to match the rule. The value
can range from 0 through 255.
icmpv4. Specifies that all ICMP v4 packets match this rule.
icmpv6. Specifies that all ICMP v6 packets match this rule.
icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match
this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match
this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport
matches this rule.
udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and
remoteport matches this rule.
Multiple entries can be specified for protocol by separating them with a comma. Do not include any spaces.
If protocol is not specified, the default is any.
[interfacetype={any| wireless| lan| ras}]
Specifies that only network packets passing through the indicated interface types match this rule. Using this
parameter allows you to specify different firewall requirements for each of the three main network types. The
value must be one of the following:
any. Network packets passing through any of the interface types match this rule.

wireless. Network packets that pass through a wireless network adapter match this rule.
lan. Network packets that pass through a wired LAN adapter match this rule.
ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection,
match this rule.
If interfacetype is not specified, the default is any.
[rmtcomputergrp=SDDLString]
Specifies that only network packets that are authenticated as coming from or going to a computer identified in
the list of computer and group accounts match this rule.
If rmtcomputergrp is specified, then security must be set to either authenticate or authenc.
If action=bypass, then at least one computer or computer group account must be specified in
rmtcomputergrp.
For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries
computer account information.
[rmtusrgrp=SDDLString]
Specifies that only network packets that are authenticated as coming from or going to a user identified in the list
of user and group accounts match this rule.
If rmtusrgrp is specified, then security must be set to either authenticate or authenc.
For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account
information.
[edge={yes| deferapp| deferuser| no}]
Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address
Translation (NAT)-enabled router, between the local and remote computer matches this rule. The deferapp and
deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to
deferapp or deferuser, then Windows allows the application or user to programmatically register with the
firewall to receive inbound unsolicited application traffic from the edge device.
This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced
Security MMC snap-in.
If edge is not specified, the default is no.
[security={authenticate| authenc| authdynenc| authnoencap| notrequired}]
Specifies that only network packets protected with the specified type of IPsec options match this rule.
security can be one of the following values:
authenticate. Network packets that are authenticated by IPsec match this rule. You must create a
separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow
only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.
authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create
a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of
the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.
authdynenc. Network packets that are authenticated by IPsec match this rule, and if the initial packet is
not already encrypted, then a new quick mode SA is negotiated with the remote host to encrypt the
connection. All succeeding packets are authenticated and encrypted. If the negotiation of a quick mode
encryption SA fails, then the firewall blocks the connection. You must create a separate connection
security rule that requires authentication and encryption to permit negotiation of an appropriate
encrypted SA. This option is the equivalent of the Allow systems to dynamically negotiate encryption
option in the Windows Firewall with Advanced Security MMC snap-in.

Note
This option is valid for inbound firewall rules only.
This option is available only on computers that are running Windows 7 or Windows Server 2008 R2.
Group Policies created with this option are compatible with computers that are running Windows Vista
or later versions of Windows.

authnoencap. Network connections that are authenticated, but not encapsulated by ESP or AH, match
this rule. This option is useful for connections that must be monitored by network equipment, such as
intrusion detection systems (IDS), that are not compatible with ESP NULL-protected network packets. The
initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits cleartext
traffic. To use this option, you must also configure a connection security rule that specifies authnoencap
as a quick mode security method.

Note
This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is
the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with
Advanced Security MMC snap-in.
If security is not specified, the default is notrequired.

Remarks
Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only.
However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008
by using Group Policy work correctly.
Do not create a firewall rule with the name all. Doing this creates a conflict with the netsh option to select all
firewall rules (for example, delete rule name=all).
If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security
rule that authenticates the connection. The authentication protocol used must include identification of a
computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping
enabled.
Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the firewall
blocking all network traffic from outside the edge device.
For more information about SDDL strings and their format, see "Security Descriptor String Format"
(http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with
Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain
accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to
disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select
Only allow connections from these computers, and then click the Add button to find the computer or
machine group account of interest. You can also select the Only allow connections from these users, and then
click the Add button to find the user or group account of interest. After creating the rule, you can use the
command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that
computer or group. Be sure to delete the temporary rule when you are finished.
The localport=teredo option is valid for protocol=udp only.
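The SDDL lookup procedure in the Remarks can be scripted instead of clicked through in the snap-in. The following PowerShell script is an added example and is not part of the netsh documentation: it resolves an account name to its SID, wraps it in the SDDL form that rmtcomputergrp and rmtusrgrp expect, attaches it to a disabled temporary rule, reads the rule back with show rule verbose, and deletes the rule again. It assumes an elevated prompt on a domain-joined Windows 7 or Windows Server 2008 R2 computer; the group name in $GroupName is a placeholder, not a real account.

```powershell
# Added example (not from the netsh documentation): automate the SDDL lookup described
# in the Remarks. Assumptions: elevated prompt, domain-joined Windows 7 / Server 2008 R2,
# and $GroupName is a placeholder account name.
param(
    [string]$GroupName = 'CONTOSO\Finance-Workstations'   # placeholder, not a real group
)

$ErrorActionPreference = 'Stop'

# 1. Resolve the account name to its SID. No firewall change happens here.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Build the SDDL string: a DACL with a single Allow ACE granting CC to that SID,
#    which is the form shown in the add rule example for rmtcomputergrp/rmtusrgrp.
$sddl = "D:(A;;CC;;;$sid)"

# 3. Create the temporary rule DISABLED so it never matches traffic while it exists.
#    rmtcomputergrp requires security=authenticate or authenc.
$tempRule = 'TEMP-SDDL-lookup'
netsh advfirewall firewall add rule name=$tempRule dir=in action=allow enable=no `
    security=authenticate rmtcomputergrp="$sddl" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "add rule failed for $tempRule (is the prompt elevated?)" }

try {
    # 4. Read the rule back; the verbose listing includes the remote computer group SDDL,
    #    exactly as the Remarks describe for a rule created in the snap-in.
    netsh advfirewall firewall show rule name=$tempRule verbose
} finally {
    # 5. Remove the temporary rule whether or not the listing succeeded.
    netsh advfirewall firewall delete rule name=$tempRule | Out-Null
}

"SDDL for ${GroupName}: $sddl"
```

The rule is created with enable=no before anything else happens, and the finally block removes it even if show rule fails, so the computer is never left with a stray allow rule.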

Examples
The following command creates an outbound rule to block all traffic from the local computer that originates on
TCP port 80.
add rule name="Block Outbound Port 80" dir=out localport=80 protocol=TCP action=block
The following command creates a rule that blocks all inbound traffic from all WINS servers:
add rule name="Block WINS" dir=in action=block remoteip=wins
The following command creates an inbound rule that allows traffic for the Windows Messenger program only
from computers on the same subnet as the local computer.
add rule name="Allow Messenger" dir=in program="c:\program files\messenger\msmsgs.exe"
remoteip=localsubnet action=allow
The following command creates a rule that permits inbound Windows Messenger network traffic only if the
connection from the remote computer is authenticated by using a separate connection security rule.
add rule name="Allow Authenticated Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" security=authenticate action=allow
The following command creates a rule that allows all network traffic from computers that are members of a
specific computer group, and only from users that are members of a specific user group. Both memberships
must be confirmed by authentication using a separate connection security rule. The actual SDDL strings to use
should be determined by referring to the SDDL documentation and steps identified in the Remarks section
above.
add rule name="Allow Only Specific Computers and Users" dir=in rmtcomputergrp=D:(A;;CC;;;SIDforMachineGroupAccount) rmtusrgrp=D:(A;;CC;;;SIDforUserGroupAccount) action=bypass security=authenticate
The following two commands create rules that prevent all wireless network traffic:
add rule name="Block Wireless In" dir=in interfacetype=wireless action=block
add rule name="Block Wireless Out" dir=out interfacetype=wireless action=block
The following command creates a rule to allow TCP traffic addressed to port 12345 and the range of ports 5000-5020
to a specific application from computers on the remote side of an edge NAT device, using the Teredo IPv6
interface:
add rule name="Allow TCP 12345 and 5000-5020 over Teredo" dir=in action=allow edge=yes remoteip=any protocol=TCP localport=12345,5000-5020 program="c:\program files\TestIPv6App.exe"

Note
Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.
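The port-range restriction in the note above is the one thing that makes the last example fail on Windows Vista and Windows Server 2008. The following PowerShell script is an added example, not part of the netsh documentation: it creates the same Teredo rule on any supported version by passing the range through on Windows 7 / Windows Server 2008 R2 and expanding it to the equivalent comma-separated port list, which every version accepts, on the older releases. It assumes an elevated prompt and keeps the placeholder program path from the example.

```powershell
# Added example (not from the netsh documentation): create the Teredo rule from the
# example above on Vista / Server 2008 as well, where netsh rejects port ranges.
# Assumptions: elevated prompt; the program path is the example's placeholder.

function Get-LocalPortArgument {
    # $Ports: port entries as netsh would take them, e.g. '12345', '5000-5020'.
    param([string[]]$Ports)
    # Windows 7 / Server 2008 R2 report version 6.1; Vista / Server 2008 report 6.0.
    $supportsRanges = [Environment]::OSVersion.Version -ge [Version]'6.1'
    $parts = @()
    foreach ($p in $Ports) {
        if (-not $supportsRanges -and $p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($lo -gt $hi -or $hi -gt 65535) { throw "Invalid port range: $p" }
            $parts += ($lo..$hi)        # expand 5000-5020 to 5000,5001,...,5020
        } else {
            $parts += $p                # single port, keyword, or a range netsh accepts
        }
    }
    return ($parts -join ',')           # netsh does not allow spaces in the list
}

$ruleName   = 'Allow TCP 12345 and 5000-5020 over Teredo'
$localPorts = Get-LocalPortArgument -Ports '12345', '5000-5020'

netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow edge=yes `
    remoteip=any protocol=TCP localport="$localPorts" `
    program="c:\program files\TestIPv6App.exe"
if ($LASTEXITCODE -ne 0) { throw 'netsh add rule failed (is the prompt elevated?)' }

# Read the rule back to confirm what the firewall actually stored for LocalPort.
netsh advfirewall firewall show rule name="$ruleName" | Select-String 'Rule Name:|LocalPort:'
```

On Windows 7 the stored LocalPort is 12345,5000-5020; on Vista it is the expanded list of 22 ports. Either way the rule matches the same traffic, which is also why, as the Remarks note, a range rule pushed to Vista by Group Policy works even though netsh on Vista cannot create one.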

delete
In the netsh advfirewall firewall context, the Delete command only has one variation, the Delete Rule command.

delete rule
Deletes all connection security rules that match the specified criteria.

Syntax
delete rule
name={all| RuleName}
[dir={in| out}]
[profile={public| private| domain| any| [,...]}]
[program=ProgramPath\FileName]
[service={ServiceShortName| any}]
[localip={Addresses}]
[remoteip={Addresses}]
[localport={any| Integer| rpc| rpcepmap| teredo| [,...]}]
[remoteport={any| Integer| [,...]}]
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]

Parameters
name={all| RuleName}
Required. You can specify one of the following values:
The rule name of the connection security rule you want deleted.
all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other
parameters are included in the command then all connection security rules are deleted.
[dir={in| out}]
Specifies that only rules of the selected direction are deleted. The value can be either in or out.

[profile={public| private| domain| any| [,...]}]
Specifies that only rules assigned to the specified profiles are deleted. If you specify more than one profile,
then only rules that include the exact same list of profiles match.
[program=ProgramPath\FileName]
Specifies that only rules that match the identified program are deleted.
[service={ServiceShortName| any}]
Specifies that only rules that match the identified service name are deleted.
[localip={Addresses}]
Specifies that only rules that match the IP addresses, ranges, or subnets are deleted. If your rule includes
multiple entries, then the rule only matches if it contains the exact same list of entries.
localip can be any of the following values:
The keyword any.
IPAddress. Specifies an IPv4 or IPv6 address.
IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
You can specify multiple entries for localip by separating them with a comma. Do not include any spaces.
[remoteip={Addresses}]
Specifies that only rules that match the IP addresses, ranges, subnets, or server types are deleted. If your rule
includes multiple entries, then the rule only matches if it contains the exact same list of entries.
remoteip can be any of the following values:
One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.
IPAddress. Specifies an IPv4 or IPv6 address.
IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces.
[localport={any| Integer| rpc| rpcepmap| teredo| [,...]}]
[remoteport={any| Integer| [,...]}]
Specifies that only rules that match the port numbers or keywords indicated are deleted. The port values can
be individual numbers from 0 through 65535, a range, such as 5000-5020, or a comma-separated list of
numbers and ranges.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

If you specify localport or remoteport then you must also specify protocol, and it must be set to either tcp
or udp.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
Specifies that only rules that match the indicated protocol value are deleted.

Remarks
If multiple rules are found that match the specified criteria, then they are all deleted.
If you specify name=all and do not specify any other criteria, then all firewall rules are deleted.
Rules that specify port ranges can be created and modified by using netsh on Windows 7 and Windows
Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista
and Windows Server 2008 by using Group Policy work correctly.

Examples
The following example deletes a rule based on its exact name:
Delete rule name="rule1"
The following example deletes all rules for TCP port 80:
delete rule name=all protocol=tcp localport=80
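Because name=all with criteria removes every rule that matches, and name=all alone removes every rule on the computer, it is worth seeing the matches before deleting. The following PowerShell script is an added example, not part of the netsh documentation. Since show rule does not accept protocol or port criteria, it parses the show rule name=all listing into one record per rule and filters locally on the same fields (Direction, Protocol, LocalPort, RemotePort), refuses a bare name=all, and only runs the real delete rule when -Force is given. The field names it matches are those printed by show rule; the function names are mine. It assumes an elevated prompt.

```powershell
# Added example (not from the netsh documentation): preview, then delete, the rules
# that "delete rule name=all <criteria>" would remove. Assumption: elevated prompt.

function Get-NetshFirewallRule {
    # Parse "show rule name=all" into one hashtable per rule ("Key" -> "Value"),
    # using the "Key:   Value" lines that netsh prints for each rule.
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            $current = @{ 'Rule Name' = $Matches[1].Trim() }
            $rules += $current
        } elseif ($null -ne $current -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $rules
}

function Remove-FirewallRuleSafely {
    param(
        [Parameter(Mandatory=$true)][string]$Name,  # exact rule name, or 'all'
        [hashtable]$Criteria = @{},                  # e.g. @{ protocol='tcp'; localport='80' }
        [switch]$Force                               # without -Force only the preview runs
    )
    if ($Name -eq 'all' -and $Criteria.Count -eq 0) {
        throw 'Refusing name=all without criteria: that deletes every firewall rule.'
    }
    # netsh delete criterion -> field name in the "show rule" listing
    $field = @{ dir = 'Direction'; protocol = 'Protocol'; localport = 'LocalPort'; remoteport = 'RemotePort' }
    foreach ($k in $Criteria.Keys) {
        if (-not $field.ContainsKey($k)) { throw "Criterion not supported by this preview: $k" }
    }
    if (($Criteria.ContainsKey('localport') -or $Criteria.ContainsKey('remoteport')) -and
        -not $Criteria.ContainsKey('protocol')) {
        throw 'netsh requires protocol=tcp or udp when a port criterion is given.'
    }

    # Comparisons use -eq/-ne, which are case-insensitive, so 'tcp' matches 'TCP'.
    $selected = @(Get-NetshFirewallRule | Where-Object {
        $rule = $_
        $nameOk = ($Name -eq 'all') -or ($rule['Rule Name'] -eq $Name)
        $critOk = $true
        foreach ($k in $Criteria.Keys) {
            if ($rule[$field[$k]] -ne $Criteria[$k]) { $critOk = $false }
        }
        $nameOk -and $critOk
    })

    if ($selected.Count -eq 0) { Write-Warning 'No rules match; nothing deleted.'; return }
    Write-Host "Matching rule(s): $($selected.Count)"
    foreach ($r in $selected) {
        Write-Host ('  {0}  [{1} {2} {3}]' -f $r['Rule Name'], $r['Direction'], $r['Protocol'], $r['LocalPort'])
    }
    if (-not $Force) { Write-Host 'Re-run with -Force to delete them.'; return }

    # Build the real delete command from the same name and criteria.
    $netshArgs = @('advfirewall', 'firewall', 'delete', 'rule', "name=$Name")
    foreach ($k in $Criteria.Keys) { $netshArgs += "$k=$($Criteria[$k])" }
    & netsh $netshArgs
}

# Preview of the second example above (delete rule name=all protocol=tcp localport=80);
# add -Force to perform the deletion.
Remove-FirewallRuleSafely -Name all -Criteria @{ protocol = 'tcp'; localport = '80' }
```

The preview matches rules in both directions, exactly as the netsh command does when dir is omitted; pass dir='in' or dir='out' in the criteria to narrow it, and the same value is forwarded to delete rule.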

set
In the netsh advfirewall firewall context, the Set command only has one variation, the Set Rule command.

set rule
Modifies an existing firewall rule identified by name, or found by matching the specified criteria. Criteria that precede
the keyword new identify the rules to be modified. Criteria that follow the keyword new indicate properties that are
modified or added.

Syntax
set rule
{group=GroupName| name={all| RuleName}}
[dir={in| out}]
[profile={public| private| domain| any} [,...]]
[program=ProgramPath\FileName]
[service={ServiceShortName| any}]
[localip=Addresses]
[remoteip=Addresses]
[localport={any| rpc| rpcepmap| teredo| iphttps| Integer| [,...]}]
[remoteport={any| Integer| [,...]}]
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
new
[name=NewRuleName]
[dir={in|out}]
[program=ProgramPath\FileName]
[service={ServiceShortName| any}]
[action={allow| block| bypass}]
[description=RuleDescription]
[enable={yes| no}]
[profile={public| private| domain| any| [,...]}]
[localip=Addresses]
[remoteip=Addresses]
[localport={any| rpc| rpcepmap| teredo| iphttps| Integer| [,...]}]
[remoteport={any| Integer| [,...]}]
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
[interfacetype={any| wireless| lan| ras}]
[rmtcomputergrp=SDDLString]
[rmtusrgrp=SDDLString]
[edge={yes| deferapp| deferuser| no}]
[security={authenticate| authenc| authdynenc| authnoencap| notrequired}]

Parameters
{group=GroupName| name={all| RuleName}}
Required. Specifies either the group name for a set of rules to modify together, or a rule name assigned to an
existing rule that you want to modify. If you specify the group name for a set of rules, then all of the rules in
that group receive the same set of modifications.

If name=all, then all rules that match the other criteria listed before the new keyword are modified.
If name=all, and no other parameters are included before the new keyword, then all rules are modified as
indicated.
[dir={in| out}]
Specifies that only matching rules of the indicated direction are modified. The value of dir can be either in or
out.
[profile={public| private| domain| any} [,...]]
Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify a
comma-separated list, then only rules that contain the exact same list are modified.
[program=ProgramPath\FileName]
Specifies that only rules that match the identified program are modified.
[service={ServiceShortName| any}]
Specifies that only rules that match the identified service name are modified.
If service is not specified, then rules that specify any value, including no value, and that match all other
criteria, are modified.
[localip={Addresses}]
Specifies that only rules that match the IP addresses, ranges, or subnets are modified. If you specify a
comma-separated list, then only rules that contain the exact same list are modified.
localip can be any of the following values:
The keyword any.
IPAddress. Specifies an IPv4 or IPv6 address.
IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
You can specify multiple entries for localip by separating them with a comma.
[remoteip={Addresses}]
Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified. If you
specify a comma-separated list, then only rules that contain the exact same list are modified.
remoteip can be any of the following values:
One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.
IPAddress. Specifies an IPv4 or IPv6 address.
IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then
either the number of bits in the subnet mask or the subnet mask itself.
IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses
of the range separated by a '-'.
You can specify multiple entries for remoteip by separating them with a comma.
[localport={any| Integer| rpc| rpcepmap| teredo| iphttps| [,...]}] [remoteport={any| Integer|
[,...]}]
Specifies that only rules that match the port numbers or keywords indicated are modified. The port values can
be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. If you
specify a comma separated list, then only rules that contain the exact same list are modified.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
Specifies that only rules that match the indicated protocol value are modified. If you specify a comma
separated list, then only rules that contain the exact same list are modified.
new

Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any
parameter that follows this keyword indicates a value that is modified in the rules that match the specified
criteria.

[name=NewRuleName]
Specifies a new name for the firewall rule. The name should be unique, and must not be "all".
[dir={in| out}]
Specifies whether this rule matches inbound or outbound network traffic.
Dir can be one of the following values:
in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in
the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.
out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in
the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.
[action={allow| block| bypass}]
Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria
specified in this rule.
action can be one of the following:
allow. Network packets that match all criteria specified in this rule are permitted through the firewall.
block. Network packets that match all criteria specified in this rule are dropped by the firewall.
bypass. If dir=in, then this option is valid only for rules that have one or more accounts listed in
rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are
successfully authenticated against a computer account specified in rmtcomputergrp and against a
user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then
you cannot set security=notrequired. This option is the equivalent to the Override block rules
checkbox in the Windows Firewall with Advanced Security MMC snap-in.
For computers that are running Windows 7 or Windows Server 2008 R2, action=bypass is permitted
on an outbound rule. Selecting this option on an outbound rule causes matching traffic to be
permitted through this rule even if other matching rules would block the traffic. No accounts are
required in rmtcomputergrp or rmtusrgrp for an outbound bypass rule; however, if authorized or
excepted computers are listed in those groups, they will be enforced.
The action=bypass option on an outbound rule is not valid on computers that are running earlier
versions of Windows. Those computers will not successfully process a rule with this option.
[program=ProgramPath\FileName]
Specifies that network traffic generated by the identified executable program matches this rule.

Caution
Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in
Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network
services was increased by using predefined, built-in firewall rules. Creating new rules referencing services
that are already protected by the built-in rules might result in conflicts or undesired side effects.

[service={ServiceShortName| any}]
Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service
can be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining
Service Name.
[description=RuleDescription]
Provides information about the firewall rule.
[enable={yes| no}]
Specifies whether the rule is currently enabled.
[profile={public| private| domain| any| [,...]}]
Specifies the profiles to which the firewall rule is assigned. The rule is active on the local computer only when
the specified profile is currently active.
You can include multiple entries for profile by separating them with a comma. Do not include any spaces.
[localip={Addresses}]
Specifies that network packets with matching IP addresses match this rule. localip is compared to the
Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an
outbound network packet.
localip can be any of the following values:
any. Matches any IP address.
IPAddress. Matches only the exact IPv4 or IPv6 address.
IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the
subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet
mask itself.
IPRange. Matches any IPv4 or IPv6 address that falls within the specified range. The format is the
starting and ending IP addresses of the range separated by a '-'.
Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces.
[remoteip={Addresses}]
Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the
Destination IP address field of an outbound network packet. It is compared to the Source IP address field of
an inbound network packet.
remoteip can be any of the following values:
any. Matches any IP address.
localsubnet. Matches any IP address that is on the same IP subnet as the local computer.
dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the
identified server type on the local computer.
IPAddress. Matches only the exact IPv4 or IPv6 address specified.
IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the
subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet
mask itself.
IPRange. Matches any IPv4 or IPv6 address that falls within the specified range. The format is the
starting and ending IP addresses of the range separated by a '-'.
Multiple entries can be specified for remoteip by separating them with a comma. Do not include any spaces.
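As an added example (PowerShell, not code from the netsh reference), the function below checks a localip or remoteip value against the address grammar described above before it is handed to netsh: the keywords, IPv4/IPv6 addresses, subnets written as address/prefix-length or address/dotted-mask, ranges written as start-end, all comma-separated with no spaces. The function and helper names are my own, and the -Remote switch is an assumption that models the rule that the server-type keywords (localsubnet, dns, dhcp, wins, defaultgateway) are accepted for remoteip only. The sample values at the end are constructed.

```powershell
# Added example, not from the netsh reference: validate a localip/remoteip value
# against the documented address grammar before passing it to netsh.

function Test-IPLiteral {
    # True only for a complete IPv4 dotted quad or a parseable IPv6 address.
    param([string]$Text)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        # TryParse accepts shorthand such as "10.1" (= 10.0.0.1); insist on four octets.
        return [bool]($Text -match '^\d{1,3}(\.\d{1,3}){3}$')
    }
    return ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6)
}

function Test-IPv4 {
    param([string]$Text)
    return ([System.Net.IPAddress]::Parse($Text).AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork)
}

function Test-DottedMask {
    # A mask in dotted form must be a run of 1 bits followed by a run of 0 bits.
    param([string]$Mask)
    if (-not (Test-IPLiteral $Mask) -or -not (Test-IPv4 $Mask)) { return $false }
    $bits = ([System.Net.IPAddress]::Parse($Mask).GetAddressBytes() |
             ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    return [bool]($bits -match '^1*0*$')
}

function Compare-IPBytes {
    # Byte-wise comparator for two addresses of the same family (negative when $A < $B).
    param([string]$A, [string]$B)
    $a = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    for ($i = 0; $i -lt $a.Length; $i++) {
        if ($a[$i] -ne $b[$i]) { return [int]$a[$i] - [int]$b[$i] }
    }
    return 0
}

function Test-NetshAddressList {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [switch]$Remote   # remoteip also accepts the server-type keywords; localip does not
    )
    $problems = @()
    $keywords = @('any')
    if ($Remote) { $keywords += 'localsubnet', 'dns', 'dhcp', 'wins', 'defaultgateway' }
    if ($Value -match '\s') { $problems += 'whitespace found: entries are comma-separated with no spaces' }

    foreach ($entry in ($Value -split ',')) {
        if ($entry -eq '') { $problems += 'empty entry (stray comma)'; continue }
        if ($keywords -contains $entry) { continue }
        if ($entry -match '^([^/]+)/([^/]+)$') {                                   # IPSubnet
            $addr, $suffix = $Matches[1], $Matches[2]
            if (-not (Test-IPLiteral $addr)) { $problems += "subnet '$entry': bad address"; continue }
            $maxBits = if (Test-IPv4 $addr) { 32 } else { 128 }
            if ($suffix -match '^\d{1,3}$') {
                if ([int]$suffix -gt $maxBits) { $problems += "subnet '$entry': prefix length exceeds $maxBits" }
            } elseif (-not ($maxBits -eq 32 -and (Test-DottedMask $suffix))) {
                $problems += "subnet '$entry': suffix must be a prefix length or a contiguous IPv4 dotted mask"
            }
        } elseif ($entry -match '^([^-]+)-([^-]+)$') {                              # IPRange
            $start, $end = $Matches[1], $Matches[2]
            if (-not ((Test-IPLiteral $start) -and (Test-IPLiteral $end))) { $problems += "range '$entry': bad endpoint"; continue }
            if ((Test-IPv4 $start) -ne (Test-IPv4 $end)) { $problems += "range '$entry': mixed IPv4 and IPv6 endpoints"; continue }
            if ((Compare-IPBytes $start $end) -gt 0) { $problems += "range '$entry': start address is after end address" }
        } elseif (-not (Test-IPLiteral $entry)) {                                   # IPAddress
            $problems += "'$entry' is not a keyword, address, subnet or range"
        }
    }
    [pscustomobject]@{ Value = $Value; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed inputs for illustration.
Test-NetshAddressList -Value '10.1.0.0/16,192.168.1.10-192.168.1.20,2001:db8::/32,dns' -Remote
Test-NetshAddressList -Value '10.1.0.0/16, 192.168.1.0/24' -Remote   # a space after the comma
Test-NetshAddressList -Value 'localsubnet,10.0.0.1/255.255.0.255'    # remoteip-only keyword used for localip; non-contiguous mask
```

The check is deliberately stricter than .NET's own parser: IPAddress.TryParse accepts abbreviated IPv4 literals such as "10.1", which netsh would not, so the function insists on four octets, and a dotted mask is accepted only if its bits are contiguous.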
[localport={any| Integer| rpc| rpcepmap| teredo| iphttps| [,...]}]
Specifies that network packets with matching IP port numbers match this rule. localport is compared to the
Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound
network packet.
localport can be any of the following values:
any. Matches any value in the port field of the IP packet.
Integer. Specifies the exact port number that must be present for the packet to match the rule. The port
values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers
and ranges.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows
Server 2008 R2.

rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that
correctly registers the port as an RPC listening port. A rule with this option must also specify
protocol=tcp, dir=in. We recommend that you also specify the appropriate
program=ProgramName and/or service=ServiceName options to ensure that only the correct
service can send or receive traffic by using this rule. This option eliminates the need to know the
specific port numbers assigned to the application when it starts.


rpcepmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper
service. A rule with this option must also specify protocol=tcp, dir=in. We recommend that you
also specify program=%windir%\system32\svchost.exe, and service=rpcss to ensure that only
the RPC service can send or receive network traffic by using this rule. This option eliminates the need to
know the specific port numbers assigned to the service when it starts. If you have one or more rules
that specify localport=rpc, then you must also create a rule with localport=rpcepmap enabled.
This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral
ports assigned by the RPC service.
teredo. Matches inbound UDP packets that contain Teredo packets. Teredo is an IPv4 to IPv6 transition
technology that allows IPv4 computers to communicate with IPv6 computers.
iphttps. Matches inbound TCP packets that contain HTTPS with embedded IPv6 packets. IPHTTPS is a
firewall traversal protocol that carries IPv6 packets that would otherwise be blocked if sent by using
Teredo, 6to4, or native IPv6. HTTPS is almost universally permitted through a firewall, so IP over HTTPS
is another mechanism that can be used when a firewall does not support other edge traversal
protocols. The IPHTTPS option is valid on computers that are running Windows 7 or Windows
Server 2008 R2 only, and is ignored if applied by Group Policy to computers that are running earlier
versions of Windows.
Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces.
[remoteport={any| Integer| [,...]}]
Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the
Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound
network packet.
remoteport can be any of the following values:
any. Matches any value in the port field of the IP packet.
Integer. Specifies the exact port number that must be present for the packet to match the rule. The port
values can be individual numbers, a range, such as 5000-5020, or a comma-separated list of numbers
and ranges.

Note
Port ranges are supported only on computers that are running Windows 7 or Windows
Server 2008 R2.

Multiple entries can be specified for remoteport by separating them with a comma. Do not include any
spaces.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]
Specifies that network packets with a matching IP protocol match this rule.
protocol can be one of the following values:
any. Matches any value in the Protocol field of the IP packet.

Integer. Specifies the protocol by number that must be present for the packet to match the rule.
icmpv4. Specifies that all ICMP v4 packets match this rule.
icmpv6. Specifies that all ICMP v6 packets match this rule.
icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match
this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match
this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.
tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and
remoteport matches this rule.
udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and
remoteport matches this rule.
Multiple entries can be specified for protocol by separating them with a comma.
[interfacetype={any| wireless| lan| ras}]
Specifies that only network packets passing through the indicated interface types match this rule. Using this
parameter allows you to specify different firewall requirements for each of the three main network types. The
value must be one of the following:
any. Network packets passing through any of the interface types match this rule.
wireless. Network packets that pass through a wireless network adapter match this rule.
lan. Network packets that pass through a wired LAN adapter match this rule.
ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection,
match this rule.
[rmtcomputergrp=SDDLString]
Specifies that only network packets that are authenticated as coming from or going to a computer identified
in the list of computer and group accounts are filtered by this rule.
If rmtcomputergrp is specified, then security must be set to either authenticate or authenc.
If action=bypass, then at least one computer or computer group account must be specified in
rmtcomputergrp.
For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries
computer account information.
[rmtusrgrp=SDDLString]
Specifies that only network packets that are authenticated as coming from or going to a user identified in the
list of user and group accounts are filtered by this rule.
If rmtusrgrp is specified, then security must be set to either authenticate or authenc.
For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user
account information.
[edge={yes| deferapp| deferuser| no}]
Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address
Translation (NAT)-enabled router, between the local and remote computer matches this rule. The deferapp
and deferuser options are valid on computers running Windows 7 and Windows Server 2008 R2 only. If set to
deferapp or deferuser, then Windows allows the application or user to programmatically register with the
firewall to receive inbound unsolicited application traffic from the edge device.
This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced
Security MMC snap-in.
[security={authenticate| authenc| authdynenc| authnoencap| notrequired}]
Specifies that only network packets protected with the specified type of IPsec options match this rule.
security can be one of the following values:
authenticate. Network packets that are authenticated by IPsec match this rule. You must create a
separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow
only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.
authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must
create a separate connection security rule to authenticate and encrypt the traffic. This option is the
equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC
snap-in.
authdynenc. Network packets that are authenticated by IPsec match this rule, and if the initial
packet is not already encrypted, then a new quick mode SA is negotiated with the remote host to
encrypt the connection. All succeeding packets are authenticated and encrypted. If the negotiation of a
quick mode encryption SA fails, then the firewall blocks the connection. You must create a separate
connection security rule that requires authentication and encryption to permit negotiation of an
appropriate encrypted SA. This option is the equivalent of the Allow systems to dynamically
negotiate encryption option in the Windows Firewall with Advanced Security MMC snap-in.

Note
This option is valid for inbound firewall rules only.
This option is available only on computers that are running Windows 7 or Windows Server 2008 R2.
Group Policies created with this option are compatible with computers that are running
Windows Vista or later versions of Windows.

authnoencap. Network connections that are authenticated, but not encapsulated by ESP or AH, match
this rule. This option is useful for connections that must be monitored by network equipment, such as
intrusion detection systems (IDS), that is not compatible with ESP NULL-protected network packets.
The initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits
cleartext traffic. To use this option, you must also configure a connection security rule that specifies
authnoencap as a quick mode security method.

Note
This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option
is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall
with Advanced Security MMC snap-in.
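The port, protocol, action, security and edge parameters above carry a number of cross-parameter constraints (rpc needs tcp and in, bypass needs accounts and forbids notrequired, rmtcomputergrp needs authenticate or authenc, edge only inbound, and so on). As an added example (PowerShell, not code from the netsh reference), the following function checks a set of rule parameters against the port/protocol grammar and those constraints before netsh is run, so a mistake is reported as a readable message rather than as a generic netsh error. The function names, the hashtable input form and the two constructed specifications are my own; the teredo-requires-udp and iphttps-requires-tcp checks follow the descriptions of those keywords above and are my reading of them. localip/remoteip syntax is not checked here.

```powershell
# Added example, not from the netsh reference: check a set of rule parameters
# (keys are netsh parameter names, values as you would type them) against the
# port/protocol grammar and the cross-parameter constraints this reference states.

function Test-PortList {
    # any | N | N-M | comma list of those; $Keywords adds rpc, rpcepmap, ... for localport.
    param([string]$Value, [string[]]$Keywords)
    if ($Value -eq 'any') { return $true }
    if ($Value -match '\s') { return $false }
    foreach ($e in ($Value -split ',')) {
        if ($Keywords -contains $e) { continue }
        if ($e -match '^(\d{1,5})(?:-(\d{1,5}))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($hi -le 65535 -and $lo -le $hi) { continue }
        }
        return $false
    }
    return $true
}

function Test-Protocol {
    # any | 0-255 | icmpv4 | icmpv6 | icmpv4:type,code | icmpv6:type,code | tcp | udp
    param([string]$Value)
    if (@('any', 'icmpv4', 'icmpv6', 'tcp', 'udp') -contains $Value) { return $true }
    if ($Value -match '^\d{1,3}$') { return ([int]$Value -le 255) }
    if ($Value -match '^icmpv[46]:(any|\d{1,3}),(any|\d{1,3})$') {
        foreach ($n in $Matches[1], $Matches[2]) { if ($n -ne 'any' -and [int]$n -gt 255) { return $false } }
        return $true
    }
    return $false
}

function Test-NetshFirewallRuleSpec {
    param([Parameter(Mandatory = $true)][hashtable]$Rule)
    $p = @{}
    foreach ($k in $Rule.Keys) { $p[$k.ToLower()] = [string]$Rule[$k] }   # -eq/-contains compare case-insensitively
    $problems = New-Object System.Collections.Generic.List[string]
    $notes = New-Object System.Collections.Generic.List[string]
    function Expect([string]$key, [string[]]$allowed) {
        if ($p[$key] -and $allowed -notcontains $p[$key]) { $problems.Add("$key must be one of: $($allowed -join ', ')") }
    }

    if (-not $p['name']) { $problems.Add('name is required') }
    elseif ($p['name'] -eq 'all') { $problems.Add('name must not be "all" (netsh uses it to select every rule)') }
    Expect 'dir' @('in', 'out')
    Expect 'action' @('allow', 'block', 'bypass')
    Expect 'enable' @('yes', 'no')
    Expect 'interfacetype' @('any', 'wireless', 'lan', 'ras')
    Expect 'edge' @('yes', 'deferapp', 'deferuser', 'no')
    Expect 'security' @('authenticate', 'authenc', 'authdynenc', 'authnoencap', 'notrequired')
    if ($p['profile']) {
        foreach ($e in ($p['profile'] -split ',')) {
            if (@('public', 'private', 'domain', 'any') -notcontains $e) { $problems.Add("profile entry '$e' is invalid (no spaces allowed)") }
        }
    }

    $proto = $p['protocol']
    if ($proto -and -not (Test-Protocol $proto)) { $problems.Add("protocol '$proto' is not a valid protocol value") }
    $lp = $p['localport']; $rp = $p['remoteport']
    if ($lp -and -not (Test-PortList $lp @('rpc', 'rpcepmap', 'teredo', 'iphttps'))) { $problems.Add("localport '$lp' is malformed") }
    if ($rp -and -not (Test-PortList $rp @())) { $problems.Add("remoteport '$rp' is malformed") }
    $portsGiven = ($lp -and $lp -ne 'any') -or ($rp -and $rp -ne 'any')
    if ($portsGiven -and @('tcp', 'udp') -notcontains $proto) { $problems.Add('localport/remoteport apply only when protocol=tcp or protocol=udp') }
    if ("$lp,$rp" -match '\d-\d') { $notes.Add('port ranges can be created or modified by netsh only on Windows 7 / Server 2008 R2') }
    $lpEntries = @($lp -split ',')
    if (($lpEntries -contains 'rpc' -or $lpEntries -contains 'rpcepmap') -and ($proto -ne 'tcp' -or $p['dir'] -ne 'in')) {
        $problems.Add('localport=rpc and localport=rpcepmap require protocol=tcp and dir=in')
    }
    if ($lpEntries -contains 'rpc') { $notes.Add('a companion rule with localport=rpcepmap must also exist') }
    if ($lpEntries -contains 'teredo' -and $proto -ne 'udp') { $problems.Add('localport=teredo matches UDP; set protocol=udp') }
    if ($lpEntries -contains 'iphttps' -and $proto -ne 'tcp') { $problems.Add('localport=iphttps matches TCP; set protocol=tcp') }

    $sec = $p['security']
    if (($p['rmtcomputergrp'] -or $p['rmtusrgrp']) -and @('authenticate', 'authenc') -notcontains $sec) {
        $problems.Add('rmtcomputergrp/rmtusrgrp require security=authenticate or security=authenc')
    }
    if ($p['action'] -eq 'bypass') {
        if ($sec -eq 'notrequired') { $problems.Add('action=bypass cannot be combined with security=notrequired') }
        if ($p['dir'] -eq 'in' -and -not $p['rmtcomputergrp']) { $problems.Add('an inbound action=bypass rule needs at least one account in rmtcomputergrp') }
    }
    if ($sec -eq 'authdynenc' -and $p['dir'] -ne 'in') { $problems.Add('security=authdynenc is valid for inbound rules only') }
    if ($p['edge'] -and $p['dir'] -ne 'in') { $problems.Add('edge is valid only when dir=in') }
    if ($p['edge'] -eq 'yes' -and $p['remoteip'] -eq 'localsubnet') { $problems.Add('edge=yes with remoteip=localsubnet blocks all traffic from beyond the edge device') }

    [pscustomobject]@{ Name = $p['name']; Valid = ($problems.Count -eq 0); Problems = $problems; Notes = $notes }
}

# Constructed specifications, for illustration only (the program path is a placeholder).
$rpcRule = @{ name = 'Example RPC listener'; dir = 'in'; action = 'allow'; protocol = 'tcp'; localport = 'rpc'
              program = 'C:\Program Files\Example\example.exe'; profile = 'domain' }
$badRule = @{ name = 'all'; dir = 'in'; action = 'bypass'; security = 'notrequired'; edge = 'yes'
              remoteip = 'localsubnet'; protocol = 'icmpv4:8,0'; localport = '5000-5020' }
Test-NetshFirewallRuleSpec $rpcRule   # an inbound RPC listener rule
Test-NetshFirewallRuleSpec $badRule   # a reserved name, bypass without accounts, ports on ICMP, edge conflict
```

The Notes list carries the two things netsh cannot tell you from a single command: that a port range needs Windows 7 or Windows Server 2008 R2 to be written by netsh, and that an rpc rule is incomplete without its rpcepmap companion.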

Remarks
Do not modify a firewall rule to use the name all. Doing this creates a conflict with the netsh option to select
all firewall rules (for example, set rule name=all). If multiple rules match the criteria you specify, then all
matching rules are modified with the changes included in the command.
Rules that specify port ranges can be created or modified by using netsh on Windows 7 and Windows
Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista
and Windows Server 2008 by using Group Policy work correctly.
Any parameters that follow the new keyword that you do not include in the command are not modified, and
maintain their previous value.
To see the group assignments for the predefined Windows Firewall rules, look in the Windows Firewall with
Advanced Security MMC snap-in, under the Inbound Rules and Outbound Rules nodes. The Group column
in the Details pane contains the group assignment for each rule. This version of Windows supports group
names only for predefined rules included with Windows Firewall at installation. There is currently no
supported way to create a group or assign your custom rules to a group.
If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection
security rule that authenticates the connection. The authentication protocol used must include identification
of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping
enabled.
Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the
firewall blocking all network traffic from outside the edge device.
For more information about SDDL strings and their format, see "Security Descriptor String Format"
(http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.
One way to find an SDDL string for a computer or group account is to use the Windows Firewall with
Advanced Security MMC snap-in to create a temporary firewall rule. Be sure to disable the rule so that it
cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections
from these computers, and then use the Add button to find the computer or group accounts of interest.
After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename
verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you
are finished.

Examples
The following command changes a rule to match a different remote IP address of a Web server whose traffic is
allowed by a rule:
set rule name="AllowWeb80" new remoteip=192.168.0.2
The following command enables all rules in a predefined group:
set rule group="windows firewall remote management" new enable=yes
The following command changes a rule to require authentication. A separate connection security rule must
exist to perform the authentication:
set rule name="AllowMessenger" new security=authenticate
For more examples of how to use the various parameters that can follow the new keyword, see the firewall
add rule Examples.
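Because every parameter after new replaces the stored value, "adding" one more remote address to an existing rule is a read-merge-write operation: read the rule's current RemoteIP list with show rule, merge, then write the whole list back with set rule. The following PowerShell functions are an added example, not code from the netsh reference. They assume the rule name is unique, that the "RemoteIP:" line printed by show rule lists entries in the same syntax netsh accepts on input (Any, an address, address/bits, start-end), and an elevated prompt on Windows 7 / Windows Server 2008 R2 or later; the function names are my own.

```powershell
# Added example, not from the netsh reference: append remote addresses to a rule
# without losing the ones already stored (set rule ... new replaces the value).

function Get-NetshRuleRemoteIP {
    param([Parameter(Mandatory = $true)][string]$Name)
    $out = & netsh advfirewall firewall show rule "name=$Name"
    if ($LASTEXITCODE -ne 0) { throw "netsh could not read rule '$Name': $($out -join ' ')" }
    # One "Rule Name:" line per matching rule; an inbound and an outbound rule may share a name.
    $count = @($out | Where-Object { $_ -match '^Rule Name:' }).Count
    if ($count -ne 1) { throw "expected exactly one rule named '$Name', found $count" }
    $line = @($out | Where-Object { $_ -match '^RemoteIP:' })[0]
    if (-not ($line -match '^RemoteIP:\s*(.+?)\s*$')) { throw "no RemoteIP line in the output for '$Name'" }
    return $Matches[1]
}

function Add-NetshRuleRemoteIP {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string[]]$Address   # entries in netsh syntax, e.g. 192.168.0.3 or 10.2.0.0/16
    )
    $current = Get-NetshRuleRemoteIP -Name $Name
    if ($current -eq 'Any') {
        # remoteip=any already matches every peer; writing a list would narrow the rule,
        # which is not what "append" means, so refuse instead of silently changing its scope.
        throw "rule '$Name' currently matches any remote address; set an explicit list first"
    }
    $merged = @(@($current -split ',') + $Address | Select-Object -Unique)
    # A comma inside a string element reaches netsh as one argument; only a bare comma
    # typed on the command line is split by PowerShell's parser.
    $netshArgs = @('advfirewall', 'firewall', 'set', 'rule', "name=$Name", 'new', "remoteip=$($merged -join ',')")
    $result = & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "set rule failed: $($result -join ' ')" }
    return $merged
}

# Usage (changes firewall state, so run deliberately):
# Add-NetshRuleRemoteIP -Name 'Allow Web 80' -Address '192.168.0.3'
```

The refusal on a rule whose RemoteIP is Any is the practitioner caveat here: appending to "any" is not an append at all but a narrowing of the rule, and a script that silently did it would change the rule's scope without anyone noticing.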

show
In the netsh advfirewall firewall context, the show command only has one variation, the Show Rule command.

show rule
Displays an existing firewall rule.

Syntax
show rule
name={all| RuleName}
[profile={public| private| domain| any} [,...]]
[type={dynamic| static}]
[verbose]

Parameters
name={all| RuleName}
Required. Specifies the rule name assigned to the rule that you want to display. If name=all, then all rules that
match the other criteria are displayed.
If name=all, and no other parameters are included, then all rules are displayed.
[profile={public| private| domain| any| [,...]}]
Specifies that only matching rules that are assigned to the indicated profile are displayed. If you specify a comma
separated list, then only rules that contain the exact same list are displayed.
[type={dynamic| static}]
Specifies that you only want those rules of the selected type displayed.
Type can be one of the following values:
Dynamic. Displays the rules currently active on your local computer.
Static. Displays rules defined in the current store, as defined by the set store command.
If type is not specified, then both types of rules are displayed.
[verbose]
Specifies that you want additional details for each rule displayed.

Examples
The following command displays all currently defined firewall rules:
show rule name=all
The following command displays all firewall rules that are for the domain profile:
show rule name=all profile=domain
This command does not show rules where profile=domain,public or profile=domain,private. It only shows
rules that have the single entry domain included in the rule.
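The exact-list matching just described means show rule cannot answer "which rules are active in the domain profile at all". As an added example (PowerShell 3.0 or later, not code from the netsh reference), the parser below turns the text that show rule name=all prints into objects, then filters on the profile list itself and, as a quick exposure review, lists enabled inbound allow rules that accept any remote address. The sample output is constructed for offline use in the field layout show rule prints (Rule Name, Enabled, Direction, Profiles, RemoteIP, Action, and so on); the function name and the two rule names in the sample are my own.

```powershell
# Added example, not from the netsh reference: parse "show rule" text into objects
# and filter in ways netsh's own parameters cannot.

function ConvertFrom-NetshRuleOutput {
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s*(.*?)\s*$') {
            if ($current) { $rules += [pscustomobject]$current }
            $current = [ordered]@{ RuleName = $Matches[1] }
        } elseif ($current -and $line -match '^([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$') {
            $current[($Matches[1] -replace ' ', '')] = $Matches[2]   # "Edge traversal" -> EdgeTraversal
        }
        # the dashed separator and blank lines match neither pattern and are skipped
    }
    if ($current) { $rules += [pscustomobject]$current }
    return $rules
}

# Constructed sample in the layout "netsh advfirewall firewall show rule name=all" prints.
$sample = @'
Rule Name:                            Allow Web 80
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:
LocalIP:                              Any
RemoteIP:                             192.168.0.2
Protocol:                             TCP
LocalPort:                            80
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Example Admin Tool (in)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            8443
RemotePort:                           Any
Edge traversal:                       Yes
Action:                               Allow
'@

$rules = ConvertFrom-NetshRuleOutput ($sample -split "`r?`n")

# Rules whose profile list contains Domain, not only those whose list is exactly "Domain".
$inDomain = $rules | Where-Object { @($_.Profiles -split ',') -contains 'Domain' }

# Review list: enabled, inbound, allow, open to any remote address.
$broad = $rules | Where-Object {
    $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and $_.RemoteIP -eq 'Any'
}
$inDomain | Select-Object RuleName, Profiles
$broad | Select-Object RuleName, LocalPort, EdgeTraversal

# Live data instead of the sample:
# $rules = ConvertFrom-NetshRuleOutput (netsh advfirewall firewall show rule name=all)
```

Field names become property names with spaces removed, so the same filter works whether the output came from the sample or from the live command; adding verbose to the live command only adds more fields to each object.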

Community Additions

Protocol=integer
Hopefully you got your answer by now.

TCP = 6

UDP = 17

More info here:

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
slomike1
11/14/2015

Set New
I feel that the set rule new is not really a modify but rather a replace as it overwrites the previous values for the value after keyword
new. I would much prefer an actual modify whereas it appends to the existing values.
Josh.Squires
1/11/2014

please explain "Protocol= (integer)"


The page indicates the value of protocol may be 0 through 255, with no further explanation.

As an example, when one uses the windows firewall control panel to add an application exception for Microsoft SQL Server's
'sqlservr.exe', the rule that gets added to the registry includes two different 'integer' values for protocol: 6 and 17.

I know that in fact the main protocol is TCP, so obviously that corresponds to either 6 or 17. For sake of argument, if 6 = TCP, what the
heck does 17 mean?

In addition, I've seen a number of web pages that indicate running netsh advfirewall firewall... will often result in registry keys that lack
an all-important value 'EmbedCtxt'. Can you please explain the relevance of this field, and what parameter in netsh is used to add that
field into the registry?

thank you kindly for your insights to these questions.

sincerely,

greg aiken
greg aiken
9/26/2013

Omission - a list of values for remoteip can only be added by putting them in quotes in powershell
There is an omission in the section for remoteip and it may affect other variables that can accept a list of values
"You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces."
If you try to add multiple subnets for remote IP with this command:

netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip=10.1.0.0/16,192.168.1.0/24

You will receive the error

A specified value is not valid.

If you put quote marks around the list items, it will work:

PS C:\Users\Administrator> netsh advfirewall firewall set rule name="Windows Backup (RPC)" dir=in new remoteip="10.1.0.0/16,192.168.1.0/24"
Updated 1 rule(s).
Ok.
PS C:\Users\Administrator>
ridicully
5/3/2012
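The error in the comment above is a PowerShell parsing effect, not a netsh limitation: typed at a PowerShell prompt, a bare comma splits the argument into two before netsh ever sees it, whereas at a cmd.exe prompt the same line works unchanged. The following is an added example (PowerShell), not part of the reference or of the comment, that makes the difference visible without touching the firewall: cmd.exe's echo stands in for netsh and prints exactly the argument list it received, once with the bare comma, then with the two remedies (quoting, and the --% stop-parsing token available from PowerShell 3.0), followed by the argument-array form a script would use. The rule name is the one from the comment; run the final netsh line only on a computer that has that rule.

```powershell
# Added example, not from the netsh reference or the comment above. cmd.exe's echo
# stands in for netsh so nothing on the machine changes.

# 1. Bare comma: PowerShell's parser treats "a,b" as an array and passes two
#    arguments, so netsh would receive remoteip=10.1.0.0/16 and a stray
#    192.168.1.0/24 and reject the second as "A specified value is not valid."
cmd.exe /c echo remoteip=10.1.0.0/16,192.168.1.0/24

# 2. Quote the value so the comma travels inside one string argument.
cmd.exe /c echo "remoteip=10.1.0.0/16,192.168.1.0/24"

# 3. Stop-parsing token (PowerShell 3.0 and later): everything after --% is passed
#    to the program verbatim, so a line copied from a cmd.exe session works unchanged.
cmd.exe /c --% echo remoteip=10.1.0.0/16,192.168.1.0/24

# 4. In a script, build the argument list as strings: a comma inside a string
#    element is never re-parsed, and PowerShell quotes the element that contains
#    spaces (the rule name) for you.
$netshArgs = @('advfirewall', 'firewall', 'set', 'rule', 'name=Windows Backup (RPC)',
               'dir=in', 'new', 'remoteip=10.1.0.0/16,192.168.1.0/24')
# & netsh @netshArgs   # run from an elevated prompt on a computer that has that rule
```

Call 1 echoes the two fragments separated by a space; calls 2 and 3 echo the list with its comma intact, which is what netsh needs to see for any list-valued parameter (remoteip, localip, localport, remoteport, profile).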
