Netsh Commands for Windows Firewall
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings.
Important
The firewall context of the netsh command-line tool is provided only for backwards-compatibility with earlier versions of Windows. The firewall context works on computers that are running Windows® 7, Windows Server® 2008 R2, Windows Vista®, and Windows Server® 2008, but it does not allow you to manage or interact with any of the firewall features that are new to those newer versions of Windows. This context does not allow you to work remotely on a computer to directly configure its firewall.
We recommend that you instead use the advfirewall context unless you are using this tool in a mixed environment and must maintain backwards-compatibility with earlier versions of Windows. To use the new firewall features that are included with Windows Vista and later versions of Windows, you must use the advfirewall context instead. For more information, see Netsh Commands for Windows Firewall with Advanced Security.
We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista and later versions of Windows, standard maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.
Starting with Windows 7 and Windows Server 2008 R2, if you run any command in the firewall context, the command still works, but is accompanied by the message:
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at https://go.microsoft.com/fwlink/?linkid=121488.
Important
To use the netsh firewall commands remotely on another computer by using the netsh –r parameter, the Remote Registry service must be running on the remote computer. If it is not, then Windows displays a “Network Path Not Found” error message.
You can run these commands from within the netsh tool at the netsh firewall> prompt.
For these commands to work at a standard Windows command prompt, you must preface each command with netsh firewall, followed by the specific command and parameters as they appear in the syntax below.
Note
If User Account Control is enabled on your computer and you want to run any netsh firewall command that changes the firewall configuration, you must run the command from a command prompt that was started with the Run as administrator option. If you try to change the firewall state without having administrator permissions available to the command-line tool, it fails with the message "The requested operation requires elevation."
For more information about netsh, see Netsh Overview and Enter a Netsh Context.
Netsh firewall
The following sections describe each command and its syntax.
add allowedprogram
set allowedprogram
delete allowedprogram
set icmpsetting
set multicastbroadcastresponse
set notifications
set logging
set opmode
add portopening
set portopening
delete portopening
set service
show commands
reset
Note
In earlier versions of Windows, many of these command accepted a parameter called interface. This parameter is not supported in the firewall context in Windows Vista or later versions of Windows.
add allowedprogram
Adds a program-based exception to the firewall.
Syntax
add allowedprogram [ program = ] PathAndFileName [ name = ] ProgramName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
- [ program = ] PathAndFileName
Required. The path and file name of the program to be added to the firewall exception list. If the path or file name includes spaces, then you must use quotation marks around the path and file name.
- [ name = ] ProgramName
Required. Friendly name of the program to be added to the list. This value is displayed in the Firewall control panel exception list.
- [ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
- [ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:An IPv4 or IPv6 address. For example, 192.168.0.15.
An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The firewall profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,21AB:0000:0000:CD30::/60,localsubnet
set allowedprogram
Modifies the settings of an existing program-based exception.
Syntax
set allowedprogram [ program = ] PathAndFileName [ [ name = ] ProgramName ] ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
- [ program = ] PathAndFileName ]
Required. The path and file name of the program whose exception you want to modify. If the path or file name includes spaces, then you must use quotation marks around the path and file name.
- [ [ name = ] ProgramName ]
Friendly name of the program to be added to the list. This value is displayed in the Firewall control panel exception list.
- [ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
- [ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:An IPv4 or IPv6 address. For example, 192.168.0.15.
An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
You must specify at least one parameter other than program.
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete allowedprogram
Deletes an existing program-based exception.
Syntax
delete allowedprogram [ program = ] PathAndFileName [ [ profile = ] { current | domain | standard | all } ]
Parameters
- [ program = ] PathAndFileName
Required. The path and file name of the program to be deleted from the firewall exception list.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe profile=all
set icmpsetting
Specifies the types of ICMP traffic that are permitted through the firewall.
Syntax
set icmpsetting [ type = ] { 2-5 | 8-9 | 11-13 | 17 | all } [ [ mode = ] { enable | disable} ] [ [ profile= ] { current | domain | standard | all } ]
Parameters
[ type = ] { 2-5** | 8-9 | 11-13 | 17 | all }**
Required. The type of ICMP traffic to allow. The value must be one of the following ICMP message types:2 - Outbound packet too big.
3 - Outbound destination unreachable.
4 - Outbound source quench.
5 - Redirect.
8 - Inbound echo request (ping).
9 - Inbound router request.
11 - Outbound time exceeded.
12 - Outbound parameter problem.
13 - Inbound timestamp request.
17 - Inbound mask request.
all - All of the above types.
- [ [ mode = ] { enable | disable} ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set icmpsetting 8 enable all
set icmpsetting type=all mode=disable
set multicastbroadcastresponse
Specifies whether or not responses to a multicast or broadcast request are allowed through the firewall.
Syntax
set multicastbroadcastresponse [ mode = ] { enable | disable} [ [ profile= ] { current | domain | standard | all } ]
Parameters
- [ mode = ] { enable | disable}
Required. Specifies whether to enable or disable responses to multicast or broadcast traffic. The default value is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.current specifies that the command applies to the profile that is currently active on the computer.
domain specifies that the command applies only to the domain profile.
standard specifies that the command applies only to the private profile.
all specifies that the command applies to all profiles except the private profile.
The default value is current.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set multicastbroadcastresponse enable
set multicastbroadcastresponse mode=enable profile=all
set notifications
Specifies whether the firewall displays a pop-up notification to the user when a program attempts to listen on a port.
Syntax
set notifications [ mode = ] { enable | disable} [ [ profile= ] { current | domain | standard | all } ]
Parameters
- [ mode = ] { enable | disable}
Required. Specifies whether to enable or disable responses to multicast or broadcast traffic.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.current specifies that the command applies to the profile that is currently active on the computer.
domain specifies that the command applies only to the domain profile.
standard specifies that the command applies only to the private profile.
all specifies that the command applies to all profiles except the private profile.
The default value is current.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set notifications enable
set notifications disable
set notifications mode=enable profile=current
set logging
Specifies whether the firewall writes information to a log file, and what details are included. This command only affects the currently active profile.
Syntax
set logging [ [ filelocation = ] PathAndFileName ] [ [ maxfilesize = ] Integer ] [ [ droppedpackets = ] { enable | disable } ] [ [ connections = ] { enable | disable } ]
Parameters
- [ [ filelocation = ] PathAndFileName ]
Specifies the path and file name of the file to which the firewall writes its log. The default value is %windir%\pfirewall.log.
- [ [ maxfilesize = ] Integer ]
Specifies the maximum file size in kilobytes. Must be an integer value from 1 to 32767. The default value is 4096.
- [ [ droppedpackets = ] { enable | disable } ]
Specifies whether to include an entry for each packet dropped by the firewall. The default value is disable.
- [ [ connections = ] { enable | disable } ] ]
Specifies whether to include an entry for each successful connection. The default value is disable.
Remarks
- At least one parameter must be specified.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set logging enable enable
set logging 4096 enable disable
set logging c:\mylogs\mylog.log 4096 enable enable
set opmode
Specifies the operating mode of Windows Firewall.
Syntax
set opmode [ mode = ] { enable | disable } [ [ exceptions = ] { enable | disable } ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
- [ mode = ] { enable | disable}
Required. Specifies whether to turn the firewall on or off.
- [ [ exceptions = ] { enable | disable } ]
Specifies whether the firewall uses any currently defined port and program exceptions that are enabled. If exceptions=disable, then all enabled port and program exceptions are ignored. Default is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set opmode enable
set opmode mode=enable exceptions=enable
add portopening
Creates a port-based exception.
Syntax
add portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ name = ] ExceptionName [ [ mode = ] { enable | disable } ] [ [ scope = ] all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] current | domain | standard | all } ]
Parameters
- [ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
- [ port = ] Integer
Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.
- [ name = ] ExceptionName
Required. Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.
- [ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
- [ scope = ] { all | subnet | custom }
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.
[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:An IPv4 or IPv6 address. For example, 192.168.0.15.
An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ profile = ] { current | domain | standard | all }
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add portopening tcp 80 MyWebPort
add portopening udp 500 "IKE Exception" enable all
add portopening all 53 DNS enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set portopening
Modifies the settings of an existing port-based exception.
Syntax
set portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ name = ] ExceptionName ] ] [ [ mode = ] { enable | disable } ] [ [ scope = ] all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] current | domain | standard | all } ]
Parameters
- [ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
- [ port = ] Integer
Required. Specifies the port number of the exception to be modified. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.
- [ [ name = ] ExceptionName ]
Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.
- [ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
- [ scope = ] { all | subnet | custom }
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:An IPv4 or IPv6 address. For example, 192.168.0.15.
An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ profile = ] { current | domain | standard | all }
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
Remarks
You must specify at least one parameter other than port and protocol.
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set portopening tcp 80 "My Web Port"
set portopening udp 500 "IKE Exception" enable all
set portopening all 53 "DNS Exception" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete portopening
Deletes an existing port-based exception.
Syntax
delete portopening
[ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ profile = ] current | domain | standard | all } ]
Parameters
- [ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
- [ port = ] Integer
Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535.
[ profile = ] { current | domain | standard | all }
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.current specifies that the command applies to the profile that is currently active on the computer.
domain specifies that the command applies only to the domain profile.
standard specifies that the command applies only to the private profile.
all specifies that the command applies to all profiles except the private profile.
The default value is current.
Remarks
- To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete portopening tcp 80
delete portopening protocol=all port=25
set service
Enables or disables the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax
set service [ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all } [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all }
Required. Specifies the service whose pre-defined rules are enabled or disabled. The value must be one of the following:fileandprint. The file and printer sharing service.
remoteadmin. The ability to remotely administer a computer running Windows.
remotedesktop. The ability to use a Terminal Services client such as Remote Desktop.
upnp. Universal Plug-and-Play protocol for networked devices.
all. All of the above services.
- [ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
- [ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:An IPv4 or IPv6 address. For example, 192.168.0.15.
An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.- current specifies that the command applies to the profile that is currently active on the computer.
Note
On Windows 7 and Windows Server 2008 R2, this option applies to all profiles that are currently active on the computer.
- **domain** specifies that the command applies only to the domain profile.
- **standard** specifies that the command applies only to the private profile.
- **all** specifies that the command applies to all profiles except the private profile.
The default value is **current**.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set service fileandprint
set service remoteadmin enable subnet
set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
show commands
The following show commands are used to display the current configuration:
Note
The show command cannot be used to see the list of exceptions for the public profile, even if the public profile is the current profile. To see the list of exceptions for the public profile, use the Windows Firewall with Advanced Security MMC snap-in, and use the Filter by Profile option in the Actions pane.
show allowedprogram [ [ verbose = ] { enable | disable } ]
Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.
show config [ [ verbose = ] { enable | disable } ]
Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use parameter verbose=enable to see additional details.
show currentprofile
Displays the current profile in use for the network location type.
Note
If the current profile is the public profile, then this command shows the standard profile.
show icmpsetting [ [ verbose = ] { enable | disable } ]
Displays the ICMP settings. Use parameter verbose=enable to see additional details.
show logging
Displays the current logging settings.
Note
If the current profile is the public profile, then this command shows the standard profile.
show multicastbroadcastresponse
Displays multicast/broadcast response settings for each profile.
show notifications
Displays whether the firewall displays pop-up notifications for each profile.
show opmode
Displays the operational mode for the firewall for each profile.
show portopening
Displays the current list of port exceptions for each profile. Use parameter verbose=enable to see additional details.
show service
Displays the service configuration for each profile. Use parameter verbose=enable to see additional details.
show state
Displays the current state information for the firewall. Use parameter verbose=enable to see additional details.
reset
Resets the configuration of Windows Firewall to default settings. All manually configured changes are lost. There are no parameters for the reset command.