对比:
Example 1: Enable a program
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
Example 2: Enable a port
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Example 3: Delete enabled programs or ports
netsh advfirewall firewall delete rule name=rule nameprogram="C:\MyApp\MyApp.exe
netsh advfirewall firewall delete rule name=rule nameprotocol=udp localport=500
Example 4: Configure ICMP settings
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block
Example 5: Set logging
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable
netsh advfirewall set currentprofile logging allowedconnections enable
Example 6: Enable Windows Firewall
netsh advfirewall set currentprofile state on
netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
Domainprofile
Privateprofile
Publicprofile
Example 7: Restore policy defaults
netsh advfirewall reset
Example 8: Enable specific services
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
// ===============================================================
恢复到默认设置
Netsh advfirewall reset
导出防火墙配置
netsh advfirewall export “c:\advfirewall.wfw”
导入防火墙配置
Netsh advfirewall import “c:\advfirewall.wfw”
增加一个针对messenger.exe的入站规则
netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe” action=allow
删除针对本地21端口的所有入站规则:
netsh advfirewall firewall delete name rule name=all protocol=tcp localport=21
让防火墙关闭所有配置文件:
netsh advfirewall set allprofiles state off
在所有配置文件中设置默认阻挡入站并允许出站通信:
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
在所有配置文件中打开远程管理:
netsh advfirewall set allprofiles settings remotemanagement enable
在所有配置文件中记录被断开的连接:
netsh advfirewall set allprofiles logging droppedconnections enable
(1)启用桌面防火墙
netsh advfirewall set allprofiles state on
(2)设置默认输入和输出策略
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
以上是设置为允许,如果设置为拒绝使用blockinbound,blockoutbound
(3)关闭tcp协议的139端口
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
(4)关闭udp协议的139端口
netsh advfirewall firewall add rule name="deny udp 139" dir=in protocol=udp localport=139 action=block
(5)关闭tcp协议的445端口
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
(6)关闭udp协议的445端口
netsh advfirewall firewall add rule name="deny udp 445" dir=in protocol=udp localport=445 action=block
(7)使用相同的方法,依次关闭TCP协议的21、22、23、137、138、3389、5800、5900端口。
netsh advfirewall firewall add rule name= "deny tcp 21" dir=in protocol=tcp localport=21 action=block
netsh advfirewall firewall add rule name= "deny tcp 22" dir=in protocol=tcp localport=22 action=block
netsh advfirewall firewall add rule name= "deny tcp 23" dir=in protocol=tcp localport=23 action=block
netsh advfirewall firewall add rule name= "deny tcp 3389" dir=in protocol=tcp localport=3389 action=block
netsh advfirewall firewall add rule name= "deny tcp 5800" dir=in protocol=tcp localport=5800 action=block
netsh advfirewall firewall add rule name= "deny tcp 5900" dir=in protocol=tcp localport=5900 action=block
netsh advfirewall firewall add rule name= "deny tcp 137" dir=in protocol=tcp localport=137 action=block
netsh advfirewall firewall add rule name= "deny tcp 138" dir=in protocol=tcp localport=138 action=block
(8)执行完毕后暂停
pause
echo 按任意键退出
恢复初始配置
(1)恢复初始防火墙设置
netsh advfirewall reset
(2)关闭防火墙
netsh advfirewall set allprofiles state off
netsh advfirewall