Microsoft Windows [Version 6.0.6001] (C) Copyright 2006 Microsoft Corp. c:\windows>netsh advfirewall firewall add rule ?
Usage: add rule name=
dir=in|out
action=allow|block|bypass
[program=][service=|any][description=][enable=yes|no (default=yes)][profile=public|private|domain|any[,...]][localip=any|||||][remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|||||][localport=0-65535|RPC|RPC-EPMap|any[,...] (default=any)][remoteport=0-65535|any[,...] (default=any)][protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)][interfacetype=wireless|lan|ras|any][rmtcomputergrp=][rmtusrgrp=][edge=yes|no (default=no)][security=authenticate|authenc|notrequired (default=notrequired)]
Remarks:
- Add a new inbound or outbound rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate or authenc.
- If action=bypass, the remote computer group must be specified.
- Action=bypass is only valid for rules with dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
Examples:
Add an inbound rule for messenger.exe:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\programfiles\messenger\msmsgs.exe"
action=allow
Add an outbound rule for port 80:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block
Add an inbound rule for messenger.exe and require security
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\program files\messenger\msmsgs.exe"
security=authenticate action=allow
Add an authenticated firewall bypass rule for group
acmedomain\scanners identified by a SDDL string:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp= action=bypass
security=authenticate
