Add Windows 2008 Firewall rule with CLI

For security reasons it is wise to keep your Windows firewall turned on. Even internal networks are not free of hack attempts. So to make sure the installed programs are functioning with the firewall turned on, you have to do your research on the communications that will occure between server and client (or other servers).
With an interest in automated installations, scripted installations and other unattended installations, I was looking for a commandline interface that would allow me to script the creation of the neccessary Windows Firewall rules for my applications.

 

For a list of known TCP and UDP IP ports you can easily check wikipedia or The Internet Assigned Numbers Authority (IANA).
 

 

This post is my own personal mental note for creating Windows Firewall rules with the NETSH commandline interface.

 

Basic Windows Firewall rule settings.

In order to configure your Windows Firewall, you need to know at least some basic information about the network traffic you want to allow. Not all programs that are installed on your server will automatically config the Windows Firewall. So your first action is to determine whether or not your application uses specified port numbers and/or protocols for your network communications. For instance, the Microsoft SQL Server requires an additional rule for your Windows Firewall to allow TCP/IP connections. A new rule to allow inbound TCP traffic on port 1433 needs to be added.

 

Using the netsh commandline interface

The netsh.exe CLI can be used to add rules to the Windows Firewall, allowing you to config your Firewall to allow specified network traffic or allow the network communications for specified programs.

* Adding a single protocol/port firewall rule:

%WINDIR%\system32\netsh.exe advfirewall firewall add rule name="[rule-name]" dir=[rule-direction] action=[rule-action] protocol=[rule-protocol] localport=[rule-port]

 
Which uses the following additional syntax:

  • rule-name: A distinctive name to recognize the firewall rule.
  • rule-direction: The direction of the network traffic (in or out for inbound or outbound network traffic).
  • rule-action: The action to perform for this rule (allow or deny).
  • rule-protocol: The network protocol this rule applies to (most common are tcp or udp for the TCP or UDP protocol).
  • rule-port: The specified port number for the Firewall rule.

 

 

Esther Barthel
Senior Consultant at PepperByte

Esther has been working in different roles and functions as an IT consultant ever since she finished her Masters degree in Computer Science in 1997. She has worked as a web developer, database administrator, and server administrator until she discovered how Server-Based Computing ( SBC ) combined servers, desktops, and user experience in one solution. Esther has been specializing in virtualization solutions such as SBC, VDI, application, and server virtualization for over eight years now and is currently working as a Senior Consultant at PepperByte, where she designs and implements Citrix® solutions for both small-business and large-enterprise infrastructures scaling from 100 to 15,000 users.
In january 2014 her first book Citrix XenApp 6.5 Expert Cookbook was published by Packt Publishing.

Esther is awarded as a Citrix Technology Professional (CTP) from 2015 - 2017.
Esther is awarded as a Microsoft Most Valuable Professional (MVP) in 2017.

Esther is a Citrix Certified Expert – Virtualization (CCE-V), Citrix Certified Professional – Mobility (CCP-M), Citrix Certified Professional – Networking (CCP-N) and RES Software Certified Professional (RCP).

One thought on “Add Windows 2008 Firewall rule with CLI

  1. Pingback: DAVID L JOHNSON