In general, the MMC-based Windows Firewall with Advanced Security is a powerful tool for managing existing rules and creating new ones. It also offers a few predefined filters that help you get a better overview of the large number of rules. On the other hand, netsh.exe suffers from its unintuitive syntax.
Filtering rules with Get-NetFirewallRule
PowerShell offers more flexible filters than the GUI and is easier to use than netsh.exe. The most important cmdlet for the analysis of existing rules is the Get-NetFirewallRule cmdlet. If you run it without parameters, you will receive a list of all rules with some of their properties.
For example, if you want to find out if the firewall blocks communication with a remote computer, you'll want to limit the output to those rules that could cause the problem.
For this purpose, a couple of parameters allow you to filter the list according to the most important properties, such as rule name and group name (Name, DisplayName, Group, DisplayGroup):
Get-NetFirewallRule -DisplayGroup Remote*
The wildcard "*" ensures that all group names that start with "Remote" are in the list, e.g. Remote Management and Remote Desktop.
Inbound/outbound and allow/block
Other important parameters are Action, Enabled, and Direction. Action accepts the values Allow and Block, Direction supports Inbound and Outbound, and Enabled expects True or False.
Get-NetFirewallRule -Action Block -Enabled True -Direction Inbound
This command displays all inbound rules that are enabled and block the corresponding connection.
The next example will refine the filter even further and limit the output to rule groups starting with "Network":
Get-NetFirewallRule -Action Allow -Enabled False -Direction Inbound -DisplayGroup Network* | select DisplayName, DisplayGroup
Displaying programs in rules
In most cases, the information you receive this way is insufficient because you don't see which programs the rules apply to. If the rule name or description doesn't contain a hint, you can pipe the output of Get-NetFirewallRule to Get-NetFirewallApplicationFilter to display more details:
Get-NetFirewallRule -Action Block -Enabled True | %{$_.Name; $_ | Get-NetFirewallApplicationFilter}
Distinguishing network profiles
An important feature of the Windows Firewall is its ability to distinguish between network profiles (Private, Public, and Domain). For instance, if you want to find the rules in a domain environment that block a certain application, you can ignore all rules that apply only to the "Private" and "Public" profiles.
Theoretically, you could define a filter using Where-Object that examines the Profile property. However, this method is a bit cumbersome because the property will have the value Any if a rule is enabled for all profiles. Using Get-NetFirewallProfile is more straightforward here:
Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | ? DisplayName -like File*
This command shows you all rules for the Domain profile whose DisplayName begins with "File". You will get the default properties output by Get-NetFirewallRule.
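The following function is an added example, not code from the original article: it combines the profile filter, the Action/Enabled/Direction parameters, and the application and port filters described above into one report of enabled inbound block rules that are effective in the Domain profile. The function name and its DisplayName parameter are assumptions; the profile check accepts both "Domain" and "Any", because a rule enabled for all profiles reports Any rather than Domain.

```powershell
# Added example (not from the original article). Reports enabled inbound block
# rules that apply to the Domain profile, including rules whose Profile is "Any",
# and resolves the program, protocol, and local ports each rule covers.
function Get-DomainBlockRuleReport {
    [CmdletBinding()]
    param(
        # Wildcard pattern matched against DisplayName, e.g. 'File*' (assumed parameter)
        [string]$DisplayName = '*'
    )

    Get-NetFirewallRule -Action Block -Enabled True -Direction Inbound |
        Where-Object {
            $_.DisplayName -like $DisplayName -and
            # Profile is a flags value such as "Domain, Private"; "Any" covers all profiles
            ($_.Profile -match 'Domain' -or $_.Profile -eq 'Any')
        } |
        ForEach-Object {
            $rule = $_
            # Both filter cmdlets accept the rule object from the pipeline
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            [PSCustomObject]@{
                Name         = $rule.Name
                DisplayName  = $rule.DisplayName
                DisplayGroup = $rule.DisplayGroup
                Profile      = $rule.Profile
                Program      = $app.Program        # "Any" when the rule is not program-specific
                Protocol     = $port.Protocol
                LocalPort    = ($port.LocalPort -join ',')
            }
        }
}

# Usage: review the report before touching any rule; the same filter parameters
# can then be handed to Disable-NetFirewallRule together with -WhatIf.
Get-DomainBlockRuleReport -DisplayName 'File*' | Format-Table -AutoSize
```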
Disabling, enabling, and deleting rules
If you want to disable rules because they block a required connection, the Disable-NetFirewallRule cmdlet is what you need. In most cases, you will pass the name of a single rule you want to disable. Alternatively, with the help of the Action, Enabled, and Direction parameters, you can filter the rules you want to deactivate:
Disable-NetFirewallRule -Action Block -Enabled True -Direction Inbound
Because such a command can have undesirable side effects, I recommend that you first execute it with the additional -WhatIf parameter. This will give you an overview of the affected rules without changing anything.
The Disable-NetFirewallRule cmdlet only disables firewall rules and doesn't change their configuration. If needed, you can enable these rules again with its counterpart Enable-NetFirewallRule.
By contrast, Remove-NetFirewallRule deletes rules, and you have to recreate them if you need them again. All three cmdlets support the same filter parameters as Get-NetFirewallRule to select the rules to operate on.
What PS command would you use to allow only IPs in "myfile.txt" and block/deny all others inbound and/or outbound? Thanks
Something like this, you need to modify it according to your needs.
In general, you don't need to explicitly block traffic. If there is no rule, the traffic is not allowed.