There may come a time when you need to write a script or remotely connect to the terminal and run a command to enable or disable the Windows firewall. For most IT environments, using Group Policy is the easiest way to configure the Windows Firewall on client computers.
It’s also the easiest way to add port exceptions for services such as HTTP, file sharing, software applications, and more. However, it’s also good to know how to configure the Windows Firewall from the command prompt just in case you have computers and servers not in Active Directory.
First, to see whether the Windows Firewall is enabled on a server or computer, type this command at the command prompt:
netsh firewall show opmode
You should get something similar to what is below:
Depending on how many network adapters you have installed on your computer, you’ll see three or more listings. Operational Mode means if the Firewall is turned on or off. Exception mode is if exceptions are allowed or not. Enable means on.
To enable the Firewall in Windows, simply run this command:
netsh firewall set opmode enable
Pretty simply eh? Now what if you want to add a port exception (open a port) to the Firewall using the command line? That’s simple too!
Let’s say you wan to open port 3389, which is for remote desktop in Windows. You would simply run this command:
netsh firewall add portopening TCP 3389 RDP enable subnet
The way the command works is by using the netsh firewall add portopening command, following by the protocol (TCP, UDP), followed by the actual port number, followed by a name (anything you want) and then the enable subnet command.
If you were to run this command then go view the exceptions in Windows Firewall, you would see that the item is now checked:
Pretty neat eh!? This is also useful for any headless Windows 2008 Server Core machines that you can only access via the command prompt. Enjoy!