Windows Firewall: Modify

Enable/Disable Firewall

netsh firewall reset

Completely removes/resets firewall settings.

netsh firewall set opmode enable

Enables Windows Firewall.

netsh firewall set opmode disable

Disables Windows Firewall.

netsh advfirewall set allprofiles state off

Toggles firewall off for all profiles.

netsh advfirewall set currentprofile state off

Toggles firewall off for the current profile.

Set-NetFirewallProfile -Profile Domain -Enabled True

Enables the firewall for the specified profile (several profiles can be set at once: -Profile Domain,Private,Public).

netsh advfirewall set privateprofile state on

Toggles firewall on for the specified profile.

Logging

Log dropped connections on all profiles:

netsh advfirewall set allprofiles logging droppedconnections enable

Log dropped packets and connections:

netsh firewall set logging droppedpackets=enable connections=enable

Set current profile log's max size:

netsh advfirewall set currentprofile logging maxfilesize 1024
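The netsh commands above change profile state and drop logging one setting at a time; the following added example (not from ShellSpells) audits the same settings on every profile with the NetSecurity cmdlets and flags the ones a reviewer would want changed. It assumes Windows 8 / Server 2012 or later and an elevated shell; the 1024 KB log threshold is a constructed value.

```powershell
# Added example: audit firewall state and dropped-connection logging per profile.
# Uses the NetSecurity module (Get-/Set-NetFirewallProfile), which covers the same
# settings as "netsh advfirewall set <profile> state ..." and "... logging ...".
function Get-FirewallProfileAudit {
    foreach ($p in Get-NetFirewallProfile) {
        $findings = @()
        if ($p.Enabled -ne 'True')               { $findings += 'firewall disabled' }
        if ($p.LogBlocked -ne 'True')            { $findings += 'dropped connections not logged' }
        if ($p.DefaultInboundAction -eq 'Allow') { $findings += 'default inbound action is Allow' }
        if ($p.LogMaxSizeKilobytes -lt 1024)     { $findings += "log capped at $($p.LogMaxSizeKilobytes) KB" }  # constructed threshold

        [pscustomobject]@{
            Profile    = $p.Name
            Enabled    = $p.Enabled
            DefaultIn  = $p.DefaultInboundAction
            LogBlocked = $p.LogBlocked
            LogFile    = $p.LogFileName
            LogMaxKB   = $p.LogMaxSizeKilobytes
            Findings   = ($findings -join '; ')
        }
    }
}

# Remediation for the logging finding: same effect as
# "netsh advfirewall set allprofiles logging droppedconnections enable"
# plus a larger maximum log size so dropped entries are not rotated away quickly.
function Enable-DroppedConnectionLogging {
    param([int]$MaxSizeKB = 4096)   # constructed default
    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes $MaxSizeKB
}

Get-FirewallProfileAudit | Format-Table -AutoSize
```

Run the audit first, apply Enable-DroppedConnectionLogging only where Findings reports missing drop logging, and run the audit again to confirm the change took effect.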

Add Rules

New-NetFirewallRule
New-NetFirewallRule -DisplayName "<RuleName>" -Direction Inbound -Program "c:\my.exe" -Action Allow
New-NetFirewallRule -DisplayName "<RuleName>" -Direction Outbound -Program "c:\my.exe" -Action Block
New-NetFirewallRule -DisplayName "<RuleName>" -RemoteAddress 10.10.10.25 -Action Allow
netsh advfirewall firewall add rule
netsh advfirewall firewall add rule name="<RuleName>" dir=out action=block program="c:\my.exe" enable=yes
netsh advfirewall firewall add rule name="<RuleName>" dir=in action=allow program="c:\my.exe" enable=yes
netsh advfirewall firewall add rule name="<RuleName>" dir=in protocol=tcp localport=443 profile=public action=allow
netsh advfirewall firewall add rule name="<RuleName>" dir=in protocol=udp localport=443 profile=public action=allow
netsh advfirewall firewall add rule name="<RuleName>" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="<RuleName>" dir=in action=allow program="c:\my.exe" profile=private enable=yes
netsh advfirewall firewall add rule name="<RuleName>" dir=in action=allow protocol=tcp localport=31337 remoteport=6666 remoteip=192.168.11.14 profile=private

Delete Rules

Removes a firewall rule:

Remove-NetFirewallRule

Removes a firewall rule by name:

Remove-NetFirewallRule -DisplayName "<RuleName>"

Deletes an existing inbound or outbound firewall rule:

netsh advfirewall firewall delete rule

Deletes a rule by name:

netsh advfirewall firewall delete rule name="<RuleName>"

Modify Existing Rules

Modifies existing firewall rules:

Set-NetFirewallRule

Enable All ICMP Traffic:

netsh firewall set icmpsetting type=all mode=enable

Allow inbound echo request:

netsh firewall set icmpsetting type=8 mode=enable

Disable groups of rules:

netsh advfirewall firewall set rule group="<GroupName>" new enable=no

Enable groups of rules:

netsh advfirewall firewall set rule group="<GroupName>" new enable=yes

Export/Import Rules

Create a BACKUP of the netsh firewall configuration:

netsh advfirewall export "c:\FW-Before-Changes.wfw"

Restore netsh firewall configuration from BACKUP:

netsh advfirewall import "c:\FW-Before-Changes.wfw"
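Putting the Export/Import and Add Rules sections together, this added example (not from ShellSpells) takes a backup, adds one inbound rule scoped to a single remote host, then reads the rule back and checks every requested filter before trusting it. The rule name, port and 10.10.10.25 address are placeholders; it assumes an elevated shell with the NetSecurity module.

```powershell
# Added example: back up, add a scoped rule, verify, and roll the rule back if it
# does not match intent. Requires an elevated PowerShell session.
$backup = Join-Path $env:TEMP ("FW-Before-Changes-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
netsh advfirewall export "$backup" | Out-Null
if (-not (Test-Path $backup)) { throw "export failed; not changing rules" }

$ruleName = 'Example - HTTPS from mgmt host'   # placeholder name
$params = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = 443
    RemoteAddress = '10.10.10.25'   # constructed address; scope to the real source host
    Profile       = 'Private'
    Enabled       = 'True'
}

# DisplayName is not unique; refuse to create a second rule with the same name.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    throw "a rule named '$ruleName' already exists; use Set-NetFirewallRule instead"
}
$rule = New-NetFirewallRule @params

# Port/protocol and remote scope live in separate filter objects, not on the rule.
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
$ok = ($rule.Direction -eq 'Inbound') -and ($rule.Action -eq 'Allow') -and
      ($rule.Profile -eq 'Private') -and ($port.Protocol -eq 'TCP') -and
      ($port.LocalPort -eq '443') -and ($addr.RemoteAddress -eq '10.10.10.25')

if (-not $ok) {
    Remove-NetFirewallRule -DisplayName $ruleName
    throw "rule did not match intent; removed it (backup at $backup)"
}
"Rule '$ruleName' added and verified; backup at $backup"
```

If anything else went wrong, `netsh advfirewall import "$backup"` restores the pre-change policy in one step.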

Registry Locations

Globally Open Ports:

reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

Authorized Apps:

reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Holds settings for Windows Firewall policies, including rules and profiles for Domain, Private, and Public networks.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

Contains Windows Firewall configuration settings applied through Group Policy for Domain, Private, and Public profiles.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsFirewall

Used by older versions of Windows to store Windows Firewall settings that are applied across different profiles.

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall

Stores user-specific Windows Firewall settings applied through Group Policy, affecting the firewall behavior for the current user.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy

Default configuration settings for Windows Firewall, including default rules and policy settings for all profiles.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Contains information on network profiles, which can influence Windows Firewall behavior based on the network's classification (Private, Public, Domain).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsFirewall\AdvancedSecurity

Stores advanced settings for Windows Firewall with Advanced Security, including inbound and outbound rules, and connection security rules.
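Under the FirewallPolicy key listed above, the FirewallRules subkey holds one pipe-delimited string per rule (a format like `v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=...|`), which is where rules added with netsh or New-NetFirewallRule end up and what a forensic review of a host reads. This added example (not from ShellSpells) decodes those strings into objects and lists active inbound Allow rules with no remote-address scope; the function names are hypothetical and the sample string is constructed.

```powershell
# Added example: decode FirewallPolicy\FirewallRules values for review.
# Each value is "v<ver>|Key=Value|Key=Value|...|"; keys such as RA4/RA6 may repeat.
function ConvertFrom-FirewallRuleString {
    param([Parameter(ValueFromPipeline)][string]$RuleString)
    process {
        $fields = [ordered]@{}
        $parts = $RuleString.Split('|')
        $fields['Version'] = $parts[0]
        if ($parts.Count -gt 1) {
            foreach ($kv in $parts[1..($parts.Count - 1)]) {
                if ($kv -match '^([^=]+)=(.*)$') {
                    $k = $Matches[1]; $v = $Matches[2]
                    # Repeated keys (several RA4= remote ranges) collect into an array
                    if ($fields.Contains($k)) { $fields[$k] = @($fields[$k]) + $v }
                    else { $fields[$k] = $v }
                }
            }
        }
        [pscustomobject]$fields
    }
}

function Get-RegistryFirewallRules {
    param([string]$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules')
    $item = Get-Item $Key
    foreach ($name in $item.GetValueNames()) {
        $item.GetValue($name) | ConvertFrom-FirewallRuleString |
            Add-Member -NotePropertyName ValueName -NotePropertyValue $name -PassThru
    }
}

# Constructed sample, so the parser can be exercised without touching the registry
$sample = 'v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Constructed RDP rule|'
$sample | ConvertFrom-FirewallRuleString | Format-List

# Review stance: active inbound Allow rules that are not scoped to any remote address
Get-RegistryFirewallRules |
    Where-Object { $_.Active -eq 'TRUE' -and $_.Dir -eq 'In' -and $_.Action -eq 'Allow' -and
                   -not $_.RA4 -and -not $_.RA6 } |
    Select-Object Name, Protocol, LPort, App, ValueName |
    Format-Table -AutoSize
```

Protocol is stored as the IP protocol number (6 = TCP, 17 = UDP), and Name may be a resource reference such as `@FirewallAPI.dll,-28752` for built-in rules rather than literal text.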


Last updated 1 year ago
