Managing WFAS with Netsh
You can use the Netsh.exe command-line utility from an elevated command prompt to manage WFAS rules. The advantage of this is that you can combine it with Windows Remote Shell (WinRS), which you will learn about in the next lesson, to manage WFAS rules on other computers running Windows 7 on your network. You can also use Netsh.exe to script the creation of firewall rules on stand-alone computers that are not members of an AD DS domain and hence are not subject to domain-applied Group Policy.
To use Netsh.exe to create WFAS firewall rules, you need to be in the advfirewall firewall context. The following are some examples of using Netsh.exe to create WFAS firewall rules:
- To create a rule named WebServerRule that applies in the domain profile and allows inbound traffic on TCP port 80, issue the command netsh advfirewall firewall add rule name="WebServerRule" profile=domain protocol=TCP dir=in localport=80 action=allow.
- To create a rule named AllowCalc that allows inbound traffic to the Calc.exe application in all network profiles, issue the command netsh advfirewall firewall add rule name="AllowCalc" dir=in program="c:\windows\system32\calc.exe" action=allow.
- To create a rule named BlockFTP that blocks outbound traffic from the Ftp.exe application, issue the command netsh advfirewall firewall add rule name="BlockFTP" dir=out program="c:\windows\system32\ftp.exe" action=block.
Tip: Know when you need to use WFAS to create a rule and when you can use Windows Firewall.
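The following batch script is an added example, not part of the original tutorial. It scripts the three rules above for a stand-alone computer in a way that is safe to run repeatedly. The RULE and SPEC variable names and the :ensure label are assumptions made for this example.

```batch
@echo off
rem Added example. Run from an elevated command prompt.
rem WFAS permits several rules with the same name, so running "add rule" twice
rem leaves duplicates. Deleting by name first makes the script safe to re-run.
rem Note: "delete rule name=" removes EVERY rule with that name, so choose
rem names that no other software or administrator is using.
setlocal

set "RULE=WebServerRule"
set "SPEC=profile=domain protocol=TCP dir=in localport=80 action=allow"
call :ensure || goto :fail

set "RULE=AllowCalc"
set "SPEC=dir=in program=c:\windows\system32\calc.exe action=allow"
call :ensure || goto :fail

set "RULE=BlockFTP"
set "SPEC=dir=out program=c:\windows\system32\ftp.exe action=block"
call :ensure || goto :fail

echo All rules created.
exit /b 0

:fail
echo Failed to create rule "%RULE%". Is this command prompt elevated? 1>&2
exit /b 1

:ensure
rem Remove earlier copies of the rule; the error when none exist is ignored.
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1
rem Create the rule. dir= and action= are required by "add rule".
netsh advfirewall firewall add rule name="%RULE%" %SPEC% >nul
if errorlevel 1 exit /b 1
rem Print the stored rule so the profile, direction and action can be confirmed.
netsh advfirewall firewall show rule name="%RULE%"
exit /b %errorlevel%
```

Because no profile is given for AllowCalc and BlockFTP, those two rules apply in all network profiles, as in the examples above.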