Please note that this tool is not affiliated with or created by Microsoft Corporation.
Microsoft, Encarta, MSN, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
- No complete command line solution for configuring or monitoring the Windows firewall
- "netsh advfirewall" solution does not list rule results in a tabular format
- "netsh advfirewall" does not work with group policy
- If group policy enables firewall, "netsh" does not show firewall as running
- If group policy pushes down rules, "netsh" does not show those rules
- Missing search features ("find rules with any/any local ports and any/any remote ports" criteria)
- Incomplete Logging features
- Built-in firewall logging is disabled by default
- Built-in firewall logging does not show executable associated with a blocked packet
- No command line access to logs in a reasonable format
- Windows 7 or newer with .NET 3.5+
- For some functions, administrative privileges are required
| Release | MD5 | SHA1 |
|---|---|---|
| msfw v0.3 | f3c15d198655415b046528e18234819c | b51db563ab4a7bd1a96457d4ec6befde85f43f4f |
| msfw v0.2 | e82d23ff59fc9ae9f1c9754338138914 | 685743552b8b032f6f091555b03c06ded65a8627 |
| msfw v0.1 | 44dacb1099cefbc3450f4429e08f9838 | 77d1b2c7797b0b04904a2c8ae5a12974465cccb0 |
- On Windows, run
certutil -hashfile msfw-v0.3.zip MD5ORcertutil -hashfile msfw-v0.3.zip SHA1to calculate hashfile
On Windows, a network connection is assigned a "profile": Domain, Private, or Public. The Microsoft firewall can be enabled/disabled for any or all profiles. Similarly, rules can be configured for any or all profiles.
> msfw -h
status Display firewall status.
interface Display included/excluded network interfaces.
log Display firewall log.
rule Display firewall rules.
addrule Add firewall rules.
delrule Delete firewall rules.
updinterface Update included/excluded interfaces.
updlog Enable/Disable firewall log.
updstatus Change firewall status.
> msfw status -h
-p, --profile (Default: ) Firewall profile.
-i, --interface (Default: False) List status by interface
> msfw interface -h
-n, --interfacename (Default: ) Interface Name
> msfw rule -h
-l, --list (Default: False) List out rules
-d, --duplicates (Default: False) List out duplicate rules
--profileduplicates (Default: False) List out rules that differ only by
profile
-c, --count (Default: False) Count rules
--scope (Default: ) Include local and/or group policy rules
--shortapp (Default: False) Display executable name only in log
output
--string (Default: False) Display rule as a string
-p, --profile (Default: ) Firewall profile.
-n, --rulename (Default: ) Rule Name
--dir (Default: ) Rule Direction [in, out]
--status (Default: enabled) Rule Status [enabled,disabled,all]
--action (Default: ) Rule Action [allow, block]
--local (Default: System.String[]) Rule Local Address and
Ports
--remote (Default: System.String[]) Rule Remote Address and
Ports
--protocol (Default: ) Rule Protocol
--app (Default: ) Rule Application or Service
--ext (Default: ) Rule Extended attributes
$ msfw log -h
-s, --status (Default: False) Display Status
-l, --list (Default: False) Display Blocked Connections
-t, --tail (Default: False) Tail Blocked Connections events
--since (Default: ) Filter by time since datetime string
--last (Default: ) Filter by time in last seconds, minutes, or hours
--shortapp (Default: False) Display executable name only in log output
> msfw addrule -h
-p, --profile (Default: System.String[]) Firewall profile.
-n, --rulename (Default: ) Rule Name
--dir (Default: ) Rule Direction [in, out]
--status (Default: enabled) Rule Status [enabled,disabled,all]
--action (Default: ) Rule Action [allow, block]
--local (Default: System.String[]) Rule Local Address and Ports
--remote (Default: System.String[]) Rule Remote Address and Ports
--protocol (Default: ) Rule Protocol
--app (Default: ) Rule Application or Service
$ msfw delrule -h
-n, --rulename (Default: ) Rule Name
--alllocaldisabled (Default: False) Delete all local disabled rules
-f, --force (Default: False) Force delete of rule, even if multiple
rules exist
> msfw updinterface -h
-p, --profile (Default: ) Firewall profile.
-n, --interfacename (Default: ) Interface Name
-e, --exclude (Default: False) Exclude this interface
-i, --include (Default: False) Include this interface
$ msfw updlog -h
-e, --enable (Default: False) Enable log
-d, --disable (Default: False) Disable log
> msfw updstatus -h
-p, --profile (Default: ) Firewall profile.
-s, --status (Default: ) TODO: Enabled/Disable Firewall [enable,disable]
-i, --inbound (Default: ) Set default inbound action [allow,block]
-o, --outbound (Default: ) Set default outbound action [allow,block]
To see if your firewall is currently enabled, run the following:
Definition: Display firewall status information.
- "Profile"
- Domain, Private, or Public
- "Status"
- "Enabled": Firewall is turned on
- "Disabled": Firewall is turned off
- "Active"
- "Active": Firewall is associated with a profile that has at least one active network connection
- "Inactive": Firewall is not associated with a profile that has an active network connection
- "Inbound": Default action [block,allow] for inbound traffic
- "Outbound": Default action [block,allow] for outbound traffic
- "Interface": Network adapter name
- "Network": Network name
- "Excluded"
- "Excluded": Interface is excluded from the firewall
- "Included": Interface is included with the firewall
Example:
> msfw status
"Profile","Status","Active","Inbound","Outbound"
"Domain","Enabled","Active","Allow","Allow"
"Private","Enabled","Active","Allow","Allow"
"Public","Enabled","Inactive","Block","Allow"
Example by profile:
> msfw status -p domain
"Profile","Status","Active","Inbound","Outbound"
"Domain","Enabled","Active","Allow","Allow"
Example by interface (Inactive profiles will have blank interface names):
> msfw status -i
"Profile","Status","Active","Inbound","Outbound","Interface","Network","Excluded"
"Domain","Enabled","Inactive","Allow","Allow","","",""
"Private","Enabled","Active","Allow","Allow","Wireless Network Connection","myhomenetwork","Included"
"Public","Enabled","Inactive","Block","Allow","","",""
Definition: Display list of interfaces.
NOTE: Firewall Profiles <-> interfaces <-> networks. Most networks will only be connected to one interface, but it's possible to have 2 (or more) interfaces for 1 network. In that case, you must exclude both interfaces in order to exclude the network.
Example:
> msfw interface
"Interface","Domain","Private","Public"
"Wireless Network Connection","Included","Included","Included"
"Local Area Connection","Excluded","Included","Included"
"VMware Network Adapter VMnet1","Included","Included","Included"
"Loopback Pseudo-Interface 1","Included","Included","Included"
Example by interface name:
> msfw interface -n "local area connection"
"Interface","Domain","Private","Public"
"Local Area Connection","Excluded","Included","Included"
msfw log ([-s,--status] | [-t,--tail | [-l,--list] --shortapp --since <datetimestring> --last <duration>) (Requires admin privileges)
Displays the "Filtering Platform Packet Drop" auditing of failures. The built-in firewall logging is not used as it does not display the application/service name associated with a blocked packet. The drawback is that log filtering cannot be scoped to a specific profile.
Example:
$ msfw log
Logging Enabled: True
Example:
> msfw log -l
Retrieving Logs since: 2016-10-09 14:30:43
Retrieving Logs since (UTC): 2016-10-09 19:30:43
10/9/2016 2:31:06 PM \device\harddiskvolume1\program files (x86)\landesk\ldclient\issuser.exe Out 10.10.10.10 42801 5.5.5.5 443 Tcp
10/9/2016 2:31:08 PM \device\harddiskvolume1\windows\system32\svchost.exe In 0.0.0.0 68 255.255.255.255 67 Udp
Example:
> msfw log -l --shortapp
Retrieving Logs since: 2016-10-09 14:30:43
Retrieving Logs since (UTC): 2016-10-09 19:30:43
10/9/2016 2:31:06 PM issuser.exe Out 10.10.10.10 42801 5.5.5.5 443 Tcp
10/9/2016 2:31:08 PM svchost.exe In 0.0.0.0 68 255.255.255.255 67 Udp
Example:
> msfw log -l --since "2016-10-10 12:00:00 PM"
Example:
> msfw log -l --since "2016-10-10 14:00:00 PM"
Example:
> msfw log -l --last 5m
Example:
> msfw log -l --last 30s
Example:
> msfw log -l --last 1h
Definition: Enable/disable logging
Example:
> msfw updlog -e
Action: Enable log (requires admin privileges)
The command was successfully executed.
Example:
> msfw updlog -d
Action: Disable log (requires admin privileges)
The command was successfully executed.
Firewall rules can be created locally or pushed down via group policy. Rules can also be disabled/enabled. By default, msfw only displays enabled rules. Override this behavior by passing in a value for --status.
| Flag | Values | Default |
|---|---|---|
| -s,--status | enabled,disabled,all | enabled |
| --dir | in, out | |
| -n,--rulename | String | |
| -p,--profile | Domain,Public,Private | |
| --string | False | |
| --scope | local,policy,all | all |
| --shortapp | False | |
| --action | allow,block | all |
| --local | address:port | |
| --remote | address:port | |
| --protocol | String | |
| --app | String | |
| --ext | String |
Example: List enabled rules
> msfw rule -l
"Profile","Action","Direction","Application","Local","Remote","Protocol","Name"
"--,Pr,--","Allow","Out","System","*:*","LocalSubnet:138","Udp","Network Discovery (NB-Datagram-Out)"
"--,Pr,--","Allow","In","System","*:138","LocalSubnet:*","Udp","Network Discovery (NB-Datagram-In)"
"Do,Pr,Pu","Allow","Out","%SystemRoot%\system32\svchost.exe:dnscache","*:*","*:53","Udp","Core Networking - DNS (UDP-Out)"
"Do,--,--","Allow","Out","System","*:*","*:445","Tcp","Core Networking - Group Policy (NP-Out)"
"Do,Pr,Pu","Allow","In","System","*:*","*:*","IPv6","Core Networking - IPv6 (IPv6-In)"
Example: Count all rules
> msfw rule -c --status all
Rule count: 219
Example: List enabled, private profile rules
> msfw rule -l -p private
"Profile","Action","Direction","Application","Local","Remote","Protocol","Name"
"--,Pr,--","Allow","Out","System","*:*","LocalSubnet:138","Udp","Network Discovery (NB-Datagram-Out)"
"Do,Pr,Pu","Allow","In","System","*:*","*:*","IPv6","Core Networking - IPv6 (IPv6-In)"
[snip]
Example: List enabled, allow rules
> msfw rule -l --action allow
Example: List enabled, block rules
> msfw rule -l --action block
Example: List enabled rule with name "Rule Name"
> msfw rule -l -n "Rule Name"
Example: List enabled, inbound rules
> msfw rule -l --dir in
Example: List enabled, outbound rules
> msfw rule -l --dir out
Example: List enabled, any:any local address/port rule
> msfw rule -l --local *:*
Example: List enabled, inbound, allow rules with any:any local address/port
> msfw rule -l --local *:* --dir in --action allow
Example: List enabled, inbound, allow rules with single IP and any port
> msfw rule -l --local 10.10.10.10:* --dir in --action allow
Example: List enabled, inbound, allow rules with any local IP but a single port
> msfw rule -l --local *:443 --dir in --action allow
Example: List enabled, any:any remote address/port rule
> msfw rule -l --remote *:*
Example: List enabled inbound, allow rules with any:any remote address/ports
> msfw rule -l --remote *:* --dir in --action allow
Example: List enabled inbound, allow rule with any/any local AND any/any remote addresses/ports
> msfw rule -l --local *:* --remote *:* --dir in --action allow
Example: List enabled inbound, allow rule with any/any local AND any/any remote addresses/ports
> msfw rule -l --local *:* --remote *:* --dir in --action allow
Example: List enabled, tcp rules
> msfw rule -l --protocol tcp
Example: List enabled, icmp rules
> msfw rule -l --protocol icmp
Example: List enabled, Windows service rules
> msfw rule -l --app svchost.exe
Example: List enabled, "java.exe" rules
> msfw rule -l --app java.exe
Example: List enabled, Windows service uPnP rules
> msfw rule -l --app upnphost
Example: List enabled allow rules with any/any local AND any/any remote addresses/ports AND any application
> msfw rule -l --local *:* --remote *:* --dir in --app * --action allow
Example: List enabled, local rules
> msfw rule -l --scope local
Example: List enabled, group policy rules
> msfw rule -l --scope policy
Definition: Create a rule. Minimum required fields: rule name, direction, and action. Note that names do not have to be unique, but from a best practices perspective, it's a good idea to do so.
Example: Create a rule blocking all inbound traffic
> msfw addrule -n "Hello, World" --dir in --action block
Added rule: Hello World
Example: Create a rule blocking all inbound traffic to port 443
> > msfw addrule -n "Hello, World" --dir in --action block --local 443
Added rule: Hello World
Example: Create a rule blocking all inbound traffic to port 443 (alternate)
> > msfw addrule -n "Hello, World" --dir in --action block --local *:443
Added rule: Hello World
Example: Create a rule blocking all inbound traffic to IP 1.1.1.1 on ports 80 and 443
> > msfw addrule -n "Hello, World" --dir in --action block --local 1.1.1.1 80 443
Added rule: Hello World
Example: Create a rule blocking all inbound traffic to IP 1.1.1.1 on ports 80 and 443 (alternate)
> > msfw addrule -n "Hello, World" --dir in --action block --local 1.1.1.1:80 1.1.1.1:443
Added rule: Hello World
Definition: Delete firewall rules.
Example: Delete local rule named "Hello, World"
> msfw delrule -n "Hello, World"
Deleted 1 rule(s).
Example: Delete local rules named "Hello, World"; do not prompt if multiple rules found with same name
> msfw delrule -n "Hello, World" -f
Deleted 3 rule(s).
Definition: Include or exclude interfaces from firewall.
Example: Exclude interface from all profiles
> msfw updinterface -n "local area connection" --exclude
Example: Exclude interface from domain profile
> msfw updinterface -n "local area connection" -p domain --exclude
Example: Include interface on all profiles
> msfw updinterface -n "local area connection" --include
Definition: Enable/Disable firewall or change inbound/outbound default actions.
Example: Change default inbound action for the public profile to block
> msfw updstatus -p public -i block
Example: Change default outbound action for the public profile to block
> msfw updstatus -p public -i block
- 0.1 (2016-10-09) - Initial release. Release of msfw binary with status, rule, and log subcommands.
- 0.2 (2016-10-24) - Bug fixes. Release of msfw binary with log -t (tail log), status -i (by interface), interface, updinterface, addrule, and delrule. Reformatted status output.
- 0.3 (2016-11-23) - Bug fixes. List duplicates. Warn if multiple rules will be deleted.
msfw is licensed under the MIT.
- CommandLineParser (MIT License)
- NLog (BSD-3-License)