参考

使用 netsh advfirewall 防火墙而不是 netsh 防火墙来控制Windows防火墙行为
Netsh AdvFirewall Firewall Commands?redirectedfrom=MSDN)

简介

netsh advfirewall firewall 命令行在Windows Vista 和 Windows Server 2008 中可用。
它提供了用于控制 Windows 防火墙行为的功能。
在早期版本的 Windows <包含Win7> 操作系统中应该使用 netsh firewall 命令。
新版本的命令行提供了更精确地控制的防火墙规则的功能，这些规则包括以下的每个配置文件设置︰

• 域(Domain)
• 私有(Private)
• 公共(Public)

  基本使用

  使用help ```powershell C:\WINDOWS\system32>netsh advfirewall help

下列指令有效:

此上下文中的命令: ? - 显示命令列表。 consec - 更改到 netsh advfirewall consec' 上下文。 dump - 显示一个配置脚本。 export - 将当前策略导出到文件。 firewall - 更改到netsh advfirewall firewall’ 上下文。 help - 显示命令列表。 import - 将策略文件导入当前策略存储。 mainmode - 更改到 netsh advfirewall mainmode' 上下文。 monitor - 更改到netsh advfirewall monitor’ 上下文。 reset - 将策略重置为默认全新策略。 set - 设置每个配置文件或全局设置。 show - 显示配置文件或全局属性。

下列的子上下文可用: consec firewall mainmode monitor

若需要命令的更多帮助信息，请键入命令，接着是空格， 后面跟 ?。

C:\WINDOWS\system32>

```powershell
C:\WINDOWS\system32>netsh advfirewall firewall help
下列指令有效:
此上下文中的命令:
?              - 显示命令列表。
add            - 添加新入站或出站防火墙规则。
delete         - 删除所有匹配的防火墙规则。
dump           - 显示一个配置脚本。
help           - 显示命令列表。
set            - 为现有规则的属性设置新值。
show           - 显示指定的防火墙规则。
若需要命令的更多帮助信息，请键入命令，接着是空格，
后面跟 ?。

netsh advfirewall firewall add rule

将新的入站或出站规则添加到防火墙策略。

netsh advfirewall firewall add rule ?

语法规则

add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|notrequired
         (default=notrequired)]

参数含义

禁用端口

// 关闭端口，测试ok
netsh advfirewall firewall add rule name=test1 dir=in action=block protocol=TCP localport=8089
netsh advfirewall firewall add rule name=test1 dir=in action=block protocol=TCP localport=8089 remoteip="223.76.234.68"
netsh advfirewall firewall add rule name=test1 dir=out action=block protocol=TCP localport=8089
netsh advfirewall firewall add rule name=禁用TCP端口 dir=in action=block protocol=TCP localport="135-139,445,3389"
netsh advfirewall firewall add rule name=禁用UDP端口 dir=in action=block protocol=UDP localport="135-139,445"
netsh advfirewall firewall add rule name=允许指定IP访问3389 dir=in action=allow protocol=TCP localport="3389" remoteip="aip,bip,cip"

netsh advfirewall firewall add rule name= “deny tcp 21″ dir=in protocol=tcp localport=21 action=block
netsh advfirewall firewall add rule name= “deny tcp 22″ dir=in protocol=tcp localport=22 action=block
netsh advfirewall firewall add rule name= “deny tcp 23″ dir=in protocol=tcp localport=23 action=block
netsh advfirewall firewall add rule name= “deny tcp 3389″ dir=in protocol=tcp localport=3389 action=block 
netsh advfirewall firewall add rule name= “deny tcp 5800″ dir=in protocol=tcp localport=5800 action=block
netsh advfirewall firewall add rule name= “deny tcp 5900″ dir=in protocol=tcp localport=5900 action=block
netsh advfirewall firewall add rule name= “deny tcp 137″ dir=in protocol=tcp localport=137 action=block
netsh advfirewall firewall add rule name= “deny tcp 138″ dir=in protocol=tcp localport=138 action=block
//禁用8089
netsh advfirewall firewall add rule name= “禁用8089″ dir=in protocol=tcp localport=8089 action=block

//删除针对本地8089端口的所有入站规则： 测试OK
netsh advfirewall firewall delete rule name=all protocol=tcp localport=8089
netsh advfirewall firewall delete rule name=all protocol=udp localport=8089

配置 ICMP 设置

netsh advfirewall firewall add rule ?

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name= "All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block

netsh advfirewall firewall delete rule

C:\WINDOWS\system32>netsh advfirewall firewall delete rule
提供的许多参数无效。请查看帮助获取正确语法。
用法: delete rule name=<string>
      [dir=in|out]
      [profile=public|private|domain|any[,...]]
      [program=<program path>]
      [service=<service short name>|any]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|any]
      [remoteport=0-65535|<port range>[,...]|any]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any]
注释:
      - 删除按名称识别的规则，也可按终结点、端口、
        协议和类型识别规则
      - 如果找到多个匹配项，则删除所有匹配规则。
      - 如果指定 name=all，则从指定的
        类型和配置文件中删除所有规则。
示例:
    删除本地端口 80 的所有入则:
    netsh advfirewall firewall delete rule name=all protocol=tcp localport=80
    删除名为 "allow80" 的规则:
    netsh advfirewall firewall delete rule name="allow80"
    netsh advfirewall firewall delete rule name="test1"

实例

查看规则

查看规则：

// 使用帮助
netsh advfirewall firewall show rule
netsh advfirewall firewall show rule name="test1"

实例

// 查看是否启动windows防火墙
netsh  advfirewall  show  allprofiles state
// 查看默认防火墙规则
netsh advfirewall show allprofiles firewallpolicy
//查看windows防火墙所有入站规则
netsh advfirewall firewall show rule name=all dir=in type=static verbose
//查看windows防火墙指定端口规则
netsh advfirewall firewall show rule name=all localport=8089

// 重新载入
firewall --reload
// 开启&关闭防火墙
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles state off
检测端口是否关闭成功
netstat -na -p tcp | findstr "8088"
没有任何记录返回，则说明该端口关闭成功了。

（1）恢复初始防火墙设置
    netsh advfirewall reset
（2）关闭防火墙
    netsh advfirewall set allprofiles state off
（3）启用桌面防火墙
    netsh advfirewall set allprofiles state on
（4）设置默认输入和输出策略
    netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
    以上是设置为允许，如果设置为拒绝使用blockinbound,blockoutbound
（5）关闭tcp协议的139端口
    netsh advfirewall firewall add rule name=”deny tcp 139″ dir=in protocol=tcp localport=139 action=block
（6）关闭udp协议的139端口
    netsh advfirewall firewall add rule name=”deny udp 139″ dir=in protocol=udp localport=139 action=block
（7）关闭tcp协议的445端口
    netsh advfirewall firewall add rule name=”deny tcp 445″ dir=in protocol=tcp localport=445 action=block
（8）关闭udp协议的445端口
    netsh advfirewall firewall add rule name=”deny udp 445″ dir=in protocol=udp localport=445 action=block
（9）使用相同的方法，依次关闭TCP协议的21、22、23、137、138、3389、5800、5900端口。
    netsh advfirewall firewall add rule name= “deny tcp 21″ dir=in protocol=tcp localport=21 action=block
    netsh advfirewall firewall add rule name= “deny tcp 22″ dir=in protocol=tcp localport=22 action=block
    netsh advfirewall firewall add rule name= “deny tcp 23″ dir=in protocol=tcp localport=23 action=block
    netsh advfirewall firewall add rule name= “deny tcp 3389″ dir=in protocol=tcp localport=3389 action=block 学习电脑
    netsh advfirewall firewall add rule name= “deny tcp 5800″ dir=in protocol=tcp localport=5800 action=block
    netsh advfirewall firewall add rule name= “deny tcp 5900″ dir=in protocol=tcp localport=5900 action=block
    netsh advfirewall firewall add rule name= “deny tcp 137″ dir=in protocol=tcp localport=137 action=block
    netsh advfirewall firewall add rule name= “deny tcp 138″ dir=in protocol=tcp localport=138 action=block
以上内容搬运自百度知道https://zhidao.baidu.com/question/2075121309871751268.html，稍作整理

Set命令