Purpose of the Windows firewall and its configuration. Basics of Windows Firewall. Disabling the firewall through the "Administration" tab


A firewall is a program that allows or denies access to the Internet for certain applications. Inexperienced users have problems with it.

For example: the system connects to the network normally (search works, updates are automatically downloaded), but browsers and other utilities cannot connect to the remote server. The reason lies in the firewall settings.

Fixing firewall issues

A common firewall problem is the "Service Initialization Failed" error, which occurs more often on custom builds of Windows. It is fixed in the service settings: the Firewall service is turned on, and the computer is then restarted. The settings take effect only after the restart; otherwise the step-by-step instructions will have to be repeated.

If there is no Internet connection, check which ports the firewall is blocking.


The firewall may have malfunctioned, in which case the service needs to be restarted. The Hosts file can be restored with an antivirus program (the free CureIT handles the task easily and offers to restore the file parameters at startup) or manually with the Notepad++ text editor.

Sometimes the reason lies in blocked outgoing connections. In this case, go to the advanced settings of the firewall, and in the "Properties" dialog box, uncheck the enabled "block outgoing connections" sub-items (in both private and public profiles).

If you need to create a new connection (Wi-Fi), but the network connection is still not established (and there are no problems with other devices), you can add a service exception (see ). To do this, open the advanced settings in the settings window, select the "Create rule" item, go to the "Custom" tab.

We enable the desired service (for example, a remote connection that is responsible for accessing the World Wide Web), set the parameters to “predefined”.

You can also turn off the firewall if you don't need it for your work.

Netsh allows you to configure Windows Firewall clients from the command line either directly or through a batch file. For example, the command

netsh firewall show config

shows the current state of Windows Firewall on the client computer.

Current state of the Windows Firewall

Netsh allows you to control almost all Windows Firewall settings, so administrators who work with scripts can use domain logon scripts to configure and test Windows Firewall functionality.

For example, the following Netsh command creates a local firewall rule that allows Telnet access to a computer protected by Windows Firewall from the specified addresses.

netsh firewall add portopening protocol=TCP port=23 name=Telnet mode=ENABLE scope=CUSTOM addresses=192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0

This command could have been shortened by omitting the attribute names:

netsh firewall add portopening TCP 23 Telnet ENABLE CUSTOM 192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0

The result of executing the above commands can be checked using the command

netsh firewall show portopening

Domain profiles and local profiles

Another useful feature of the Windows firewall is the ability to select one of two operating modes - standard or work in a domain - depending on which network the computer is currently connected to. Each mode can have its own set of exceptions. For example, you can allow file sharing on a computer only when connected to a domain. Windows Firewall compares the current AD domain name with the DNS suffix of the IP configuration to determine which mode to use at the moment. To configure domain and standard profiles, run the Windows Firewall GPO and select the object to configure.

Setting exclusions

The Windows Firewall contains several predefined exceptions that allow network access for some common system tasks such as remote control and file and printer sharing. The table lists Windows Firewall exceptions that are enabled by default, as well as open ports and programs that use them.

Exception                        Opened ports                          Enabling program   Limit source to
Allow remote control             TCP 135, TCP 445                      -                  Subnets
Allow file and printer sharing   UDP 137, UDP 138, TCP 139, TCP 445    -                  Subnets
Remote Desktop                   TCP 3389                              -                  Any address
Allow UPnP Framework             UDP 1900, TCP 2869                    -                  Subnets
Remote Assistance                -                                     Sessmgr.exe        Any address
ICMP Options                     Allow incoming echo request

An administrator can also set their own set of exceptions locally through the Windows Firewall application in Control Panel, or remotely using the Group Policy engine. To do this, simply specify the name of the program that generates traffic or network parameters (TCP or UDP port number) and the source address, and then allow the generated exception in Windows Firewall.

Predefined exclusions are more flexible than custom exclusions because they allow multiple ports to be specified in a single rule. For example, the file and printer sharing exception allows the use of ports TCP 139, TCP 445, UDP 137, and UDP 138. When you create a custom exception, the system allows you to specify only one port, so to open a range of ports you must create a separate exception for each port. This allows the creation of custom areas, i.e. IP addresses or ranges of IP addresses for which the exchange is allowed. This allows you to set port sets for both predefined and custom exceptions.




Port sets for predefined and custom exceptions

Corporate network administrators can use group policies to configure Windows Firewall. You must specify a port (for example, 80), a transport (TCP or UDP), an area (scope), a status (allowed or denied), and a connection name. The entry has the form Port:Transport:Scope:Status:Name.

The syntax for describing the scope for a GPO is slightly different from that used in the Windows Firewall application (probably due to discrepancies between RC2 and the final version of SP2). In RC2, the GPO was defined as "*" (all traffic), localsubnet (local subnet traffic), and IP addresses (for example, 10.0.0.1 or the abbreviation CIDR, Classless Inter-Domain Routing, like 192.168. the number of bits in the subnet mask). For example, the parameters "1433:TCP:10.0.0.1:Enabled:MSSQL" and "23:TCP:192.168.0.0/24:Enabled:Telnet" allow incoming MS SQL Server connections using port 1433 only for host 10.0.0.1, and Telnet connections using TCP port 23 from subnet 192.168.0.0/24.
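A validator for the Port:Transport:Scope:Status:Name entries described above, as an added example that is not part of the original article. The comma-separated scope list, the "Disabled" status value, the IPv4-only handling and the SENSITIVE_PORTS set are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Ports this example treats as sensitive (an assumption, adjust to local policy).
SENSITIVE_PORTS = {23, 139, 445, 1433, 3389}


@dataclass
class PortEntry:
    port: int
    transport: str
    scope: tuple      # "*", "localsubnet", or IPv4 address / CIDR strings
    enabled: bool
    name: str


def parse_entry(text):
    """Parse and validate one Port:Transport:Scope:Status:Name string."""
    parts = [p.strip() for p in text.split(":", 4)]  # name is last, may hold ':'
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields in {text!r}")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {text!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad transport in {text!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {text!r}")
    items = tuple(s.strip().lower() for s in scope.split(","))
    for item in items:
        if item not in ("*", "localsubnet"):
            ipaddress.ip_network(item, strict=False)  # ValueError if malformed
    return PortEntry(int(port), transport.upper(), items,
                     status.lower() == "enabled", name)


def source_allowed(entry, src_ip, local_subnet):
    """True if an enabled entry's scope covers src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for item in entry.scope:
        net = local_subnet if item == "localsubnet" else item
        if entry.enabled and (item == "*" or
                              addr in ipaddress.ip_network(net, strict=False)):
            return True
    return False


def audit(entries):
    """Names of enabled entries that open a sensitive port to every address."""
    return [e.name for e in entries
            if e.enabled and e.port in SENSITIVE_PORTS and "*" in e.scope]
```

Running audit() over a policy export before it is linked to an OU catches entries such as a Telnet exception whose scope is "*".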

Logging

You can configure Windows Firewall to write a log to a text file on a local computer or network drive. Windows Firewall can log packet blocking and successful connection events. The log contains the information needed to troubleshoot cases where you cannot connect to the necessary resources, and to review allowed connections.

Below is an example of the contents of the log.

The log file contains two file share request failures and one successful RDP connection
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-19 21:02:52 DROP TCP 192.168.0.220 192.168.0.250 3519 445 48 S 817765275 0 64240 - - - RECEIVE
2004-06-19 21:02:52 DROP TCP 192.168.0.220 192.168.0.250 3520 139 48 S 2567421875 0 64240 - - - RECEIVE
2004-06-19 21:03:16 OPEN TCP 192.168.0.250 192.168.0.8 1139 3389 - - - - - - - - -

The first two lines contain information about blocked attempts to connect to the shared folder, and the last line contains information about a successful RDP connection on TCP port 3389.
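A parser for this log format, as an added example that is not part of the original article. It reads the column names from the #Fields header, uses the three log lines shown above as input, and reports sources whose connections were dropped on several destination ports; the min_ports threshold is an assumption of this example.

```python
from collections import Counter

# The three records shown above, with their #Fields header.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-19 21:02:52 DROP TCP 192.168.0.220 192.168.0.250 3519 445 48 S 817765275 0 64240 - - - RECEIVE
2004-06-19 21:02:52 DROP TCP 192.168.0.220 192.168.0.250 3520 139 48 S 2567421875 0 64240 - - - RECEIVE
2004-06-19 21:03:16 OPEN TCP 192.168.0.250 192.168.0.8 1139 3389 - - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue                      # blank line or other header comment
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = line.split()
        values += ["-"] * (len(fields) - len(values))   # pad truncated records
        # "-" means the field does not apply to this record
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def summarize(records):
    """Count DROPs per (source, destination port) and list OPEN connections."""
    drops, opened = Counter(), []
    for r in records:
        port = int(r["dst-port"]) if r["dst-port"] else None  # None for ICMP
        if r["action"] == "DROP":
            drops[(r["src-ip"], port)] += 1
        elif r["action"] == "OPEN":
            opened.append((r["src-ip"], r["dst-ip"], port))
    return drops, opened


def sources_probing(drops, min_ports=2):
    """Sources with dropped packets on at least min_ports distinct ports."""
    ports = {}
    for src, port in drops:
        ports.setdefault(src, set()).add(port)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}
```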

By default, Windows Firewall warns the user that a program is trying to use the specified port. By centrally configuring Windows Firewall through Group Policy, an administrator can optionally disable warnings to users.

Disable Windows Firewall

When using third-party personal firewalls or the secure IPSec protocol, the administrator may choose to disable the Windows Firewall when installing XP SP2. This can be done in several ways. First, if the computers are members of a domain, you can simply create a GPO that disables Windows Firewall. To do this, you need to specify the following settings in the GPO:




Protect all network connections


If you want to disable Windows Firewall when computers are on a domain, but use remote user protection when they are not on the corporate network, you can use the following setting:

Domain profile--Windows Firewall:
Protect all network connections

Standard profile--Windows Firewall:
Protect all network connections

Prohibit use of Internet Connection
Firewall on your DNS domain network

If Windows XP computers are not members of a Windows 2003 or Windows 2000 domain that supports Group Policy, you can edit the netfw.inf configuration text file and save it with the rest of the XP SP2 installation files to disable Windows Firewall. Add the line HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0 to the section. For more information about using the netfw.inf file to control Windows Firewall deployment, see the Microsoft documentation.

An administrator can also use the Registry Editor to disable the Windows Firewall on computers prior to installing XP SP2. To do this, add two parameters (DWORD type) to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\DomainProfile\EnableFirewall=0 and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\StandardProfile\EnableFirewall=0.

All users by firewall

The enhanced Windows Firewall, enabled by default when you install XP SP2, provides good protection for computers and will help individual and corporate users. Preconfigured rules and exceptions help less experienced administrators quickly set up Windows Firewall; however, the firewall also provides fine-tuning to suit different requirements and usage scenarios. The firewall can be managed through group policies, that is, you can create the required group policy and apply it centrally to a group of computers. The fact that Windows Firewall is available for free may have a decisive impact on the choice of many corporate users for protecting computers.

For Windows to operate correctly, security systems that preserve the working state of the computer must be installed. In some cases, however, it is necessary to disable the Windows firewall, which protects the system from viruses. This is necessary if the firewall perceives the downloaded program as a threat.

How to turn off the Windows 7 firewall

How to disable the Windows 7 firewall using the command line

You can disable it using the command line. This is done using the Netsh command. By typing netsh firewall show config, the user sees the current state of the firewall. You can disable the security system using the netsh firewall set opmode mode=disable command.

How to open the command line:

Open the Start menu on the desktop. In the "Search" panel at the bottom, enter the text "command line" or cmd and press Enter. Left-click the "command line" entry.

The black window that opens shows information about the operating system; below it the cursor flashes where the command is to be entered. Enter the netsh firewall set opmode mode=disable command to disable the firewall.
If the user does not know what text to enter, typing help displays all the commands available in the console.


How to turn off the Windows 8 firewall

How to turn off the Windows 10 firewall

The protection system is easily disabled through the "Control Panel": First, right-click on the windows tab and select Control Panel.

In the control panel, select System and Security.

Now on the left in the list we are looking for the item Turn Windows Firewall on or off.

In the settings, check the items Turn off the firewall and save the settings.

For a permanent shutdown, you can use the service that ensures the functioning of the firewall. To do this, press Win + R on the keyboard, type services.msc, and turn off the firewall in the service control window.
Before disabling the Windows firewall, it is recommended to install a good antivirus program. These are the easiest but not the only ways to disable the firewall.

Windows OS is equipped with its own protection system, which is based on the work of the "Firewall" or the system firewall. This system blocks unwanted applications that, in its opinion, are potential carriers of malicious viruses or spyware. In order to avoid blocking the necessary software and to ensure the effective operation of all installed programs, it is sometimes necessary to deactivate such protection. This article discusses how to disable it in the most popular versions of Windows (7, 8, 10).

Windows 7

The algorithm of actions is very simple:

  1. As soon as all the described actions have been completed, the control window for our defender should turn red. The system tray will pop up a message about deactivating the firewall.

But, it is worth noting that when the firewall itself is turned off, the service responsible for its operation continues to function. Interference with this service may cause network problems. Therefore, all the actions described below can be performed at your own risk, or require the intervention of a professional.

  1. Next, the computer will prompt you to reboot the system, to which you should give your consent.
  2. After a reboot, the service will be disabled.

Windows 8

For this version of the operating system, the only change in the algorithm of actions is that it is necessary to enter the firewall control window through the "Control Panel". It is opened by pressing the combination "Win" + "I" and selecting the line "Control Panel" in the list that appears. Next, you need to select the icon corresponding to the firewall, but if all the icons in the window that opens are categorized, then you need to change the viewing option to "Large icons" in the upper right corner of the window.

Shutdown on Windows 10

In this version of the operating system, all actions are repeated in the same way as in the two previous methods, except that the “Control Panel” can again be opened through the Start menu, as in Windows 7. There is also an additional way to disable it through the command line; it is neither more nor less effective, but requires the ability to use the command line. Therefore, it is more expedient to switch off in the way already described above.

From the foregoing, it becomes clear that it is not difficult to disable the protection system, but it is best to think about your decision in advance, since very often it is the operation of the system firewall that saves unprepared users from various kinds of malicious manifestations in the operating system that lead to problems. Also, do not take any action in case of an unsuccessful shutdown attempt. It is best to turn to professionals who can restore the working condition of the device, as well as explain the errors in the actions taken.


As you know, the built-in Windows firewall does not have special functionality, so it is usually disabled by more advanced products. However, even with the firewall turned off, it is sometimes necessary to make some adjustments. For example, open/close ports. And, if it is easier to do this on one computer through a graphical interface, then it will be tedious to carry out the same settings on several computers on the network in this way. Consider managing the Windows firewall through the command line. The resulting commands can then be written to a bat file and sent over the network.

This syntax is relevant for Windows Vista, 7, 8 and server editions starting from 2008.

Let's start with the basics. Turning on the firewall:

netsh advfirewall set allprofiles state on

Turning off the firewall:

netsh advfirewall set allprofiles state off

Enabling individual profiles:

netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on

Disabling individual profiles:

netsh advfirewall set domainprofile state off
netsh advfirewall set privateprofile state off
netsh advfirewall set publicprofile state off

Close all incoming connections and allow all outgoing connections:

netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

Similarly, the blockoutbound value will close all outgoing connections, while allowinbound will open all incoming ones. But why? 🙂

Open a local TCP port for an incoming connection. For example 80:

netsh advfirewall firewall add rule name="test" protocol=TCP localport=80 action=allow dir=IN

In the example, name is the name of the rule. You can choose which is convenient for you.

Similarly with the UDP protocol:

netsh advfirewall firewall add rule name="test" protocol=UDP localport=80 action=allow dir=IN

Well, and, accordingly, if we want to prohibit incoming to the local port 80 via TCP:

netsh advfirewall firewall add rule name="test" protocol=TCP localport=80 action=block dir=IN

For UDP I will not duplicate. Everything is the same except for the name of the protocol.

Allow outgoing to remote port via TCP protocol. Again, let it be port 80.

netsh advfirewall firewall add rule name="test" protocol=TCP remoteport=80 action=allow dir=OUT

Open a range of remote ports for outgoing connection via UDP protocol:

netsh advfirewall firewall add rule name="test" protocol=UDP remoteport=5000-5100 action=allow dir=OUT

Create a rule to connect only from a specific IP:

netsh advfirewall firewall add rule name="test" protocol=TCP localport=80 action=allow dir=IN remoteip=192.168.0.1

Or an IP range:

netsh advfirewall firewall add rule name="test" protocol=TCP localport=80 action=allow dir=IN remoteip=192.168.0.1-192.168.0.100

The subnet can also be entered by name or simply as 192.168.0.1/100 .

Allow a connection for a specific program:

netsh advfirewall firewall add rule name="test" dir=in action=allow program="C:\test\test.exe" enable=yes

The created rule can be deleted with the command

netsh advfirewall firewall delete rule name="test"

Commands can be combined and modified, and quite flexibly. For example, if we want to open a port only for a certain type of profile, then we can type the following command:

netsh advfirewall firewall add rule name="test" protocol=TCP localport=80 action=allow dir=IN profile=domain





