'netsh' is the network shell of Windows. It is used to control the firewall, log network activity, reset the Windows networking stack and more.
Using the command line:
Turn the firewall off: netsh advfirewall set allprofiles state off
Turn the firewall on: netsh advfirewall set allprofiles state on
Check status of firewall: netsh advfirewall show allprofiles
Reset Windows Firewall to default settings: netsh advfirewall reset
nftables is the firewall subsystem created for the Linux networking stack; it is driven from userspace by the nft tool.
It is very different from iptables because it is meant to replace certain parts of netfilter, i.e. nftables replaces the popular {ip,ip6,arp,eb}tables with a single tool.
The syntax is also very different. For example, to drop any packet with the destination IP address 1.2.3.4:
nftables: nft add rule ip filter output ip daddr 1.2.3.4 drop (this assumes the table 'filter' and its chain 'output' already exist; nft does not create them implicitly)
iptables: iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables only applies to IPv4, whereas ip6tables applies to IPv6, arptables to ARP and ebtables to Ethernet bridges.
In most Linux systems, iptables is installed to /usr/sbin/iptables, but a symbolic link is usually found at /sbin/iptables.
Table
NOTE: Some of the Windows firewall commands are PowerShell commands. So run all of your Windows commands through PowerShell instead of CMD.
NOTE: I add 'A: ' to the beginning of custom rules, so that they are grouped together and easy to locate.
Description | Windows Firewall | Linux (firewalld - iptables tool) | Linux (iptables) |
---|---|---|---|
Turn firewall off. | netsh advfirewall set allprofiles state off | systemctl stop firewalld | systemctl stop iptables |
Turn firewall on. | netsh advfirewall set allprofiles state on | systemctl start firewalld | systemctl start iptables |
List firewall profiles. | netsh advfirewall show allprofiles | firewall-cmd --list-all | N/A |
List firewall rules. | netsh advfirewall firewall show rule name=all | firewall-cmd --list-services && firewall-cmd --list-ports | iptables -L |
Delete all firewall rules. | netsh advfirewall reset / Remove-NetFirewallRule | Remove from: /etc/firewalld/zones/ | iptables -F |
Delete firewall profiles/chains. | netsh advfirewall reset | rm -f /etc/firewalld/zones/*.xml | iptables -X |
Select firewall profile. | Set-NetFirewallProfile -Name <ProfileName> | firewall-cmd --set-default-zone=zone | N/A |
Turn firewall off for remote computer. | netsh -r <ComputerName> advfirewall set publicprofile state off | ssh user@server 'sudo systemctl stop firewalld' | ssh user@server 'sudo systemctl stop iptables' |
Turn firewall on for remote computer. | netsh -r <ComputerName> advfirewall set publicprofile state on | ssh user@server 'sudo systemctl start firewalld' | ssh user@server 'sudo systemctl start iptables' |
Enable firewall logging to specific file. | netsh advfirewall set currentprofile logging filename "C:\temp\pfirewall.log" | N/A | N/A |
Enable firewall logging. | netsh advfirewall set allprofiles logging droppedconnections enable; netsh advfirewall set allprofiles logging allowedconnections enable (stored in '%SystemRoot%\system32\logfiles\firewall\pfirewall.log' by default) | firewall-cmd --set-log-denied=all/unicast/broadcast/multicast/off (saves to /etc/sysconfig/firewalld -> LogDenied=all/etc.) | iptables -A INPUT -j LOG (written via the kernel log, typically to '/var/log/messages') |
Disable ICMPv4 echo requests. | netsh advfirewall firewall add rule name="A: ICMP Block incoming V4 echo request" protocol=icmpv4:8,any dir=in action=block | firewall-cmd --zone=public --add-icmp-block=echo-request --permanent (NOTE: firewall-cmd --get-icmptypes lists the type names; --permanent changes take effect after firewall-cmd --reload) | iptables -A INPUT -p icmp --icmp-type echo-request -j DROP (NOTE: /sbin/iptables -p icmp -h) |
Enable ICMPv4 echo requests. | netsh advfirewall firewall add rule name="A: ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow | firewall-cmd --zone=public --remove-icmp-block=echo-request --permanent | iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
Disable all of ICMPv4. | netsh advfirewall firewall add rule name="A: ICMP Block incoming V4 all" protocol=icmpv4,any dir=in action=block | firewall-cmd --zone=public --add-icmp-block={echo-request,echo-reply,timestamp-reply,timestamp-request} --permanent | iptables -A INPUT -p icmp -j DROP |
Enable all of ICMPv4. | netsh advfirewall firewall add rule name="A: ICMP Allow incoming V4 all" protocol=icmpv4,any dir=in action=allow | firewall-cmd --zone=public --remove-icmp-block={echo-request,echo-reply,timestamp-reply,timestamp-request} --permanent | iptables -A INPUT -p icmp -j ACCEPT |
Disable ICMPv6 echo requests. | netsh advfirewall firewall add rule name="A: ICMP Block incoming V6 echo request" protocol=icmpv6:128,any dir=in action=block | | ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
Enable ICMPv6 echo requests. | netsh advfirewall firewall add rule name="A: ICMP Allow incoming V6 echo request" protocol=icmpv6:128,any dir=in action=allow | | ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT |
Disable all of ICMPv6. | netsh advfirewall firewall add rule name="A: ICMP Block incoming V6 all" protocol=icmpv6,any dir=in action=block | | ip6tables -A INPUT -p icmpv6 -j DROP |
Enable all of ICMPv6. | netsh advfirewall firewall add rule name="A: ICMP Allow incoming V6 all" protocol=icmpv6,any dir=in action=allow | | ip6tables -A INPUT -p icmpv6 -j ACCEPT |
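The nft/iptables syntax comparison above and the ICMPv4/ICMPv6 rows of the table are two views of the same rule. The helper below is an added example (not from the page): it emits the rule for either address family in iptables or nftables syntax, and applies it without stacking duplicates. It assumes iptables, ip6tables and nft are on PATH and, for nft, that a 'filter' table with an 'input' chain already exists (the page's own nft example assumes 'filter'/'output' the same way).

```shell
# Added example, not from the page. Assumes iptables/ip6tables/nft on PATH and, for nft,
# an existing table 'filter' with chain 'input' (nft does not create them implicitly).

icmp_rule() {
    # $1 family (4|6), $2 action (block|allow), $3 type (echo-request|all), $4 backend (iptables|nft)
    family=$1; action=$2; itype=${3:-all}; backend=${4:-iptables}
    case $family in
        4) bin=iptables;  nfam=ip;  proto=icmp;   typeopt=--icmp-type ;;
        6) bin=ip6tables; nfam=ip6; proto=icmpv6; typeopt=--icmpv6-type ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    case $action in
        block) target=DROP;   verdict=drop ;;
        allow) target=ACCEPT; verdict=accept ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    if [ "$backend" = nft ]; then
        # nft matches the ICMP header directly ('icmp type ...'); 'meta l4proto' covers every type
        if [ "$itype" = all ]; then match="meta l4proto $proto"; else match="$proto type $itype"; fi
        printf 'nft add rule %s filter input %s %s\n' "$nfam" "$match" "$verdict"
    else
        # iptables needs a different binary, protocol name and type option per family
        if [ "$itype" = all ]; then match="-p $proto"; else match="-p $proto $typeopt $itype"; fi
        printf '%s -A INPUT %s -j %s\n' "$bin" "$match" "$target"
    fi
}

apply_rule() {
    # Apply idempotently: repeated -A calls stack duplicate rules, so for iptables ask first
    # with -C (exit 0 when an identical rule already exists). DRY_RUN=1 only prints the command.
    cmd=$(icmp_rule "$@") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $cmd"; return 0; fi
    case $cmd in
        nft*) $cmd ;;
        *) check=$(echo "$cmd" | sed 's/ -A / -C /')
           if $check 2>/dev/null; then echo "already present: $cmd"; else $cmd; fi ;;
    esac
}
```

Running apply_rule needs root; set DRY_RUN=1 to review the generated commands first.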
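Once logging is enabled with the netsh commands in the table, the pfirewall.log file is where dropped connections end up. The script below is an added example (not from the page) that summarises that log with POSIX awk, for instance after copying it to a Linux analysis host. The sample log is constructed for the demo; its columns follow the '#Fields:' header Windows writes at the top of the file.

```shell
# Added example, not from the page. The log below is constructed; the column order follows
# the '#Fields:' header that Windows writes at the top of pfirewall.log.

# Write the constructed sample log to a temp file and print its path.
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 192.0.2.10 198.51.100.5 51515 445 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 192.0.2.10 198.51.100.5 51516 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 198.51.100.5 203.0.113.7 49800 443 0 - 0 0 0 - - - SEND
2024-05-01 10:00:04 DROP ICMP 192.0.2.11 198.51.100.5 - - 60 - - - - 8 0 - RECEIVE
2024-05-01 10:00:05 DROP TCP 192.0.2.12 198.51.100.5 40000 445 52 S 1234569 0 8192 - - - RECEIVE
EOF
    echo "$f"
}

# DROP entries per protocol and destination port, most frequent first: "count proto dst-port".
dropped_by_port() {
    awk '!/^#/ && $3 == "DROP" { c[$4 " " $8]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn -k1,1
}

# Source addresses with at least $2 dropped packets (default 2), one per line.
noisy_sources() {
    awk -v min="${2:-2}" '!/^#/ && $3 == "DROP" { s[$5]++ }
         END { for (ip in s) if (s[ip] >= min) print ip }' "$1" | sort
}
```

Point both functions at the real file (e.g. dropped_by_port pfirewall.log) to see which ports the firewall is rejecting most and which sources keep hitting them.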