Forked from pavank/Manage Windows Firewall
Created May 7, 2019 19:49
Manage Windows Advanced Firewall with PowerShell
Set-StrictMode -Version Latest
# Constants
if (!(Test-Path variable:\NET_FW_DISABLED)) { Set-Variable NET_FW_DISABLED -Option Constant $False }
if (!(Test-Path variable:\NET_FW_ENABLED)) { Set-Variable NET_FW_ENABLED -Option Constant $True }
if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_TCP)) { Set-Variable NET_FW_IP_PROTOCOL_TCP -Option Constant 6 }
if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_UDP)) { Set-Variable NET_FW_IP_PROTOCOL_UDP -Option Constant 17 }
if (!(Test-Path variable:\NET_FW_PROFILE_DOMAIN)) { Set-Variable NET_FW_PROFILE_DOMAIN -Option Constant 0x1 }
if (!(Test-Path variable:\NET_FW_PROFILE_PRIVATE)) { Set-Variable NET_FW_PROFILE_PRIVATE -Option Constant 0x2 }
# NET_FW_PROFILE2_PUBLIC is 0x4; the original value 0x2 collided with the private profile
if (!(Test-Path variable:\NET_FW_PROFILE_PUBLIC)) { Set-Variable NET_FW_PROFILE_PUBLIC -Option Constant 0x4 }
if (!(Test-Path variable:\NET_FW_PROFILE_ALL)) { Set-Variable NET_FW_PROFILE_ALL -Option Constant 0x7FFFFFFF }
function Enable-FirewallRule([String] $name, [String] $description = "", [ScriptBlock] $filter = { $_.Name -eq $name }, [ScriptBlock] $createRule = {}) {
<#
.SYNOPSIS
Creates or enables a firewall rule
.DESCRIPTION
The Enable-FirewallRule function checks whether a given firewall rule exists, and if
it does, it enables it, if it is not already enabled. If the rule does not exist,
it is created, calling the $createRule script block to finalize the rule
.PARAMETER name
the name of the rule
.PARAMETER description
a description for the firewall rule
.PARAMETER filter
a ScriptBlock to be passed to Where-Object to determine whether or not the rule
.PARAMETER createRule
a ScriptBlock that is called when the rule is created to allow the caller to specify
any additional restrictions on the rule
.EXAMPLE
Create a rule that opens local port 8080 to all computers
Enable-FirewallRule "Enable TCP Over Port 8080" -filter { $_.Enabled -And $_.LocalPorts -And $_.LocalPorts -eq "8080" } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.LocalPorts = "8080" }
.EXAMPLE
Create a rule that allows all incoming connections to notepad.exe
Enable-FirewallRule "Enable Incoming TCP Connections to Notepad.exe" -filter { $_.Enabled -And $_.ApplicationName -And $_.ApplicationName -eq ("{0}\System32\notepad.exe" -f $Env:windir) } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.ApplicationName = ("{0}\System32\notepad.exe" -f $Env:windir) }
#>
    $rules = @($policy.Rules | Where-Object $filter)
    if ($rules.Count -eq 0) {
        # No matching rule: build a new one and let the caller's script block add restrictions
        $rule = New-Object -com HNetCfg.FWRule
        $rule.Name = $name
        $rule.Description = $description
        $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP
        if ($createRule -ne $null) { $createRule.Invoke($rule) }
        $rule.Enabled = $NET_FW_ENABLED
        # The rule only takes effect once it is added to the policy's rule collection
        $policy.Rules.Add($rule)
        Write-Host ("Created the rule ""{0}""" -f $rule.Name)
    } elseif (@($rules | Where-Object { $_.Enabled }).Count -eq 0) {
        # Matching rules exist but none is enabled: enable the first disabled one
        $rules | Where-Object { !$_.Enabled } | Select-Object -First 1 | ForEach-Object {
            $_.Enabled = $NET_FW_ENABLED
            Write-Host ("Enabled the rule ""{0}""" -f $_.Name)
        }
    } else {
        $rules | Where-Object { $_.Enabled } | ForEach-Object {
            Write-Host ("The rule ""{0}"" was already enabled" -f $_.Name)
        }
    }
}
function Disable-FirewallRules([ScriptBlock] $filter = {}) {
<#
.SYNOPSIS
Disables a set of firewall rules matching the filter
.DESCRIPTION
The Disable-FirewallRules function disables all enabled rules that match the supplied filter ScriptBlock.
.PARAMETER filter
a ScriptBlock matching all the rules to disable
.EXAMPLE
Disable all rules for incoming port 80 connections
Disable-FirewallRules { $_.LocalPorts -And $_.LocalPorts -eq "80" }
#>
    # Only rules that are currently enabled are touched; disabled matches are left alone
    $rules = @($policy.Rules | Where-Object $filter | Where-Object { $_.Enabled })
    $rules | ForEach-Object { Write-Host ("Disabling rule: ""{0}""" -f $_.Name); $_.Enabled = $NET_FW_DISABLED }
}
function Remove-FirewallRules([ScriptBlock] $filter = {}) {
<#
.SYNOPSIS
Deletes a set of firewall rules matching the filter
.DESCRIPTION
The Remove-FirewallRules function removes all rules that match the supplied filter ScriptBlock.
.PARAMETER filter
a ScriptBlock matching all the rules to remove
.EXAMPLE
Remove all firewall rules in the "Mistake" group
Remove-FirewallRules { $_.Grouping -And $_.Grouping -eq "Mistake" }
#>
    $rules = @($policy.Rules | Where-Object $filter)
    if ($rules.Count -gt 0) {
        # INetFwRules.Remove takes the rule name, not the rule object
        $rules | ForEach-Object { Write-Host ("Deleting rule: ""{0}""" -f $_.Name); $policy.Rules.Remove($_.Name) }
    } else {
        Write-Host "No rules matched the supplied filter"
    }
}
# Firewall policy COM object shared by the functions above; they resolve $policy when
# they run, so defining it after the function declarations is fine
$policy = New-Object -com HNetCfg.FwPolicy2
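As an added usage example that is not part of the gist: the functions above are used to create a rule scoped with the NET_FW_PROFILE_* constants the gist defines but never uses, followed by a small audit of the policy for enabled inbound allow rules that accept traffic from any remote address. The file name `.\Manage-Firewall.ps1`, the rule name and group, and the Direction/Action constants are assumptions not taken from the gist (the constant values are the INetFwRule enumeration values).

```powershell
# Added usage example (not part of the gist). Assumes the gist above is saved as
# .\Manage-Firewall.ps1 in the current directory and that the shell is elevated,
# since changing rules through HNetCfg.FwPolicy2 requires administrator rights.
. .\Manage-Firewall.ps1

# Direction and action values from the INetFwRule enumerations (not defined in the gist)
$NET_FW_RULE_DIR_IN = 1
$NET_FW_ACTION_ALLOW = 1

# Open TCP 8080 inbound, but only on the Domain and Private profiles and only for
# hosts on the local subnet, instead of the all-profiles/all-addresses default a
# bare rule gets. The filter matches on the exact name, so a disabled copy of this
# rule is re-enabled rather than duplicated.
$ruleName = "Web Service (TCP 8080, LocalSubnet)"   # assumed name
Enable-FirewallRule $ruleName `
    -description "Inbound 8080 for the internal web service" `
    -filter { $_.Name -eq $ruleName } `
    -createRule {
        param($rule)
        $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP
        $rule.LocalPorts      = "8080"
        $rule.Direction       = $NET_FW_RULE_DIR_IN
        $rule.Action          = $NET_FW_ACTION_ALLOW
        $rule.Profiles        = $NET_FW_PROFILE_DOMAIN -bor $NET_FW_PROFILE_PRIVATE
        $rule.RemoteAddresses = "LocalSubnet"
        $rule.Grouping        = "Internal Services"   # assumed group name
    }

function Get-UnscopedInboundAllowRules {
<#
.SYNOPSIS
Lists enabled inbound allow rules whose remote address scope is "*" (any host)
#>
    # Candidates for tightening with a RemoteAddresses scope or a narrower profile set
    $policy.Rules | Where-Object {
        $_.Enabled -and
        $_.Direction -eq $NET_FW_RULE_DIR_IN -and
        $_.Action -eq $NET_FW_ACTION_ALLOW -and
        $_.RemoteAddresses -eq "*"
    } | Select-Object Name, Protocol, LocalPorts, ApplicationName, Profiles
}

Get-UnscopedInboundAllowRules | Format-Table -AutoSize
```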