Windows Firewall: Port and Rule Management
Configure Windows Firewall on Windows Server via PowerShell and GUI. Open ports, block connections and manage rules.
Windows Server includes Windows Defender Firewall built-in. It's active by default and blocks all inbound connections not explicitly allowed.
Essential PowerShell Commands
Firewall Status
# View status of profiles (Domain, Private, Public)
Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction
# Typical output:
# Name Enabled DefaultInboundAction
# ---- ------- --------------------
# Domain True Block
# Private True Block
# Public True Block
Open a Port
# Single TCP port (e.g. web server)
New-NetFirewallRule -DisplayName "HTTP 80" `
-Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
# UDP port (e.g. game server)
New-NetFirewallRule -DisplayName "Rust Server" `
-Direction Inbound -Protocol UDP -LocalPort 28015 -Action Allow
# Port range
New-NetFirewallRule -DisplayName "Game Ports" `
-Direction Inbound -Protocol TCP -LocalPort 27015-27020 -Action Allow
# Both TCP and UDP
New-NetFirewallRule -DisplayName "DNS" `
-Direction Inbound -Protocol TCP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName "DNS UDP" `
-Direction Inbound -Protocol UDP -LocalPort 53 -Action Allow
Common Ports to Open
# RDP (already open by default on Windows Server)
New-NetFirewallRule -DisplayName "RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
# HTTP / HTTPS
New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
# SQL Server
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
# FTP
New-NetFirewallRule -DisplayName "FTP" -Direction Inbound -Protocol TCP -LocalPort 21 -Action Allow
New-NetFirewallRule -DisplayName "FTP Passive" -Direction Inbound -Protocol TCP -LocalPort 49152-65535 -Action Allow
Manage Existing Rules
# List all active inbound rules with port and protocol
# (port and protocol are not properties of the rule object; they live on its port filter)
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $p = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ DisplayName = $_.DisplayName; LocalPort = $p.LocalPort; Protocol = $p.Protocol; Action = $_.Action }
}
# Search rule by name
Get-NetFirewallRule -DisplayName "*HTTP*"
# Disable rule (without deleting)
Disable-NetFirewallRule -DisplayName "HTTP 80"
# Enable rule
Enable-NetFirewallRule -DisplayName "HTTP 80"
# Delete rule
Remove-NetFirewallRule -DisplayName "HTTP 80"
Limit Access by IP (Whitelist)
# Allow RDP only from your IP
New-NetFirewallRule -DisplayName "RDP office only" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress "1.2.3.4" `
-Action Allow
# Don't add a blanket Block rule on port 3389 to shut out everyone else: Block always
# beats Allow (see Rule Order), so it would also block 1.2.3.4. The profile's default
# inbound action is already Block, so it's enough to restrict the built-in
# "Remote Desktop" allow rules to the same address (or disable them):
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -RemoteAddress "1.2.3.4"
# Multiple IPs or subnets:
-RemoteAddress "1.2.3.4","192.168.1.0/24","10.0.0.0/8"
Rule Order
Unlike iptables, where the first matching rule wins, Windows Firewall does not evaluate rules in list order: Block rules are applied before Allow rules, so a Block rule always takes precedence over an Allow rule that matches the same port and IP.
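Because Block beats Allow and the default inbound action is Block, what actually exposes a server is the set of enabled inbound Allow rules with no source restriction. The function below, added here as an example and not part of the original article, lists those rules and flags the ones touching a watched port; the function name and the default watched-port list are assumptions, while Get-NetFirewallPortFilter and Get-NetFirewallAddressFilter are the real cmdlets that hold a rule's port and address conditions.

```powershell
# Audit enabled inbound Allow rules that accept traffic from any remote address.
# Hypothetical helper added as an example (not part of the original page).
function Get-OpenInboundRule {
    param(
        # Ports considered sensitive on this host (assumed list; adjust to your environment)
        [int[]]$WatchPorts = @(3389, 1433, 21, 445, 5985)
    )
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter      # Protocol / LocalPort conditions
        $addr = $rule | Get-NetFirewallAddressFilter   # LocalAddress / RemoteAddress conditions
        # A RemoteAddress of "Any" means the rule has no source restriction at all
        $remote = @($addr.RemoteAddress) -join ','
        if ($remote -ne 'Any') { return }
        # Flag rules that cover a watched port: an exact port, "Any", or a range
        # such as 27015-27020 that contains a watched port
        $hit = $false
        foreach ($p in @($port.LocalPort)) {
            if ($p -eq 'Any') { $hit = $true; break }
            if ($p -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                if ($WatchPorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { $hit = $true; break }
            } elseif ($p -match '^\d+$' -and $WatchPorts -contains [int]$p) { $hit = $true; break }
        }
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            LocalPort   = (@($port.LocalPort) -join ',')
            Sensitive   = $hit
        }
    }
}

# Usage: every unrestricted inbound Allow rule, sensitive ones first
Get-OpenInboundRule | Sort-Object Sensitive -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; rules whose RemoteAddress is a list or a subnet are skipped, since those already carry a source restriction.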
Block a Suspicious IP
# Block inbound connections from specific IP
New-NetFirewallRule -DisplayName "Block Suspicious IP" `
-Direction Inbound `
-RemoteAddress "1.2.3.4" `
-Action Block
# Also block outbound to that IP
New-NetFirewallRule -DisplayName "Block Outbound Suspicious IP" `
-Direction Outbound `
-RemoteAddress "1.2.3.4" `
-Action Block
Disable Firewall (test only)
# Disable all profiles: DON'T use in production
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# Re-enable
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Warning
Disabling firewall on an internet-exposed server is dangerous. Do it only temporarily for diagnostics and re-enable immediately after.
GUI: Windows Defender Firewall with Advanced Security
Open with Win+R → wf.msc
Structure:
- Inbound Rules: incoming connections
- Outbound Rules: outgoing connections
- Connection Security Rules: IPsec
To create a rule manually: right-click Inbound Rules → New Rule → Port → specify the port → Allow.
Export and Import Rules
# Export all rules to XML file
netsh advfirewall export "C:\firewall-backup.wfw"
# Import (overwrites all rules!)
netsh advfirewall import "C:\firewall-backup.wfw"
Firewall Logs
# Enable logging for blocked connections (here for the Public profile only;
# repeat for Domain and Private if those profiles are the active ones)
Set-NetFirewallProfile -Profile Public -LogBlocked True -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
# View log
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Tail 30
The log shows source IP, destination, port and action (DROP/ALLOW) for each packet.