Netsh – Managing Windows Networking and Firewall Using the Netsh Command

The netsh command is a Windows command that enables you to display and modify the network configuration of Windows computers.

We can run the netsh command in both CMD and PowerShell. To get a list of the available contexts, run the following command:

netsh help

Netsh has multiple command contexts (subcommands). Each command context has multiple subcommands you can use. For example, to get a list of the available commands under the advfirewall context, run the help command as follows:

netsh advfirewall help

You can run the help command for each context to see the different sets of available subcommands.

Configuring Network Interfaces

In the following section, we will be learning how to use the netsh command to configure Windows networking.

To list all network interfaces on your computer, run the following command:

netsh interface show interface

Use the name parameter to show the status of a specific interface:

netsh interface show interface name="Ethernet"

To check IP addresses, use the ipv4 and ipv6 contexts as follows:

netsh interface ipv4 show addresses
netsh interface ipv6 show addresses

To find the IP Address of a specific interface, use the name parameter:

netsh interface ipv4 show addresses name="Wi-Fi"

The show addresses command shows the IP Address, Subnet Mask, Default Gateway, and DHCP status.

Configuring IP Addresses

The following example shows how to assign a static IP Address to a network interface named Ethernet:

netsh interface ipv4 set address "Ethernet" static 192.168.1.10 255.255.255.0 192.168.1.1

In the above example, 192.168.1.1 is the default gateway. The following is the long format of the same command:

netsh interface ipv4 set address name="Ethernet" source=static address=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1

The following example shows how to configure a network interface to receive its IP configuration from the DHCP server:

netsh interface ipv4 set address name="Ethernet" source=dhcp

Configuring Name Servers

You can check DNS server addresses with the following two commands for IPv4 and IPv6, respectively:

netsh interface ipv4 show dnsservers
netsh interface ipv6 show dnsservers

Configure the NIC to receive DNS server address assignment from the DHCP server:

netsh interface ipv4 set dnsservers "Ethernet" source=dhcp

The following example shows how to set the primary DNS server address on the NIC named Ethernet:

netsh interface ipv4 set dnsservers name="Ethernet" static 192.168.1.1 primary

This command replaces any existing DNS server IP addresses. To add a name server without removing existing IP addresses, use the add dnsservers command:

netsh interface ipv4 add dnsservers "Ethernet" 192.168.1.1 index=1

The above command sets the primary DNS server. If other IP addresses exist, they will move down on the list.

The following command sets the secondary DNS server:

netsh interface ipv4 add dnsservers "Ethernet" 192.168.1.2 index=2

Configuring Windows Firewall

In the following section, we will be learning how to use netsh to configure Windows Defender Firewall.

First of all, you can check Windows Firewall status with the following command:

netsh advfirewall show allprofiles

The command will show the status for all Firewall profiles. To check a specific Firewall profile (public, for example), run the netsh command as follows:

netsh advfirewall show publicprofile

The netsh advfirewall show help command will show you the list of all Firewall profiles.

The following two commands turn Windows Firewall off and on, respectively, for all profiles:

netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on
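
A check for the state these commands change, as an added example that is not part of the original article: it parses show allprofiles output and reports profiles that are off or that allow inbound traffic by default. The function name Get-FirewallProfileState is hypothetical, the sample text is constructed, and English-locale output is assumed.

```powershell
# Added example; assumes English-locale netsh output.
# Live use: Get-FirewallProfileState -Lines (netsh advfirewall show allprofiles)
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound
'@ -split '\r?\n'   # constructed, trimmed sample

function Get-FirewallProfileState {
    param([string[]]$Lines)
    $name = $null; $state = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') { $name = $Matches[1]; $state = $null }
        elseif ($line -match '^State\s+(\S+)') { $state = $Matches[1] }
        elseif ($name -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            [pscustomobject]@{
                Profile   = $name; State = $state
                Inbound   = $Matches[1]; Outbound = $Matches[2]
                Enforcing = ($state -eq 'ON' -and $Matches[1] -like 'BlockInbound*')
            }
        }
    }
}

# Profiles that are switched off or that allow inbound connections by default
Get-FirewallProfileState -Lines $sample | Where-Object { -not $_.Enforcing }
```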

The following examples show how to open ports, block ports, and allow programs through Windows Firewall.

Add an inbound Firewall rule to open port 80:

netsh advfirewall firewall add rule name="allow80" dir=in protocol=tcp localport=80 action="allow"

Disable the above rule:

netsh advfirewall firewall set rule name="allow80" new enable=no

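Allow inbound connections to port 80 from IP address 192.168.1.10 only. Allow rules are additive, so the unrestricted allow80 rule above must be disabled or deleted for this restriction to take effect: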

netsh advfirewall firewall add rule name="allow80" dir=in protocol=tcp localport=80 remoteip="192.168.1.10" action=allow

Block port 80 from IP Address 192.168.1.10:

netsh advfirewall firewall add rule name="block80" dir=in protocol=tcp localport=80 remoteip="192.168.1.10" action=block

Allow a program through the Firewall:

netsh advfirewall firewall add rule name="netcat" dir=in program="C:\program files (x86)\nmap\ncat.exe" action=allow

List all Firewall rules:

netsh advfirewall firewall show rule all

List all inbound rules:

netsh advfirewall firewall show rule all dir=in

Display all the settings for inbound rules called netcat:

netsh advfirewall firewall show rule name="netcat" verbose

When using the netsh command, always use the help option to see the list of subcommands you can use. The help page also includes examples showing you how to use netsh to manage Windows networking and Firewall.