The built-in firewall of Windows XP is often dismissed as useless, but the Windows 7 firewall is powerful enough to have a "professional" feel. Today I will show you how to use the Windows 7 firewall.
As in Vista, you can do the basic configuration of the Windows 7 firewall from Control Panel. Unlike Vista, you can also reach the advanced configuration (including outbound connection filtering) from Control Panel, instead of having to create an empty MMC console and add the Windows Firewall with Advanced Security snap-in: just click "Advanced settings" in the left pane.
The Vista firewall let you choose between a public network and a private network; Windows 7 gives you three choices: public network, home network, and work network. The latter two are refinements of the private network type.
If you select "Home network", you can create a "HomeGroup". In this profile, Network Discovery is turned on automatically, so you can see other computers and devices on the network, and they can see your computer. Computers in a HomeGroup can share pictures, music, videos, document libraries, and hardware such as printers. If there are folders in a library that you do not want to share, you can exclude them.
If you select "Work network", Network Discovery is also turned on automatically, but you cannot create or join a HomeGroup. If the computer is joined to a Windows domain (Control Panel - System and Security - System - Advanced system settings - Computer Name tab) and authenticates to a domain controller, the firewall automatically classifies the network as a domain network.
The "Public network" type is the right choice when you are in an airport, hotel, or cafe, on a public Wi-Fi hotspot, or on a mobile broadband connection. Network Discovery is turned off by default, so other computers on the network cannot discover your shares, and you cannot create or join a HomeGroup.
In every network type, the Windows 7 firewall by default blocks inbound connections to any program that is not on the allowed programs list, and allows outbound connections. Windows 7 lets you configure each network type (profile) separately.
Multiple active firewall profiles
In Vista, although you have both a private and a public profile, only one profile can be active at a given time. So if your computer needs to be connected to two different networks at the same time, you are out of luck: the most restrictive profile is applied to all connections, which means you may not be able to do what you want on the local (private) network because you are operating under the public network's rules. In Windows 7 (and Server 2008 R2), a different profile can be active on each network adapter. This means that connections on the private network are governed by the private profile's rules, while traffic to and from the public network is governed by the public profile's rules.
It’s the little, inconspicuous things that make the difference
In many cases, better usability comes down to small changes, and Microsoft has listened to users and added some "unobtrusive but effective little things" to the Windows 7 firewall. For example, when you create a firewall rule in Vista, you must list each IP address and port separately. Now you can specify a range, which reduces the time spent on common administrative tasks.
You can also create Connection Security Rules in the firewall console to specify which ports or protocols require IPsec, without having to use the netsh command. For those who prefer a GUI, this is a welcome convenience.
Windows 7 also supports dynamic encryption negotiation for IPsec-protected connections. In an inbound rule that allows only secure connections, you can require encryption and additionally allow the computers to negotiate it dynamically: if the server receives traffic that is authenticated but not encrypted, the security association is renegotiated "on the fly" to add encryption, instead of the traffic simply being dropped. In netsh terms this is the security=authdynenc option of a firewall rule, and it only works when a Connection Security Rule exists to establish the IPsec association.
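The following is an added example, not code from the original article: it builds the pair of rules just described for inbound SMB (TCP 445) with the netsh advfirewall context. Assumptions made for this example: the computer is domain-joined (so Kerberos computer authentication is available), the rule names are arbitrary, and the script runs in an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example (not from the original article): require IPsec for inbound SMB
# from the local subnet and allow dynamic encryption negotiation.
# Assumes: domain membership (auth1=computerkerb), elevated session, and
# rule names chosen for this example only.

function Add-IPsecSmbRules {
    # 1. Connection security rule (the IPsec policy). Inbound TCP 445 must be
    #    authenticated with the computer's Kerberos identity; for outbound
    #    connections authentication is only requested, so this host can still
    #    reach peers that have no matching rule.
    #    Comma-separated values are quoted so PowerShell passes one argument
    #    instead of splitting them into an array.
    netsh advfirewall consec add rule name="Require IPsec for inbound SMB" `
        endpoint1=any endpoint2=any protocol=tcp port1=445 `
        action=requireinrequestout auth1=computerkerb `
        "profile=domain,private"

    # 2. Firewall rule: "allow only secure connections" with dynamic
    #    encryption. A packet that arrives authenticated but unencrypted is
    #    not dropped; the security association is renegotiated to add
    #    encryption. Without the connection security rule above no
    #    association would ever exist and this rule would block everything.
    netsh advfirewall firewall add rule name="SMB-In (IPsec, dynamic encryption)" `
        dir=in action=allow protocol=tcp localport=445 `
        remoteip=localsubnet "profile=domain,private" `
        security=authdynenc
}

function Test-IPsecSmbRules {
    # Returns $true when netsh can list both rules by name.
    $consec = netsh advfirewall consec show rule name="Require IPsec for inbound SMB"
    $fw     = netsh advfirewall firewall show rule name="SMB-In (IPsec, dynamic encryption)"
    $consecFound = @($consec | Where-Object { $_ -match '^Rule Name:' }).Count -gt 0
    $fwFound     = @($fw     | Where-Object { $_ -match '^Rule Name:' }).Count -gt 0
    return ($consecFound -and $fwFound)
}

# Usage
Add-IPsecSmbRules
Test-IPsecSmbRules
```

The order matters: create the connection security rule first, otherwise clients are cut off between the two commands. To roll back, delete both rules by name with netsh advfirewall consec delete rule and netsh advfirewall firewall delete rule.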
Configuring profiles in "Advanced settings"
In the Advanced settings console, you can configure a profile for each network type.
For each profile, you can make the following settings:
* Turn the firewall on or off
* Inbound connections (block, block all connections including allowed programs, or allow)
* Outbound connections (allow or block)
* Notification display (whether to notify you when a program is blocked)
* Allow unicast responses to multicast or broadcast requests
* Allow local administrators to create and apply local firewall rules in addition to Group Policy firewall rules (rule merging)
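The same per-profile settings can be applied from the command line. This is an added example, not code from the original article: it uses the netsh advfirewall context (the supported successor of the older netsh firewall syntax) and a small helper to read a setting back. The hardening choices for the Public profile are this example's own, not Windows defaults; it assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example (not from the original article): set the per-profile options
# listed above with "netsh advfirewall set <profile> ...".
# Assumes an elevated PowerShell session; the values chosen below are this
# example's own policy, not Windows defaults.

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Administrator) PowerShell session."
    }
}

function Set-ProfileSettings {
    param(
        [ValidateSet('domainprofile','privateprofile','publicprofile')] [string] $ProfileName,
        [ValidateSet('on','off')] [string] $State,
        # blockinbound       : block inbound unless an allow rule matches
        # blockinboundalways : block all inbound, even allowed programs
        # allowinbound       : allow inbound unless a block rule matches
        [ValidateSet('blockinbound','blockinboundalways','allowinbound')] [string] $Inbound,
        [ValidateSet('allowoutbound','blockoutbound')] [string] $Outbound,
        [ValidateSet('enable','disable')] [string] $NotifyOnBlock,
        [ValidateSet('enable','disable')] [string] $UnicastResponse,
        [ValidateSet('enable','disable')] [string] $MergeLocalRules
    )
    Assert-Elevated
    netsh advfirewall set $ProfileName state $State
    # The policy value contains a comma; quote it so PowerShell passes a single
    # argument rather than splitting it into an array of two.
    netsh advfirewall set $ProfileName firewallpolicy "$Inbound,$Outbound"
    netsh advfirewall set $ProfileName settings inboundusernotification $NotifyOnBlock
    netsh advfirewall set $ProfileName settings unicastresponsetomulticast $UnicastResponse
    # localfirewallrules = whether locally created rules are merged with
    # rules delivered by Group Policy (the last bullet above).
    netsh advfirewall set $ProfileName settings localfirewallrules $MergeLocalRules
}

function Get-ProfileSetting {
    # Read one value back from "netsh advfirewall show <profile>", e.g.
    # Get-ProfileSetting publicprofile 'Firewall Policy'
    param([string] $ProfileName, [string] $SettingName)
    $pattern = '^' + [regex]::Escape($SettingName) + '\s+(\S.*)$'
    foreach ($line in (netsh advfirewall show $ProfileName)) {
        if ($line -match $pattern) { return $matches[1].Trim() }
    }
    return $null
}

# Public profile: firewall on, drop all inbound (allowed programs included),
# allow outbound, notify on blocked programs, ignore unicast replies to
# multicast/broadcast, and ignore local rules in favour of Group Policy rules.
Set-ProfileSettings -ProfileName publicprofile -State on -Inbound blockinboundalways `
    -Outbound allowoutbound -NotifyOnBlock enable -UnicastResponse disable `
    -MergeLocalRules disable

# Private profile: inbound still allowed for whitelisted programs, local rules merged.
Set-ProfileSettings -ProfileName privateprofile -State on -Inbound blockinbound `
    -Outbound allowoutbound -NotifyOnBlock enable -UnicastResponse disable `
    -MergeLocalRules enable

Get-ProfileSetting publicprofile 'Firewall Policy'
Get-ProfileSetting publicprofile 'State'
```

Use domainprofile in the same way for domain networks, or allprofiles to apply one value everywhere. Note that disabling localfirewallrules means rules created in the local console are silently ignored once Group Policy rules apply, which is usually what you want on managed machines and confusing on unmanaged ones.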
Using netsh.exe to configure the system firewall
(1). View, enable or disable the system firewall
Open an elevated command prompt and run "netsh firewall show state" to view the status of the firewall. The output shows which functional modules of the firewall are enabled and disabled. The command "netsh firewall set opmode disable" disables the system firewall, and "netsh firewall set opmode enable" enables it again. Note that the "netsh firewall" context is deprecated on Windows 7: the commands still work, but netsh prints a warning and the supported replacement is the "netsh advfirewall" context (for example "netsh advfirewall show allprofiles" and "netsh advfirewall set allprofiles state on").
(2).Allow file and print sharing
File and print sharing are commonly used on local area networks. If you want to allow clients to access shared files or printers on this machine, run the following commands:
netsh firewall add portopening UDP 137 Netbios-ns
(Allows clients to reach UDP port 137, NetBIOS name service)
netsh firewall add portopening UDP 138 Netbios-dgm
(Allows access to UDP port 138, NetBIOS datagram service)
netsh firewall add portopening TCP 139 Netbios-ssn
(Allows access to TCP port 139, NetBIOS session service)
netsh firewall add portopening TCP 445 Netbios-ds
(Allows access to TCP port 445, SMB directly over TCP; the last argument is only the display name of the rule)
After these commands run, all the ports required for file and print sharing are allowed through the firewall. Be aware that "netsh firewall add portopening" opens the port for any source address on every profile, so a laptop that later joins a public network still has SMB exposed. In the advanced firewall, scope such rules to the Domain and Private profiles and to the local subnet instead.
(3).Allow ICMP echo
By default, Windows 7 does not answer ping (ICMP echo requests) from other hosts, for security reasons. But on a trusted LAN, ping is a basic tool that administrators need for network testing. How do you make Windows 7 answer echo requests?
You can of course set the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule under "Inbound Rules" in the firewall console to allow (if the network uses IPv6, you must also allow the corresponding ICMPv6-In rule). It is quicker to do it from the command line with netsh, though. Run "netsh firewall set icmpsetting 8" to allow echo requests (type 8 is ICMPv4 echo request; the mode defaults to enable), and "netsh firewall set icmpsetting 8 disable" to block them again.
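The following is an added example, not code from the original article: it does the three netsh tasks above (firewall state, file and printer sharing, ICMP echo) with the supported netsh advfirewall context instead of the deprecated netsh firewall one. Unlike the original commands, the rules it creates are limited to the Domain and Private profiles and to the local subnet, so the ports stay closed on public networks. The rule names are this example's own; it assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later with English netsh output.

```powershell
# Added example (not from the original article): firewall state, file and
# printer sharing, and ICMP echo via "netsh advfirewall".
# Assumes an elevated session and English netsh output (the parser below
# matches the English "Profile Settings:" and "State" labels).

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles" into a hashtable such as
    # @{ Domain = 'ON'; Private = 'ON'; Public = 'ON' }.
    $states = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
            $states[$current] = $matches[1]
        }
    }
    return $states
}

function Set-FirewallState {
    # Equivalent of "netsh firewall set opmode enable|disable", for all profiles.
    param([ValidateSet('on','off')] [string] $State)
    netsh advfirewall set allprofiles state $State
}

function Enable-FilePrintSharingLan {
    # Equivalent of the four "add portopening" commands, but restricted to the
    # LAN profiles and to peers on the local subnet. Comma-separated and
    # space-containing values are quoted so PowerShell passes them as one argument.
    $ports = @(
        @{ Name = 'NetBIOS Name Service (UDP-In)';     Protocol = 'udp'; Port = 137 },
        @{ Name = 'NetBIOS Datagram Service (UDP-In)'; Protocol = 'udp'; Port = 138 },
        @{ Name = 'NetBIOS Session Service (TCP-In)';  Protocol = 'tcp'; Port = 139 },
        @{ Name = 'SMB over TCP (TCP-In)';             Protocol = 'tcp'; Port = 445 }
    )
    foreach ($p in $ports) {
        netsh advfirewall firewall add rule "name=$($p.Name)" dir=in action=allow `
            "protocol=$($p.Protocol)" "localport=$($p.Port)" `
            remoteip=localsubnet "profile=domain,private"
    }
    # Alternative: enable Windows' own predefined rule group instead. This
    # turns the group on in every profile its rules exist in, Public included:
    #   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
}

function Set-IcmpEcho {
    # $true : allow echo requests from the local subnet on the LAN profiles,
    #         for both ICMPv4 (type 8) and ICMPv6 (type 128).
    # $false: remove the two rules again.
    param([bool] $Enabled)
    $rules = @(
        @{ Name = 'ICMPv4 Echo Request (ICMPv4-In)'; Protocol = 'icmpv4:8,any' },
        @{ Name = 'ICMPv6 Echo Request (ICMPv6-In)'; Protocol = 'icmpv6:128,any' }
    )
    foreach ($r in $rules) {
        if ($Enabled) {
            netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
                "protocol=$($r.Protocol)" remoteip=localsubnet "profile=domain,private"
        } else {
            netsh advfirewall firewall delete rule "name=$($r.Name)"
        }
    }
}

# Usage
Get-FirewallProfileState
Set-FirewallState -State on
Enable-FilePrintSharingLan
Set-IcmpEcho -Enabled $true
```

Because these rules carry profile=domain,private, the same laptop on a coffee-shop hotspot (Public profile) keeps ports 137-139 and 445 closed and does not answer ping, which is the behaviour the original "netsh firewall" commands cannot express.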