Windows Firewall bug?

  • Question

  • Why does netsh show that it changed the advfirewall state, instead of giving an error message that it cannot?

    On one server (2008 x64 SP2), I issued:
    %systemroot%\system32\netsh.exe advfirewall set allprofiles state off
    %systemroot%\system32\netsh.exe advfirewall show allprofiles state
    and got all three states shown as off, as you would normally expect.

    But I had previously set Windows Firewall settings in Group Policy. And the Windows Firewall MMC says the three firewall profiles are On, and that the administrator has configured settings etc., which is what I expect. It just doesn't match netsh advfirewall show allprofiles state.

    Isn't that a bug, and an important one? Or have I missed something?
    ______
    Greg Stigers, MCSE
    remember to vote for the answers you like
    Wednesday, October 21, 2009 7:45 PM

Answers

  • Not probably a bug, I would say. In fact, there are two registry locations where the FW configurations are stored. One is the local FW configuration and the other is the result compiled from GPOs. Why use the two locations? Because of the behaviour of the policy removal. You need to keep the local config unaffected. When you remove the affecting GPOs, you need the FW settings to get back to their previous local configuration. And it is done the simplest by just not overwriting anything and storing the GPO results somewhere else. When removing the GPO, you just delete the GPO's storage and let the local settings take effect.

    The NETSH just modifies the local settings and completely ignores the GPO results.

    Yes, it may be considered a bug, but only from the user's experience point of view. In principle, nothing makes the NETSH bother with the GPOs, because it is only a local tool for modifying the local configuration.

    ondrej.

    Thursday, October 22, 2009 2:14 PM
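The answer above says the firewall state lives in two places, the local configuration and the compiled Group Policy result, and that netsh only reads and writes the local one. The following script is an added example, not code from the thread or from Microsoft, that reads both locations per profile and reports where they disagree, so an administrator auditing a server can see the mismatch the question describes rather than trusting `netsh advfirewall show` alone. The registry paths and the `EnableFirewall` value are the well-known Windows Firewall locations, assumed here rather than taken from the thread; confirm them on your own OS version before relying on the output.

```powershell
# Added example (not from the thread): compare the locally stored firewall state
# with the Group Policy result for each profile. netsh reports the local store;
# the policy store, when present, is what the MMC shows as the effective state.
# Registry locations below are assumed (standard Windows Firewall paths).
$localBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Registry subkey names per profile; "StandardProfile" is the Private profile.
$profiles = @{
    'Domain'  = 'DomainProfile'
    'Private' = 'StandardProfile'
    'Public'  = 'PublicProfile'
}

function Get-EnableFirewall {
    param([string]$Path)
    # Returns $null when the key or value is absent (e.g. no GPO applies to this profile)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableFirewall
}

function Format-State {
    param($Value, [string]$Absent)
    # Map the DWORD (1 = on, 0 = off) to a readable label; $Absent names the missing case
    if ($null -eq $Value) { return $Absent }
    if ($Value -eq 1) { return 'On' }
    return 'Off'
}

foreach ($name in $profiles.Keys) {
    $sub    = $profiles[$name]
    $local  = Get-EnableFirewall -Path (Join-Path $localBase  $sub)
    $policy = Get-EnableFirewall -Path (Join-Path $policyBase $sub)

    # A policy value, when present, overrides the local store for the effective state
    $effective = if ($null -ne $policy) { $policy } else { $local }

    $localLabel     = Format-State -Value $local     -Absent 'unset'
    $policyLabel    = Format-State -Value $policy    -Absent 'none'
    $effectiveLabel = Format-State -Value $effective -Absent 'unknown'

    # Mismatch is the situation in the question: netsh (local) says Off, GPO result says On
    $mismatch = ($null -ne $policy) -and ($null -ne $local) -and ($policy -ne $local)

    [pscustomobject]@{
        Profile   = $name
        Local     = $localLabel
        GPO       = $policyLabel
        Effective = $effectiveLabel
        Mismatch  = $mismatch
    }
}
```

Run it from an elevated PowerShell prompt; a row with `Mismatch` set to `True` is a profile where the local store netsh reports differs from the policy-driven state the MMC displays. Because the script reads the policy store directly rather than calling netsh, it remains accurate on a server where `netsh advfirewall set allprofiles state off` has been run under an enforcing GPO.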