January 18, 2025

How to Use NETSH

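Netsh is a command-line scripting utility that lets you display or modify the network configuration of a currently running computer, either locally or remotely. Netsh also provides a scripting feature that lets you run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script to a text file for archival purposes or to help you configure other servers.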

https://learn.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)?redirectedfrom=MSDN

Typing netsh at the C:\> prompt brings up the following prompt:

netsh> 

The following commands are now available (help output as shown on Korean-language Windows):
이 컨텍스트에 있는 명령: 
.. - 한 컨텍스트 수준 위로 이동합니다. 
? - 명령 목록을 표시합니다. 
abort - 오프라인 모드에서 변경된 내용은 무시합니다. 
add - 항목 목록에 구성 항목을 추가합니다. 
advfirewall - `netsh advfirewall' 컨텍스트의 변경 내용입니다. 
alias - 별칭을 추가합니다. 
branchcache - `netsh branchcache' 컨텍스트의 변경 내용입니다. 
bridge - `netsh bridge' 컨텍스트의 변경 내용입니다. 
bye - 프로그램을 끝냅니다. 
consec - `netsh advfirewall consec' 컨텍스트의 변경 내용입니다.
commit - 오프라인 모드에서 변경한 내용을 적용합니다. 
delete - 항목 목록에서 구성 항목을 삭제합니다. 
dhcpclient - `netsh dhcpclient' 컨텍스트의 변경 내용입니다. 
dnsclient - `netsh dnsclient' 컨텍스트의 변경 내용입니다. 
dump - 구성 스크립트를 표시합니다. 
exec - 스크립트 파일을 실행합니다. 
exit - 프로그램을 끝냅니다. 
export - 현재 정책을 파일로 내보냅니다.
firewall - `netsh firewall' 컨텍스트의 변경 내용입니다. 
help - 명령 목록을 표시합니다. 
http - `netsh http' 컨텍스트의 변경 내용입니다. 
interface - `netsh interface' 컨텍스트의 변경 내용입니다. 
ipsec - `netsh ipsec' 컨텍스트의 변경 내용입니다. 
lan - `netsh lan' 컨텍스트의 변경 내용입니다. 
mbn - `netsh mbn' 컨텍스트의 변경 내용입니다. 
mainmode - `netsh advfirewall mainmode' 컨텍스트의 변경 내용입니다. 
monitor - `netsh advfirewall monitor' 컨텍스트의 변경 내용입니다.
namespace - `netsh namespace' 컨텍스트의 변경 내용입니다. 
netio - `netsh netio' 컨텍스트의 변경 내용입니다. 
offline - 현재 모드를 오프라인 모드로 설정합니다. 
online - 현재 모드를 온라인 모드로 설정합니다. 
p2p - `netsh p2p' 컨텍스트의 변경 내용입니다. 
popd - 해당 스택으로부터 컨텍스트를 표시합니다. 
pushd - 현재 컨텍스트를 스택에 넣습니다. 
quit - 프로그램을 끝냅니다. 
ras - `netsh ras' 컨텍스트의 변경 내용입니다. 
rpc - `netsh rpc' 컨텍스트의 변경 내용입니다. 
reset - 정책을 기본 초기 정책으로 재설정합니다.
set - 구성 설정을 업데이트합니다. 
show - 정보를 표시합니다. 
trace - `netsh trace' 컨텍스트의 변경 내용입니다. 
unalias - 별칭을 삭제합니다. 
wcn - `netsh wcn' 컨텍스트의 변경 내용입니다. 
wfp - `netsh wfp' 컨텍스트의 변경 내용입니다. 
winhttp - `netsh winhttp' 컨텍스트의 변경 내용입니다. 
winsock - `netsh winsock' 컨텍스트의 변경 내용입니다. 
wlan - `netsh wlan' 컨텍스트의 변경 내용입니다. 

명령에 대한 도움말을 보려면 명령을 입력한 다음 공백을 입력한 후 ?을(를) 입력하십시오.
How to use netsh advfirewall firewall
On Windows Vista and later, the netsh advfirewall firewall commands are recommended in place of netsh firewall.

1.     Allow a program

a.     netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

b.     netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\Myapp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain

2.     Allow a port

a.     netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

3.     Remove allowed program and port rules

a.     netsh advfirewall firewall delete rule name="rulename" program="C:\MyApp\MyApp.exe"

b.     netsh advfirewall firewall delete rule name="rulename" protocol=udp localport=500

4.     Configure ICMP

a.     netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

b.     netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow

5.     Configure logging

a.     netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

b.     netsh advfirewall set currentprofile logging maxfilesize 4096

c.     netsh advfirewall set currentprofile logging droppedconnections enable

d.     netsh advfirewall set currentprofile logging allowedconnections enable

6.     Turn the firewall on/off

a.     netsh advfirewall set currentprofile state on

b.     netsh advfirewall set currentprofile state on
netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound

c.     netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

d.     netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on

7.     Reset firewall settings

a.     netsh advfirewall reset

8.     Allow specific services

a.     netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

b.     netsh advfirewall firewall set rule group="remote desktop" new enable=yes

c.     netsh advfirewall firewall set rule group="remote desktop" new enable=yes profile=domain

d.     netsh advfirewall firewall set rule group="remote desktop" new enable=yes profile=private
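
An added example (not from the original post or from Microsoft): once dropped-connection logging from item 5 is enabled, a short Python script can summarize pfirewall.log by source address and flag sources probing several ports. The log lines are constructed samples, and the `min_ports` threshold is an assumption.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout: "#" header lines, then space-separated fields.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2025-01-18 10:00:01 DROP TCP 203.0.113.7 192.168.0.100 51514 3389 52 S 1111 0 8192 - - - RECEIVE
2025-01-18 10:00:02 DROP TCP 203.0.113.7 192.168.0.100 51515 1433 52 S 1112 0 8192 - - - RECEIVE
2025-01-18 10:00:03 DROP TCP 203.0.113.7 192.168.0.100 51516 445 52 S 1113 0 8192 - - - RECEIVE
2025-01-18 10:00:04 ALLOW TCP 192.168.0.50 192.168.0.100 50211 80 0 - 0 0 0 - - - RECEIVE
2025-01-18 10:00:05 DROP ICMP 198.51.100.9 192.168.0.100 - - 60 - - - - 8 0 - RECEIVE
2025-01-18 10:00:06 DROP TCP 203.0.113.7 192.168.0.100 51517 3389 52 S 1114 0 8192 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize_drops(entries, min_ports=3):
    """Count dropped inbound packets per source; list sources that hit >= min_ports ports."""
    drops, ports = Counter(), {}
    for e in entries:
        if e["action"] != "DROP" or e.get("path", "RECEIVE") != "RECEIVE":
            continue
        drops[e["src-ip"]] += 1
        if e["dst-port"] != "-":  # ICMP entries carry no port
            ports.setdefault(e["src-ip"], set()).add(int(e["dst-port"]))
    scanners = sorted(ip for ip, p in ports.items() if len(p) >= min_ports)
    return drops, scanners

if __name__ == "__main__":
    drops, scanners = summarize_drops(parse_firewall_log(SAMPLE_LOG))
    for ip, n in drops.most_common():
        print(f"{ip}: {n} dropped" + ("  <- multi-port probe" if ip in scanners else ""))
```
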
http://windowsitpro.com/networking/network-configuration-tasks-netsh

10. Show the system's current IP configuration: You can use the following command to see if the system is using DHCP or static addressing as well as to show the system's current IP address, subnet mask, gateway address, and DNS server:

netsh interface ip show config 

9. Configure a remote system: One of the best features of the Netsh command is its ability to work with remote systems as easily as it can local systems. The set machine command changes the computer that the Netsh command operates on to a different system on the network. For this command to work, you need to be logged on with an account that has administrative rights on the remote system:

netsh set machine win2008-2 

8. Working with IPv6: Netsh commands work with both Windows IPv4 and IPv6 network stacks. To display your system's IPv6 address, use the following Netsh command:

netsh interface ipv6 show address 

7. Enable and disable Windows Firewall: Netsh can work with the built-in Windows Firewall. With the release of Windows Server 2008, the older Netsh firewall commands have been deprecated and replaced by the advfirewall commands. The following commands show how to disable then re-enable the Windows Firewall:

netsh advfirewall set currentprofile state off
netsh advfirewall set currentprofile state on 

6. Open a firewall port: You can also use Netsh to open ports in the firewall for various applications. The following example shows how to open TCP port 1434 for Microsoft SQL Server access:

netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1434 

5. Display network adapters and their status: Many of the Netsh configuration commands require you to supply the name of the interface that you want to configure. The default value is usually Local Area Connection, but many administrators and users change this value. To find the name of the system's network adapters or a system's wireless network adapters, use the following commands:

netsh interface show interface
netsh wlan show interface 

4. Configure a network adapter to use a static IP address: The following example shows how you use Netsh to set the IP address of the network adapter named Local Area Connection to 192.168.0.100, the subnet mask to 255.255.255.0, and the gateway address to 192.168.0.254:

netsh interface ip set address "Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.254 1 

3. Configure a network adapter with the address of a DNS server: When you change the system's IP address type to static, you typically need to change the DNS configuration as well. This example shows how you use Netsh to configure the Local Area Connection to use a DNS server with the address 192.168.0.2:

netsh interface ip set dns "Local Area Connection" static 192.168.0.2 

2. Add a second DNS server to a network adapter's configuration: Many networks use multiple DNS servers. To add a secondary DNS server with the address 192.168.0.3, use the following command:

netsh interface ip add dnsserver "Local Area Connection" 192.168.0.3 

1. Set a network adapter to use a DHCP-assigned IP address: You can also use Netsh to set your system's network adapter to use a DHCP server for its IP address and to dynamically obtain the address of your network's DNS servers. The following Netsh command configures your network adapter to use DHCP and DNS:

netsh interface ip set address "Local Area Connection" dhcp
netsh interface ip set dns "Local Area Connection" dhcp

http://windowsitpro.com/windows-server/top-10-windows-firewall-netsh-commands

10. Query firewall rules: One of the first things you'll probably need to use netsh for is to discover Windows Firewall's current configuration properties. You can query Windows Firewall settings using the following netsh command:

netsh advfirewall firewall show rule name=all

9. Enable and disable Windows Firewall: It's typically a best practice to leave Windows Firewall enabled, but sometimes when you're performing testing or setting up new applications, you need to turn Windows Firewall off for a period. The following commands illustrate how to turn Windows Firewall off and then back on:

netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on

8. Reset Windows Firewall: If you make a mistake configuring Windows Firewall, you might want to use the following netsh command to reset it back to its default settings:

netsh advfirewall reset

7. Set logging: The default path for the Windows Firewall log files is \Windows\system32\LogFiles\Firewall\pfirewall.log. The netsh command below changes the location of the log file to the C:\temp directory:

netsh advfirewall set currentprofile logging filename "C:\temp\pfirewall.log"

6. Allow and prevent ping: You can use netsh to control how and if a given system responds to ping requests. The following two netsh commands show how you can block and then open Windows Firewall to ping requests:

netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=block protocol=icmpv4
netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=allow protocol=icmpv4

5. Enable and delete a port: One of the most common things you need to do with Windows Firewall is open ports that are used by different programs. The following examples show how to use netsh to create a rule to open and then close port 1433, which is used by Microsoft SQL Server:

netsh advfirewall firewall add rule name="Open SQL Server Port 1433" dir=in action=allow protocol=TCP localport=1433
netsh advfirewall firewall delete rule name="Open SQL Server Port 1433" protocol=tcp localport=1433

4. Enable a program: Another common task is opening Windows Firewall for a given program. The following example illustrates how to add a rule that enables Windows Live Messenger to work through Windows Firewall:

netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\programfiles\messenger\msnmsgr.exe"

3. Enable remote management: Another common requirement, especially when you're setting up new systems, is to enable remote management so that tools such as the Microsoft Management Console can connect to remote systems. To open Windows Firewall for remote management, you can use the following command:

netsh advfirewall firewall set rule group="remote administration" new enable=yes

2. Enable Remote Desktop Connection: One of the first things I do with most of the server systems I set up is enable Remote Desktop Connection for easy remote systems management. The following command shows how to use netsh to open Windows Firewall for Remote Desktop Connections:

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

1. Export and import firewall settings: After you get Windows Firewall configured, it's a good idea to export your settings so that you can easily reapply them later or import them into another system. In the following netsh commands, you can see how to export and then import your Windows Firewall configuration:

netsh advfirewall export "C:\temp\WFconfiguration.wfw"
netsh advfirewall import "C:\temp\WFconfiguration.wfw"
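
An added example (not from the original article): the output of `netsh advfirewall firewall show rule name=all` from item 10 can be audited for enabled inbound allow rules that accept any remote address on the Public profile, as a rule created without `remoteip` or `profile` does. It assumes English-locale output; the sample dump is constructed and trimmed to the fields the check reads.

```python
# Constructed sample of English-locale `show rule name=all` output (trimmed field set).
SAMPLE_RULES = """\
Rule Name:                            Open SQL Server Port 1433
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            1433
Action:                               Allow

Rule Name:                            My Application
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             157.60.0.1/32,172.16.0.0/16,LocalSubnet
Action:                               Allow

Rule Name:                            All ICMP V4
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Action:                               Block
"""

def parse_rules(text):
    """Turn each blank-line-separated block of 'Key: value' lines into a dict."""
    rules, rule = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last rule
        key, sep, value = line.partition(":")
        if sep:
            rule[key.strip()] = value.strip()
        elif not line.strip() and rule:  # blank line ends the current rule
            rules.append(rule)
            rule = {}
    return rules

def exposed_rules(rules):
    """Names of enabled inbound allow rules open to any remote address on Public."""
    return [r["Rule Name"] for r in rules
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
            and "Public" in r.get("Profiles", "")]

if __name__ == "__main__":
    print(exposed_rules(parse_rules(SAMPLE_RULES)))
```
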

http://windowsitpro.com/windows/jsi-tip-7908-netsh-command-syntax-netsh-firewall-context
----------------------
The following Netsh commands can be used in scripts or at the command line to configure Windows Firewall for IPv4 and IPv6 traffic when executed from the netsh firewall context:
add allowedprogram
set allowedprogram
delete allowedprogram
set icmpsetting
set multicastbroadcastresponse
set notifications
set logging
set opmode
add portopening
set portopening
delete portopening
set service
show

Microsoft describes the set portopening context as follows:

Used to modify the settings of an existing open TCP or UDP port.
Syntax:
set portopening [ protocol = ] TCP|UDP|ALL [ port = ] 1-65535 [ [ name = ] name [ mode = ] ENABLE|DISABLE [ scope = ] ALL|SUBNET [ profile = ] CURRENT|DOMAIN|STANDARD|ALL [ interface = ] name ]
protocol - The protocol.
           TCP
           UDP
           ALL - All protocols.
port - The port.
name - The friendly name.
mode - The mode. If no mode is specified, ENABLE is assumed.
       ENABLE  - Enforced by the firewall.
       DISABLE - Not enforced by the firewall.
scope - The scope. If no scope is specified, SUBNET is assumed.
       ALL    - All traffic will be allowed.
       SUBNET - Only local subnet traffic will be allowed.
profile - The profile. If no profile is specified, CURRENT is assumed.
       CURRENT  - The current profile.
       DOMAIN   - The domain profile.
       STANDARD - The standard profile.
       ALL      - All profiles.
interface - The friendly name of the interface from Network Connections.
NOTE: The profile and scope parameters may not be used if specifying the interface parameter.