【Question title】: Why does the Windows command shell tell me to use a different command and then say that command does not exist?
【Posted】: 2013-11-20 20:17:47
【Question description】:

Regarding my handheld device app's problem using Web API RESTful methods, discussed here (Does an ASP.NET Web API app need to be installed into the "real" IIS before a handheld device can access its RESTful methods?), I tried to verify that I don't have a firewall problem by using the shell command described here: http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx, specifically:

netsh firewall add portopening TCP 80 IISExpressWeb enable ALL

I also used port 777, because that is what I set in applicationhost.config:

<bindings>
  <binding protocol="http" bindingInformation="*:28642:localhost" />
  <binding protocol="http" bindingInformation="*:777:192.168.125.50" />
  <binding protocol="https" bindingInformation="*:44300:localhost" />
</bindings>

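Doing this, I got this finger from the command shell:

IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead.

So, I then entered the following (the traditional/default port 80, as shown in Hanselman's post, and then the one (777) that I added to applicationconfig.host when the traditional one failed), one after the other: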

netsh advfirewall firewall add portopening TCP 80 IISExpressWeb enable ALL
netsh advfirewall firewall add portopening TCP 777 IISExpressWeb enable ALL

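However, after entering the command (or suggestion) from the command shell, I got the following feedback from the cmd shell (twice):

The following command was not found: advfirewall firewall add portopening TCP 80 IISExpressWeb enable ALL.

So it tells me to use the newfangled command, and then says there is no such thing! What's the story here? Is there a way to actually use the new command? Is my syntax wrong, or ...???

【Question discussion】:

    Tags: command-line tcp port iis-express windows-firewall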


    【Solution 1】:

    Typing netsh /? at the command prompt explains the available options, and to see information about an option you type netsh <option> /?. Using

    I:\>netsh advfirewall /?
    
    The following commands are available:
    
    Commands in this context:
    ?              - Displays a list of commands.
    consec         - Changes to the `netsh advfirewall consec' context.
    dump           - Displays a configuration script.
    export         - Exports the current policy to a file.
    firewall       - Changes to the `netsh advfirewall firewall' context.
    help           - Displays a list of commands.
    import         - Imports a policy file into the current policy store.
    mainmode       - Changes to the `netsh advfirewall mainmode' context.
    monitor        - Changes to the `netsh advfirewall monitor' context.
    reset          - Resets the policy to the default out-of-box policy.
    set            - Sets the per-profile or global settings.
    show           - Displays profile or global properties.
    
    The following sub-contexts are available:
     consec firewall mainmode monitor
    
    To view help for a command, type the command, followed by a space, and then
     type ?.
    

    You can apply <command> /? more deeply, such as netsh advfirewall firewall /?, which leads to netsh advfirewall firewall add /?, which leads to

    I:\>netsh advfirewall firewall add rule /?
    
    Usage: add rule name=<string>
          dir=in|out
          action=allow|block|bypass
          [program=<program path>]
          [service=<service short name>|any]
          [description=<string>]
          [enable=yes|no (default=yes)]
          [profile=public|private|domain|any[,...]]
          [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
          [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=a
    ny)]
          [remoteport=0-65535|<port range>[,...]|any (default=any)]
          [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
             tcp|udp|any (default=any)]
          [interfacetype=wireless|lan|ras|any]
          [rmtcomputergrp=<SDDL string>]
          [rmtusrgrp=<SDDL string>]
          [edge=yes|deferapp|deferuser|no (default=no)]
          [security=authenticate|authenc|authdynenc|authnoencap|notrequired
             (default=notrequired)]
    
    Remarks:
    
          - Add a new inbound or outbound rule to the firewall policy.
          - Rule name should be unique and cannot be "all".
          - If a remote computer or user group is specified, security must be
            authenticate, authenc, authdynenc, or authnoencap.
          - Setting security to authdynenc allows systems to dynamically
            negotiate the use of encryption for traffic that matches
            a given Windows Firewall rule. Encryption is negotiated based on
            existing connection security rule properties. This option
            enables the ability of a machine to accept the first TCP
            or UDP packet of an inbound IPsec connection as long as
            it is secured, but not encrypted, using IPsec.
            Once the first packet is processed, the server will
            re-negotiate the connection and upgrade it so that
            all subsequent communications are fully encrypted.
          - If action=bypass, the remote computer group must be specified when dir=i
    n.
          - If service=any, the rule applies only to services.
          - ICMP type or code can be "any".
          - Edge can only be specified for inbound rules.
          - AuthEnc and authnoencap cannot be used together.
          - Authdynenc is valid only when dir=in.
          - When authnoencap is set, the security=authenticate option becomes an
            optional parameter.
    
    Examples:
    
          Add an inbound rule with no encapsulation security for messenger.exe:
          netsh advfirewall firewall add rule name="allow messenger"
          dir=in program="c:\programfiles\messenger\msmsgs.exe"
          security=authnoencap action=allow
    
          Add an outbound rule for port 80:
          netsh advfirewall firewall add rule name="allow80"
          protocol=TCP dir=out localport=80 action=block
    
          Add an inbound rule requiring security and encryption
          for TCP port 80 traffic:
          netsh advfirewall firewall add rule
          name="Require Encryption for Inbound TCP/80"
          protocol=TCP dir=in localport=80 security=authdynenc
          action=allow
    
          Add an inbound rule for messenger.exe and require security
          netsh advfirewall firewall add rule name="allow messenger"
          dir=in program="c:\program files\messenger\msmsgs.exe"
          security=authenticate action=allow
    
          Add an authenticated firewall bypass rule for group
          acmedomain\scanners identified by a SDDL string:
          netsh advfirewall firewall add rule name="allow scanners"
          dir=in rmtcomputergrp=<SDDL string> action=bypass
          security=authenticate
    
          Add an outbound allow rule for local ports 5000-5010 for udp-
          Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010
    action=allow
    

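    【Discussion】:

    • While true, this isn't a very useful answer, since it doesn't show any of the add rule syntax used with advfirewall firewall. Edit: netsh advfirewall firewall add rule /? may be more useful.
    • @admdrew: I provided information on digging deeper using the netsh command /? syntax. It also goes on to apply it deeper, e.g. netsh advfirewall firewall /?, which leads to netsh advfirewall firewall add /?.
    • Exactly. However, "As you can see, add portopening is not one of them." doesn't really answer the question, since the poster is looking for the updated syntax.
    【Solution 2】:

    I'm just adding this for future "generations" - I wish I could split the answer check between Ken White and admdrew; the first did so much work that I think I'll give it to him, though both answers are good. I actually found what I needed in a comment on the Hanselman post referenced at the top of my question (written by Blake, about 60% of the way down the page).

    I had to type "cmd" in the Start > Run box, mash Ctrl+Shift+Enter to run the shell as administrator, and then enter the following commands: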

    netsh advfirewall firewall add rule name="IISExpressWeb" dir=in protocol=tcp localport=80 profile=private remoteip=localsubnet action=allow
    
    netsh advfirewall firewall add rule name="IISExpressWeb" dir=in protocol=tcp localport=777 profile=private remoteip=localsubnet action=allow
    

    They ran without any squawking from the Microsoft elves inside the console (after I pasted and ran them, they meekly echoed back a simple "Ok.").

    【Discussion】:
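
The rule-based replacement for the deprecated add portopening commands from the question, as an added example that is not part of the original thread: a cmd batch script that creates one inbound rule per port with the same scope as Solution 2 (private profile, local subnet only), skips rules that already exist, and deletes them again when called with remove. The per-port name suffix and the remove argument are assumptions made for this example.

```bat
@echo off
rem Added example, not code from the thread. Opens the development ports with
rem "netsh advfirewall firewall add rule" and can remove them again.
rem Assumptions: the name prefix, the port list and the "remove" argument.
setlocal
set "PREFIX=IISExpressWeb"
set "PORTS=80 777"

rem Changing firewall policy needs an elevated prompt (see Solution 2);
rem "net session" fails when the prompt is not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated command prompt.
    exit /b 1
)

if /i "%~1"=="remove" goto :remove

for %%P in (%PORTS%) do (
    rem One uniquely named rule per port. netsh accepts duplicate names, and
    rem "delete rule name=..." then removes every rule that shares the name.
    netsh advfirewall firewall show rule name="%PREFIX%-%%P" >nul 2>&1
    if errorlevel 1 (
        netsh advfirewall firewall add rule name="%PREFIX%-%%P" dir=in protocol=tcp localport=%%P profile=private remoteip=localsubnet action=allow
    ) else (
        echo Rule %PREFIX%-%%P already exists, skipping.
    )
)

rem Print the resulting rules so profile, remote scope and port can be reviewed.
for %%P in (%PORTS%) do netsh advfirewall firewall show rule name="%PREFIX%-%%P"
exit /b 0

:remove
rem Take the openings out again once device testing is finished.
for %%P in (%PORTS%) do netsh advfirewall firewall delete rule name="%PREFIX%-%%P"
exit /b 0
```

Keeping profile=private and remoteip=localsubnet, as in Solution 2, limits the opening to the local network instead of the ALL scope used in the deprecated command.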

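      【Solution 3】:

      It looks like this is just a syntax problem; portopening is not a valid option for advfirewall. Check out:

      Running netsh advfirewall firewall add rule /? from the command line will also give you a bunch of syntax information.

      【Discussion】: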
