Question about Windows Firewall Rules
I am using Windows 7 64-bit Ultimate Edition, with all patches and updates applied. I use Windows Firewall and MSE for security. This question is about my home machines, which are connected to the Internet through a cablemodem. I have no hardware firewall.
I am having trouble creating a firewall rule that would do the following task:
- for a program that I choose, BLOCK all incoming connections, and BLOCK all outgoing connections, EXCEPT allow outgoing connections ONLY to a single IP address that I specify
I have tried doing this in multiple ways, but none of them works.
I used WF.msc to create a rule for outbound connections. I chose "custom rule" and within the scope, I specified the single IP that I want to allow for outgoing connections.
However, that rule doesn't block outgoing connections at all. It still permits ALL outgoing connections, instead of to the single IP I specified.
If I make a second rule blocking all IP connections, then ALL are blocked. It makes no exception for the single IP that I allowed.
I am wondering if I'm doing something wrong, or if this is simply a limitation of the Windows firewall. I have the feeling that I'm making a mistake somewhere, since I find it hard to believe that any firewall would not be sufficiently powerful for such a simple rule.
Any help is much appreciated.
May 20th, 2010 11:27pm
Hi,
Based on my research, I would like to share with you the following article on blocking a certain program via Windows Firewall.
Windows Firewall Is Blocking a Program
Thanks,
Novak
May 21st, 2010 5:43am
Thanks for your reply. I read your link and found some general information about the firewall, but nothing that answers my question.
As I said, I want to make a rule for a specific program, which blocks all outbound traffic, EXCEPT to a single IP host that I specify.
I can make such a rule in Windows 7 Firewall, but the problem is that Windows 7 Firewall ignores the rule and permits outbound connections to ALL IPs by that program.
Since posting my question, I did a lot of reading on the Technet site as well as on other sites. I found no answer, though I see that a lot of people have asked this same question before.
This is my understanding so far (but I am not a computer expert, so I may be wrong):
1. The default behavior of the Windows 7 firewall is to allow all outbound traffic.
2. This was a deliberate decision on the part of MS.
3. Because of this default behavior, even if I make a rule that says "block all outbound for program X, except outbound to IP xxx.xxx.xxx.xxx" the default behavior continues to allow ALL outbound to ALL IPs by program X.
4. The only way to change it is to change the default behavior, to block outbound by all programs. Then I could specifically allow outbound connections for programs of my choosing.
5. However, Windows 7 Firewall was not built to work like this. If you set the default to block all outbound, Windows 7 Firewall will NOT pop up notifications to tell you which program it has blocked on which port, and then give you the option to permit it. This pop-up notification feature is standard on most firewalls, but NOT on Windows 7 Firewall.
6. The result is that if you change the default to block all outgoing, many programs and essential Windows features will suddenly stop working. Since there are no pop-up notifications, it would be up to the user to figure out which programs need what kind of access and then specifically grant it. For Windows components, the task is even harder. You have to figure out which program is using which service to communicate and then allow that. Worse, there is no information about where the program that was blocked is located, on which drive and in which directory. The user has to figure all that out for himself.
7. This is not a problem on other firewalls, such as Norton or Zone Alarm, etc., because if you set them to block all outgoing by default, they have a "learning period" so that the first time a program tries to initiate an outbound connection, a pop-up appears on your screen telling you the program name, location, port, and what IP it tried to connect to. And right on that pop-up are two buttons for "Allow" or "Deny", which let you allow access for essential programs and Windows components, without being forced to find them manually.
8. But these pop-ups are missing in Windows 7 Firewall, apparently because MS decided that they forced too much burden of clicking on the user, who might not know whether he ought to press "Allow" or "Deny". They figured it would lead to too many phone calls to the help lines from confused users. So they simply changed their default to allow all outbound, on the presumption that if a program is already on your computer, it must be good. This might work from some security perspective, but it's a problem for users like me.
Because this is an essential feature for me, I have been forced to turn off the Windows 7 Firewall, and use Norton Security Suite instead. I hate doing that, because Norton Security Suite forces me to use Norton Anti-Virus as well if I am using their firewall.
So I was forced to remove Microsoft Security Essentials as well.
Further, I need to implement the same behavior on all notebooks in our department. This means that not only do I have to buy Norton for myself, I have to buy it for a lot of machines.
I am still hoping that there is some way to implement the rule I need in Windows 7 Firewall, so I won't have to do this. But so far I have been unable to figure it out. :(
May 21st, 2010 7:29am
Hi,
Did you find the solution? I'm coping with the same problem.
February 3rd, 2011 5:31am
If you ever return, congrats on a good piece of work. And I share your frustration. Comodo firewall (a standalone) might help with this.
I've avoided Windows firewall on this particular computer (XP) by keeping Zone Alarm Pro 4.5.59 -- from 2003! As far as I can tell, it's better than the WF I have on a laptop running both XP and Win 7 -- more configurability, a learning mode, outgoing notifications for programs you haven't authorized, clearer logs, etc. MSFT should have choked off the "innovation" impulse (aka not made here) for the firewall, and just copied the features of a good one.
March 20th, 2011 6:14pm
If you go to "Control Panel > System & Security > Windows Firewall", your goal should be to have both "Incoming connections" and "Outgoing connections" say "Block ..."
If it does not say that then you need to go to "Advanced Settings" and change the "Windows Firewall Properties" for each profile.
There you should find drop down boxes for "Inbound connections" and "Outbound connections".
Click away.
March 20th, 2011 10:13pm
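The procedure in the reply above, carried through at the command line as an added example (it is not code from the thread). It flips every profile to block outbound by default, adds the one allow rule the question asked for, and then turns on Windows Filtering Platform failure auditing so that each blocked connection is written to the Security log as event 5157 together with the process path; that log stands in for the pop-ups earlier replies say Windows Firewall lacks. The program path, the allowed address and the rule name are placeholders I chose. Run it from an elevated PowerShell prompt at the console, because the policy change takes effect immediately and will also cut off anything the machine itself was talking to until an allow rule exists for it.

```powershell
# Added example, not code from the thread. Placeholders (assumptions, not from
# the original posts):
$Program   = 'C:\Program Files\Example\client.exe'   # hypothetical program
$AllowedIP = '203.0.113.10'                          # RFC 5737 documentation address
$RuleName  = 'client.exe outbound to single host'

# 1. Default-deny both directions on every profile. From now on only explicit
#    allow rules pass traffic, which is what turns a per-program allow rule
#    with a single-address scope from a no-op into a restriction.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The single allow rule. Block rules always win over allow rules in Windows
#    Firewall, so do NOT pair this with a "block everything" rule for the same
#    program (that is why the original poster's two-rule attempt blocked all);
#    the profile default already does that job.
netsh advfirewall firewall add rule "name=$RuleName" dir=out action=allow "program=$Program" "remoteip=$AllowedIP" enable=yes

# 3. Replace the missing pop-ups: audit WFP connection failures. Each blocked
#    connection becomes Security event 5157 with the process path, destination
#    and port. On non-English Windows use the localized subcategory name
#    (auditpol /list /subcategory:* shows them).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# Summarise recent 5157 events by application and destination, so you can see
# which programs and Windows components the new default is breaking and write
# allow rules for exactly those.
function Get-BlockedConnections {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the fields by name from the event XML, not by position and
            # not from the localized message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                Application = $data['Application']   # NT device path, e.g. \device\harddiskvolume2\...\client.exe
                Direction   = $data['Direction']     # %%14592 = inbound, %%14593 = outbound
                Destination = "$($data['DestAddress']):$($data['DestPort'])"
                Protocol    = $data['Protocol']      # IANA protocol number: 6 = TCP, 17 = UDP
            }
        } |
        Group-Object Application, Destination |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-BlockedConnections | Format-Table -AutoSize
```

The Application field is an NT device path rather than a drive letter, but it does identify the executable and its directory, which is the information the original poster said was missing. Expect svchost.exe (DNS client, DHCP, Windows Update) near the top of the list after the switch; those need their own allow rules before the machine is usable again.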
Hi,
Maybe something like this should do the trick:
(In elevated command prompt)
C:\windows\system32>netsh advfirewall firewall add rule name="telnet-block" dir=out action=block program=c:\windows\system32\telnet.exe remoteip=0.0.0.0-10.10.10.1,10.10.10.3-255.255.255.255 description="block everything outbound except for 10.10.10.2"
(with, of course, default rule allowing outbound connection)
I did some tests (with telnet.exe); it works only if you specify the full path of the program in the rule definition.
Please report whether it works for you.
Hope this helps
jean-marc Haby
March 21st, 2011 5:59pm
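The same trick generalised to any list of allowed IPv4 addresses, as an added example that is not code from the post above: it computes the complementary address ranges and builds the netsh block rule from them, so with a single allowed address it reproduces the remoteip list in the command above. The program path and the addresses are placeholders; like the original command it relies on the profile's outbound default still being Allow. Two caveats the post does not mention: the rule covers IPv4 only, so a host with IPv6 connectivity needs an equivalent IPv6 rule or IPv6 disabled on that interface, and Windows Firewall matches program rules by path, so a copy of the executable under another name is not covered by the rule.

```powershell
# Added example, not code from the thread. Generalises the block-all-except
# approach above to any set of allowed IPv4 addresses. Placeholders:
$Program    = 'C:\Windows\System32\telnet.exe'
$AllowedIPs = @('10.10.10.2', '203.0.113.10')      # addresses the program may reach

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted quad -> host-order integer, via the network-order bytes.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Ip" }
    [array]::Reverse($bytes)
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$N) {
    # Host-order integer -> dotted quad.
    $bytes = [System.BitConverter]::GetBytes($N)
    [array]::Reverse($bytes)
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Get-BlockedRanges ([string[]]$AllowedIPs) {
    # Every gap between consecutive allowed addresses, plus the gaps at both
    # ends of the IPv4 space, as netsh "first-last" ranges.
    $allowed = @($AllowedIPs | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique)
    $ranges  = @()
    [uint64]$next = 0                        # lowest address not yet covered
    foreach ($a in $allowed) {
        if ([uint64]$a -gt $next) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 ([uint32]$next)), (ConvertFrom-UInt32 ([uint32]([uint64]$a - 1))))
        }
        $next = [uint64]$a + 1
    }
    if ($next -le 4294967295) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 ([uint32]$next)), '255.255.255.255')
    }
    $ranges
}

function New-BlockAllExceptRule ([string]$Name, [string]$Program, [string[]]$AllowedIPs) {
    $remote = (Get-BlockedRanges $AllowedIPs) -join ','
    # netsh needs the full program path; a bare file name silently matches nothing.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$Name", 'dir=out', 'action=block', "program=$Program",
                   "remoteip=$remote",
                   "description=block outbound except $($AllowedIPs -join ', ')")
    & netsh $netshArgs
}

# Show the ranges that will be blocked, then create the rule (elevated prompt).
Get-BlockedRanges $AllowedIPs
New-BlockAllExceptRule -Name "$(Split-Path $Program -Leaf) block-all-except" -Program $Program -AllowedIPs $AllowedIPs
```

Because the profile default stays Allow, everything else on the machine keeps working; only the named program is confined, which is the practical advantage of this approach over switching the default to Block. The cost is that each confined program needs its own rule, and the confinement is only as strong as the path match.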