The primary focus of Windows Firewall is managing inbound connections. The initial versions of Windows Firewall did not support outbound packet filtering at all. Over the years Microsoft added a large number of features to Windows Firewall; one of them being outbound packet filtering.
Windows Firewall still has some limitations when it comes to managing outbound connections. This is reasonable enough since inbound connections pose the real threat. While Windows Firewall is lacking in terms of convenience when it comes to outbound packet filtering, it does not lack power. The limitations are discussed later in the article.
Allow-rules for inbound connections
By default Windows Firewall is set to block all inbound connections, except those explicitly permitted by a rule. Windows Firewall comes with many predefined inbound rules. Some of these are enabled by default; some are not; all of them are Allow rules. These rules are meant for features like file and printer sharing, network discovery, etc.
Creating inbound rules on the fly
When an incoming connection is blocked, Windows Firewall would display a notification informing you of the fact. You can choose whether to allow access to the application, Windows Firewall will remember your decision.
Windows Firewall shows this notification only when it blocks an inbound connection as a result of the global block rule. If you have explicitly told it to block an app, it will block without any notification.
Before allowing access, you have to verify that the application is a trusted one. Remember that only certain categories of applications like peer-to-peer applications or server applications require inbound connections. If you want to allow incoming connections to the app in question, click the Allow access button. Windows Firewall would automatically create a rule permitting inbound connections for the app.
What if you clicked on the Allow Access button by mistake and want to correct? See the next section to see how.
Creating inbound rules in advance
Control Panel contains the basic settings for Windows Firewall. You can enable, disable, create or delete inbound rules here.
Press WIN+R to open the run dialog box.
Type control panel and hit ENTER
Search for Windows Firewall in the search box; then click on Windows Firewall from the results.
This opens the basic settings window of Windows Firewall. Click on the Allow an app or feature through Windows Firewall option.
Here you can see the list of apps that are allowed to accept incoming connections.
You need to click the Change settings button before you can make changes in this window. If there is a tick mark next to an app, it means that the rule for that app is active and the app is allowed to receive incoming connections. The Private and Public columns refer to the type of connection; whether the rule should apply to trusted private connections or to untrusted public connections like the internet or both.
To remove an allowed app from the list, click on the app in the list and click Remove.
To add a new app to the list of allowed apps, click the Allow another app button at the bottom of the Window.
Select the app you want to add; choose the network type for which the new rule should apply; then click add.
Creating inbound rules using advanced settings
Windows Firewall also has an advanced settings app, which is part of the Windows Management Console. We can add inbound rules via the advanced settings window as well. I will introduce advanced settings in the outbound rules section since in the case of outbound rules it is necessary to go the advanced route. The workflow for managing inbound and outbound rules is quite similar in the advanced settings window.
Rules for outbound connections
Windows Firewall allows outbound connections by default. If any of the outbound rules match the connection, it would apply the rule, otherwise, the connection is allowed. As with inbound rules, Windows Firewall comes with a number of built-in outbound rules. In order to create outbound rules of your own, you need to access the advanced settings of Windows Firewall.
- Click Start
- Search for wf.msc
- Hit ENTER
Click on the Outbound rules option. This would open a wizard-style window which will guide you through the creation of the new rule.
Here you need to choose the type of rule you want. For an application-specific rule, choose the Program option and click next.
Choose the application you want to allow or block; then click next.
Choose the type of action you want Windows Firewall to perform if the rule matches a connection. For outbound connections, the most popular choice will be Block the connection.
Choose the network type/types for which you want the rule to apply. I assume most of you want to allow or block an application from accessing the internet. Making sure that the Public option is checked should achieve that. However, it does depend on how you have set up your internet connection.
Finally, give a name and an optional description for the rule and click finish. You can find the new rule in the rules list. If you want to access more advanced options for the rule, right-click on the rule and choose properties.
Using PowerShell to create firewall rules
If you are familiar with PowerShell, you can use it to create Windows Firewall rules. Here are some very basic examples.
You will have to run PowerShell as administrator for many of these commands to work.
Be careful with PowerShell
Please be extremely careful while using PowerShell to manage Windows Firewall. Mistakes could cause a lot more harm than you might imagine. For example, using the Remove-NetFirewallRule cmdlet without any parameters would delete all static local firewall rules from your computer. Make sure to run each command with the -WhatIf switch first; run the command for real only after making sure that it is safe.
# Create a new rule allowing Deluge to accept inbound connections New-NetFirewallRule -DisplayName "Allow Deluge" -Direction Inbound -Program "C:\Program Files (x86)\Deluge\deluge.exe" -Action allow # Create a new rule blocking Firefox from making outbound connections New-NetFirewallRule -DisplayName "Block Firefox" -Direction Outbound -Program "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -Action block # Modify properties of an existing firewall rule Set-NetFirewallRule -DisplayName "Block Firefox" -Profile Public # Disable the block firefox rule Disable-NetFirewallRule -DisplayName "Block Firefox" # Enable the block firefox rule Enable-NetFirewallRule -DisplayName "Block Firefox" # Remove the block firefox rule Remove-NetFirewallRule -DisplayName "Block Firefox"
These examples barely scratch the surface of what you can do with PowerShell. Each of these cmdlets supports a large number of options. Please see the documentation of the cmdlets for details.
Block outbound connections by default
As mentioned before Windows Firewall allows outbound connections by default. It can be set to block all outbound connections except those which are explicitly allowed by a rule. This can be useful in an enterprise setting where you want tight control over exactly which application is allowed to connect to the internet. Windows Firewall can be controlled via group policy as well. Home users are likely to find Windows Firewall quite difficult to manage with a block all outbound policy enabled. Windows Firewall lacks a couple of features commonly found in third-party firewalls.
No notification when an outbound connection is blocked
Windows Firewall does not show a notification when it blocks an outgoing connection, even if the block is triggered by a global block rule. This behavior is different from its own behavior with regard to incoming connections. As described at the start of the article, when Windows Firewall blocks an inbound connection it shows a notification. You can create a firewall rule on the fly via this notification. This feature is not available when it comes to outbound connections. In an enterprise setting, you would not want a user-prompt based security policy. But for home users, this is a major drawback.
No file signature-based automatic rules
Many of the third-party firewalls also support a file signature-based security policy. They try to identify executables based on their digital signature and whitelist the ones which they consider to be safe. They prompt the user about what action to take only in the case of executables they are not sure about. Windows Firewall does not provide this feature.
If you are game enough to give block all outbound policy a try, here is how to do it. Enabling the policy is quite simple, just go to the advanced settings screen again.
- Click Start
- Search for wf.msc
- Hit ENTER
Click Windows Firewall Properties.
Here choose the block outbound connections option. As you can see from the above screenshot there are separate tabs for each of your network profiles. The options are the same in each of the profile tabs. The difficult part comes next; you have to manually create allow rules for each application you want to provide network access with.
Blocking of inbound connections should be enough for most users. But if you really want to block outbound connections by default; it would probably be better to look for alternatives. Most of the third-party firewalls make it quite easy to block outgoing connections. Another option is to use one of the many Windows Firewall frontends. These applications do not have any network filtering capability on their own; they just make Windows Firewall easy to manage with a block all outbound policy. Among these Windows Firewall Control seems quite popular and it seems to have become free without restrictions recently.