How-To Geek

How to Create Advanced Firewall Rules in the Windows Firewall

Windows’ built-in firewall hides the ability to create powerful firewall rules. Block programs from accessing the Internet, use a whitelist to control network access, restrict traffic to specific ports and IP addresses, and more – all without installing another firewall.

The firewall includes three different profiles, so you can apply different rules to private and public networks. These options are included in the Windows Firewall with Advanced Security snap-in, which first appeared in Windows Vista.

Accessing the Interface

There are a variety of ways to pull up the Windows Firewall with Advanced Security window. One of the most obvious is from the Windows Firewall control panel – click the Advanced settings link in the sidebar.

You can also type “Windows Firewall” into the search box in the Start menu and select the Windows Firewall with Advanced Security application.

Configuring Network Profiles

The Windows firewall uses three different profiles:

  • Domain Profile: Used when your computer is connected to a domain.
  • Private: Used when connected to a private network, such as a work or home network.
  • Public: Used when connected to a public network, such as a public Wi-Fi access point or a direct connection to the Internet.

Windows asks whether a network is public or private when you first connect to it.

A computer may use multiple profiles, depending on the situation. For example, a business laptop may use the domain profile when connected to a domain at work, the private profile when connected to a home network, and the public profile when connected to a public Wi-Fi network – all in the same day.

Click the Windows Firewall Properties link to configure the firewall profiles.

The firewall properties window contains a separate tab for each profile. By default, every profile blocks inbound connections that don’t match an allow rule and allows outbound connections that don’t match a block rule. You can change the default outbound action to Block and then create rules that allow only specific types of connections. The setting is profile-specific, so you can run an outbound whitelist only on the networks you choose – for example, only on the Public profile.

If you block outbound connections by default, you won’t receive a notification when a program is blocked – the network connection simply fails silently. The Logging section of each profile tab can record dropped packets to a log file, which is the easiest way to see what the new default is actually blocking.
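
The profile configuration described above, as an added example that is not part of the original article: it uses the NetSecurity PowerShell module (Windows 8 / Server 2012 and later; on Vista and 7 the scriptable equivalent is netsh advfirewall), switches only the Public profile to an outbound whitelist, turns on dropped-packet logging so silent failures become visible, and whitelists one program. The Firefox path and the rule name are placeholders, and the commands need an elevated prompt.

```powershell
# Added example, not from the original article. Requires the NetSecurity
# module (Windows 8 / Server 2012+) and an elevated PowerShell prompt.

# Show the current defaults for all three profiles before changing anything.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Switch the Public profile to a whitelist: outbound traffic that matches no
# Allow rule is now dropped silently. Domain and Private keep the stock
# "allow outbound" default, because the setting is per profile.
Set-NetFirewallProfile -Profile Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Blocked outbound connections raise no notification, so log dropped packets.
# This is the default log location; adjust the path if your policy differs.
Set-NetFirewallProfile -Profile Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# With outbound blocked, only explicit Allow rules get out. Whitelist one
# application on the Public profile only (path and name are placeholders).
New-NetFirewallRule -DisplayName "Allow Firefox (Public whitelist)" `
    -Direction Outbound -Program "C:\Program Files\Mozilla Firefox\firefox.exe" `
    -Action Allow -Profile Public

# Name resolution and DHCP are outbound too. Windows ships predefined
# "Core Networking" Allow rules for them; confirm they are still enabled,
# otherwise every whitelisted program fails at the DNS lookup.
Get-NetFirewallRule -DisplayGroup "Core Networking" -Direction Outbound -Enabled True |
    Select-Object DisplayName, Profile, Action

# Revert the default if the whitelist turns out to be too strict:
# Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Allow
```

After the change, tail the log file while reproducing a failing connection; each dropped outbound packet appears with its destination address and port, which tells you which Allow rule the whitelist still needs.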

Creating a Rule

To create a rule, select the Inbound Rules or Outbound Rules category at the left side of the window and click the New Rule link at the right side.

The Windows firewall offers four types of rules:

  • Program – Block or allow a program.
  • Port – Block or allow a port, port range, or protocol.
  • Predefined – Use a predefined firewall rule included with Windows.
  • Custom – Specify a combination of program, port, and IP address to block or allow.

Example Rule: Blocking a Program

Let’s say we want to block a specific program from communicating with the Internet — we don’t have to install a third-party firewall to do that.

First, select the Program rule type. On the next screen, use the Browse button and select the program’s .exe file.

On the Action screen, select “Block the connection.” If you were setting up a whitelist after blocking all applications by default, you’d select “Allow the connection” to whitelist the application instead.

On the Profile screen, you can apply the rule to specific profiles – for example, if you only want a program blocked when you’re connected to public Wi-Fi and other untrusted networks, leave only the “Public” box checked. By default, Windows applies the rule to all three profiles.

On the Name screen, you can name the rule and enter an optional description. This will help you identify the rule later.

Firewall rules you create take effect immediately. Rules you create will appear in the list, so you can easily disable or delete them.
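
The same program-blocking rule as a script, added here as an example rather than taken from the original article. It creates the outbound Block rule the wizard would, verifies it, and shows the disable/re-enable cycle for a program that should only reach the network when you allow it. The executable path and rule name are placeholders; the cmdlets need Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example, not from the original article. Requires the NetSecurity
# module (Windows 8 / Server 2012+) and an elevated PowerShell prompt.

$App  = "C:\Program Files\Example\example.exe"   # placeholder path
$Name = "Block example.exe (outbound)"            # placeholder rule name

# Program rule, outbound, Block, applied to all profiles (the wizard default).
New-NetFirewallRule -DisplayName $Name -Direction Outbound `
    -Program $App -Action Block -Profile Any

# Rules take effect immediately. Verify the rule and its program filter.
Get-NetFirewallRule -DisplayName $Name |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $Name |
    Get-NetFirewallApplicationFilter | Select-Object Program

# Let the program update: disable the block rule, run the update, re-enable.
Disable-NetFirewallRule -DisplayName $Name
# ... run the program's update here ...
Enable-NetFirewallRule -DisplayName $Name

# A matching Block rule wins over any Allow rule, so the same rule also works
# on a profile whose default outbound action is Allow.

# Remove the rule when it is no longer wanted:
# Remove-NetFirewallRule -DisplayName $Name
```

Disabling and re-enabling by DisplayName is the scripted form of the right-click Disable Rule / Enable Rule actions in the rule list; if several rules share a display name, use the rule’s Name (its unique ID) instead.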

Example Rule: Restricting Access

If you really want to lock down a program, you can restrict the ports and IP addresses it connects to. For example, let’s say you have a server application that you only want accessed from a specific IP address.

From the Inbound Rule list, click New Rule and select the Custom rule type.

On the Program pane, select the program you want to restrict. If the program is running as a Windows service, use the Customize button to select the service from a list. To restrict all network traffic on the computer to communicating with a specific IP address or port range, select “All programs” instead of specifying a specific program.

On the Protocol and Ports pane, select a protocol type and specify ports. Local ports are the ports this computer listens on; remote ports are the ports on the other end of the connection. For example, if you’re running a web server application, you can restrict it to TCP connections on ports 80 and 443 by entering those ports in the Local port box.

The Scope pane allows you to restrict IP addresses. For example, if you only want the server reachable from a specific IP address, enter that address in the remote IP addresses box. The local IP addresses box restricts which of this computer’s own addresses the rule applies to.

Select the “Allow the connection” option to allow the connection from the IP address and ports you specified. Be sure to check that no other firewall rules apply to the program: Windows evaluates block rules before allow rules, and any matching allow rule permits the connection. So if you already have a rule that allows all inbound traffic to the server application from any address, this narrower rule won’t restrict anything, and a matching block rule would override it.

The rule takes effect after you specify the profiles it will apply to and name it.
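
The custom inbound rule from this walkthrough as a script, followed by the overlap check the text warns about. This is an added example, not code from the original article: it creates the scoped Allow rule and then lists every other enabled inbound Allow rule that covers the same program or ports from any remote address, which is exactly the situation that makes the scoped rule redundant. The server path, the ports, the rule name and the 192.0.2.10 management address are placeholders; the cmdlets need Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example, not from the original article. Requires the NetSecurity
# module (Windows 8 / Server 2012+) and an elevated PowerShell prompt.

$Server   = "C:\inetpub\myweb\webserver.exe"   # placeholder path
$Ports    = @(80, 443)                          # local (listening) ports
$MgmtHost = "192.0.2.10"                        # placeholder, TEST-NET-1 range

# Inbound, Allow, limited to this program, TCP 80/443, and one remote address,
# on the Domain and Private profiles only.
New-NetFirewallRule -DisplayName "Web server - mgmt host only" `
    -Direction Inbound -Program $Server -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $MgmtHost -Action Allow -Profile Domain,Private

# Any other enabled inbound Allow rule that matches this program (or any
# program) on these ports (or any port) from any remote address makes the
# scoped rule moot. Walk every rule's application, port and address filters.
# Slow on hosts with hundreds of rules, but fine for an audit.
function Find-BroaderInboundAllow {
    param([string]$Program, [int[]]$LocalPorts)

    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        # Program filter: "Any" or the same path. Built-in rules often use
        # %SystemRoot%-style paths, which this simple comparison does not expand.
        $sameProgram = ($app.Program -eq "Any") -or ($app.Program -ieq $Program)

        # Protocol must be TCP or unrestricted to overlap a TCP rule.
        $sameProto = ($port.Protocol -eq "Any") -or ($port.Protocol -eq "TCP")

        # Port filter: "Any", a single port, or a "lo-hi" range covering one of ours.
        $samePort = ($port.LocalPort -eq "Any")
        if (-not $samePort) {
            foreach ($p in @($port.LocalPort)) {
                if ($p -match '^(\d+)(?:-(\d+))?$') {
                    $lo = [int]$matches[1]
                    $hi = if ($matches[2]) { [int]$matches[2] } else { $lo }
                    if ($LocalPorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { $samePort = $true }
                }
            }
        }

        # Scope: a remote address of "Any" is what makes the rule broader than ours.
        $wideScope = ($addr.RemoteAddress -eq "Any")

        if ($sameProgram -and $sameProto -and $samePort -and $wideScope) {
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Program       = $app.Program
                Protocol      = $port.Protocol
                LocalPort     = (@($port.LocalPort) -join ",")
                RemoteAddress = (@($addr.RemoteAddress) -join ",")
            }
        }
    }
}

Find-BroaderInboundAllow -Program $Server -LocalPorts $Ports | Format-Table -AutoSize
```

Anything the function lists should be disabled, deleted, or narrowed before you rely on the scoped rule; the new rule itself never appears in the output because its remote address is a single host, not Any.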


The Windows firewall isn’t as easy to use as third-party firewalls, but it offers a surprising amount of power. If you want more control and ease of use, you may be better off with a third-party firewall.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 04/30/12

Comments (12)

  1. Thomasson

    Good to know about the How to Create Advanced Firewall Rules in the Windows Firewall

  2. alejuss

    One question about other firewalls. For example, in my case I have a firewall on the router. If I apply a rule in the Windows Firewall that is the opposite of the router’s firewall rule, is this rule invalid? Thanks!

  3. RonV42

    alejuss,

    Your router’s firewall is at the network layer; the firewall in Windows can do both application and network. I use my router’s firewall to keep ports closed and only allow authorized packets in. I use the Windows firewall to open ports for my email server and other applications that need direct inbound connections on my server. They do work together, but they are configured independently.

  4. Allan

    Nice tips. Anyway, Windows Firewall Notifier makes things easier, I think.

  5. dima

    Windows Firewall has gotten a lot better in recent versions of Windows

  6. Anil Dutt Bhargava

    Your tips are very useful.

  7. Ron

    Good Job!

  8. Chris Hoffman

    @Allan

    Thanks for reminding me of Windows Firewall Notifier — I’ve been meaning to take a look at it. I really like the idea of an app that can manage the built-in firewall without replacing it entirely.

  9. Brandon

    Thanks for all this great info. One question I did have though (I am not very savvy when it comes to tech related issues) is whether or not we will have to adjust the rule when we DO want to have the program connect to the internet.

    For example I use an encrypted password manager which I’d like to remain offline unless I choose to update it. Will I need to make an exception to the rule within the firewall or will I simply need to allow the connection on a one off basis?

    Thanks again! I really enjoyed the article.

  10. Chris Hoffman

    @Brandon

    Windows will block the connections without asking you.

    I think the easiest way to let it connect is to go back into the Windows Firewall configuration window, select “Outbound Rules”, right-click the blocking rule and Disable it. With the blocking rule disabled, the app will be able to connect. After it’s done updating, right-click the disabled rule and Enable it.

    Check out Windows Firewall Notifier for an easier way to do this sort of thing: http://www.howtogeek.com/113641/how-to-extend-the-windows-firewall-and-easily-block-outgoing-connections/

  11. Laszlo

    OK, a quick question. Kind of simple but not clear. I’ve worked with firewalls, primarily on inbound rules. I don’t have a clear picture.
    If I block all incoming connections except for enabled rules for allow, this makes sense.
    If I allow all incoming connections except for enabled rules for blocking, this makes sense also.

    So most of us have Block All Incoming (normal use of a firewall).
    So what’s up with enabling a blocked rule? I would like to know that I don’t need to create blocking rules. Is the fact that there is a rule to block, when disabled, doing exactly what it means, i.e. allow then?

    Thanks in advance. This is more for reference, since Microsoft didn’t seem to have much on it.

  12. Chris Hoffman

    @Laszlo

    By default, Windows allows all outgoing connections. Enabling a blocking rule can block specific kinds of outgoing connections.

    You could also allow all incoming connections and block specific kinds, I suppose. It’s flexible!
