Windows 10: Explicit block rule NOT taking precedence over allow rule

Discussion in 'AntiVirus, Firewalls and System Security' started by jeffshead, Jul 8, 2021.

  1. jeffshead Win User

    Explicit block rule NOT taking precedence over allow rule


    According to this MS article, block rules are supposed to take precedence over any conflicting allow rules in the Defender firewall. However, I do not see this happening. I have an allow rule which basically allows any traffic to an FTP server running on this Windows box. It does work because I cannot access the FTP server when I disable this allow rule. I have a script that creates a block rule for each IP address that tries to log in using the admin account on the FTP server. I have tried every manner of granular settings on both the allow and block rules but I cannot make the block rule take precedence. Another problem is that I cannot get the firewall to write to the log so I can't even view it to see what's going on. I followed these instructions but it only creates an empty log file. Anyone know what I'm doing wrong? Please let me know what details you need from me.

    :)
     
    jeffshead, Jul 8, 2021
    #1
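One way to inspect the situation described in this post, as an added example that is not part of the original thread: it lists the enabled inbound rules in the enforced policy that cover the FTP port, with each rule's action and remote-address scope, then turns on connection logging and checks the log folder's permissions. The port value and log path are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$Port    = '21'   # assumption: FTP control port the allow rule covers
$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # Windows default

# 1. Enabled inbound rules from the ActiveStore (the merged policy that is
#    actually enforced) that name this port or 'Any'. Port ranges such as
#    '20-21' are not expanded here; review those by hand.
$report = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        if ($ports -contains 'Any' -or $ports -contains $Port) {
            [pscustomobject]@{
                Action        = $_.Action
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
                # An allow rule with "override block rules" set is evaluated
                # ahead of block rules.
                OverrideBlock = ($_ | Get-NetFirewallSecurityFilter).OverrideBlockRules
                Source        = $_.PolicyStoreSourceType
            }
        }
    }
$report | Sort-Object Action, DisplayName | Format-Table -AutoSize -Wrap

# 2. Rules only apply on the profiles they are assigned to; show which
#    profile each network interface is currently on.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 3. Log dropped and allowed connections on every profile.
Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True `
    -LogFileName $LogPath -LogMaxSizeKilobytes 16384

# 4. The firewall service (MpsSvc) needs write access to the log folder.
$logDir = Split-Path ([Environment]::ExpandEnvironmentVariables($LogPath))
(Get-Acl $logDir).Access |
    Where-Object { $_.IdentityReference -like '*mpssvc*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```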
  2. TwuTu Win User

    Windows Firewall: Doesn't show blocking rules

    Hello!

    Today I've blocked all connections of a program by creating an outbound rule in Windows Firewall. However, I now wish to remove it. The problem: I can't find that newly created rule anywhere in the list. The rule does take effect, since deactivating the Firewall lets the program run properly. I can only see rules in the list that "allow" stuff, but not those that block things.

    What I have tried so far:

    - All filters set to "Show all" within the Firewall

    - Created the same rule again, doesn't show up

    - Created a rule that allows the program, shows up

    Any solutions?
     
    TwuTu, Jul 8, 2021
    #2
  3. MadagaC Win User
    Windows 2012 Server - Creating an exception for a block rule in the firewall

    Hi, y'all!

    I have to deploy a rule to block all outbound traffic towards port TCP 80 regardless of the destination IP, so I set up an outbound "block" rule in the Windows Firewall specifically against that port. It was straightforward and works like a charm. However, I can't seem to find a way to add one single IP as an exception to this rule.

    I tried creating a new rule allowing all traffic to the IP I'm attempting to whitelist but, from what I can gather, the blocking rules in the Windows firewall take precedence over "allow" rules so that explains why it didn't work.

    How can I work around this? All I need is to block outgoing traffic to TCP 80 on all but one IP.

    Thanks!
     
    MadagaC, Jul 8, 2021
    #3
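One way to work with the precedence described in this post is to narrow the block rule itself rather than add an allow rule: scope it to every remote IPv4 address except the one that must stay reachable. This is an added example, not part of the original post; the helper name `Get-Ipv4ComplementRange`, the rule name and the address `198.51.100.10` are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
function Get-Ipv4ComplementRange {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ExceptAddress)

    $ip = [System.Net.IPAddress]::Parse($ExceptAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are handled: $ExceptAddress"
    }
    $o = $ip.GetAddressBytes()   # four octets, most significant first
    $n = ([long]$o[0] -shl 24) -bor ([long]$o[1] -shl 16) -bor
         ([long]$o[2] -shl 8) -bor ([long]$o[3])

    # Turn a 32-bit value back into dotted-quad text.
    $toText = {
        param([long]$v)
        '{0}.{1}.{2}.{3}' -f (($v -shr 24) -band 255), (($v -shr 16) -band 255),
                             (($v -shr 8) -band 255), ($v -band 255)
    }

    # Everything below the address, and everything above it. The edge cases
    # 0.0.0.0 and 255.255.255.255 produce a single range.
    $ranges = @()
    if ($n -gt 0)          { $ranges += '0.0.0.0-' + (& $toText ($n - 1)) }
    if ($n -lt 4294967295) { $ranges += (& $toText ($n + 1)) + '-255.255.255.255' }
    return $ranges
}

$allowed = '198.51.100.10'   # constructed documentation address
$scope   = Get-Ipv4ComplementRange -ExceptAddress $allowed
# $scope is now '0.0.0.0-198.51.100.9', '198.51.100.11-255.255.255.255'

# One block rule whose remote scope omits the excepted host. This relies on
# the default outbound action being Allow, so the omitted address needs no
# allow rule. The scope is IPv4 only; IPv6 destinations need their own rule.
New-NetFirewallRule -DisplayName 'Block outbound TCP 80 except one host (example)' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80 `
    -RemoteAddress $scope
```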
  4. Explicit block rule NOT taking precedence over allow rule

    Inbound Firewall Rule that Blocks

    Code:
    Please help me understand how the 2 Inbound Rules created by MMC actually operate.
    
    Action, Enabled, Service, Program,                     Protocol
    
    Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP
    
    Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP
    If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.
    
    But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?
    
    What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.
    
    If so, then there's quite a difference between Outbound & Inbound Rules.
    
    In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).
    
    This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.
    
    What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).
    
    I think that's pretty straightforward.
    
    I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?
    
    Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click Next" -- no mention of "Block the connection").
    
    Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
    Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
    Warm Regards -- Mark.
    
    
     
    MarkFilipak.Windows, Jul 8, 2021
    #4