Windows 10: Hello, I've created firewall rules to block several remote ip addresses for inbound...

Hello, I've created firewall rules to block several remote ip addresses for inbound connections. Windows defender firewall 11 seems to be ignoring my custom firewall rules, and I ma still receiving junk & porn gmails from these ip addresses. I've created a new custom rule and it;s not working. Please help me.Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy] 172.67.146.79Name=Paul's custom ip rules" "{DEFF9ABD-4C10-4B4D-8397-0410164DFF17}"="v2.32Action=BlockActive=TRUEDir=InRA4=51.195.46.0/255.255.255.0

:)

 

firewall rule to block addresses NOT on an IP list?


I am just starting to learn the Windows Firewall (working on both Windows 7 and 10) and I'm not impressed with the inflexibility of its rules. I would like to know if


1. Is there is a way to do what I want with Windows Firewall?
2. Is there is a third-party firewall that would do it?


What I want to do is create a rule that blocks outgoing connections, for program X, that are to a destination **NOT** in an IP list.


Windows Firewall is not very flexible in how you specify IP list rules. When you give an IP list, your rule will match that list... you can't say "trigger the rule for non-matching IP addresses." Therefore to allow outgoing connections to a list, you have to


1. Change the entire firewall policy to block outgoing connections by default so that you can create an "allow rule" matching your list. This will mess up the rest of your programs.


2. Somehow combine a block rule and allow rule. Create a block rule for most traffic, with the "allow" rule overriding it when appropriate. However, this doesn't appear to be possible in general. It **may** be possible for connections that use IPSec, I'm not sure. And I'm not sure if I can use IPSec in my application.

And is there a third-party firewall that can do it? Most 3rd-party firewalls are LESS sophisticated than Windows Firewall, because the use case they are addressing is providing an interface that doesn't require much comprehension. I need one that's actually MORE sophisticated than Windows Firewall.

 

Inbound firewall rule for trusted subnets not working as expected

I'm trying to create a basic domain firewall policy (primarily for Win7) that does two things;

Allow two trusted subnets inbound connection to the host on ALL ports (so essentially open)

Block everything else

All outbound traffic will be unfiltered - only the inbound traffic is being controlled.

I created a domain firewall policy

I added an 'allow trusted subnets' inbound rule, which is as follows;

Action: Allow the connection

Allow all programs

Protocol Type: Any

Scope

Local IP addresses: Any

Remote IP addresses: My two subnets in CIDR annotation

Advanced

Profile: Domain

Block Edge traversal

I then set the Domain profile firewall state to ON, and set Inbound to Block (default) and Outbound to Allow (default). Running RSoP shows the policy is being applied, but here's the problem. Windows still allows inbound connectivity from all untrusted subnets!
My understanding is that setting the Domain policy state to ON means that all traffic inbound will be blocked unless specifically allowed, and I specifically allowed connectivity from only two trusted subnets!

I tried created a 'Deny All' rule after the allow one (even though that should be implied), and that worked great - it blocked everything inbound, even my trusted subnets!!!

Anyone have any idea what's going on here. I'm very familiar with firewalls in general, but this just isn't working as it should do. No other firewall policies are being applied according to RSoP and my testing.

Thanks

 

Inbound Firewall Rule that Blocks

Code:

Please help me understand how the 2 Inbound Rules created by MMC actually operate.

Action, Enabled, Service, Program,                     Protocol

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP
If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.

But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?

What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.

If so, then there's quite a difference between Outbound & Inbound Rules.

In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).

This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.

What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).

I think that's pretty straightforward.

I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?

Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click
 Next" -- no mention of "Block the connection").

Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an
 inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
Warm Regards -- Mark.