[!]

*** Does NOT work with Windows 10. I will update this if I manage to get it working in Windows 10. ***

*** THIS WORKS WITH WINDOWS 10 AS WELL. I have tested on Windows 8.x and Windows 10! ***

RECOMMENDED, SEE ALSO: How to disable Windows 10 spyware telemetry logging.

How to use Windows Firewall in an efficient manner (BLOCK ALL EXCEPT) (poor man's firewall)? That is, what if you wanted to block everything, all traffic from all applications except for certain applications and/or ports? It is not as easy as you would think because it would also kill off your Internet connection completely.

Of course, I wanted this because I hate installing extra crap in my system so I try to avoid it as much as possible. Even and extra firewall software is crap if I can use the Windows built-in stuff... and cheaper!

After a lot of trial and errors, I managed to use Windows Firewall like a tiny little firewall because usually, the firewall applications are super bloated, they do lots of stuff I don't want them to do. I needed a simple "kill everything except this" functionality.

This also works with a guest operating system inside Hyper-V. I will explain that as well because I needed the file sharing to work in my guest system.

Bear in mind that this works in my system. Will probably work in most systems but it's at least a good base and you can try and see how this works for you.

WARNING: THESE SETTINGS WILL ALSO KILL OFF YOUR ENTIRE WINDOWS SYSTEM FROM THE INTERNET. IT MEANS YOUR WINDOWS WILL NOT GET WINDOWS UPDATES! I have NOT found a solution to how to enable Windows Update as an individual rule but I have a rule which allows "C:Windowssystem32svchost.exe" as "Outbound rule". I enable it manually to check for updates and then disable the rule again.

This how you setup the host operating system to kill everything, except whatever you choose:

windows firewall 01.png (51.12 KiB) Viewed 44406 times

windows firewall 02.png (44.24 KiB) Viewed 44406 times

windows firewall 03.png (39.12 KiB) Viewed 44406 times

UPDATE FOR "windows firewall 04.png", IT SEEMS THAT UNICAST RESPONSE SHOULD BE ALLOWED. SET IT TO "YES". If your line glitches, it won't be able to reconnect if you set it to "no", so you must set it to "YES". This of course may depend on your router but for me, looks like I must set it to "Yes (default)".

windows firewall 04.png (70.65 KiB) Viewed 44406 times

windows firewall 04 addendum.png (19.51 KiB) Viewed 44402 times

UPDATE FOR "windows firewall 04.png", IT SEEMS THAT UNICAST RESPONSE SHOULD BE ALLOWED. SET IT TO "YES". If your line glitches, it won't be able to reconnect if you set it to "no", so you must set it to "YES". This of course may depend on your router but for me, looks like I must set it to "Yes (default)".

windows firewall 05.png (42.38 KiB) Viewed 44406 times

windows firewall 06.png (153.58 KiB) Viewed 44406 times

windows firewall 07.png (146.43 KiB) Viewed 44406 times

If you have done so according to the pictures above, all your Internet connectivity should now be lost. You can't even get an IP address from your (DHCP) router. Nothing goes in or out.

windows firewall 08.png (56.75 KiB) Viewed 44406 times

windows firewall 09.png (67.04 KiB) Viewed 44406 times

The two above pictures show which firewall rules you need to enable to get file sharing and Internet connectivity in the host operating system.

windows firewall hyper-v 10.png (31.81 KiB) Viewed 44406 times

windows firewall hyper-v 11.png (32.77 KiB) Viewed 44406 times

The two above pictures show which firewall rules you need to enable to get file sharing and Internet connectivity in the guest operating system.

...and of course, this is how you add a new rule. For example, if you need to enable a certain application (Firefox etc.) to be able to have access to the Internet:

windows firewall new rule.png (107.67 KiB) Viewed 44406 times

UPDATE: Windows Update uses "svchost.exe" to reach out to the Internet but we don't want the "svchost.exe" to be able to access the Internet all the time so you can create a new rule, for example call it "Windows update" and then you can just make a batch file to enable/disable it when you need to run the Windows Update. You probably can also use scheduling for it if you need to automate the process.

Command line, ENABLE A RULE CALLED "Windows update":
netsh advfirewall firewall set rule name="Windows update" new enable=yes

Command line, DISABLE A RULE CALLED "Windows update":
netsh advfirewall firewall set rule name="Windows update" new enable=no

windows update svchost.exe.png (32.75 KiB) Viewed 44394 times

[PROBLEMCHYLD]

You should put it in a vb script, more people will find it useful. I feel the same way you feel about bloated software. I hate having a ton of shit running in the background.

[!]

You should put it in a vb script, more people will find it useful...

Definitely a very good idea but sadly, I'm super busy with making of "THE LANDS BEYOND" that game we are developing right now, not much extra time left for other stuff... for a while at least.

...I feel the same way you feel about bloated software. I hate having a ton of shit running in the background.

Oh dear God, don't even get me started on bloated shit running in the background. From Windows to fucking Corel Paint Shop Pro X... I would go on ranting for weeks! Indeed, we are on the same page about this. Hahahahaa...

[!]

OMFG... this doesn't work anymore in Windows 10.

[PROBLEMCHYLD]

You might as well update your whole software catalog. Only the sheeple will be eaten by wolves.

[!]

You know, this has to be some kind of bug because the text says "Outbound connections that do not match a rule are blocked" so it should be that when it is the case, outbound connections that do match a rule shouldn't be blocked but this kills everything in Windows 10. It doesn't matter if there is a rule or not, everything gets blocked.

Although, maybe it's not a bug but a "bug/feature" where they purposely broke it and pretend it's a bug. Chances are that not many will report this and heck, since when has Microsoft given two fucks about bug reports, hey?

Anyway, I will keep an eye on this thing, if I ever get it to work in Windows 10, I'll update and post it in here.

bug windows 10 firewall.PNG (41.32 KiB) Viewed 44315 times

[!]

I'm not sure if there was an update that fixed the issue or maybe I was doing a bad testing. Either way, this now works in Windows 10 as well. So basically, I am able to block ALL connections except the ones I really need and want. It even kills Windows Update.

Talking about GUEST operating system (Windows 10), you disable ALL rules and allow these, they are the ones I currently use for my clean testing machine which will kill everything and only allow networking with file and printer sharing:

windows 10 firewall for file and printer sharing.PNG (20.06 KiB) Viewed 44276 times

...and if you mix it with my recommendations in How to disable Windows 10 spyware telemetry logging, you get a pretty good deal going regarding to privacy. NOTHING gets out or in unless you allow it. After all, it is MY machine and Microsoft doesn't own it!

[Tina]

When making your outbound rule to BLOCK Windows Update from downloading/applying fixes w/o my permission, I get this warning pop-up:

"Windows services have been restricted with rules that allow expected
behaviour only. Rules that specify host processes, such as svchost.exe,
might not work as expected because they can conflict with Windows
service-hardening rules."

So: will this rule block WinUpd on Win10 or not? I can't take the
gamble of opening up Internet access if this will not block updates,
even if the service is disabled...thankx.

[!]

@Tina,

It blocks it. If you then try to run Windows Update, it says that it can't go online or some error. Please also see this: How to disable Windows 10 spyware telemetry logging. That is what I have done to my Windows 10. KILLED OFF THE MOTHERFUCKING WINDOWS UPDATE AND ALSO THE SPYWARE.

Let me know if ou have more questions, I have Windows 10 in a Virtual PC so I can test stuff without destroying my own PC.

[Tina]

Great. I knew it at least blocked my Ethernet, so I was hoping it would
do so for Wireless. I changed the rules' Interface to allow Ethernet and
block Remote Access and Wireless. Ethernet gets thru OK now.

Great idea about the VM; I can't do that, so I rely on others like you.

Also, FYI, it seems that WinUpd does NOT allow blocking itself via the HOSTS
file (even in Win7 where I tested it), hence, I needed something else.

Thankx.