Firewall and specifying connection during boot

I wanted to start a separate thread for this question and procedure. I am currently looking at my PF panel and don't see how to accomplish what I am wanting to do. I am FLEXIBLE to switching software firewall programs (free given preference) to satisfy this NEED.

I sit on a private network behind a router. There can be several wireless devices in play at different times. I am ONLY concerned about one laptop on this post/thread. Additionally, I use a software firewall on the laptop in question. This thread is NOT about protecting from virus, trojan, etc... but is directed at protecting anonymity during the time the machine boots. I only use this machine behind and in a VPN tunnel.

I am looking to discover how to lock down the software firewall (this machine only not the network, which would be easier) so that the only outbound network connection allowed is that of the VPN IP or whatever settings will limit ANY traffic outside of that connection. Once I learn how to do this on one VPN I can then add all the others I use as well. The firewall rule for one will show me how to configure for each. I am not too experienced on setting this type of rule.

My VPN client will remove the default route out of the machine once I get connected. In other words if the VPN connection drops after I am connected I am safe with NO default connection. It won't transmit out of the tunnel. I am not concerned about the exit nodes on this thread either.

Let me explain my intent. Once and only when this laptop is tunneled to the VPN at that point my OS, AV software, etc... can update. I do NOT want them accessing the net using the IP my ISP assigns to the network.

I really could use some firewall expertise here. This is a very important piece of my security that is missing at this point.

 

I guess you guys, based upon 70 views now, are in the same place as me with this one.

For now I turned off all the auto updating I can find and will just update once inside.

I would sure love to figure this out if for no other reason than I am stumped here.

I bet when some experienced user explains how to RULE define this configuration, it will be a duhhhhhh moment. LOL!!

 

See if this is what you are asking for.

Outpost allows a user to control how the firewall starts. While a machine is starting it uses the background mode where user interaction is not possible. A user may select the policy to use for that mode. If one wanted it could be set to block all. Normally used is Block Most where everything is blocked except when there's a rule that allows a network connection.

Normally, background mode is for using the firewall without user interaction. For example, if you don't want a user to modify the firewall in any way and use only the existing ruleset. It's possible to remain in the background mode after the machine has booted.

Here's that option:

 

I may download Outpost and give it a look.

The issue is that the machine has to have access to the net using the ISP assigned IP so that I can get to the VPN tunnel from a cold boot. I think what I want to do is sort of "off the radar" and a firewall producer wouldn't be looking at what I want.

During those first few seconds/minutes (while booting) on the normal IP to get to the VPN, is when my OS starts to handshake with M$ checking for updates. Same for many of the AV products doing virus definition updates.

I have turned off auto updating on my AV and OS. I click on the AV updater when I get connected. Not too tough but not as nice as setting a rule to avoid those daily clicks.