A member of this forum recently asked me about my ruleset for this firewall, which has re-kindled my interest in this often underappreciated firewall. For the last few years I had it enabled only for basic inbound protection, so I decided to re-enable Outbound protection, allowing applications network access only when an applicable rule exists. This firewall has excellent network filtering capabilities and really can be a viable option for those who simply want program control to the Internet without the process protection (HIPS) that is often included in 3rd-party options, and don't mind putting in the extra effort it requires to set up application rules. It's already built into Windows, so there is no added, potentially buggy software which can cause system instability, conflicts or crashes. There is an excellent older and locked thread on it here that applies to Windows Vista and 7. I'm not too sure if all these options are available on Win 10 or any Windows Home versions. In my case I'm using Win 7 Ultimate. My current Outbound ruleset, which I thought to share, is attached below.

To generate the firewall's ruleset, open a command prompt as Administrator and type:

Code: netsh advfirewall monitor show firewall rule name=all dir=in >path_to_directory\filename.txt

Use dir=out for saving Outbound rules to a text file. You can view firewall Audit Success or Fail attempts by enabling IPsec as described here. I highly recommend this be enabled so you will know how your trusted programs such as web browsers and email clients require network access. Of course you can also create rules to secure DNS queries, ICMP requests, and such. Again, I don't know if this will work on Windows versions below Pro, Enterprise or Ultimate. Anyone who wants to share their thoughts and experience, by all means please do so.
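An added example, not from any poster in this thread, that scripts the two steps above from an elevated PowerShell prompt: the same netsh export for both directions, then turning on the Windows Filtering Platform connection audit subcategory and reading the blocked-connection events (ID 5157) back out of the Security log grouped by program. The export directory is an assumed location; the audit mechanism used here is the auditpol "Filtering Platform Connection" subcategory, which is what produces the Audit Success (5156) and Audit Failure (5157) entries.

```powershell
# Added example (not from the original thread): export the active ruleset to
# text files and enable WFP connection auditing so allowed/blocked connections
# appear in the Security event log. Run from an elevated PowerShell prompt.
$OutDir = 'C:\FirewallExport'   # assumed location; change to suit
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Same netsh export the post describes, once per direction.
netsh advfirewall monitor show firewall rule name=all dir=in  | Out-File "$OutDir\inbound.txt"
netsh advfirewall monitor show firewall rule name=all dir=out | Out-File "$OutDir\outbound.txt"

# Audit WFP connection decisions (Object Access > Filtering Platform Connection).
# Success = permitted connections (event 5156), Failure = blocked (event 5157).
# On a non-English Windows the subcategory name is localized; the GUID form
# /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} works everywhere.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Summarise recent blocked connections so you can see which trusted programs
# still need an allow rule, and which remote addresses they tried to reach.
function Get-BlockedConnections {
    param([int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $d['Application']
                # Direction is stored as a resource id: %%14592 inbound, %%14593 outbound.
                Direction   = if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
                Remote      = "$($d['DestAddress']):$($d['DestPort'])"
                Protocol    = $d['Protocol']
            }
        }
}

# Which programs are being blocked most often?
Get-BlockedConnections | Group-Object Application | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Events only start appearing after auditpol has been run, so expect an empty table on the first pass; re-run `Get-BlockedConnections` after using the programs you care about, and feed the Application and Remote columns into your allow rules.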
Using Windows Firewall w/advanced settings since Win8, I block all connections (In & Out) on all profiles, and create allow rules on the fly in less than a minute. Not so hard to do if a user is willing to spend some time to learn it. Actually using Binisoft WFC to speed up the process, but still leaving all connections blocked.
That's a good idea using a 3rd-party fw to create rules, especially if you're gaming and your games use numerous servers. I did that a few years ago using Jetico fw. Afterwards it's a matter of replicating the rules in Windows fw, except in your case better because Binisoft does it for you. BTW, I use the Public profile always with its default set of Core rules, and notice I tie the svchost process to its specific service for each rule, such as wuauserv.exe for updates, DNS Client for DNS queries and W32Time for the time service.
Latest and probably finalized rulesets for both incoming and outgoing rules, using the Public profile... As an added extra, I included the specific program file's path for each Outgoing rule. You'll see I've even restricted the Microsoft update rule for svchost - wuauserv.exe service to a wide range of MS Update server IP addresses. I build upon the list whenever I discover blocked connections upon running the Windows update service.
Block rules can be created for any of the profiles or all of them. The option is available under the Advanced tab of the specific rule selected. Actually, if you block either inbound, outbound or both by default, then you really don't have to create block rules, since only a defined allow rule will allow the connection. The block SMB ports rule in the outbound rules was already one of the pre-defined default rules, along with the "Core Networking" rules, included in all the profiles, so I just left it alone. Btw, if you use the firewall, it's a good idea to check through the rules that you are using for the profile you've selected. Some programs upon installation will generate rules "behind the scenes" without you knowing unless you go looking for them. Some might be necessary but are often too permissive or not necessary at all. Google Chrome browser of late does this by creating multicast UDP rules in the Inbound rules used for a service called Chromecast, used for streaming media between a device such as an iPhone or iPad and your TV. I don't need it, so I disabled the rules, as well as the option under chrome://flags.
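An added example, not any poster's own ruleset, that puts the approach from the last few posts into script form for an elevated PowerShell prompt: the Public profile set to block both directions by default, outbound allow rules for svchost tied to one service each (Dnscache, W32Time, wuauserv) and restricted to remote addresses and ports, and a review pass that lists the profile's enabled allow rules with their program and service so that rules an installer created behind the scenes stand out. The remote addresses are constructed placeholders from documentation ranges; replace them with the addresses you see in your own audit log.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell prompt.
$ProfileName = 'Public'
$Svchost     = "$env:SystemRoot\System32\svchost.exe"

# Default-deny in both directions: from here on only explicit allow rules pass
# traffic, so separate block rules are not needed.
Set-NetFirewallProfile -Profile $ProfileName -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# One rule per service hosted in svchost.exe, so no other svchost-hosted service
# can use the rule. Remote addresses below are constructed placeholders
# (TEST-NET ranges), not real DNS, NTP or update servers.
$Rules = @(
    @{ Name = 'Allow DNS Client (Dnscache)';      Service = 'Dnscache'; Protocol = 'UDP'; Port = 53;         Remote = @('192.0.2.53') }
    @{ Name = 'Allow Windows Time (W32Time)';     Service = 'W32Time';  Protocol = 'UDP'; Port = 123;        Remote = @('192.0.2.123') }
    @{ Name = 'Allow Windows Update (wuauserv)';  Service = 'wuauserv'; Protocol = 'TCP'; Port = @(80, 443); Remote = @('203.0.113.0/24') }
)
foreach ($r in $Rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow -Profile $ProfileName `
        -Program $Svchost -Service $r.Service -Protocol $r.Protocol -RemotePort $r.Port `
        -RemoteAddress $r.Remote -Enabled True | Out-Null
}

# Review pass: every enabled allow rule that applies to this profile, with the
# program, service and ports it actually permits.
function Get-ProfileAllowRules {
    param([string]$Profile = 'Public')
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { "$($_.Profile)" -eq 'Any' -or ("$($_.Profile)" -split ',\s*') -contains $Profile } |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $svc  = $_ | Get-NetFirewallServiceFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name       = $_.DisplayName
                Direction  = $_.Direction
                Program    = $app.Program
                Service    = $svc.Service
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
                Group      = $_.DisplayGroup
            }
        }
}

# Rules with no display group were generally not created by Windows itself
# (e.g. added by an installer): review those first for over-permissive scope.
Get-ProfileAllowRules -Profile $ProfileName |
    Where-Object { -not $_.Group } |
    Format-Table -AutoSize
```

A rule whose Program and Service both read "Any" grants the whole system that access, which is the kind of installer-generated rule the post warns about; tightening it means either adding a Program path or disabling it with `Disable-NetFirewallRule -DisplayName <name>`.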
Be aware some Windows services bypass Windows Firewall. I don't know if any malware exploits that or not...
You're welcome. I disabled mine yesterday, and so far nothing seems broken. I don't see those in my Outbound rules, either in the enabled or disabled rules? Are they tied to Chrome?
For me and the relatively basic setup of Internet-facing programs I use, I prefer to create the rules manually without 3rd-party aid. The big difference is that my method is done without an additional program installed and running on the system.
OK I see. I think it's a shame that M$ made it so hard to manage the Windows Firewall, without WFC I would have been using a third party firewall. My approach is very simple, I auto-block all apps and most system processes from outbound and inbound access, unless they need it to function.
I agree it would be great if one could create rules on the fly from pop-ups, but as I remember seeing somewhere in these forums, 3rd-party vendors might complain about unfair competition. On my Windows 10 gaming machine that my son primarily uses, I confess that I would have to use a 3rd-party product to create rules because they would be far more extensive than on my Win 7 laptop.