
Fine-tuning the Windows firewall via the command line

Many people use Windows as a desktop system but have no idea how powerful and convenient its built-in firewall is. If it is properly configured, then even if some malware gets onto your PC, it will not be able to send anything to the network without first changing the firewall settings, because the firewall blocks everything that the rules do not explicitly allow.

Here are some examples of how to use it to protect yourself (not the OS's security, but your own).

The first thing to do is to put the firewall in lockdown mode. In this mode, the firewall will stop all traffic that is not specified in the rules as allowed.

Run this (and every following) command in a console started with Administrator privileges (Run as Administrator).

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
Next, allow the OS to authenticate with Microsoft services: a rule allowing outbound connections for AuthHost.exe.

netsh advfirewall firewall add rule name="AuthHost" dir=out action=allow Program="%SystemRoot%\System32\AuthHost.exe"
If needed, let the operating system itself reach the network, for example for system updates: outbound traffic for svchost.exe.

netsh advfirewall firewall add rule name="Services (svchost)" dir=out action=allow Program="%SystemRoot%\System32\svchost.exe"
Let's allow NetBIOS, outbound ICMP (ping) and nslookup:

netsh advfirewall firewall add rule name="NetBios Discovery allow TCP" protocol="TCP" dir=in action=allow localport="139,445,3702,49179,5357,5358"
netsh advfirewall firewall add rule name="NetBios Discovery allow UDP" protocol="UDP" dir=in action=allow localport="139,445,1124,3702,5355"

netsh advfirewall firewall add rule name="NetBios Discovery allow TCP" protocol="TCP" dir=out action=allow localport="139,445,3702,49179,5357,5358"
netsh advfirewall firewall add rule name="NetBios Discovery allow UDP" protocol="UDP" dir=out action=allow localport="139,445,1124,3702,5355"

netsh advfirewall firewall add rule name="Windows ICMP" dir=out action=allow protocol=ICMPv4

netsh advfirewall firewall add rule name="Windows NSlookup" dir=out action=allow Program="%SystemRoot%\System32\nslookup.exe"
This rule lets the OS check whether the Internet is reachable. Yes, at the end of 2021 Windows still checks for Internet connectivity by downloading a txt file from this host. Allow it...

netsh advfirewall firewall add rule name="Network Identifier (svchost)" dir=out action=allow Program="%SystemRoot%\System32\svchost.exe" remoteip=13.107.4.52
Let’s allow time services and protocol to work for time synchronization:

netsh advfirewall firewall add rule name="Windows Time Sync" dir=out action=allow protocol=UDP localport=123 Service="W32Time"
Allow outbound SSH and VPN:

netsh advfirewall firewall add rule name="Windows SSH" dir=out action=allow protocol=TCP remoteport=22 Program="%SystemRoot%\System32\OpenSSH\ssh.exe"

netsh advfirewall firewall add rule name="VPN Outbound Connect GRE47" dir=out action=allow protocol=47
netsh advfirewall firewall add rule name="VPN Outbound Connect TCP 1723" protocol="TCP" dir=out action=allow remoteport=1723

Looking at these commands, an attentive reader already knows the approximate syntax: where the protocol goes, where the port goes, where the direction goes, and is quite able to put together similar commands on their own.

What remains is to add allow rules for all of your own software that has network activity, and then live with relative peace of mind.

And the most interesting part:

A rule that blocks all non-VPN traffic.

If you use a VPN, this will be very useful: when the VPN disconnects, the OS immediately rebuilds its routes and traffic starts going out directly, which immediately compromises the user.

netsh advfirewall firewall add rule name="Block Direct Connections" dir=out action=block protocol=TCP remoteport=1-1722,1724-65535 localip=10.11.12.1
where 10.11.12.1 is your local IP on the internal network.

This rule blocks all traffic where the source IP is your local network IP and the destination port is anything other than 1723. While the VPN connection is up and working, traffic goes through it and flows normally.

If the VPN disconnects, there will be no connectivity, but traffic will not go out directly.
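The kill-switch rule above depends on the local address staying the same: if DHCP hands the machine a different address, the rule silently matches nothing. It also matches only TCP, so UDP traffic that other rules allow (for example DNS queries sent by svchost.exe) is not covered by it. The following batch script is an added example, not a script from the original post; it wraps the rule so it can be re-created for the current address, toggled on and off without deleting it, and checked. The script name, the subcommand names and the rule name are this example's own choices.

```batch
@echo off
REM vpn-killswitch.bat - added example, not from the original post.
REM   vpn-killswitch.bat install 10.11.12.1   create (or re-create) the rule for this LAN address
REM   vpn-killswitch.bat on | off             toggle the rule without deleting it
REM   vpn-killswitch.bat status               show the rule as the firewall sees it
REM Run from an elevated (Run as Administrator) console.
setlocal
set "RULE=Block Direct Connections"

if /I "%~1"=="install" goto :install
if /I "%~1"=="on"      goto :on
if /I "%~1"=="off"     goto :off
if /I "%~1"=="status"  goto :status
echo Usage: %~nx0 install ^<local-ip^> ^| on ^| off ^| status
exit /b 1

:install
if "%~2"=="" (
    echo Missing local IP. Example: %~nx0 install 10.11.12.1
    exit /b 1
)
REM Delete any earlier copy first: the address may have changed, and a stale localip
REM leaves a rule that looks fine in the GUI but never matches anything.
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1
REM Same rule as in the post: block outbound TCP from the LAN address to every port except 1723.
netsh advfirewall firewall add rule name="%RULE%" dir=out action=block protocol=TCP remoteport=1-1722,1724-65535 localip=%~2
if errorlevel 1 (
    echo Failed to create the rule.
    exit /b 1
)
goto :status

:on
REM "set rule ... new enable=" changes one field of an existing rule in place.
netsh advfirewall firewall set rule name="%RULE%" new enable=yes
goto :status

:off
netsh advfirewall firewall set rule name="%RULE%" new enable=no
goto :status

:status
echo --- %RULE% ---
REM Print only the fields that matter for this rule; a missing rule makes findstr fail (exit code 1).
netsh advfirewall firewall show rule name="%RULE%" | findstr /C:"Rule Name" /C:"Enabled" /C:"LocalIP" /C:"RemotePort" /C:"Action"
exit /b %errorlevel%
```

Running `vpn-killswitch.bat status` after a reboot or a new DHCP lease is the quickest way to confirm that the `LocalIP` shown still matches the address in `ipconfig`; if it does not, re-run `install` with the current address.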

All of these rules can also be created through the GUI, where you can enable and disable them with buttons.

But the command line is better, isn't it? You can write a .bat file once and apply it with a click and a half.
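As an added example (not the original post's script), here is what such a .bat file can look like when it applies the lockdown policy and the allow rules from the sections above in one go. It exports the current policy first so the change can be rolled back with `netsh advfirewall import`, deletes earlier copies of its rules so it can be re-run without piling up duplicates, and switches to default-deny only after the allow rules are in place, so a failure halfway through does not leave the machine cut off. The rule names are this script's own choices: they share a prefix and inbound/outbound rules get distinct names, so `delete rule name=` removes exactly one rule.

```batch
@echo off
REM firewall-baseline.bat - added example, not from the original post.
REM Restore the previous policy with:  netsh advfirewall import "%USERPROFILE%\firewall-backup.wfw"
REM Run from an elevated (Run as Administrator) console.
setlocal
set "P=Baseline"
set "BACKUP=%USERPROFILE%\firewall-backup.wfw"

REM "net session" only succeeds in an elevated console; refuse to continue otherwise.
net session >nul 2>&1 || (echo Please run this script as Administrator. & exit /b 1)

echo [1/4] Saving the current policy to "%BACKUP%"
netsh advfirewall export "%BACKUP%" || exit /b 1

echo [2/4] Removing earlier copies of these rules (harmless if none exist)
for %%N in ("AuthHost" "svchost" "NetBIOS in TCP" "NetBIOS in UDP" "NetBIOS out TCP" "NetBIOS out UDP" "ICMPv4 out" "nslookup" "Network identifier" "Time sync" "SSH out" "VPN GRE" "VPN TCP 1723") do (
    netsh advfirewall firewall delete rule name="%P% %%~N" >nul 2>&1
)

echo [3/4] Allow rules (same programs, ports and protocols as in the post)
netsh advfirewall firewall add rule name="%P% AuthHost" dir=out action=allow program="%SystemRoot%\System32\AuthHost.exe"
netsh advfirewall firewall add rule name="%P% svchost" dir=out action=allow program="%SystemRoot%\System32\svchost.exe"
netsh advfirewall firewall add rule name="%P% NetBIOS in TCP" dir=in action=allow protocol=TCP localport=139,445,3702,49179,5357,5358
netsh advfirewall firewall add rule name="%P% NetBIOS in UDP" dir=in action=allow protocol=UDP localport=139,445,1124,3702,5355
netsh advfirewall firewall add rule name="%P% NetBIOS out TCP" dir=out action=allow protocol=TCP localport=139,445,3702,49179,5357,5358
netsh advfirewall firewall add rule name="%P% NetBIOS out UDP" dir=out action=allow protocol=UDP localport=139,445,1124,3702,5355
netsh advfirewall firewall add rule name="%P% ICMPv4 out" dir=out action=allow protocol=icmpv4
netsh advfirewall firewall add rule name="%P% nslookup" dir=out action=allow program="%SystemRoot%\System32\nslookup.exe"
netsh advfirewall firewall add rule name="%P% Network identifier" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" remoteip=13.107.4.52
netsh advfirewall firewall add rule name="%P% Time sync" dir=out action=allow protocol=UDP localport=123 service=W32Time
netsh advfirewall firewall add rule name="%P% SSH out" dir=out action=allow protocol=TCP remoteport=22 program="%SystemRoot%\System32\OpenSSH\ssh.exe"
netsh advfirewall firewall add rule name="%P% VPN GRE" dir=out action=allow protocol=47
netsh advfirewall firewall add rule name="%P% VPN TCP 1723" dir=out action=allow protocol=TCP remoteport=1723

echo [4/4] Default deny in both directions: from now on only the rules above (and yours) let traffic through
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound || exit /b 1

echo Done. Effective policy per profile:
netsh advfirewall show allprofiles | findstr /C:"Profile Settings" /C:"Firewall Policy"
```

Every later rule for your own software can be appended to step 3 with the same `add rule` syntax and its name added to the cleanup list in step 2; the `netsh advfirewall firewall add rule` line itself has no equivalent for the kill-switch rule here, because that one carries the machine's address and is better managed separately.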

It is also worth learning about and disabling the unnecessary rules of the OS itself, which are created in the default firewall configuration.
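The following batch script is an added example, not part of the original post, of how to start that review from the command line: it writes a compact summary of every rule (name, direction, enabled state and the group Windows files it under) to a text file, then disables whole built-in rule groups by their display name with `set rule group=`, which toggles every rule in the group at once. The three group names used are Windows' own display group names for remote-access features; which groups are unnecessary on your machine is your decision, and the NetBIOS-related groups are deliberately left alone because the post's own rules allow that traffic.

```batch
@echo off
REM audit-default-rules.bat - added example, not from the original post.
REM Run from an elevated (Run as Administrator) console.
setlocal
set "REPORT=%USERPROFILE%\firewall-rules-summary.txt"

echo Writing a summary of all rules to "%REPORT%"
REM "show rule name=all" prints one block per rule; keep only the lines needed to judge it.
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name:" /C:"Enabled:" /C:"Direction:" /C:"Grouping:" > "%REPORT%"
if errorlevel 1 (
    echo Could not list rules.
    exit /b 1
)

REM Built-in groups that a single-user desktop usually does not need. Disabling a group
REM keeps the rules (so they can be re-enabled with enable=yes) but makes them inactive.
for %%G in ("Remote Assistance" "Remote Desktop" "Windows Remote Management") do (
    echo Disabling group %%G
    netsh advfirewall firewall set rule group=%%G new enable=no
)

echo.
echo Groups that are still enabled for inbound traffic can be spotted in the report, e.g.:
echo     findstr /C:"Grouping:" "%REPORT%" ^| sort
```

Open the report file after the run and look for enabled inbound rules you do not recognise; a rule can be switched off individually with `netsh advfirewall firewall set rule name="<rule name>" new enable=no`, and the `firewall-backup.wfw` export from earlier restores everything if a change breaks something you rely on.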