Set Windows Firewall to block all outbound and allow DHCP and web

Question

I am trying to set Windows firewall to block default public profile, but am having difficulty when outbound activity is set to block by default, despite including allow rules for DHCP and DNS.

Failure typically results in connection to wireless services without internet access. In other words, router association and DHCP may take place but do not provide full wireless functionality and access to web.

Worse, when enacted, failure frequently results in the inoperability of wireless adapter altogether, even when a working firewall policy is reinstated, requiring adapter to be disabled and reenabled and computer restarted to restore normal wireless functionality. I understand in Windows netsh is used to configure both firewall and TCP/IP stack and adapter state, which is not the case in other operating systems with which I have had experience.

Before connection action, the complete network will remain visible in Windows GUI. Following failure, the network and wifi icon will disappear, and the airplane mode icon will remain disactivated and unusable.

These results occur when firewall is set to block by default in either the advanced firewall GUI or in .bat script, which I include here.

These results were checked against two public wireless locations, to ensure absence of specific wireless service failure.

Note that to further avoid some simple failure, DHCP port allowances were opened up to 67-68 in all cases to test and both UDP and TCP rules for DNS were included.

Logging shows an inexplicable drop action for DHCP and DNS.

Note that evaluation order from default block to specific allow rules was not assumed to be a problem, and I would be surprised if this is the case. Here a default is specified for all packets to which I assume explicit allow rules the exception outbound, but there is some confusion as to whether this should be the case.

See the following two answers on Superuser for examples of statement. The second example is very similar to my own policy tests, which utterly destroy wireless functionality but are claimed to work.

https://superuser.com/questions/564701/configure-windows-firewall-to-allow-dhcp-client-and-specific-remote-ips-only

https://superuser.com/questions/1182658/how-to-block-everything-all-incoming-and-outgoing-internet-access-except-those

Bat script rules and log excerpt are shown below.

REM Set policy for all profiles:

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM Core networking in:

netsh advfirewall firewall add rule NAME="CoreNetworking_DHCP-UDP" dir=in interfacetype=wireless ACTION=ALLOW protocol=UDP remoteip=dhcp localport=68 remoteport=67 program="%WINDIR%\System32\svchost.exe" service=dhcp ENABLE=YES

netsh advfirewall firewall add rule NAME="CoreNetworking_DNSCache-UDP" dir=in interfacetype=wireless ACTION=ALLOW protocol=UDP remoteip=dns remoteport=53 program="%WINDIR%\System32\svchost.exe" service=dnsclient ENABLE=YES

netsh advfirewall firewall add rule NAME="CoreNetworking_DNSCache-TCP" dir=in interfacetype=wireless ACTION=ALLOW protocol=TCP remoteip=dns remoteport=53 program="%WINDIR%\System32\svchost.exe" service=dnsclient ENABLE=YES

REM Core networking out:

netsh advfirewall firewall add rule NAME="CoreNetworking_DHCP-UDP" dir=out interfacetype=wireless ACTION=ALLOW protocol=UDP remoteip=dhcp localport=67 remoteport=68 program="%WINDIR%\System32\svchost.exe" service=dhcp ENABLE=YES

netsh advfirewall firewall add rule NAME="CoreNetworking_DNSCache-UDP" dir=out interfacetype=wireless ACTION=ALLOW protocol=UDP remoteip=dns remoteport=53 program="%WINDIR%\System32\svchost.exe" service=dnsclient ENABLE=YES

netsh advfirewall firewall add rule NAME="CoreNetworking_DNSCache-TCP" dir=out interfacetype=wireless ACTION=ALLOW protocol=TCP remoteip=dns remoteport=53 program="%WINDIR%\System32\svchost.exe" service=dnsclient ENABLE=YES

2023-04-21 17:59:11 DROP UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND

2023-04-21 17:59:11 DROP UDP [redacted] 8.8.8.8 49915 53 0 - - - - - - - SEND

2023-04-21 17:43:50 DROP UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND

2023-04-21 17:43:50 DROP UDP [redacted] 8.8.8.8 64584 53 0 - - - - - - - SEND

Answer 1

Hi, I'd be happy to help you out with your question. Sorry for the inconvenience caused. Firstly, I suggest that you verify if the DHCP and DNS servers are correctly configured and reachable. If the servers are not reachable, your network will experience connectivity issues, which could explain the behavior you are experiencing. If the DHCP and DNS servers are correctly configured, then let's move on to the Windows Firewall configuration. Please note that when the default outbound activity is set to block, even including allow rules for DHCP and DNS may not be enough to establish a connection. To configure the Windows Firewall to block all outbound traffic, except for DHCP and web access, I suggest the following steps:

1. Open the Windows Firewall with Advanced Security control panel.
2. Under the Outbound Rules section, create a new rule to block all outbound traffic. Ensure that you select the Public profile for this rule.
3. Create another rule that allows outbound DHCP traffic. The protocol is UDP, and the remote port is 67. Ensure that you select the Public profile for this rule.
4. Create two more rules to allow outbound DNS traffic, one for TCP and one for UDP. The protocol is TCP/UDP, and the remote port is 53. Ensure that you select the Public profile for both of these rules.
5. Save and apply the new firewall rules. Please note that the order of the rules matters. The rule that allows DHCP traffic must come before the rule that blocks all outbound traffic. If you still experience issues, please ensure that the DHCP and DNS servers are reachable, and then check the Windows Firewall logs to see if the traffic is being blocked. If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.