For average users (more or less) and others: to simplify life with the built-in Windows firewall, these two simple code blocks block internet access for all *.exe or *.dll files in a specific folder and its sub-folders. Save the code with a *.bat extension, copy the *.bat to the desired folder and run it as admin.

1. --- block internet access for all *.exe and *.dll file in a specific folder ---

@echo off
cls
SetLocal EnableDelayedExpansion
rem Work in the folder this .bat was started from, so %cd% below is that folder
pushd %~dp0
rem One outbound block rule per executable; %%~na is the file name without its extension
for %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%cd%\%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
)
popd

2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---

@echo off
cls
SetLocal EnableDelayedExpansion
rem for /r walks the folder this .bat lives in and every sub-folder; %%a is the full path of each match
for /r "%~dp0" %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
)

3. --- usually it is enough to block *.exe files, but if you feel the need to block *.dll files as well, edit the code and change (*.exe) --> (*.exe, *.dll).

4. --- open Start, click All Apps (Programs), click Administrative Tools, and then click Windows Firewall with Advanced Security, or at the command prompt type wf.msc, and enjoy your newly created firewall rules.
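The same per-folder blocking, written as an added PowerShell example rather than the poster's .bat files: it uses the NetSecurity cmdlets (New-/Get-/Remove-NetFirewallRule) that ship with Windows 8 / Server 2012 and later, adds what the batch versions lack (a -WhatIf preview, skipping programs that already have a rule so re-running does not pile up duplicates, and a way to audit and remove the rules it created). The function names, parameter names and the "Custom Block - " prefix default are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's own script. Run from an elevated PowerShell prompt.

function Block-OutboundForFolder {
    <# One outbound block rule per *.exe (and optionally *.dll) in $Folder.
       -Recurse mirrors the "for /r" script; without it only the top folder is covered.
       -WhatIf lists the rules that would be created without writing any. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [switch] $Recurse,
        [switch] $IncludeDll,
        [string] $Prefix = 'Custom Block - '
    )

    $extensions = @('.exe')
    if ($IncludeDll) { $extensions += '.dll' }

    # Programs already covered by a rule carrying our prefix, keyed by lower-cased path,
    # so running the function twice is harmless instead of creating duplicate rules.
    $covered = @{}
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program } |
        ForEach-Object { $covered[$_.Program.ToLowerInvariant()] = $true }

    $files = Get-ChildItem -LiteralPath $Folder -File -Recurse:$Recurse |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }

    $created = @()
    foreach ($file in $files) {
        $path = $file.FullName
        if ($covered.ContainsKey($path.ToLowerInvariant())) { continue }   # already blocked
        $name = $Prefix + $file.BaseName
        if ($PSCmdlet.ShouldProcess($path, "Create outbound block rule '$name'")) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $path -Profile Any -Enabled True `
                -Description 'Created by Block-OutboundForFolder. Do not edit rule by hand' | Out-Null
            $created += $name
        }
    }
    return $created
}

function Get-CustomBlockRule {
    # Lists the rules created above together with the program each one pins down.
    param([string] $Prefix = 'Custom Block - ')
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

function Remove-CustomBlockRule {
    # Undo: removes every rule carrying the prefix; supports -WhatIf as well.
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Prefix = 'Custom Block - ')
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
        Where-Object { $PSCmdlet.ShouldProcess($_.DisplayName, 'Remove firewall rule') } |
        Remove-NetFirewallRule
}

# Usage (the folder paths are the ones used as examples in this thread):
# Block-OutboundForFolder -Folder 'C:\Program Files (x86)\Internet Explorer' -WhatIf
# Block-OutboundForFolder -Folder 'C:\Windows\SystemApps' -Recurse -IncludeDll
# Get-CustomBlockRule | Format-Table -AutoSize
# Remove-CustomBlockRule -WhatIf
```

Checking existing rules by program path rather than by display name matters for the recursive case: two executables with the same base name in different sub-folders would otherwise collide on "Custom Block - name" and the second one would silently be skipped.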
@Echo Off
cd %systemroot%\system32
call :IsAdmin
rem Each value under FirewallRules is one rule and the value name is the rule's unique ID,
rem so every rule needs its own name. %%SystemRoot%% in a .bat becomes a literal %SystemRoot% in the stored data.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DHCP" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|LPort=68|RPort=67|LA4=0.0.0.0|RA4=255.255.255.255|App=%%SystemRoot%%\system32\svchost.exe|Svc=Dhcp|Name=VPN_DHCP|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DNS" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|RPort=53|LA4=10.4.0.0-10.9.255.255|RA4=8.8.4.4|RA4=8.8.8.8|App=%%SystemRoot%%\system32\svchost.exe|Svc=Dnscache|Name=VPN_DNS|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DNS_Block" /t REG_SZ /d "v2.25|Action=Block|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|IFType=Lan|IFType=RemoteAccess|App=%%SystemRoot%%\System32\svchost.exe|Svc=Dnscache|Name=VPN_DNS_Block|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_LOCALNETWORK_OUTBOUND" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|RA4=LocalSubnet|RA6=LocalSubnet|Name=VPN_LOCALNETWORK_OUTBOUND|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_RESOLUTION_OUTBOUND" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Program Files\OpenVPN\bin\openvpn.exe|Name=VPN_RESOLUTION_OUTBOUND|" /f
rem The three browser rules originally all used the value name VPN_INTERNET_OUTBOUND, so each
rem "reg add /f" overwrote the previous one and only the last rule survived; they get distinct names here.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_Chrome" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=21|RPort=53|RPort=80|RPort=443|LA4=10.4.0.0-10.9.255.255|App=D:\Software\Chrome\App\chrome.exe|Name=VPN_INTERNET_OUTBOUND|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_Firefox" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=21|RPort=53|RPort=80|RPort=443|LA4=10.4.0.0-10.9.255.255|App=D:\Software\Firefox\Bin\Firefox\firefox.exe|Name=VPN_INTERNET_OUTBOUND|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_IE" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|LA4=10.4.0.0-10.9.255.255|App=C:\Program Files (x86)\Internet Explorer\iexplore.exe|Name=VPN_INTERNET_OUTBOUND|" /f
Exit

:IsAdmin
rem Querying this key only succeeds with administrator rights
reg.exe query "HKU\S-1-5-19\Environment"
If Not %ERRORLEVEL% EQU 0 (
    Cls & Echo You must have administrator rights to continue ...
    Pause & Exit
)
exit /b 0

Rule that excludes non-VPN (OpenVPN) traffic with Windows Firewall and permits only VPN traffic. If you are interested to know more, you should ask.
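The same "only VPN traffic leaves the box" policy, as an added example that is not the poster's script, expressed through the firewall API (New-NetFirewallRule) instead of raw rule strings written into the FirewallRules registry key. The program paths, the 10.4.0.0-10.9.255.255 VPN address range and the 8.8.4.4 / 8.8.8.8 resolvers are copied from the post above and are assumptions about that poster's setup; adjust them to your own VPN and browsers. The function names are this example's own. The one thing the reg-add listing leaves implicit is made explicit at the end: allow rules restrict nothing by themselves, the kill-switch effect only appears once the profile's default outbound action is Block.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's own script. Run from an elevated PowerShell prompt.

$VpnRange   = '10.4.0.0-10.9.255.255'                 # from the post: addresses handed out by the VPN
$SvcHost    = '%SystemRoot%\System32\svchost.exe'
$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe'
$Browsers   = @(                                       # from the post; paths are that poster's
    'D:\Software\Chrome\App\chrome.exe',
    'D:\Software\Firefox\Bin\Firefox\firefox.exe',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
)

function New-VpnOnlyRules {
    # Start clean so the function can be re-applied without leaving stale copies behind.
    Get-NetFirewallRule -DisplayName 'VPN_*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # DHCP client: UDP 68 -> 67 broadcast, needed before the tunnel exists.
    New-NetFirewallRule -DisplayName 'VPN_DHCP' -Direction Outbound -Action Allow -Profile Public `
        -Program $SvcHost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 `
        -RemoteAddress 255.255.255.255 | Out-Null

    # DNS only from a VPN-range source address to the two resolvers (Public profile).
    New-NetFirewallRule -DisplayName 'VPN_DNS' -Direction Outbound -Action Allow -Profile Public `
        -Program $SvcHost -Service Dnscache -Protocol UDP -RemotePort 53 `
        -LocalAddress $VpnRange -RemoteAddress 8.8.4.4, 8.8.8.8 | Out-Null

    # Block the DNS client on the Domain and Private profiles. The post limits this to
    # Lan + RemoteAccess interfaces; -InterfaceType takes a single value, so this rule is
    # left slightly broader and applies on every interface type.
    New-NetFirewallRule -DisplayName 'VPN_DNS_Block' -Direction Outbound -Action Block `
        -Profile Domain, Private -Program $SvcHost -Service Dnscache | Out-Null

    # Local subnet (printers, NAS) stays reachable whatever the tunnel state.
    New-NetFirewallRule -DisplayName 'VPN_LOCALNETWORK_OUTBOUND' -Direction Outbound -Action Allow `
        -RemoteAddress LocalSubnet | Out-Null

    # The VPN client itself must reach its server over the real interface.
    New-NetFirewallRule -DisplayName 'VPN_RESOLUTION_OUTBOUND' -Direction Outbound -Action Allow `
        -Program $OpenVpnExe | Out-Null

    # Browsers: TCP 21/53/80/443, and only while their source address is inside the VPN
    # range, i.e. while the tunnel is up. One distinctly named rule per browser.
    foreach ($exe in $Browsers) {
        $label = [IO.Path]::GetFileNameWithoutExtension($exe)
        New-NetFirewallRule -DisplayName "VPN_INTERNET_OUTBOUND_$label" -Direction Outbound `
            -Action Allow -Profile Public -Program $exe -Protocol TCP `
            -RemotePort 21, 53, 80, 443 -LocalAddress $VpnRange | Out-Null
    }
}

function Enable-VpnOnlyMode {
    # Without this line the allow rules above change nothing: outbound traffic that matches
    # no rule is already allowed. Blocking by default is what turns them into a kill switch.
    New-VpnOnlyRules
    Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block
}

function Disable-VpnOnlyMode {
    Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Allow
    Get-NetFirewallRule -DisplayName 'VPN_*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Usage:
# Enable-VpnOnlyMode
# Get-NetFirewallRule -DisplayName 'VPN_*' | Format-Table DisplayName, Profile, Action, Enabled
# Disable-VpnOnlyMode
```

Going through the API also means the rules show up immediately in wf.msc and in Get-NetFirewallRule with their full parsed scope, which is the easiest way to confirm that a LocalAddress range or a service restriction was applied the way you intended.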
Forgive my density, but is running the script from within the desired directory enough? Or does one point the firewall rule to the .bat file? A bit confused on this... Thanks
1. --- block internet access for all *.exe and *.dll file in a specific folder ---

@echo off
cls
SetLocal EnableDelayedExpansion
rem Work in the folder this .bat was started from, so %cd% below is that folder
pushd %~dp0
rem One outbound block rule per executable; %%~na is the file name without its extension
for %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%cd%\%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
)
popd

It is enough to copy this *.bat file (above) to the desired folder where the *.exe or *.dll files that you want to block from internet access are. For example, copy the *.bat to "C:\Program Files (x86)\Internet Explorer", or "C:\Program Files\Internet Explorer" for 64-bit. Right-click on it and "run as administrator"; the script will create a block-out firewall rule for every *.exe in the "C:\Program Files (x86)\Internet Explorer" folder.

If you want to block all *.exe or *.dll files in the same root directory and in all sub-folders of that root directory (for example C:\Program Files (x86)\Internet Explorer), then copy the latter *.bat to the desired directory.

2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---

@echo off
cls
SetLocal EnableDelayedExpansion
rem for /r walks the folder this .bat lives in and every sub-folder; %%a is the full path of each match
for /r "%~dp0" %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
)

Script (2) will create a block-out firewall rule for every *.exe in the "C:\Program Files (x86)\Internet Explorer" folder and for every *.exe or *.dll file in all sub-directories, if there are any. I do not know if I was clear enough, but I am always available to clarify if things are not clear.
Visual example: if you run the first *.bat file from "C:\Program Files (x86)\Internet Explorer" and then open wf.msc, you'll see these three block/out/exe auto-created firewall rules.

[screenshot: 1. --- block internet access for all *.exe and *.dll file in a specific folder ---]

If you run the second *.bat file from "C:\Windows\SystemApps" and then open wf.msc, you'll see these eighteen block/out sub- and sub-sub-folder/exe auto-created firewall rules.

[screenshot: 2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---]
So no need to use Firewall UI to create rules... got it. I really like this idea as although the .exe may be blocked; there may be other "callers" that run independent of that .exe. This script basically blocks the other potential "callers" without the need to create a rule for each and every possibility. Time saver and efficient. Thanks, shewolf. Nice piece as my lazy ass hates the arduous task of identifying/creating rules for potential offenders. Much love to ya!
Nice idea for a thread, but IMO, with the advent of Windows 10 anything other than a whitelist/deny-by-default strategy is a fruitless endeavour. A blacklist strategy requires constant maintenance. You always have to be on the lookout for the next thing that Microsoft does, and they sure as hell won't come out and announce it whenever they add a new data collection mechanism.
I need another feature: Block Internet + Allow Lan (Especially useful on Windows File Explorer, to restore expected function.)
Scope

Block Internet
--- set the Remote IP address to "These IP addresses"
--- select "Internet" under the list of "Predefined set of computers"
--- set the Action to "Block the connection"

Allow LAN
--- set the Remote IP address to "These IP addresses"
--- select "Local subnet" under the list of "Predefined set of computers"
--- set the Action to "Allow the connection"

Make sure to check the correct profile that is assigned to the network card that you want this rule to work on. The rule is active immediately.
Thank you! So far, I've used the Internet block on explorer.exe and searchui.exe (still works on lan). And, I've used the complete block on sihclient.exe and backgroundtaskhost.exe.
So, I'd like a Set Firewall Rules submenu that looks like this:

Block Outbound Internet
Block Outbound Telemetry on 443
Block Outbound All
Block Inbound All
Show Adv. Firewall Console
Allow Outbound Local Subnet
Allow Inbound Local Subnet
Allow Outbound All
Allow Inbound All

The least secure options are then at the bottom of the list. The more useful options, blocking internet misuse, are at the top, inviting one to click. The Block and Allow sections were divided as a "hint" that these are separate firewall rules.

The entry Block Outbound Telemetry on 443 means Block Outbound Internet on only port 443, but it can be named for its function because it stops explorer.exe, searchui.exe, dashost.exe, sihclient.exe, diagtrack and cousins from sending reports to Microsoft (it's always on port 443), without blocking useful functions.

The Allow Local Subnet menu items (not applied to the public zone) are a good choice for file explorer, searchui and svchost (including LAN file browsing, searching NAS files, and wireless printer management). In the case of svchost, adding an explicit allow local subnet rule tends to streamline it down to what is suitable for a LAN. It no longer served as a back door to the internet. Well, for an allow rule, that's a nice surprise.

Yes, I'd love a right-click firewall submenu like that (top of this post), but I'm not good at coding.
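The "Block Internet + Allow LAN" scope recipe from the earlier post and the "Block Outbound Telemetry on 443" item from the menu wished for above, as an added PowerShell example (not code from anyone in the thread). The Internet and LocalSubnet keywords passed to -RemoteAddress are the same predefined address sets the firewall console offers under "Predefined set of computers". Function names and the rule-name prefixes are this example's own; the program paths in the usage lines are the standard locations of explorer.exe and svchost.exe.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's own script. Run from an elevated PowerShell prompt.

function New-ScopedOutboundRule {
    # Shared helper: one outbound rule for a program, optionally narrowed to a service
    # (useful for svchost.exe, which hosts many services under one image path).
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Program,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $Action,
        [Parameter(Mandatory)] [string[]] $RemoteAddress,
        [string[]] $Profile = 'Any',
        [string] $Service = '',
        [string] $Protocol = '',
        [string[]] $RemotePort = @()
    )
    $p = @{
        DisplayName = $DisplayName; Direction = 'Outbound'; Action = $Action
        Program = $Program; RemoteAddress = $RemoteAddress; Profile = $Profile; Enabled = 'True'
    }
    if ($Service)        { $p.Service    = $Service }
    if ($Protocol)       { $p.Protocol   = $Protocol }
    if ($RemotePort)     { $p.RemotePort = $RemotePort }
    New-NetFirewallRule @p | Out-Null
    return $DisplayName
}

function Block-InternetKeepLan {
    # Block everything whose remote address is in the "Internet" set, then allow the local
    # subnet on Domain and Private only (not Public, as the post recommends). The pair works
    # because the two scopes do not overlap. Note that a "Block Outbound All" rule would
    # defeat the allow rule: in Windows Firewall an explicit block always wins over an allow.
    param([Parameter(Mandatory)] [string] $Program, [string] $Service = '')
    $label = [IO.Path]::GetFileNameWithoutExtension($Program)
    if ($Service) { $label = "$label ($Service)" }
    @(
        New-ScopedOutboundRule -DisplayName "Block Internet - $label" -Program $Program `
            -Service $Service -Action Block -RemoteAddress Internet
        New-ScopedOutboundRule -DisplayName "Allow LAN - $label" -Program $Program `
            -Service $Service -Action Allow -RemoteAddress LocalSubnet -Profile Domain, Private
    )
}

function Block-Internet443 {
    # The "Telemetry on 443" menu item: only TCP 443 to Internet addresses is blocked, so the
    # program keeps every other port and the whole local subnet.
    param([Parameter(Mandatory)] [string] $Program, [string] $Service = '')
    $label = [IO.Path]::GetFileNameWithoutExtension($Program)
    if ($Service) { $label = "$label ($Service)" }
    New-ScopedOutboundRule -DisplayName "Block 443 - $label" -Program $Program -Service $Service `
        -Action Block -RemoteAddress Internet -Protocol TCP -RemotePort 443
}

function Get-ScopedRule {
    # Audit view of everything created by the functions above.
    Get-NetFirewallRule -DisplayName 'Block Internet - *', 'Allow LAN - *', 'Block 443 - *' `
        -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Action  = $_.Action
            Profile = $_.Profile
            Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

# Usage:
# Block-InternetKeepLan -Program "$env:SystemRoot\explorer.exe"
# Block-Internet443     -Program "$env:SystemRoot\System32\svchost.exe" -Service Dnscache
# Get-ScopedRule | Format-Table -AutoSize
# Get-NetFirewallRule -DisplayName 'Block Internet - *', 'Allow LAN - *', 'Block 443 - *' | Remove-NetFirewallRule
```

The Remote column in the audit view is the quickest way to confirm that a rule really carries the Internet or LocalSubnet scope rather than "Any"; a block rule that accidentally ends up with RemoteAddress Any is exactly the "complete block" the post applies to sihclient.exe, not the LAN-preserving one.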