I'm trying to configure Windows Firewall on Server 2008 R2 to block everything except for the traffic that I add to the rule list.
I see there are three policies - public/private/domain. I've been making the same setting changes to each one, though I only have a single NIC and it's assigned the domain policy.
In the domain policy properties I've set the Inbound Connections to "Block (default)" but this still lets ICMP through. I changed it to "block all connections" and created an inbound rule that allows ICMP from all three profiles, for all programs on all interfaces, but this made the firewall drop ICMP traffic even though I have an allow rule created for it.
According to this documentation the allow rules are supposed to take precedence over default rules. I want to set my default rule to block all traffic and only allow certain traffic with allow rules.
I created two custom allow rules:
- Allow inbound ICMPv4 traffic for all programs/IP addresses.
- Allow inbound ICMPv6 traffic for all programs/IP addresses.
With the Inbound connections policy set to block all connections and the above allow rules enabled it still blocks my remote pings.
How do I configure Windows Firewall to do this?
Update - It turns out I was using the wrong GUI (embarrassing). Instead of using the GUI in Administrative Tools I was using the one in Group Policy editor (which happen to look identical). There were already rules set on the firewall that I couldn't see in the group policy editor. These rules were taking effect without me realizing it which caused my confusion. To do what I wanted I just had to set the policy to "Block (default)" (with the right tool of course). After deleting all the pre-existing rules (that I didn't see with the group policy editor) I was able to only allow the traffic that I wanted by creating specific allow rules.
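The same procedure as the update describes, done from an elevated command prompt with netsh advfirewall instead of the GUI; this is an added example, not part of the original post, and it assumes the NIC is on the Domain profile (rule names are constructed).

```batch
@echo off
rem Added example (not from the original post): configure the LOCAL firewall
rem store on Server 2008 R2 with netsh advfirewall. Run elevated.

rem 1. Profile default for the profile the NIC actually uses (Domain here).
rem    blockinbound       = "Block (default)": explicit allow rules still apply.
rem    blockinboundalways = "Block all connections": allow rules are ignored,
rem    which is why the ICMP allow rules in the question had no effect.
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

rem 2. Start from a clean inbound rule set so only the rules added below match.
rem    This removes LOCAL rules only (including the built-in Core Networking
rem    inbound rules, e.g. DHCP, so re-add any of those you need). Rules
rem    delivered by Group Policy are not touched and still apply - those were
rem    the "rules I couldn't see" in the update.
netsh advfirewall firewall delete rule name=all dir=in

rem 3. Allow only ICMP Echo Request (ping) inbound: type 8 for ICMPv4,
rem    type 128 for ICMPv6, any code. Add remoteip=<subnet> to limit who may ping.
netsh advfirewall firewall add rule name="Allow inbound ICMPv4 echo" dir=in action=allow protocol=icmpv4:8,any profile=domain
netsh advfirewall firewall add rule name="Allow inbound ICMPv6 echo" dir=in action=allow protocol=icmpv6:128,any profile=domain

rem 4. Verify. "show domainprofile" confirms the default action; "monitor show
rem    firewall" lists the ACTIVE rules from every store (local and GPO), which
rem    is the view that explains what the firewall is really doing.
netsh advfirewall show domainprofile
netsh advfirewall monitor show firewall rule name=all
```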
When you have more than one rule matching your traffic, the Block one will have precedence.
Unless you select Override Block Rules option in your Allow rule.
Also, when using a Block all connection rule, the Override option won't work.
Sorry, I just re-read the documentation.
In a nutshell, I believe what you are hoping to achieve is not quite possible with Windows Firewall.
Unfortunately, it doesn't work like network firewalls, i.e. read rules from top to bottom and use the first that matches.
If you have rules with both Allow and Block that will match traffic, then it will Block.
Rules Action Explained
Where to find Override block rules
As an aside, making changes to the firewall policies for public and private won't have any effect as long as your NIC is still using the Domain network profile.
You are doing this the hard way. The default policy of the Domain profile implements a default deny ingress policy and a default allow egress (i.e., inbound connections are blocked and outbound connections are allowed). If you've changed these defaults you can set them back in the Windows Firewall Properties dialog.
Then to enable ICMP traffic enable the following two allow rules: