2

I'm trying to set up a firewall to only permit inbound traffic on ports 80 and 443 from specific IP addresses. I tried creating a rule to block all traffic on TCP, local port 80 and 443, then I added a rule to allow the same from a specific remote IP address. However, I kept getting traffic from any IP address. So I disabled the rule to allow traffic, and I still was getting traffic from any IP address. Then I changed the rule to block all TCP traffic on any port, but I'm still getting traffic.

There are no rules that allow traffic on TCP 80, 443, or Any that aren't limited to a specific program. How can I block incoming traffic on those ports except for specific IP addresses? Is there some way to identify which rule is letting the traffic through? Thanks!

Becca Dee
  • By default, all inbound connections are blocked unless stated otherwise. You can see that in the firewall properties. If you say there are no rules that allow this traffic, then it must be it. Also, you can make the firewall log all incoming packets from the same menu, and then see what's going on. – EliadTech Jun 18 '14 at 18:20
  • One more thought, maybe the rules you've created are in the wrong profile (domain, private, public)? – EliadTech Jun 18 '14 at 18:22

1 Answer

3

First of all:

  1. If there is no rule for a port/service/application and the firewall is enabled, all traffic for it is blocked!
  2. If there is an enabled allow rule for a port/service/application, matched traffic is allowed.
  3. If there is an enabled block rule for a port/service/application, it takes precedence over allow rules and matched traffic is blocked!

You say that inbound traffic on the ports 80 and 443 is allowed from everywhere. That means there is an active rule that allows that traffic. You want to allow traffic to those ports only from certain IP addresses.

You first need to remove the rule that allows the traffic and then create a rule that only allows traffic from certain ip addresses.

To find out what rule causes your ports 80 and 443 to be reachable, get all active rules first:

$active_rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow

The next step is to search for possible rules that allow inbound traffic on the ports 80 and 443:

# Note: -in only matches an entry that is exactly 80 or 443; a rule whose LocalPort is "Any" or a range such as "80-443" also exposes these ports and is not caught by this filter.
$port_filters = $active_rules | Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -in (80, 443) }

Then find the associated firewall rules:

$port_filters | Get-NetFirewallRule

It is probably easier to just sort by the LocalPort column in the graphical user interface of the Advanced Firewall Settings. But those commands might help you track down the rule somehow.

Things to remember: Check the three different profiles. If you don't find a port filter, maybe the web application or the web service has an active allow rule.

When you have located and removed (or disabled) the rule in question, create a new allow rule for the ports and the addresses:

New-NetFirewallRule -DisplayName "Allow TCP:80,443 from certain IPs" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443 -RemoteAddress ("8.8.8.8", "8.8.4.4", "…")

Daniel
  • I think you've misread Don's post. He said he created the rules properly, only they didn't work as should. – EliadTech Jun 18 '14 at 18:21
  • He specifically asked "*How can I block incoming traffic on those ports except for specific IP addresses?*" Further, a block rule always has precedence. If he set up block rules, he did it wrong. – Daniel Jun 18 '14 at 18:23
  • @Daniel, thanks for the reply, but you did misread the post. I want to block traffic *except* for specific IP addresses, which I take to be the same as permitting traffic only from specific IP addresses. Are the PowerShell commands equivalent to using the Firewall graphical interface? I may try with those. Thank you, both! – Becca Dee Jun 18 '14 at 18:35
  • @EliadTech, I'm not convinced I set up the rules properly. In fact, I agree with Daniel; I must have set them up wrong, otherwise they'd do what I want. Thank you both for your replies! – Becca Dee Jun 18 '14 at 18:37
  • Don01001100, @EliadTech sorry, I did misread the question. I feel stupid now. I did rewrite my answer and hopefully this time it is helpful. – Daniel Jun 18 '14 at 19:51
  • @Daniel, I manage to do at least one thing every day that leaves me feeling stupid, so no worries :) Unfortunately, I'm using Server 2008, and it looks like those PS commands are only available in Server 2012. I ended up restarting the firewall service, and that did it. Should it be necessary to restart the firewall service? I did use the outline of those three rules at the top of your post to solve my problem. – Becca Dee Jun 19 '14 at 15:44
  • Don, I believe you can make those commands available by installing PowerShell 3.0, but I am not entirely sure. Normally you would not need to restart the firewall service. – Daniel Jun 19 '14 at 16:35
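
As an added example (not Daniel's code and not part of the original thread), the three steps of the answer above, finding every enabled inbound allow rule that exposes TCP 80/443, disabling the unrestricted ones, and creating the scoped allow rule, can be put into one script. Unlike the one-liner in the answer, it also catches rules whose LocalPort is "Any" or a range, reports the profile each rule lives in (the mismatch EliadTech suggested), and turns on the packet logging he mentioned. It assumes the NetSecurity module, which ships with Windows 8 / Server 2012 and later (it is not available on Server 2008 whatever PowerShell version is installed), an elevated prompt, and placeholders of my own: the function names Test-PortFilterCovers and Get-ExposingRules, the rule display name, and the 203.0.113.x addresses, which are RFC 5737 documentation addresses to replace with the real remote hosts.

```powershell
# Added example, not from the original answer: audit which enabled inbound
# allow rules expose TCP 80/443, disable the ones open to any remote address,
# and replace them with a rule scoped to an approved address list.
# Requires the NetSecurity module (Windows 8 / Server 2012+) and admin rights.

$WebPorts       = 80, 443
$AllowedRemotes = @('203.0.113.10', '203.0.113.11')   # placeholder addresses (RFC 5737 TEST-NET-3)

# A port filter's LocalPort can be "Any", a single port ("80"), a range
# ("80-443") or an array of those. Return $true if any port of interest
# falls inside it. (Hypothetical helper name.)
function Test-PortFilterCovers {
    param([object]$LocalPort, [int[]]$Ports)
    foreach ($p in @($LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        } elseif ($p -match '^\d+$' -and ($Ports -contains [int]$p)) {
            return $true
        }
    }
    return $false
}

# Enabled inbound allow rules whose port filter covers the given TCP ports,
# joined with their address and program filters. Profile is included so a
# rule that exists only in Domain/Private/Public is not overlooked.
# (Hypothetical helper name.)
function Get-ExposingRules {
    param([int[]]$Ports)
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            if ($port.Protocol -notin @('TCP', 'Any')) { return }   # 'return' here skips to the next rule
            if (-not (Test-PortFilterCovers -LocalPort $port.LocalPort -Ports $Ports)) { return }
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = (@($port.LocalPort) -join ',')
                RemoteAddress = (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
                Program       = ($rule | Get-NetFirewallApplicationFilter).Program
            }
        }
}

# 1. Show what currently lets 80/443 in, and from where.
$exposing = Get-ExposingRules -Ports $WebPorts
$exposing | Format-Table Name, DisplayName, Profile, LocalPort, RemoteAddress, Program -AutoSize

# 2. Disable only the rules whose remote scope is unrestricted; rules that are
#    already limited to particular addresses are left for manual review.
$exposing | Where-Object { $_.RemoteAddress -eq 'Any' } |
    ForEach-Object { Disable-NetFirewallRule -Name $_.Name }

# 3. The replacement rule: TCP 80/443 only from the approved hosts, in every profile,
#    so it does not depend on which profile the interface is classified into.
New-NetFirewallRule -DisplayName 'Allow TCP 80,443 from approved hosts' `
    -Direction Inbound -Action Allow -Profile Any -Protocol TCP `
    -LocalPort $WebPorts -RemoteAddress $AllowedRemotes | Out-Null

# 4. Log allowed and dropped packets so any stray connection can be traced back
#    to the profile that admitted it (default log path shown).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
```

Run step 1 on its own first and read the table before letting steps 2 and 3 change anything; a rule such as the built-in "World Wide Web Services (HTTP Traffic-In)" is exactly the kind of unrestricted allow that shows up there. On Server 2008 / 2008 R2, where these cmdlets do not exist, the same audit and fix are done with netsh: `netsh advfirewall firewall show rule name=all dir=in` to list the inbound rules with their ports, remote addresses and profiles, `netsh advfirewall firewall add rule name="Allow TCP 80,443 from approved hosts" dir=in action=allow protocol=TCP localport=80,443 remoteip=203.0.113.10,203.0.113.11` for the scoped rule, and `netsh advfirewall set allprofiles logging droppedconnections enable` (and `allowedconnections enable`) for the logging.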