Windows firewall

Joveice

Hello, I need to block all connections to a port, simple right.

 

Now I need to allow some IPs to connect to that port, how do I do that?

Let's say the guy who is allowed has the IP 38.100.26.205 (this is random)

so I tried blocking 0.0.0.0-38.100.26.204 and from 38.100.26.206-255.255.255.255 but this didn't work.

 

What do I need to do?

Back-end developer, electronics "hacker"


2 hours ago, Joveice said:

Hello, I need to block all connections to a port, simple right.

 

Now I need to allow some IPs to connect to that port, how do I do that?

Let's say the guy who is allowed has the IP 38.100.26.205 (this is random)

so I tried blocking 0.0.0.0-38.100.26.204 and from 38.100.26.206-255.255.255.255 but this didn't work.

What do I need to do?

And I don't understand why this wouldn't work?

Back-end developer, electronics "hacker"


31 minutes ago, Joveice said:

And I don't understand why this wouldn't work?

Well, it depends on whether you are trying to let in or out, I assume you are letting in.  Windows Firewall by default blocks all incoming connections unless specified otherwise.  This means that you aren't really helping yourself by blocking those IP ranges, you should just simply make an inbound rule to allow the IP address. 

 

You can change the default policies of Windows Firewall; you can check your current rules in Windows Firewall with Advanced Security on the main page. You can go to Windows Firewall Properties on the main page to configure these default policies.

 

I think the only thing you were doing wrong was not noticing the default policies. 


1 minute ago, Mike_The_B0ss said:

Well, it depends on whether you are trying to let in or out, I assume you are letting in.  Windows Firewall by default blocks all incoming connections unless specified otherwise.  This means that you aren't really helping yourself by blocking those IP ranges, you should just simply make an inbound rule to allow the IP address. 

 

You can change the default policies of Windows Firewall; you can check your current rules in Windows Firewall with Advanced Security on the main page. You can go to Windows Firewall Properties on the main page to configure these default policies.

 

I think the only thing you were doing wrong was not noticing the default policies. 

The ports are normally open (game ports) and players connect on them so they are open no doubt.

 

I need this for a program so I do not want to change the default settings at all.

Back-end developer, electronics "hacker"


Just now, Joveice said:

The ports are normally open (game ports) and players connect on them so they are open no doubt.

 

I need this for a program so I do not want to change the default settings at all.

You should be able to make a custom rule in Windows Firewall, select all programs for the program, specify the protocol, and the port, then you are able to specify allowed IP addresses.  Don't block the IPs, only the ones that are allowed, then allow the connection, select where it applies, and then name it.  

 

So, this is in Windows Firewall with Advanced Security btw, and you right click on inbound rules and click new rule.  


1 minute ago, Mike_The_B0ss said:

You should be able to make a custom rule in Windows Firewall, select all programs for the program, specify the protocol, and the port, then you are able to specify allowed IP addresses.  Don't block the IPs, only the ones that are allowed, then allow the connection, select where it applies, and then name it.  

 

So, this is in Windows Firewall with Advanced Security btw, and you right click on inbound rules and click new rule.  

You don't get my point. Right now it allows all which it should. Now when I activate my new rule I need it to block all and only allow those I chose

Back-end developer, electronics "hacker"


2 minutes ago, Joveice said:

You don't get my point. Right now it allows all which it should. Now when I activate my new rule I need it to block all and only allow those I chose

If it's on the specific port, can't you just use the same rule but to block?  It only applies to the IPs specified.  

Otherwise just change the policy for all ports in a certain area like domain/inbound/outbound?  


10 minutes ago, Mike_The_B0ss said:

If it's on the specific port, can't you just use the same rule but to block?  It only applies to the IPs specified.  

Otherwise just change the policy for all ports in a certain area like domain/inbound/outbound?  

Let's say the guy who is allowed has the IP 38.100.26.205 (this is random)

so I tried blocking 0.0.0.0-38.100.26.204 and from 38.100.26.206-255.255.255.255 but this didn't work.

Why doesn't this work?

Back-end developer, electronics "hacker"


2 minutes ago, Joveice said:

Let's say the guy who is allowed has the IP 38.100.26.205 (this is random)

so I tried blocking 0.0.0.0-38.100.26.204 and from 38.100.26.206-255.255.255.255 but this didn't work.

Why doesn't this work?

If you blocked those ports in a custom rule AND made an allowed rule for the allowed IP I wouldn't know.  The only possibility is that you didn't allow the port over WAN through your firewall on your router or VPN.  If you run into even more issues, my only advice would be to suggest setting up a VPN so they can directly connect to your PC and block all ports on the VPN interface except the one you have allowed.  Sorry for not fully understanding your issue.  

 

Other than that I wouldn't know and you are better talking to an IT professional like @leadeater


3 hours ago, Joveice said:

Hello, I need to block all connections to a port, simple right.

 

Now I need to allow some IPs to connect to that port, how do I do that?

Let's say the guy who is allowed has the IP 38.100.26.205 (this is random)

so I tried blocking 0.0.0.0-38.100.26.204 and from 38.100.26.206-255.255.255.255 but this didn't work.

 

What do I need to do?

For what you want, do it in the reverse: ports are only allowed through the firewall if allowed, so you can just limit the rule to only apply to a set or range of IP addresses you want.

 

First create the allow rule then edit it to modify the scope settings.

 

 

This allow rule will only work for the listed IP address otherwise the port is blocked, unless another rule is allowing it.


3 minutes ago, Mike_The_B0ss said:

If you blocked those ports in a custom rule AND made an allowed rule for the allowed IP I wouldn't know.  The only possibility is that you didn't allow the port over WAN through your firewall on your router or VPN.  If you run into even more issues, my only advice would be to suggest setting up a VPN so they can directly connect to your PC and block all ports on the VPN interface except the one you have allowed.  Sorry for not fully understanding your issue.  

 

Other than that I wouldn't know and you are better talking to an IT professional like @leadeater

That would not be an option, but I might have gotten it to work. What I just sent you worked for my TeamSpeak: enabling it and I could connect to the server, moving the IP range up and I could no longer connect. I might just have done it wrong last time I did this.

Back-end developer, electronics "hacker"


2 minutes ago, leadeater said:

For what you want, do it in the reverse: ports are only allowed through the firewall if allowed, so you can just limit the rule to only apply to a set or range of IP addresses you want.

 

First create the allow rule then edit it to modify the scope settings.

 

 

This allow rule will only work for the listed IP address otherwise the port is blocked, unless another rule is allowing it.

By default there is a rule that allows all ports on UDP to the program (no IPs listed). When I block I want to block all but those I allow so I do not need to touch the old rule, this is what I want at least, if it works I have no idea and that's why I'm here for help.

Back-end developer, electronics "hacker"


1 minute ago, Joveice said:

By default there is a rule that allows all ports on UDP to the program (no IPs listed). When I block I want to block all but those I allow so I do not need to touch the old rule, this is what I want at least, if it works I have no idea and that's why I'm here for help.

Well to be honest, that's just inefficient.  You should disable the old rule at least, there could be some collision going on.  Telling the firewall to allow all IPs and block all of them might have undesired effects, I've never tried it. My suggestion would just be to disable the rule if you don't want to touch it, and make a new rule that just allows the port(s) for one IP address. 

 

Otherwise you could just change the rule you already have setup and set it to only apply to the IP. 


Just now, Mike_The_B0ss said:

Well to be honest, that's just inefficient.  You should disable the old rule at least, there could be some collision going on.  Telling the firewall to allow all IPs and block all of them might have undesired effects, I've never tried it. My suggestion would just be to disable the rule if you don't want to touch it, and make a new rule that just allows the port(s) for one IP address. 

 

Otherwise you could just change the rule you already have setup and set it to only apply to the IP. 

Both of those are really good points.

 

And last time I checked the firewall will first look at blocking rules then allowing rules. (Not sure if this is changed but that's what I found on the web)

Back-end developer, electronics "hacker"


2 minutes ago, Joveice said:

By default there is a rule that allows all ports on UDP to the program (no IPs listed). When I block I want to block all but those I allow so I do not need to touch the old rule, this is what I want at least, if it works I have no idea and that's why I'm here for help.

That rule is the one I would edit and set the scope to the IP addresses you only want the allow rule to apply to, then any other IP will not be allowed. As long as you only change the scope there is little that you can break, if anything goes wrong set the scope back to Any IP address and try again.

 

Doesn't really matter how you do it as long as it works, I understand not wanting to alter the default rule. Sounds like you just got it working anyway :)


Just now, leadeater said:

That rule is the one I would edit and set the scope to the IP addresses you only want the allow rule to apply to, then any other IP will not be allowed. As long as you only change the scope there is little that you can break, if anything goes wrong set the scope back to Any IP address and try again.

 

Doesn't really matter how you do it as long as it works, I understand not wanting to alter the default rule. Sounds like you just got it working anyway :)

Yes I will try this out, like @Mike_The_B0ss also mentioned. If I got it to work or not I have to test because I did the same earlier today and it didn't work but I might have done it wrong. And now it works when I did the same thing for TeamSpeak.

Back-end developer, electronics "hacker"


5 minutes ago, Mike_The_B0ss said:

Well to be honest, that's just inefficient.  You should disable the old rule at least, there could be some collision going on.  Telling the firewall to allow all IPs and block all of them might have undesired effects, I've never tried it. My suggestion would just be to disable the rule if you don't want to touch it, and make a new rule that just allows the port(s) for one IP address. 

 

Otherwise you could just change the rule you already have setup and set it to only apply to the IP. 

Block rules always take precedence over allow rules so in the case of conflicting/overlapping rules for a deny and an allow the block will take effect. Good suggestion about disabling the default rule and making a copy of it then changing the scope.

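The approach from the replies above (scope an allow rule to the permitted address instead of adding block ranges, and deal with the existing allow-all rule), as an added PowerShell example that is not part of any post in the thread. The port number and rule name are assumed placeholders; the IP is the sample address used in the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumptions: $Port and $RuleName are placeholders; the IP is the thread's sample.
$Port      = 9987
$Protocol  = 'UDP'
$AllowedIp = '38.100.26.205'
$RuleName  = 'Game port - allowed peers only'

# 1. Check the default inbound action. When it is Block, traffic that matches
#    no allow rule is dropped, so block ranges around the allowed IP add nothing.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. List enabled inbound allow rules that cover this port for ANY remote
#    address (for example a per-program rule with no IPs listed). While such a
#    rule is active, the port stays reachable from everywhere.
#    Note: port ranges such as "9000-9999" are not expanded by this check.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -in @($Protocol, 'Any')) -and
        (@($pf.LocalPort) -contains 'Any' -or @($pf.LocalPort) -contains "$Port") -and
        (@($af.RemoteAddress) -contains 'Any')
    }
$broad | Select-Object DisplayName, Name

# 3. Create an allow rule scoped to the permitted address only.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol $Protocol -LocalPort $Port -RemoteAddress $AllowedIp

# 4. Narrow the scope of the broad rules found in step 2 (this applies to every
#    port those rules cover). -WhatIf previews the change; remove it to apply.
#    Roll back with: Set-NetFirewallRule -RemoteAddress Any
if ($broad) {
    $broad | Set-NetFirewallRule -RemoteAddress $AllowedIp -WhatIf
}

# 5. Confirm what now matches the port: rule name, action and remote scope.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains "$Port" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```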

2 minutes ago, Joveice said:

Yes I will try this out, like @Mike_The_B0ss also mentioned. If I got it to work or not I have to test because I did the same earlier today and it didn't work but I might have done it wrong. And now it works when I did the same thing for TeamSpeak.

And this is on a different subject, but I assume you are allowing the connection from WAN?  This would mean you allowed the port over WAN (you should just specify a source address in the port triggering table) or you are using a DMZ.  Which isn't a very good idea.  Hope you've got your issue sorted. (You could try making a VM with pfSense and set it as the default gateway, and route the WAN connection on the VM bridged through your physical adapter to your internet?)
