How To Block Or Allow Websites, IPs, Apps, And Ports Using Windows Firewall And PowerShell


The Windows Firewall is a security application that comes preinstalled with the Windows OS. It acts as a filtering mechanism for data packets that come in and out of your system via the network.

The firewall can be used to block websites, certain applications, specific IP addresses, and even ports. This is achieved by configuring the Windows Firewall to block or allow incoming or outgoing packets by filtering each one.

In this post, we discuss how you can use Windows Firewall to configure website filtering, IP filtering, application filtering, and port filtering. This can be done using the Firewall itself and through Windows PowerShell. But before we do, let us discuss what exactly Windows Firewall is, how it works, and who needs to configure it.

What is Windows Firewall

Windows Firewall, or Windows Defender Firewall, is a Microsoft software application embedded with the operating system. It is used to filter the incoming and outgoing traffic of data packets from your system via the network, whether wireless or wired.

By default, the Windows Firewall is enabled and configured to allow all sorts of traffic to come or go from your PC. However, you can alter its settings to apply filters and block the packets.

Each packet contains a header and a payload. The header has both the destination and the source IP addresses, amongst other information. Windows Firewall filters the traffic using these IP addresses, port information, and other data by examining each packet.

If the firewall finds a rule to block or allow the traffic for a certain app, IP address, website, or port, then it performs the corresponding action on the matching packets, which is how the filtering process works.

Who Needs to Configure Windows Firewall

Applying new rules to Windows Firewall doesn’t need to be done by every user. Depending on what your requirements are, you can configure the firewall accordingly.

Most home users do not need to perform any actions on the firewall if it is for personal use. However, if their children are also using the same computer, then they can block prohibited apps and websites from being accessed.

If you work inside an organization, then the Windows Firewall can be configured to block employees from accessing social media websites, or other unproductive online content.

If you work on a system where all data is configured to be blocked through Windows Firewall, then you can add a rule to allow only certain types of traffic to pass through, while blocking all others.

Before you start configuring the firewall, consider the associated pros and cons.

Pros and Cons of Allowing/Blocking Using Windows Firewall

Now that we understand how Windows Firewall works, you must also understand that each packet will be inspected before it is forwarded to its destination, whether it’s inbound traffic or outbound.

This adds delay to your network traffic, which can make your internet seem (slightly) slow. The firewall will also use significantly more system resources while it is inspecting the packets.

On the other hand, configuring Windows Firewall also has benefits. You do not need external firewall hardware to filter the network traffic, saving costs. Additionally, configuring the firewall will prevent potential attackers from accessing your PC remotely, keeping your system as well as your data secure.

Moreover, you will be prompted when an app or program is trying to access the internet, giving you control over whether or not to permit it.

Hence, configuring the integrated firewall enhances your privacy.

How to Block/Allow IP Address or Website/Domain on Windows

The Windows Firewall is unable to filter any packets using URLs. Hence, if you wish to allow or block a website, you must first determine its IP address or range of IP addresses. This limitation makes the method to block an IP address or a website very similar.

If you are not sure which IP address(es) you need to block, follow the steps in the given section below to determine the IP address of a domain/website. If you do know which IP address to block, then skip this next section and learn how to allow/block an IP address using either Windows Firewall or PowerShell from the given sections under it.

How to Find the IP Address of Website

You can use either of the following commands in an elevated PowerShell session to find the IP address or range of IP addresses for a website/domain.

Resolve-DnsName "website.com"
nslookup "website.com"

Replace website.com with the domain name.


You may now get 1 or more IP addresses in return (both IPv4 and IPv6). Note them down and then continue to the next step to allow or block this website’s IP address(es).

From Windows Firewall

If you know which IP address you wish to block or allow, follow these steps to do so using Windows Firewall:

  1. Open Advanced Firewall Settings by typing in wf.msc in the Run Command box.

  2. Now click Outbound Rules from the left pane and then right-click it. Then click New Rule from the context menu.

  3. The New outbound rule wizard will now open. Select Custom and then click Next.

  4. Now select All programs and then click Next.

  5. Now select Any from the drop-down menu in front of “Protocol type” and then click Next.

  6. Select These IP addresses under the “Which remote IP addresses does this rule apply to” and then click Add.

  7. Now select This IP address or subnet and then enter the IP address you want to allow or block. This IP address can also be of a website if you want to allow or block it, or it can be an IP address with a subnet mask if you want to block the complete subnet.

    Click OK when entered.


    Note: You can also select This IP address range if you want to allow or block a range of IP addresses, and then fill in the IP address range details in the From and To text fields.

  8. (Optional) If you want to allow/block more IP addresses (including IPv6 addresses), click Add again and repeat Step 7.

  9. Once the IP addresses have been added, click Next.

  10. On the next screen, select one of the following options depending on whether you want to allow those IP addresses or block them:

    • Allow the connection: If you want to allow the IP address(es). This will be used if your default policy is set to block all connections.
    • Block the connection: If you want to block the IP address(es).

    Click Next when selected.

  11. Now select the network types you want to apply this rule on, and click Next.

  12. On the final screen, enter a custom name for this rule and click Finish.


The Windows Firewall will now block the IP address(es) or website. However, since some websites have many different IP addresses rerouting to the destination address, one rule may not completely block the website.

If it did work, then accessing a blocked website will show you the following statement:

Firewall or antivirus software may have blocked the connection.

If you later want to undo your action by allowing a blocked website/IP address, or blocking an allowed website/IP address, all you need to do is either change the rule you created, disable it temporarily, or simply delete it.

To disable or delete the outbound rule, navigate to the Outbound Rules folder inside the Advanced Windows Firewall settings, right-click on the rule, and click either Disable Rule or Delete from the context menu.


Using PowerShell

If you know which IP address you wish to block or allow, follow these steps to do so using Windows PowerShell:

Note: These steps show how to create a new rule to allow or block IP address(es). If you wish to change the setting of an existing rule using PowerShell, continue to the section below.

  1. Open an elevated PowerShell instance.

  2. Now use the following cmdlet to create a new firewall rule to allow or block an IP address.

    Replace [CustomName] with a name for the rule, and [IPAddress] with the IP address that you want to allow or block. Also, replace [ActionToPerform] with either “Allow” or “Block” depending on whether you want to allow or block the IP address(es).

    You can optionally add “/” followed by a subnet mask after the IP address if you want to allow or block the complete subnet.

    New-NetFirewallRule -DisplayName "[CustomName]" -Direction Outbound -LocalPort Any -Protocol TCP -Action [ActionToPerform] -RemoteAddress [IPAddress]
  3. The website/IP address(es) will now be allowed/blocked. At this point, note down the GUID given in front of the “Name” field returned after running the cmdlet and save it as it will be needed in the future if you ever wish to delete the rule.


A new rule in Windows Firewall will now be created with the custom name you entered. However, the steps above only apply to creating a new rule. If you wish to undo these changes, you either need to use the steps given below that apply to an existing firewall rule, or delete this rule.

Edit Existing Firewall Rule using PowerShell

To allow a blocked IP address/website for which there is already a firewall rule in place, use this cmdlet:

Set-NetFirewallRule -DisplayName "[CustomName]" -Action Allow

To block an allowed IP address/website for which there is already a firewall rule in place, use this cmdlet:

Set-NetFirewallRule -DisplayName "[CustomName]" -Action Block

Delete Firewall Rule using PowerShell

To delete a rule, you need to use the GUID for the firewall rule which we noted earlier when creating the rule. Replace [GUID] with the noted GUID in this cmdlet to delete the associated firewall rule:

Remove-NetFirewallRule -Name "[GUID]"

If you do not have the associated GUID, use the following cmdlet to obtain the GUIDs of all the outbound firewall rules. For inbound rules, replace “outbound” with “inbound.”

Get-NetFirewallRule -Direction Outbound | Select-Object Name, DisplayName, Description
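
The create, inspect, edit, and delete steps from the sections above, combined into one script. This is an added example, not part of the original article; website.com and the rule name are placeholders, and Get-SiteAddress is a hypothetical helper defined here.

```powershell
#Requires -RunAsAdministrator
# Added example. 'website.com' and the rule name are placeholders.

function Get-SiteAddress {
    # Hypothetical helper: every IPv4 (A) and IPv6 (AAAA) address the
    # name resolves to right now.
    param([Parameter(Mandatory)][string]$Domain)
    'A', 'AAAA' | ForEach-Object {
        Resolve-DnsName -Name $Domain -Type $_ -ErrorAction SilentlyContinue
    } | Where-Object { $_.IPAddress } |      # skip CNAME/SOA records
        Select-Object -ExpandProperty IPAddress -Unique
}

$domain    = 'website.com'
$addresses = @(Get-SiteAddress -Domain $domain)
if ($addresses.Count -eq 0) { throw "No addresses resolved for $domain" }

# One outbound rule covering all resolved addresses. -Protocol is omitted,
# so the rule applies to any protocol, like "Any" in the wizard steps.
$rule = New-NetFirewallRule -DisplayName "Block $domain" `
    -Description "Outbound block for $domain, created $(Get-Date -Format s)" `
    -Direction Outbound -Action Block -RemoteAddress $addresses

# The Name property is the GUID the article tells you to note down.
$ruleId = $rule.Name
"Rule GUID: $ruleId"

# Confirm which remote addresses the rule actually holds.
Get-NetFirewallRule -Name $ruleId | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Later maintenance, addressed by GUID: -DisplayName is not unique, so a
# change made by display name affects every rule that shares it.
# Set-NetFirewallRule    -Name $ruleId -RemoteAddress (Get-SiteAddress $domain)  # refresh IPs
# Set-NetFirewallRule    -Name $ruleId -Action Allow                             # flip the action
# Remove-NetFirewallRule -Name $ruleId                                           # delete the rule
```

Because a website's addresses change over time, re-running the refresh line periodically keeps the rule aligned with current DNS answers.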

How to Block/Allow Network Ports on Windows

Network ports are used by Windows services and applications to send and receive data over the network. On top of a unique IP address, a port defines what application or service on that particular device to send that information to.

You can allow or block these network ports using Windows Firewall as it makes your system safer. Open ports that are listening can be dangerous as they increase the attack surface area for hackers.


Blocking a port using a firewall is the same as closing it. Ports can be blocked or allowed using both Windows Firewall and PowerShell.

From Windows Firewall

Follow these steps to block a port from listening or allow it on your computer using Windows Firewall:

  1. Open Advanced Firewall Settings by typing in wf.msc in the Run Command box.

  2. Now click Outbound Rules from the left pane and then right-click it. Then click New Rule from the context menu.

  3. The New Outbound Rule wizard will now open. Select Port and then click Next.

  4. On the next screen, select the type of port you want to allow or block, and then enter the port number in front of Specific local ports. Click Next when done.

  5. On the next screen, select one of the following options depending on whether you want to allow the port or block it:

    • Allow the connection: If you want to allow the port. This will be used if your default policy is set to block all connections.
    • Block the connection: If you want to block the port.

    Click Next when selected.

  6. Now select the network types you want to apply this rule on, and click Next.

  7. On the final screen, enter a custom name for this rule and click Finish.


The specified port will now be allowed to listen or be blocked, depending on what you selected in Step 5 above.

If you feel like removing or disabling this rule in the future, all you need to do is either change the rule you created, disable it temporarily, or simply delete it.

To disable or delete the outbound rule, navigate to the Outbound Rules folder inside the Advanced Windows Firewall settings, right-click on the rule, and click either Disable Rule or Delete from the context menu.


Using PowerShell

Follow these steps to block a port from listening or allow it on your computer using Windows PowerShell:

  1. Launch PowerShell with administrative privileges.

  2. Now use the following cmdlet to create a new firewall rule to allow or block a network port.

    Replace [CustomName] with a name for the rule, and [Port] with the port that you want to allow or block. Also, replace [ActionToPerform] with either “Allow” or “Block” depending on whether you want to allow or block the port.

    New-NetFirewallRule -DisplayName "[CustomName]" -Action [ActionToPerform] -Direction Outbound -Profile Any -Protocol tcp -RemotePort [Port]
  3. The network port will now be allowed/blocked. At this point, note down the GUID given in front of the “Name” field returned after running the cmdlet and save it as it will be needed in the future if you ever wish to delete the rule.


A new rule in Windows Firewall will now be created with the custom name you entered to allow/block the network port. However, the steps above only apply to creating a new rule.

If you wish to undo these changes, you either need to edit an existing firewall rule or delete it.
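
To see which ports are actually listening before writing a port rule, and how the rule's direction changes what it covers, here is an added example that is not part of the original article. Port 8080 and the rule names are placeholders, and Get-ListeningTcpPort is a hypothetical helper defined here.

```powershell
#Requires -RunAsAdministrator
# Added example. The port number and rule names are placeholders.

function Get-ListeningTcpPort {
    # Hypothetical helper: one row per listening TCP endpoint, with the
    # process that owns it. Listeners on 127.0.0.1 or ::1 are local only.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
        }
    } | Sort-Object LocalPort, LocalAddress
}

Get-ListeningTcpPort | Format-Table -AutoSize

$port = 8080   # placeholder: a port from the table you do not want reachable

# Inbound + LocalPort: other hosts can no longer connect to a service
# listening on this port of this machine.
$in = New-NetFirewallRule -DisplayName "Block inbound TCP $port" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $port

# Outbound + RemotePort (the cmdlet from the steps above): this machine can
# no longer open connections to that port on other hosts.
$out = New-NetFirewallRule -DisplayName "Block outbound TCP $port" `
    -Direction Outbound -Action Block -Profile Any -Protocol TCP -RemotePort $port

# Show what each rule matches, keyed by the GUID needed to delete it later.
$in, $out | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $_.Name
        Direction  = $_.Direction
        Protocol   = $filter.Protocol
        LocalPort  = $filter.LocalPort
        RemotePort = $filter.RemotePort
    }
} | Format-Table -AutoSize
```

A UDP service on the same port number needs its own rule with -Protocol UDP.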

How to Block/Allow Apps or Programs on Windows

You can also block an application or a Windows program from accessing the internet by blocking it through Windows Firewall. This can be done using the advanced Windows Firewall settings, through the “allowed apps” settings in the Control Panel, and using Windows PowerShell.

From Control Panel

Follow these steps to allow or block an app or program using the Control Panel:

  1. Open the Firewall applet by typing in firewall.cpl in the Run Command box.

  2. Now click “Allow an app or feature through Windows Defender Firewall” on the left.

  3. (Conditional) If the checkboxes on the next page under “Allowed apps and features” are grayed out, then click Change settings.


    You should now be able to manage the allowed apps through the checkboxes which were previously grayed out.

  4. Now, check or uncheck the boxes to the left of the app that you want to allow or block through the firewall. The apps and programs with a checked box are allowed through the firewall, while the unchecked ones are blocked.

  5. Also, check on which network types you want to allow the app. This is defined by the checkboxes on the right side of the app under the respective columns (Public, Private, or Domain).

  6. If you do not find the app or program in this list, then click Allow another app and then click Browse.

  7. Now browse for the app you want to add to the list and then click Add.

  8. When all configurations are done, click OK to save the changes.


The application or program will now be allowed or blocked from accessing the network by Windows Firewall. If you want to undo these changes in the future, simply use the checkboxes to allow or disallow them.

From Advanced Firewall Settings

You can also block or allow an app or program from transmitting outbound data using the advanced Windows Firewall settings. Here is how:

  1. Open Advanced Firewall Settings by typing in wf.msc in the Run Command box.

  2. Now click Outbound Rules from the left pane and then right-click it. Then click New Rule from the context menu.

  3. The New Outbound Rule wizard will now open. Select Program and then click Next.

  4. On the next screen, select This program path and then click Browse.

  5. Now browse for the app or program that you want to allow or block. When selected, click Next.

  6. On the next screen, select one of the following options depending on whether you want to allow the app or block it:

    • Allow the connection: If you want to allow the app. This will be used if your default policy is set to block all connections.
    • Block the connection: If you want to block the app.

    Click Next when selected.

  7. Now select the network types you want to apply this rule on, and click Next.

  8. On the final screen, enter a custom name for this rule and click Finish.


The application will now be successfully allowed or blocked from accessing the network. However, the app will still run on your computer.

If you feel like removing or disabling this rule in the future, all you need to do is either change the rule you created, disable it temporarily, or simply delete it.

To disable or delete the outbound rule, navigate to the Outbound Rules folder inside the Advanced Windows Firewall settings, right-click on the rule, and click either Disable Rule or Delete from the context menu.


Using PowerShell

Follow these steps to create a Windows Firewall rule to allow or block an app using Windows PowerShell:

  1. Launch Windows PowerShell with administrative privileges.

  2. Now use the following cmdlet to allow or block an app:

    Replace [CustomName] with a name for the rule, [ActionToPerform] with either “Allow” or “Block” depending on whether you want to allow or block the application, and [ProgramPath] with the complete path for the .EXE file for the program.

    New-NetFirewallRule -DisplayName "[CustomName]" -Direction Outbound -Program "[ProgramPath].exe" -Action [ActionToPerform]
  3. The program will now be allowed/blocked. At this point, note down the GUID given in front of the “Name” field returned after running the cmdlet and save it as it will be needed in the future if you ever wish to delete the rule.


A new rule in Windows Firewall will now be created with the custom name you entered to allow/block the app. However, the steps above only apply to creating a new rule.

If you wish to undo these changes, you either need to edit an existing firewall rule or delete it.
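
To review the IP, port, and app rules created in this post in a single view, the added example below (not part of the original article) joins each enabled rule with its address, port, and application filters. Get-FirewallRuleSummary is a hypothetical helper name; it also flags program rules whose executable path no longer exists, since a program rule matches by path only.

```powershell
# Added example. Get-FirewallRuleSummary is a hypothetical helper.

function Get-FirewallRuleSummary {
    param(
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Outbound',
        [ValidateSet('Allow', 'Block')][string]$Action = 'Block'
    )
    Get-NetFirewallRule -Direction $Direction -Action $Action -Enabled True |
        ForEach-Object {
            # Each rule stores its match criteria in separate filter objects.
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            # Program paths may contain variables such as %SystemRoot%.
            $path = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            [pscustomobject]@{
                Name          = $_.Name          # GUID used by Remove-NetFirewallRule
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                Program       = $app.Program
                # $null when the rule is not tied to a specific executable.
                ProgramExists = if ($app.Program -in 'Any', 'System') { $null }
                                else { Test-Path -LiteralPath $path }
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemotePort    = $port.RemotePort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
}

$summary = Get-FirewallRuleSummary -Direction Outbound -Action Block
$summary | Format-List

# Program rules pointing at a path that is gone (app moved, renamed, or
# updated into a new versioned folder) no longer match anything.
$summary | Where-Object { $_.ProgramExists -eq $false } |
    Select-Object DisplayName, Program
```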

Closing Thoughts

The Windows Firewall is a handy piece of software when it comes to filtering internet traffic on your PC. This is excellent for parents to control what their children can and can’t access.

We would also like to add that the methods described in this post can be adapted to your needs. For example, if you want a port to work internally but not communicate over the network, you can create an inbound firewall rule for it instead of an outbound rule.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
