Windows Firewall – Difference Between Disable and Block

firewallwindowswindows-firewall

In "Windows Firewall with advanced security", what is the difference between disabling a rule and setting it to "block traffic"?

Besides knowing the difference, in my case I want to diminish the system vulnerability to exploits by keeping open only the minimal ports that I need. For that, would it make a difference if I use block or disable?

Best Answer

Disabling a rule means that the rule will no longer take effect. The block action refers to the behaviour of the rule itself...that is should it allow or block the traffic matched by that rule.

So for example you can have a block rule that is preventing traffic, but you may want to temporarily allow that traffic for testing or other purposes, so you can select that rule and then disable it. Then if you want to reactivate the rule you can enable it again.

As Ryan says below. Another concept that might help you understand is "default behavior" of inbound versus outbound rules. By default, Windows Firewall is configured to block incoming traffic by default, and allow outgoing traffic by default. So a "Block" rule typically isn't needed for inbound traffic, but you might want it if you're specifically targeting outbound traffic. Depends on the context.

Related Solutions

Security – Whats the difference between local and remote addresses in 2008 firewall address

Local IP addresses are referring to IP addresses of adapters on the server itself. Let's say you have a multihomed server with 192.168.0.2 and 10.10.10.10. If you specify only 10.10.10.10, the firewall will not consider the rule as matching to the traffic if it hits 192.168.0.2 instead.

Remote IP addresses are the source IP address from which the traffic came from. If you put in 20.20.20.20, then the rule will only apply if the traffic came from that IP address.

In this example, if you wanted to block domain authentication traffic from the adapter with the public IP address, you would specify the public IP address(es) for the local IP, and all remote IP's for the rule set to deny this traffic.

To allow it for the local IP'ed adapter, you would make a rule that specifies the internal IP address for local, and then the range of IP addresses that would include your domain controllers as remote, with an allow rule.

How to know currently open ports on the Windows Firewall

The reason you can't get the same results using the same commands is that the Win7 firewall rules can be specific to an individual application, and configured per network type (Private, Domain, Public), protocol, port, etc. Powershell should give you a much better way to query this information and sort it. Here's a quick script I have to dump my configuration, when I need it.

Function Get-EnabledRules
{
    Param($profile)
    $rules = (New-Object -comObject HNetCfg.FwPolicy2).rules
    $rules = $rules | where-object {$_.Enabled -eq $true}
    $rules = $rules | where-object {$_.Profiles -bAND $profile}
    $rules
}

$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
 $connections = $networkListManager.GetNetworkConnections()
[int[] ] $connTypes = @()
$connTypes = ($connections | % {$_.GetNetwork().GetCategory()})
#$connTypes += 1
Write-Host $connTypes

$connTypes | ForEach-Object {Get-EnabledRules -profile $_ | sort localports,Protocol | format-table -wrap -autosize -property Name, @{Label="Action"; expression={$_.action}}, @{Label="Protocol"; expression={$_.protocol}}, localPorts,applicationname}

A lot of this was based off of this post on MSDN

Best Answer

Related Solutions

Security – Whats the difference between local and remote addresses in 2008 firewall address

How to know currently open ports on the Windows Firewall

Related Topic