Block all access except certain IP addresses from stations A and B.

  • Question

  • Good Morning!

      What will be the correct command for the OS firewall ('netsh advfirewall firewall add rule') to block all access except certain IP addresses from stations A and B?

    Thanks all.


    Doria

    Wednesday, July 15, 2020 12:47 PM

All replies

  • Hi Doria,

    Based on my understanding, you want to use the Windows netsh firewall command to allow only a specific IP address and deny all other IP addresses. Please feel free to let me know if my understanding is wrong.

    If the special IP address is 192.0.2.55, then you can try the below command:

    netsh advfirewall firewall add rule name="Allow from 192.0.2.55" dir=in action=allow protocol=ANY remoteip=192.0.2.55

    Here is a similar thread discussed before, you could have a look:

    Open Windows Firewall to all connections from specific IP Address

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy


    Thursday, July 16, 2020 2:04 AM
  • Thanks for your answer!

      Well, what would be the command to clear all other default rules or to deny access from all network addresses? Would it be something like this:

    netsh advfirewall firewall add rule name="Deny from all" dir=in action=deny protocol=ANY remoteip=*

    Thanks.


    Doria

    Thursday, July 16, 2020 2:41 PM
  • Hi Doria,

    The "deny" gets priority over the "allow", so we cannot deny all IP addresses. We need to deny all IP addresses except the special IP address.

    If the special IP address is 192.0.2.55, then you can try the below command:

    netsh advfirewall firewall add rule name="Deny from all" dir=in action=block protocol=ANY remoteip=1.1.1.1-192.0.2.54,192.0.2.56-255.255.255.255

    As the picture below:

    Hope this can help you.

    Best Regards,

    Candy

     


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    • Marked as answer by dydoria Friday, July 17, 2020 12:27 PM
    Friday, July 17, 2020 3:33 AM
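
Added example (not part of the thread or of any poster's reply): the question asks about two stations, while the marked answer shows the block range for a single address. This Python script computes the remoteip list for any set of allowed addresses, keeping the answer's 1.1.1.1 and 255.255.255.255 bounds as given; the station B address 192.0.2.60 and the function names are constructed for illustration.

```python
import ipaddress

# Outer bounds of the block range, as used in the command from the answer above.
LOW = "1.1.1.1"
HIGH = "255.255.255.255"


def block_ranges(allowed, low=LOW, high=HIGH):
    """Return (start, end) integer pairs covering low..high minus the allowed hosts."""
    lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
    hosts = sorted({int(ipaddress.IPv4Address(a)) for a in allowed})
    ranges, cursor = [], lo
    for ip in hosts:
        if ip < cursor or ip > hi:
            continue  # outside the span the rule covers; nothing to carve out
        if ip > cursor:
            ranges.append((cursor, ip - 1))
        cursor = ip + 1  # adjacent allowed hosts leave no gap between them
    if cursor <= hi:
        ranges.append((cursor, hi))
    return ranges


def is_blocked(ip, allowed):
    """True if the generated block rule would match this remote address."""
    n = int(ipaddress.IPv4Address(ip))
    return any(s <= n <= e for s, e in block_ranges(allowed))


def netsh_block_rule(allowed, name="Deny from all"):
    """Build the netsh command text; a one-address gap is written as a single IP."""
    parts = []
    for s, e in block_ranges(allowed):
        first, last = ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)
        parts.append(str(first) if s == e else f"{first}-{last}")
    return ("netsh advfirewall firewall add rule "
            f'name="{name}" dir=in action=block protocol=ANY '
            f'remoteip={",".join(parts)}')


if __name__ == "__main__":
    # Constructed sample: station A is the thread's 192.0.2.55, station B is made up.
    stations = ["192.0.2.55", "192.0.2.60"]
    print(netsh_block_rule(stations))
    for probe in stations + ["192.0.2.56", "203.0.113.9"]:
        print(probe, "blocked" if is_blocked(probe, stations) else "not blocked")
```

For the single address 192.0.2.55 the script reproduces the command in the answer above; with both stations it adds a middle range so that neither address falls inside the block rule.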
  • Thanks for your answer Candy. Understood!

      So, basically there are two ways of doing the same thing:

    1. Allow the desired IP and turn off all other default rules;
    2. Deny all addresses except the desired IP.

      Got it! Still, I have some questions:

    1. Which profile (public, domain, private) should I work on? Choose the domain profile and turn off the others?
    2. In case we use the number one approach, what would be the command to turn off all pre-existing rules inside a specific profile?

    Regards.


    Doria


    • Edited by dydoria Friday, July 17, 2020 12:24 PM
    Friday, July 17, 2020 12:24 PM
  • Hi Doria,

    I would suggest that you open a new thread to discuss the number one approach.

    Best Regards,

    Candy


    Monday, July 20, 2020 2:19 AM
  • Sure Candy.


    Doria

    Monday, July 20, 2020 12:21 PM