How do I block all outgoing ports in Windows XP firewall?

The Windows XP firewall, it seems, couldn't block outgoing. The Windows 7 firewall can.
The Windows 7 Firewall can block outgoing
See where it says "outbound rules"; outbound means outgoing.
And look at the text under Domain, Private and Public.
It states the default policies. So for inbound, it's a whitelist (that's stricter); for outbound it's a blacklist (that's more lenient).
A blacklist means let everything through unless it's listed to not be let through.
A whitelist means block everything unless it's listed to be let through.
So a whitelist would be more permissive. Like what at a real-life event would be called 'by invitation only'. So the packet arrives; if it's on the list it's allowed in and the firewall has done its thing for that packet; if the packet is not on the list then continue with the instruction to just block everything. A blacklist is equivalent to when everybody is invited unless they're on a list of people not allowed to come. So a packet arrives; if it's on the blacklist then you block it and the firewall has done its thing for that packet; otherwise, continue to the next instruction, which is to allow everything.
For outbound, the default of a blacklist enables you to browse the web easily. The outbound rule is by default the more permissive one.
For inbound, the default is a whitelist. So if you run any servers (i.e. listening), then a client (i.e. a computer initiating a connection) can only reach them if you have allowed it to.
You can change these policies. And you can add or remove or change rules in the list of rules, for inbound or for outbound.
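Reading off those default policies and switching the outbound side to a whitelist as well, as an added example with the PowerShell NetSecurity cmdlets (not code from the answer above). It assumes Windows 8 / Server 2012 or later (the cmdlets do not exist on Windows 7 or XP) and an elevated session; the rule names are hypothetical.

```powershell
# Added example: inspect and tighten the Windows Firewall default actions.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# 1. Show the current default action per profile (Domain, Private, Public).
#    Out of the box this reports Inbound=Block (whitelist) and Outbound=Allow (blacklist).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Create the outbound allow rules first, otherwise flipping the default to Block
#    cuts all egress at once (DNS and Windows Update included).
$allowRules = @(
    # Hypothetical rule names; adjust paths and services to the host.
    @{ DisplayName = 'Allow DNS (UDP 53)'; Protocol = 'UDP'; RemotePort = 53 },
    @{ DisplayName = 'Allow Windows Update service';
       Program = '%SystemRoot%\System32\svchost.exe'; Service = 'wuauserv' }
)
foreach ($r in $allowRules) {
    # Idempotent: only add a rule that is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Direction Outbound -Action Allow -Profile Any @r | Out-Null
    }
}

# 3. Make outbound a whitelist too: block everything unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 4. Verify: outbound now defaults to Block and the allow rules are enabled.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -like 'Allow *' } |
    Select-Object DisplayName, Profile
```

To return to the stock policy, run `Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow`.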
It's almost useless blocking outgoing ports as applications need to send an initial response first to check the server's there (of which no reply will be received since the incoming port is blocked).
To only allow Windows Update to communicate, you need to block all incoming ports except the following domains and subdomains:
- windowsupdate.microsoft.com
- *.windowsupdate.microsoft.com
- *.update.microsoft.com
- *.windowsupdate.com
- download.windowsupdate.com
- download.microsoft.com
- *.download.windowsupdate.com
- wustat.windows.com
- ntservicepack.microsoft.com
You may be able to use the localhost file to block the above domains, by following the instructions here.
The above are not specific to any Windows version (although the TechNet page is for Windows Server 2003 and XP, this solution works with all modern Windows versions too), so it'll work on Windows versions other than Windows 10.
Best Answer
Comodo Personal Firewall is a free replacement for the Windows Firewall that will query whether you want an application to be able to make outbound connections the first time that application is used. You will also be able to allow programs to open incoming ports so you should be fine there too.
It's pretty comprehensive, you can (I believe) add the most commonly used applications during setup, so Firefox, IE and most email programs are not blocked by default.
The configuration is relatively straightforward and the balloon popups that appear when an application tries to access the network were quite informative when I used it last.
Unless you want Antivirus as well try to make sure that you only download the Firewall installer, their site makes it a bit too easy to get both by mistake.