Windows – How to tell which windows firewall rule is blocking traffic

firewallnetworkingwindows

I'm trying to set up a computer to accept all incoming traffic but only allow outgoing traffic to a specific IP. I have set an allow all rule for Incoming and an Allow rule that specifies an IP address as the only acceptable Outgoing address. I have also set up a deny all Outgoing rule, assuming that the other rule will take precedence.

The problem I am having is that all traffic is being blocked, even the traffic going to the IP that I specified as being allowed.

I am looking for a way to trace traffic through the firewall and see exactly what rule is blocking the traffic. The log generated by the firewall monitoring tells me that traffic was dropped but not which rule blocked it.

Best Answer

(Note: this method has been working at least on Windows 7, 10 Pro, Server 2012 R2)

Following steps will lead you to the rule blocking your connection:

Open a Windows console (with Administration rights) to enter commands
Enable the audit for Windows Filtering Platform (WFP):
run command:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
run command:
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
(This may drown you in Event Log data - enabling only failure audits, and possibly only connection failures will reduce the number of log entries. Be selective about what you actually need)
Reproduce the issue
Run command: netsh wfp show state (this creates a XML file in the current folder)
Open the event viewer: Run (Windows+R) > eventvwr.msc
go to "Windows logs" > "Security"
in the list, identify the dropping packet log (hint: use the Search feature on the right menu, searching for items (source IP, destination port, etc.) specific to your issue)
in the log details, scroll down and note the filter ID used to block the packet
Open the generated XML file:
search for the noted filterID, and check out the rule name (element "displayData > name" on the corresponding XML node)

This will give you a good start to find the blocking rule.

When you're done, don't forget to turn off the audit:

run command:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
run command:
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

Note: depending on your Windows language setting, the auditing service might use different non-English names. To find the subcategory names, run command: auditpol /get /category:* and find subcategories which correspond to "Filtering Platform Packet Drop" and "Filtering Platform Connection" in the system language.

Related Solutions

Windows – How to block all traffic but one IP in Windows Firewall

The proper way to accomplish this is to configure Windows Firewall to block all outgoing traffic by default, and then only allow the incoming connection(s) you want.

To do that, click on Windows Firewall with Advanced Security in the left pane, and choose Windows Firewall Properties from the right pane. Next to Outbound connections, choose Block. Then, click OK.

Windows Firewall block outbound by default

Once you've done that, just delete the block all outgoing traffic rule and you should be all set.

Windows – How to configure Windows Firewall to allow all ports in use by IIS Express

There are a couple problems you're running into here. One is that iisexpress.exe isn't actually the process responsible for listening to HTTP traffic. That functionality is implemented in http.sys as a kernel-mode part of the Windows networking stack. (This was done for performance reasons. For more information, see Introduction to IIS Architectures.) Therefore, creating a rule for iisexpress.exe won't do anything.

Secondly, http.sys by default doesn't allow programs running as non-admins listen to other computers. According to Serving External Traffic with WebMatrix, you need to run this command in an administrative command prompt to allow all users to listen to other machines via http.sys:

netsh http add urlacl url=http://MACHNAME:PORT/ user=everyone

Replace MACHNAME with the hostname that will be used to contact the site and PORT with the traffic's port. I have read that using * instead of a specific hostname lets it listen on all names/interfaces, but I have not personally tested that, and some documentation uses + instead. Either way, once you've set the ACL, you can then create an inbound firewall rule for the port.

Further reading: Configuring HTTP and HTTPS.

Side comment: There's an actual environment variable that points to the 32-bit version of Program Files: %PROGRAMFILES(X86)%. (The path wasn't your problem, though.)

Best Answer

Related Solutions

Windows – How to block all traffic but one IP in Windows Firewall

Windows – How to configure Windows Firewall to allow all ports in use by IIS Express

Related Question