This post covers how to configure the Windows firewall to block Internet access for a given program, but still allow it LAN access.

I ran into this problem when experimenting with WireGuard for playing LAN-only games together over the Internet: I found that some games showed weird network behavior when trying to find their Internet-based match-making services (which either don’t exist anymore, or which might report back that the service has been shut down, or something like this – I did not investigate what the exact cause was, as I was only interested in getting LAN gaming to work).

As I couldn’t just deactivate the computer having Internet access altogether, or route all traffic through the tunnel in general, which didn’t have a default gateway attached, my quick solution for this was to block those games from having Internet access in general, but to still allow them LAN access.

## Some firewall background info

### Windows firewall defaults

The Windows firewall distinguishes protocol (TCP, UDP), port, and incoming or outgoing traffic. The default for outgoing traffic is “allow”. A rule for outgoing traffic is usually meant as an exception to this default, hence to block that traffic. In contrast to this, the default for incoming traffic is “block”. A rule for incoming traffic is usually meant as an exception to this default, hence to allow that traffic.

### Firewall rule prioritization (not supported by Windows firewall)

Unlike other firewalls, the Windows firewall does not have rule prioritization. With rule prioritization, firewall rules can be cascaded with overlapping address ranges, and the highest-priority rule that matches the traffic is applied. This allows for defining narrow high-priority rules, like “allow traffic from/to 192.168.0.0/16”, and broader low-priority rules, like “block traffic from/to 0.0.0.0/0”. This way, the first rule in the example would apply to traffic in the 192.168.0.0/16 subnet, which would hence be allowed. As the first rule does not apply to any other traffic, the second rule would subsequently match that other traffic, which results in it being blocked. Unfortunately, the Windows firewall does not support firewall rule prioritization, which is why rules cannot overlap each other’s address ranges (if they do, the outcome is undefined).

## Block Internet access but allow LAN with Windows firewall

Due to the Windows firewall not featuring rule prioritization, another solution is needed. The solution I chose was to specify a single Windows firewall rule that uses multiple non-overlapping address ranges, which together cover the whole IP range. In practical terms, to block outgoing Internet access for program X, but to also allow its LAN traffic:
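The single-rule approach described above, as an added PowerShell example that is not the post's own code: a small helper computes the address ranges that complement the LAN subnet (everything below it and everything above it), and one outbound block rule for the program is created with those ranges as its remote addresses. The LAN range 192.168.0.0/16 is the one used in the post; the program path, the rule name and the `Get-CidrComplement` helper are assumptions made for the illustration. The helper also covers the general case where the LAN subnet sits at the very bottom or top of the IPv4 space, in which only one complementary range is needed.

```powershell
# Added example, not code from the original post. Builds the single outbound
# block rule the post describes: its remote address ranges together cover all
# of IPv4 except the LAN subnet, so the rule never overlaps the LAN range.
# Program path and rule name are placeholders.

function ConvertTo-UInt32 ([ipaddress]$Address) {
    # Addresses come in network (big-endian) byte order; BitConverter wants host order.
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).IPAddressToString
}

function Get-CidrComplement ([string]$Cidr) {
    # Returns the ranges that, together with $Cidr, cover 0.0.0.0-255.255.255.255
    # without overlapping it: one range below the subnet, one above it (each only
    # if it is non-empty).
    $net, $prefixLength = $Cidr.Split('/')
    $size  = [uint64][math]::Pow(2, 32 - [int]$prefixLength)   # addresses in the subnet
    $first = [uint64](ConvertTo-UInt32 ([ipaddress]$net))
    $first = $first - ($first % $size)                          # align to the subnet boundary
    $last  = $first + $size - 1

    $ranges = @()
    if ($first -gt 0) {
        $ranges += '0.0.0.0-' + (ConvertFrom-UInt32 ([uint32]($first - 1)))
    }
    if ($last -lt [uint32]::MaxValue) {
        $ranges += (ConvertFrom-UInt32 ([uint32]($last + 1))) + '-255.255.255.255'
    }
    return $ranges
}

$lanSubnet   = '192.168.0.0/16'                    # the LAN range used in the post
$programPath = 'C:\Games\ProgramX\ProgramX.exe'    # placeholder: the executable to restrict
$ruleName    = 'Block Internet for Program X (allow LAN)'

$remoteRanges = Get-CidrComplement $lanSubnet

# One rule, one program, several non-overlapping remote ranges. Requires an
# elevated (administrator) PowerShell session.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -Program $programPath -RemoteAddress $remoteRanges -Profile Any -Enabled True

# Read back what the firewall actually stored as the rule's remote addresses.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

For 192.168.0.0/16 the helper produces 0.0.0.0-192.167.255.255 and 192.169.0.0-255.255.255.255, which touch the LAN subnet on either side without overlapping it. Note that the limited-broadcast address 255.255.255.255 falls inside the second range, so a program that discovers LAN peers via limited broadcasts would need that range to end at 255.255.255.254 instead. The final pipeline prints the stored ranges so the rule can be checked after creation.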