How to Add Outbound Windows Firewall Exception?

Ryan Smyth picture Ryan Smyth · Oct 9, 2011 · Viewed 26.4k times · Source

I need to open up the Windows Firewall for outbound connections for an application I'm writing.

The best answers I've been able to locate are here:

http://www.shafqatahmed.com/2008/01/controlling-win.html

http://www.vincenzo.net/isxkb/index.php?title=Adding_a_rule_to_the_Windows_firewall

The problem is that method only creates an inbound rule, and not an outbound rule. (Both the C# and InnoSetup script use the same method.) This is entirely useless for me.

The default behaviour for the Windows Firewall is to allow outbound traffic, but that doesn't guarantee that someone won't change that.

I would prefer to do this in the installer (using InnoSetup) rather than doing it in C#.

Did I miss something?

Does anyone know how to create an outbound rule?

Answer

xiaose picture xiaose · Feb 1, 2012

You can use netsh if you need add some exceptions for your application.

write in command line (for XP):

netsh firewall add allowedprogram ?

write in command line (for W7):

netsh advfirewall firewall add rule ?

This difference becouse netsh firewall command is deprecated. Instead, we have to use the command netsh advfirewall firewall.

More information about using the command netsh advfirewall firewall instead of the netsh firewall command we can see in Knowledge Base there: http://go.microsoft.com/fwlink/?linkid=121488

Examples:

Adding a rule for incoming traffic without security encapsulation for messenger.exe:

netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe" security=authnoencap action=allow

Adding a rule for outgoing traffic at the port 80:

netsh advfirewall firewall add rule name="allow80" protocol=TCP dir=out localport=80 action=block

Adding rules to inbound traffic with safety & traffic encryption for TCP through port 80:

netsh advfirewall firewall add rule name="Require Encryption for Inbound TCP/80" protocol=TCP dir=in localport=80 security=authdynenc action=allow