Firewall Outbound rules

Following this topic (Thanks @crossroads !)

This is for Windows Defender on Windows 11.

Following a recommendation from someone on PG forums, I already applied “Windows Spy Blocker” basic rules.

But I stumbled upon many “Allow” rules and I wonder if I can delete them or will this break stuff? For instance I have 3 allow rules for “Xbox Identity Provider”. I don’t have an Xbox account, can I delete those?

Thanks!

This is what it looks like:

Pinging @Average_Joe as I know you’ve been playing with Firewalls in the last few months.

Would you or someone else know?

1 Like

In my experience, you should not delete these rules. Rather, switch the Action from Allow to Deny in order to block the connection.
If your threat model allows for it, I find it personally more useful to go with a third party firewall solution where you can whitelist applications and connections rather than having to blacklist.

1 Like

In my experience, you should not delete these rules. Rather, switch the Action from Allow to Deny in order to block the connection.

This is correct. Usually the outbound default action is to allow, so deleting outbound allow rules has no effect and you would need to deny the traffic explicitly for it to actually be blocked.

As for whether this should be done for a given rule, it really depends on if doing so would break any functionality you need. You may need to test and be prepared to undo your changes if necessary.

If your threat model allows for it, I find it personally more useful to go with a third party firewall solution where you can whitelist applications and connections rather than having to blacklist.

This can be done easily with the built-in firewall too. Just change the default outbound action to deny.

2 Likes
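The two points above (a default-allow outbound policy makes deleting Allow rules pointless, and the built-in firewall can do allowlisting once the default outbound action is Block) can be checked and applied with the NetSecurity cmdlets. This is an added example, not code from the thread or from any project it names; the “Xbox Identity Provider” rule name comes from the thread, the Firefox path is an assumed placeholder, and the script must run in an elevated PowerShell.

```powershell
# Added example: inspect and adjust Windows Defender Firewall outbound policy.

# 1. Show the default action per profile. While DefaultOutboundAction is Allow,
#    removing an outbound Allow rule changes nothing: the traffic is still allowed.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Export the current policy first so every change below can be undone.
netsh advfirewall export "$env:USERPROFILE\firewall-backup.wfw"

# 3. Block instead of delete: flip the thread's example rule from Allow to Block.
#    The rule stays visible and can be flipped back if something breaks.
Get-NetFirewallRule -Direction Outbound -Action Allow |
    Where-Object DisplayName -like 'Xbox Identity Provider*' |
    Set-NetFirewallRule -Action Block

# 4. Allowlist mode with the built-in firewall: deny by default on all profiles.
#    From here on, only traffic matched by an explicit enabled Allow rule leaves.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 5. Review what is still explicitly allowed outbound; disable what you don't need
#    with Disable-NetFirewallRule rather than Remove-NetFirewallRule.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Group, Profile |
    Sort-Object DisplayName

# 6. Add your own per-program allow rule (assumed path; adjust to your install).
New-NetFirewallRule -DisplayName 'Allow Firefox outbound' -Direction Outbound `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' -Action Allow

# Roll back everything if needed:
#   netsh advfirewall import "$env:USERPROFILE\firewall-backup.wfw"
```

Step 3 is the safe way to test whether a given rule is needed: if something stops working, flip it back to Allow instead of having to recreate a deleted rule by hand.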

I’m assuming if I do that to all the rules in the image above, it would break my computer lol.

If I already applied the ‘Windows Spy Blocker’ basic rules, are those enough? Here’s the full list:


Well, no. It would if you changed the default outbound action to deny and disabled those rules (without replacing them with rules you define, at least), but those are two distinct actions. Tweaking any rules would come after setting the default outbound action and be a much more specific process. This is also how any firewall would work, so using a third-party one doesn’t change anything.

Depends what your goals are. They’re enough to block those IPs. They’re not enough to take an outbound allowlist approach.

1 Like

Sorry, I only understand the basics of a Firewall and its purpose, please do educate me on specifics :stuck_out_tongue:

My default connection is indeed set to “Outbound connections that do not match a rule are allowed”.

If that’s the case, why are there so many “allow” rules in my outbound connections? What’s the purpose of them being there if they’re already allowed by default?

They more or less exist to prevent breaking basic network functionality in the event you did switch the default outbound action to deny. They are defaults that most people (or at least Microsoft, in some cases) will always want allowed. You can/should definitely turn off anything you don’t need if you want a strict allowlist, but the point is that changing the default action itself shouldn’t entirely break your system because of those rules.

2 Likes

Aaaaaah ok I get it now.

My goal is to remove as much Telemetry as possible.

What would be your recommendation?

You can try a strict allowlist where only certain programs are allowed to establish connections but even that’s not 100% and could have varying degrees of success for the purpose of preventing telemetry. If that sounds like overkill and you’d prefer to only deny telemetry connections, I’d really recommend just using a DNS blocklist instead of blocking specific IPs with a firewall as the IPs used are probably not stable enough to rely on. You can also combine any of these approaches depending on your threat model.

I’d love to do this, but how would you build that list? Say I put my outbound connection to deny and delete the Microsoft Outbound rule, it would definitely break stuff like Windows Defender for instance. How do I build that list? Is there a program that would let me select the programs that I need and build the allow list for me?

If you want to do that, the Windows default firewall is not a good choice. Indeed, it has no function to warn or prompt about outgoing connections.

You should use a third party software firewall.

Then, you could block every outbound connection and, when warned, allow those you trust. For example, the first time you receive a firewall warning about your browser trying to connect to the internet, you choose yes.

After a couple of days you will find yourself with a whitelist of software that you let outbound.

1 Like

I’d love this. Would SimpleWall do what you said?

I hope so, because it seems to be the only one truly recommended here:

I am not familiar with simplewall. It seems it uses Windows Firewall and adds extra options. You would have to test it.

Worst case, it will block applications without notifications. You would have to figure it out and enable them when troubleshooting.

1 Like

That’s exactly how it works. Every app (or every executable rather) is blocked from making any connections by default and you will get a notification when one tries to make a connection.
You can also silence these notifications on a per-app basis so that you won’t keep getting them for apps that you intend to keep blocked.

2 Likes

Would be interesting to hear what all you can/should block from Microsoft. :folded_hands:

1 Like

Thanks! Does simplewall completely replace Windows Defender? Should I run scripts to remove Windows Defender or run them in parallel?

You can use it as a complete replacement for Windows Defender but it does not replace it in the sense that it does not remove or override anything related to Windows Defender. Simplewall acts as a GUI to configure Windows Filtering Platform (WFP) which is already built into Windows.

When you first run simplewall and enable it you’ll see an option to turn off Windows Defender. By default that checkbox will be enabled, but I personally uncheck this. Windows Defender and simplewall don’t interfere with each other so there’s no harm in having both enabled. I certainly wouldn’t run any scripts to strip out Windows Defender.

Also note that by default Windows Update will be blocked. To enable this, click Settings > Rules > Allow Windows Update. Then, when Windows tries to connect to the update servers, you’ll get a notification that wusvc.exe wants to connect to the internet. Allow this.

You might want to enable SMB and RDP if you use those. You can find those in the ‘System rules’ tab.

Aside from these changes, I leave everything else blocked except for the programs that I use.

1 Like