Why is Windows Firewall Blocking DHCP/DNS Even with Allow Rules?

Asked By MellowPine_42 On

I'm currently working remotely and tightening outbound traffic settings on user workstations. For both Public and Private network profiles, I've limited allowed traffic to only HTTP (port 80) and HTTPS (port 443). Here's how I've set it up:

- **Private – Outbound:** Block by default
- **Public – Outbound:** Block by default
- **Domain – Outbound:** Allow (assuming there's already a corporate firewall in place)

I've created a very permissive Allow rule that permits all ports and programs for outgoing traffic to all IPs, while still enforcing the block on Public and Private profiles.

The problem I'm encountering is that when the client is connected to the corporate network (Domain profile), it fails to obtain an IP address through DHCP. Services essential for network connectivity like DHCP, DNS, and LDAP are being dropped despite my specific Allow rules. As a result, the client ends up with a 169.254.x.x (APIPA) address.

Using Wireshark shows no DHCP traffic, and upon checking Windows Defender's `pfirewall.log`, I can see UDP packets being dropped.

I suspect that Windows is applying the Public profile until it confirms the domain status. Since the Public outbound is fully blocked—even with essential services allowed—the initial essential communications like DHCP and DNS for domain detection fail.

So my question is: How can I configure these firewall rules to block all outbound traffic except for TCP ports 80 and 443 on Public and Private networks, yet still ensure that DHCP and DNS work correctly on corporate networks? How can I make sure essential services function properly on the Domain network while maintaining strict outbound restrictions for Public and Private?

2 Answers

Answered By CuriousCoder_99 On

You definitely need to keep port 53 open for DNS; it has to be both inbound and outbound for it to work properly. Without that, no DNS resolution and that's essential!

TechGuru_27 -

Yeah, I get that, but I thought I already had that rule set up. It seems like it's still being blocked.

Answered By NetworkNinja_84 On

It seems like your network type profile might not be set correctly until after you're already connected, which is a big issue here. Plus, there are more ports you need beyond just 80 and 443 when on a corporate network. DHCP and DNS are pretty safe to allow across all profiles. Just make sure both are allowed inbound too, since they're typically UDP by default. Don't forget DNS over TCP for larger messages!

TroubleshootTina_57 -

But I created an explicit rule to allow all ports for outgoing traffic just for testing. Even with that, it still doesn't work. What else can I try?
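A rule set that follows the advice in the thread, added here as an example rather than something posted by the asker or the answerers: default outbound Block on Public and Private, with DHCP and DNS allowed on every profile (since the machine is still on Public or Private while it obtains a lease and locates the domain) and locked to the client services that actually need them. It assumes the built-in "Core Networking" DHCP/DNS rules are absent or overridden (for example by a GPO that does not merge local rules); the rule DisplayNames are chosen here, while `Dhcp` and `Dnscache` are the standard Windows service names.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell.
# Rule DisplayNames are chosen here; "Dhcp" and "Dnscache" are the standard
# Windows service names for the DHCP client and DNS client.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Default outbound action: Block on Public/Private, Allow on Domain.
Set-NetFirewallProfile -Profile Public,Private -DefaultOutboundAction Block
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Allow

# 2. DHCP client: UDP from local port 68 to server port 67. Scoped to ALL
#    profiles because the profile is still Public/Private until the lease and
#    domain detection succeed, and limited to the DHCP service in svchost.exe.
New-NetFirewallRule -DisplayName "Allow DHCP client (out)" -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 `
    -Program $svchost -Service Dhcp -Profile Any
New-NetFirewallRule -DisplayName "Allow DHCP client (in)" -Direction Inbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 `
    -Program $svchost -Service Dhcp -Profile Any

# 3. DNS client: UDP 53, plus TCP 53 for answers too large for a UDP datagram.
foreach ($proto in "UDP","TCP") {
    New-NetFirewallRule -DisplayName "Allow DNS client ($proto out)" `
        -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
        -Program $svchost -Service Dnscache -Profile Any
}

# 4. The only other outbound traffic permitted on Public/Private: HTTP/HTTPS.
New-NetFirewallRule -DisplayName "Allow HTTP/HTTPS (out)" -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 80,443 -Profile Public,Private

# 5. Verify: enabled outbound Allow rules with their protocol, ports, profiles.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile
                           Proto = $pf.Protocol;   RemotePort = $pf.RemotePort }
    } | Format-Table -AutoSize

# 6. Check whether UDP 67/68/53 drops still appear in the firewall log
#    (path is the Windows default; empty output after a renew means no drops).
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Select-String -Path $log -Pattern '\bDROP\b.*\bUDP\b.*\b(67|68|53)\b' |
    Select-Object -Last 10
```

After applying the rules, `ipconfig /release` followed by `ipconfig /renew` exercises the DHCP path while the profile is still Public or Private, which is the situation the question describes.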
