3

goal

By default, the integrated Windows 10 Firewall allows ALL outbound connections. This seems crazy to me.

I want to block ALL outbound traffic and whitelist only those few programs which really need Internet access (mainly Thunderbird and Firefox).

what I have done so far

  • I have obviously made sure that firefox.exe can connect using the default settings (allow all outbound traffic).
  • Subsequently, I have set the outbound connections in "domain profile", "public profile", and "private profile" to block – as depicted here: screenshot
  • I have created allow rules for firefox.exe and ping.exe, allowing all outbound traffic (all protocols and ports) for both applications: screenshot of allow-rules
  • I have made sure that all seemingly network-related predefined/preconfigured allow rules are active (enabled), particularly "Core Networking - DNS", etc. screenshot of allow-rules
  • I have chatted with reasoning AI chatbots to troubleshoot.
  • As suggested in https://superuser.com/a/454770 I have run this:
    netsh wfp capture start
    netsh wfp capture stop
    
    The output is an 8 MB .xml file. I was unable to find the culprit in it.
    But this part seems interesting:
    <name>WSH Default Outbound Block</name>
    <description>Blocks all outbound traffic for services who have been network hardened</description>
         [...]
    <action>
    <type>FWP_ACTION_BLOCK</type>
    
    "WSH default outbound block" is not listed in the Windows Firewall outbound rules. I don't know where this rule is stored/located and whether or not it has any bearing on this problem, but the same rule seems to have been the culprit in Q451862.

result

Despite all of these steps, both firefox.exe and ping.exe fail to connect.

potential culprit

Maybe I need to whitelist some Windows component essential for networking. But as I said above, I have enabled all the predefined allow-rules that sound important for networking.
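Added example, not part of the question above: the most direct way to see what a default-block outbound policy is actually dropping is the firewall's own dropped-packet log rather than a WFP capture (the "WSH Default Outbound Block" filter seen in a capture belongs to Windows Service Hardening and applies to hardened Windows services, not to ordinary programs such as firefox.exe). This script turns that logging on, lists which program or service each enabled outbound allow rule is bound to, and parses the log for outbound drops. It assumes Windows 10/11 with the NetSecurity module and the default log location; the log lines at the bottom are constructed so the parser can be tried offline, and the `pid` column is present only on newer builds (parsing is driven by the `#Fields:` header, so an older log without it still works). The Set-NetFirewallProfile call needs an elevated shell.

```powershell
# Added diagnostic example (not from the original post). Assumes the default
# firewall log path below; Enable-DropLogging needs an elevated PowerShell.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Show-OutboundPolicy {
    # The profile default applies only when no rule matches the packet.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked, LogFileName
}

function Enable-DropLogging {
    # Log blocked packets on all three profiles so dropped traffic becomes visible.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 16384
}

function Get-OutboundAllowRules {
    # Every enabled outbound allow rule with the program and service it is bound to.
    # Program 'Any' plus Service 'Any' means "every process", which defeats an allowlist.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Group       = $_.DisplayGroup
            Profile     = $_.Profile
            Program     = ($_ | Get-NetFirewallApplicationFilter).Program
            Service     = ($_ | Get-NetFirewallServiceFilter).Service
        }
    }
}

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # W3C-style log: a '#Fields:' header names the columns; data rows are space separated.
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$row
    }
}

function Get-OutboundDrops {
    param([string[]]$Lines)
    # Outbound drops carry path SEND. The pid column (newer builds; assumption) lets us
    # map a drop back to the owning executable while it is still running.
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        ForEach-Object {
            $proc = if ($_.pid) { Get-Process -Id $_.pid -ErrorAction SilentlyContinue } else { $null }
            [pscustomobject]@{
                time     = $_.time
                protocol = $_.protocol
                dst      = "$($_.'dst-ip'):$($_.'dst-port')"
                pid      = $_.pid
                process  = if ($proc) { $proc.Path } else { '(exited or unknown)' }
            }
        }
}

# Constructed sample log (not real captured data) so the parser runs offline.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid
2025-05-31 13:11:02 DROP UDP 192.168.1.20 192.168.1.1 61234 53 0 - - - - - - - SEND 1904
2025-05-31 13:11:02 DROP TCP 192.168.1.20 203.0.113.10 61235 443 0 S 123456 0 64240 - - - SEND 5120
2025-05-31 13:11:03 DROP ICMP 192.168.1.20 203.0.113.10 - - 60 - - - - 8 0 - SEND 6648
'@ -split "`r?`n"

Get-OutboundDrops -Lines $SampleLog | Format-Table -AutoSize

# Live run, elevated: Enable-DropLogging; reproduce with Firefox and ping; then
#   Get-OutboundDrops -Lines (Get-Content $LogPath) | Format-Table -AutoSize
#   Show-OutboundPolicy; Get-OutboundAllowRules | Format-Table -AutoSize
```

How to read the result: a `DROP UDP ... :53 SEND` whose pid belongs to svchost.exe means name resolution by the DNS Client service itself is blocked, so the "Core Networking - DNS (UDP-Out)" rule is not matching, and Firefox will fail before it ever opens a TCP connection. A `DROP TCP ... :443 SEND` whose pid is firefox.exe means the program rule is not matching the binary that is actually running; compare `Get-OutboundAllowRules` Program paths against `(Get-Process firefox).Path`, since a rule written for `%ProgramFiles%\Mozilla Firefox\firefox.exe` never matches a per-user install under `%LocalAppData%`. If the log stays empty after a reproduction, confirm `LogBlocked` is `True` on the active profile and that the firewall service can write to the log folder.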

2 Answers

1

I did some tests on my computer in a Windows VM and managed to allow only the Firefox and ping applications to access the internet. I suggest you do some tests in a VM if you can.

How did I do this?

  1. Well, I simply disabled all the firewall rules located in Outbound Rules apart from the ones related to Core Networking.

  2. I enabled all the firewall rules located in Outbound Rules related to Core Networking that were not yet enabled.

  3. I modified all the firewall rules located in Outbound Rules related to Core Networking Diagnostics - ICMP Echo Request* to allow any Local and Remote Address.

  4. I created a specific firewall rule in Outbound Rules for the Firefox application (Program path: %ProgramFiles%\Mozilla Firefox\firefox.exe) applied to the profiles (Domain, Private, Public), allowing any Protocol and any Local and Remote Address.

Ready! Now only Firefox and Ping are accessing the internet.

Further Information

This was done in a Windows 10 VM created from scratch and fully updated today (05/31/2025 - 01:11PM). The only application I installed was Firefox.

Windows version: Windows 10 Enterprise 22H2 (OS Build 19045.59.17)
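The four steps of this answer as one script, added here as an example and not the answerer's own code. It takes a rollback export first, sets the outbound default to Block on all profiles, disables every outbound rule outside the Core Networking groups, enables the Core Networking ones, widens the ICMP Echo Request rules, and creates the Firefox rule. Assumptions: Windows 10/11 with the NetSecurity module, an elevated shell, and that Firefox's path can be read from its `App Paths` registration (falling back to the `%ProgramFiles%` path the answer uses); the rule name and group `Outbound allowlist` are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example implementing the answer's steps 1-4 (not the answerer's code).

# 0. Rollback point before touching the rule set (netsh advfirewall export needs a .wfw path).
$Backup = Join-Path $env:TEMP ("fw-backup-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
netsh advfirewall export $Backup | Out-Null
Write-Host "Rule set exported to $Backup (restore with: netsh advfirewall import <file>)"

# Block outbound by default on every profile; only matching allow rules get through.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 1. Disable every outbound rule that is not in a Core Networking group.
#    This also disables any user-created rules, which is why step 4 re-enables Firefox's.
Get-NetFirewallRule -Direction Outbound |
    Where-Object { $_.DisplayGroup -notlike 'Core Networking*' } |
    Disable-NetFirewallRule

# 2. Enable the Core Networking outbound rules (DNS, DHCP, ICMP, IPv6 plumbing), all profiles.
Get-NetFirewallRule -Direction Outbound |
    Where-Object { $_.DisplayGroup -like 'Core Networking*' } |
    Enable-NetFirewallRule

# 3. Widen the ICMP Echo Request rules to any local/remote address, as the answer does.
Get-NetFirewallRule -Direction Outbound -DisplayName 'Core Networking Diagnostics - ICMP Echo Request*' |
    Set-NetFirewallRule -LocalAddress Any -RemoteAddress Any

# 4. One program rule for Firefox: any protocol (the cmdlet default), any address, all profiles.
#    Resolve the real binary first; a rule whose Program path does not exist never matches.
$AppPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe'   # assumption: Firefox registered itself here
$Firefox  = (Get-ItemProperty -Path $AppPaths -ErrorAction SilentlyContinue).'(default)'
if (-not $Firefox) { $Firefox = "$env:ProgramFiles\Mozilla Firefox\firefox.exe" }
if (-not (Test-Path $Firefox)) { throw "firefox.exe not found at $Firefox; the rule would never match." }

$RuleName = 'Allow Firefox (outbound)'   # example's own name
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True -Program $Firefox
} else {
    New-NetFirewallRule -DisplayName $RuleName -Group 'Outbound allowlist' `
        -Direction Outbound -Action Allow -Enabled True `
        -Program $Firefox -LocalAddress Any -RemoteAddress Any `
        -Profile Domain, Private, Public | Out-Null
}

# Verify: default is Block everywhere and only the intended allow rules are live.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, DisplayGroup, Profile | Sort-Object DisplayGroup, DisplayName

# Functional checks (need a network): ping and Firefox should work; this PowerShell
# process has no rule, so a TCP probe from it should now fail:
#   ping example.com
#   Test-NetConnection example.com -Port 443   # TcpTestSucceeded : False is the expected result
```

Two things worth knowing before running it: step 1 also switches off rules such as Windows Update, Store and Defender cloud lookups, which is exactly what the question asks for but means updates must be re-allowed deliberately; and keeping your own rules in one group (`Outbound allowlist` here) lets you list or remove them later with `Get-NetFirewallRule -Group 'Outbound allowlist'` and `Remove-NetFirewallRule -Group 'Outbound allowlist'`.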

0

I finally solved the problem using a third-party freeware tool: Firewall App Blocker
(I am unaffiliated with it.)

To my understanding, this is an external front-end for the internal Windows Firewall, meaning that the tool simplifies the process of setting up the allow/block rules, but the rules themselves are then implemented/executed by the internal Windows Firewall.

In the tool, I set the mode to whitelist mode:

« it will block everything except [for] the white listed items »

Subsequently, I whitelisted apps using the "add process" button: screenshot

The button opens a list of all currently running processes, which you can select to whitelist. This makes it very easy to identify the actually running executables (which may require Internet access).

I tried but was unable to track down what initially went wrong when I attempted to define the rules myself directly in the Windows Firewall. I would have preferred to find a native solution instead of adding yet another tool. But in the end, I gave up finding the culprit, as I grew to like the added comfort of adding exceptions very easily and quickly.

I am incredibly happy that I finally managed to solve this problem, since as said in the question, the internal Windows 10 Firewall allows ALL outbound connections, which I find crazy.
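A native stand-in for the tool's "add process" button, added here as an example (this is not the tool's code and does not describe how it works internally). Because the tool only writes ordinary Windows Firewall rules, the same workflow can be done in PowerShell: list the executables that currently own a TCP connection or UDP endpoint, pick the ones to allow, and write one outbound allow rule per executable. Assumptions: Windows 10/11 with the NetSecurity module, an elevated shell, `Out-GridView` available (Windows PowerShell 5.1), and the rule names and `Outbound allowlist` group are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: allowlist running executables natively (not the third-party tool's code).

function Get-NetworkingProcesses {
    # Executables with live sockets right now, the same view a process picker gives.
    $pids = @(Get-NetTCPConnection -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OwningProcess) +
            @(Get-NetUDPEndpoint   -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OwningProcess)
    $pids | Sort-Object -Unique | ForEach-Object {
        $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
        if ($p -and $p.Path) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path }
        }
    } | Sort-Object Path -Unique
}

function Add-OutboundAllowRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Path)
    process {
        # svchost.exe hosts many services; allowing the binary would allow all of them.
        # The predefined, service-scoped Core Networking rules cover what is needed there.
        if ((Split-Path $Path -Leaf) -ieq 'svchost.exe') {
            Write-Warning "Skipping $Path; keep service-scoped rules (Core Networking) for it."
            return
        }
        # Skip if an enabled outbound allow rule for this program already exists.
        # Stored Program paths may use %ProgramFiles%-style placeholders, so expand before comparing.
        $existing = Get-NetFirewallApplicationFilter |
            Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $Path } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
        if ($existing) { Write-Verbose "Rule already present for $Path"; return }

        if ($PSCmdlet.ShouldProcess($Path, 'Create outbound allow rule')) {
            New-NetFirewallRule -DisplayName "Allowlist: $(Split-Path $Path -Leaf)" -Group 'Outbound allowlist' `
                -Direction Outbound -Action Allow -Enabled True -Program $Path `
                -Profile Domain, Private, Public | Out-Null
        }
    }
}

# Interactive pick: Out-GridView -PassThru returns the rows you select, like the tool's process list.
Get-NetworkingProcesses |
    Out-GridView -Title 'Select executables to allow outbound' -PassThru |
    Add-OutboundAllowRule -WhatIf    # remove -WhatIf to actually create the rules

# Review or undo everything this script created:
#   Get-NetFirewallRule -Group 'Outbound allowlist' | Select-Object DisplayName, Enabled
#   Remove-NetFirewallRule -Group 'Outbound allowlist'
```

The `-WhatIf` first run only prints what would be created, which is the check to do before trusting any process picker: the list shows whatever happens to hold a socket at that moment, so an updater or telemetry helper that is running in the background is as easy to allow by accident as Firefox is on purpose. Rules created by program path also bind to the path, not to the binary's identity, so a rule for a per-user install under `%LocalAppData%` stops matching after the program is moved or reinstalled elsewhere.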