
My IT department has just changed from the F-Secure firewall to the built-in Windows Defender Firewall (Windows 10). And it's quite properly enforced by group policy, so I can't turn it off.

However, I have a number of virtual machines running on my laptop (using VirtualBox). Each has a "Host-Only" virtual network adapter which only connects between the host (my laptop) and the VM. I need services running on the VM to call ones I run on the host. With the F-Secure one I could simply tell the firewall to ignore these connections. Now, since the group policy controls that, I can't.

I can create custom firewall rules. But can I create one that only applies to certain adapters/interfaces? I can only see how to apply to an interface type (public/private/domain) which doesn't really cover this use case. (Plus Windows makes it so damn hard to find out what type those are that it's a pain).

  • I believe you can assign a rule to a specific local IP Address, but not to a specific adapter. Although that might effectively be the same thing. Commented Jul 1, 2019 at 16:15

2 Answers


This is possible with New-NetFirewallRule. For example, I used this command to allow all inbound connections originating from WSL2 (source):

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

I couldn't find the interface filter in Windows Defender Firewall GUI (closest thing is interface type), but I verified with this:

>> Get-NetFirewallRule -DisplayName "WSL" | Get-NetFirewallInterfaceFilter
InterfaceAlias : vEthernet (WSL)

and by testing that LAN connections were still blocked by the firewall.


I think you can achieve this in the advanced security firewall by setting the Local IP in a custom rule.

If you create a new rule, and choose 'Custom' as the rule type, click next

Leave 'All' Programs, click next

Choose the protocols/ports as necessary, click next

The next screen 'Scope' is where you should be able to do this. Set the local IP as the one on the adapter you wish to allow it on


on the next page choose "allow" or "allow if secure"

Pick the profile (you could probably leave all 3 ticked if you're unsure which profile it is, but better to find out - this should be in network connections)

Give it a name, and it should be good to go

NB: please test this, as I have not :P

P.S. While not strictly choosing the adapter, you can choose all the IP addresses on that adapter, which is basically the same thing.

  • Yeah. I had considered that. It's almost the same thing, unless you end up on a public WiFi which assigns the same subnet and have to turn off the VM. I guess a combination of private/domain network and IP address would be OK though. Just need to find out which network type it treats them as, which Windows seems to want to hide (it shows it for the main connected network, but not for the VM adapters since they aren't a "network" from its point of view).
    – Adam
    Commented Jul 1, 2019 at 16:31
  • Ah, so it's more that you don't want any network traffic from your VMs to go any further than the host? To avoid public wifi maybe use a higher number in the 3rd octet like 192.168.139.x or something, although it's still possible that could be used by public wifi I guess. Then, it might be quick and dirty, but you could just remove the gateway addresses from the config of that range - that will stop traffic trying to get out from that range (anything outside will be unroutable). You should be able to add a second IP onto the host NIC with an IP in that range.
    – Smock
    Commented Jul 2, 2019 at 8:36
  • No, it's more like I don't want to open that wide on something that could, potentially, end up being outside on the network. I want it wide open between my laptop (host) and its VM. With the connection-specific settings in F-Secure I could do that, because I know the host-only adapter isn't exposed outside, so I could just tell the firewall to ignore it totally.
    – Adam
    Commented Jul 2, 2019 at 11:34
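The two answers above describe the same rule from two sides: the first uses the per-adapter interface filter that only PowerShell exposes, the second scopes by the adapter's IP address from the GUI. The script below is an added example (not code from either answer or from the question) that combines both, so the rule matches only on the host-only adapter and only for the host-only subnet, and then reads back what the firewall actually stored. It assumes the VirtualBox adapter's alias is "VirtualBox Host-Only Network" and that the host-only subnet is 192.168.56.0/24 (VirtualBox's default); check both against Get-NetAdapter and Get-NetIPAddress on your own machine and adjust. It must be run from an elevated PowerShell session.

```powershell
# Added example: inbound allow rule scoped to the VirtualBox host-only adapter.
# Assumed values (adjust to your machine):
$ifAlias  = 'VirtualBox Host-Only Network'   # alias as shown by Get-NetAdapter
$subnet   = '192.168.56.0/24'                # host-only subnet (VirtualBox default)
$ruleName = 'VirtualBox host-only: allow inbound from VMs'

# 1. Confirm the adapter exists, and see which profile (if any) Windows gave it.
#    Host-only adapters often have no connection profile at all, which is why the
#    profile is hard to find in the GUI; -Profile Any below sidesteps that.
Get-NetAdapter -Name $ifAlias -ErrorAction Stop | Select-Object Name, Status
Get-NetConnectionProfile -InterfaceAlias $ifAlias -ErrorAction SilentlyContinue |
    Select-Object Name, NetworkCategory
Get-NetIPAddress -InterfaceAlias $ifAlias -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength

# 2. (Re)create the rule. -InterfaceAlias is the adapter filter the GUI does not
#    expose; -LocalAddress/-RemoteAddress add the address scope from the second
#    answer, so a foreign network that happens to reuse the subnet on a different
#    adapter (the public-WiFi case from the comments) still does not match.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName
}
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -InterfaceAlias $ifAlias `
    -LocalAddress $subnet `
    -RemoteAddress $subnet `
    -Profile Any `
    -Action Allow | Out-Null

# 3. Verify the filters that were actually stored on the rule.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias
$rule | Get-NetFirewallAddressFilter   | Select-Object LocalAddress, RemoteAddress
$rule | Select-Object DisplayName, Enabled, Profile, PolicyStoreSourceType

# 4. Caveat for a GPO-managed firewall: if the policy turns off
#    "Apply local firewall rules" for a profile, a locally created rule is stored
#    but never evaluated. Check before concluding the rule "does not work".
Get-NetFirewallProfile | Select-Object Name, Enabled, AllowLocalFirewallRules
```

If AllowLocalFirewallRules reports False for the profile the adapter lands in, the rule in step 2 will be silently ignored and the only fix is for the group policy itself to carry the rule (or to allow local rule merging); no local cmdlet or GUI setting overrides that. Also note that both filters are intersected: a packet must arrive on the named adapter and carry addresses inside the subnet, which is stricter than either answer alone.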
