What you will achieve
Understand inbound versus outbound Windows Firewall rules, create a rule correctly, and avoid opening more than you need.
1) Open Windows Defender Firewall with Advanced Security
- Press Win + R, type wf.msc, and press Enter.
- You see separate lists for Inbound Rules and Outbound Rules.
- Inbound controls traffic coming into the PC from the network or internet. Outbound controls traffic leaving the PC.
2) When each direction matters
- File sharing, RDP, or a local web server each need an inbound allow rule for the specific port, restricted to the profile(s) where the service should actually be reachable (Domain, Private, Public).
- Blocking outbound traffic is rare on client PCs because it breaks apps that call cloud APIs. Use outbound rules mainly to restrict specific apps on managed machines.
- Default policy: inbound blocked unless allowed; outbound allowed unless blocked.
3) Create an inbound allow rule
- In wf.msc, click Inbound Rules → New Rule.
- Choose Port (or Program), specify TCP or UDP and the port number (e.g. TCP 3389 for RDP), and allow the connection. If the service is only needed on the LAN, open the finished rule's Scope tab and limit Remote IP address to the local subnet so the port is not reachable from off-subnet sources.
- Apply the rule only to the Private profile if the PC is used on home networks; leave Public unchecked unless you genuinely need the service reachable on untrusted networks.
4) Verify with PowerShell
Get-NetFirewallRule -Direction Inbound | Where-Object {$_.Enabled -eq 'True' -and $_.Action -eq 'Allow'} | Select-Object DisplayName, Profile | Format-Table -AutoSize
5) Block an outbound app (managed scenarios)
- Outbound Rules → New Rule → Program → browse to badapp.exe → Block the connection.
- Test afterwards: many apps fail silently when outbound DNS or HTTPS is blocked, so check the app's own behaviour rather than waiting for an error dialog.
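The same two rules as steps 3 and 5 built from PowerShell instead of the wizard, plus a verification that goes one step beyond step 4 by joining each rule to its port, program and address filters (Get-NetFirewallRule alone does not show what a rule opens). This is an added example, not code from the original page; run it in an elevated session. The rule names and the badapp.exe path are assumptions chosen for illustration.

```powershell
# Added example: scoped inbound allow + outbound program block, then an effective-rule summary.
# Rule names and the badapp.exe path below are assumptions, not values from the page.

$ruleName = 'Allow RDP (Private, LAN only)'

# Step 3: inbound allow for RDP, limited to the Private profile and the local subnet so
# 3389 is not exposed on Public networks or to off-subnet sources.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Profile Private -RemoteAddress LocalSubnet `
        -Action Allow -Enabled True | Out-Null
}

# Step 5: outbound block for one program (managed scenario). The path is hypothetical.
$blockName = 'Block badapp.exe outbound'
if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockName `
        -Direction Outbound -Program 'C:\Program Files\BadApp\badapp.exe' `
        -Profile Any -Action Block -Enabled True | Out-Null
}

# Step 4, extended: list enabled rules together with the ports, programs and remote
# addresses they apply to, so you can see exactly what each rule opens or closes.
function Get-EffectiveRuleSummary {
    param([string]$Direction = 'Inbound')
    Get-NetFirewallRule -Direction $Direction -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Action    = $_.Action
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Program   = $app.Program
                Remote    = ($addr.RemoteAddress -join ',')
            }
        }
}

Get-EffectiveRuleSummary -Direction Inbound  | Where-Object Action -eq 'Allow' | Format-Table -AutoSize
Get-EffectiveRuleSummary -Direction Outbound | Where-Object Action -eq 'Block' | Format-Table -AutoSize
```

The summary is slow on a machine with hundreds of rules because each rule is queried three times; filter by -DisplayName or -Direction first when you only care about a few rules. The Remote column is the quickest way to spot an allow rule that was created without the local-subnet scope.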
6) Restore firewall defaults
netsh advfirewall reset
netsh advfirewall set allprofiles state on
- The reset removes every custom rule, including rules that installers added for their own apps, and returns all profiles to the shipped defaults. If you may need the current rules back, export them first (wf.msc → Action → Export Policy).
7) Logging dropped packets
- In wf.msc, right-click the top node (Windows Defender Firewall with Advanced Security) → Properties → Private Profile tab → Logging → Customize → set Log dropped packets to Yes and the file name to C:\Temp\pfirewall.log.
- If no log appears, check that C:\Temp exists and that the firewall service can write to it.
- Use the log to debug why RDP or a file share fails without disabling the firewall entirely: a DROP line whose dst-port is the service port and whose path is RECEIVE shows the block happened on this PC.
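A small parser for the log configured in step 7, so you can pull out the drops for one port instead of reading the file by eye. This is an added example, not part of the original page. It reads the column order from the #Fields header that Windows Firewall writes, and falls back to three constructed sample lines (not a real capture) when C:\Temp\pfirewall.log is absent, so it also runs offline.

```powershell
# Added example: parse pfirewall.log and list DROP entries for a given destination port.
# The firewall writes W3C-style lines whose columns are declared by a "#Fields:" header:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Take the column order from the header rather than hard-coding it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # data before a header: nothing to map it to
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$obj
    }
}

function Find-DroppedTo {
    param([string[]]$Lines, [int]$DstPort)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.'dst-port' -eq "$DstPort" }
}

# Constructed sample (not a real capture): an RDP attempt from the LAN dropped on RECEIVE,
# an SMB attempt dropped, and one allowed outbound HTTPS connection.
$sample = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2024-05-01 10:22:13 DROP TCP 192.168.1.20 192.168.1.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE'
    '2024-05-01 10:22:15 DROP TCP 192.168.1.20 192.168.1.10 51235 445 52 S 1234568 0 8192 - - - RECEIVE'
    '2024-05-01 10:22:20 ALLOW TCP 192.168.1.10 192.168.1.20 49700 443 0 - 0 0 0 - - - SEND'
)

# Use the real log from step 7 when it exists, otherwise the constructed sample.
$logPath = 'C:\Temp\pfirewall.log'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }

Find-DroppedTo -Lines $lines -DstPort 3389 |
    Select-Object date, time, 'src-ip', 'dst-ip', 'dst-port', path |
    Format-Table -AutoSize
```

On the sample this prints the single 3389 drop from 192.168.1.20 with path RECEIVE, which is the signature of "the client reached this PC and the firewall refused it". If instead you see no DROP for the port at all, the traffic never arrived and the problem is upstream (routing, the other PC's outbound rules, or a wrong address), not this firewall.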
8) Profile awareness
Rules apply per profile (Domain, Private, Public). A rule enabled only on Domain does nothing on home Private Wi‑Fi — common misconfiguration.
- Set network category: Settings → Network & internet → Properties on active connection.
- Test with Get-NetConnectionProfile: its NetworkCategory (Public, Private or DomainAuthenticated) should match the profile on which you enabled the rule.
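A check for the mismatch step 8 warns about: it compares each active connection's NetworkCategory with the profiles a named rule is enabled on. This is an added example, not code from the original page. The rule name is an assumption; substitute the DisplayName of your own rule.

```powershell
# Added example: does the rule apply on the network profile this PC is actually using?
# The rule DisplayName is an assumption for illustration.

function Test-RuleProfileMatch {
    param([Parameter(Mandatory)][string]$DisplayName)

    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    # A PC can have several active connections (Wi-Fi, Ethernet, VPN); check each one.
    foreach ($conn in Get-NetConnectionProfile) {
        # NetworkCategory is Public / Private / DomainAuthenticated; map it to the
        # profile name used in rules (Domain / Private / Public / Any).
        $needed = switch ($conn.NetworkCategory) {
            'DomainAuthenticated' { 'Domain' }
            default               { "$($conn.NetworkCategory)" }
        }
        # Rule.Profile renders as e.g. "Private" or "Domain, Private" or "Any".
        $ruleProfiles = "$($rule.Profile)" -split ',\s*'
        $covered = ($ruleProfiles -contains 'Any') -or ($ruleProfiles -contains $needed)

        [pscustomobject]@{
            Interface     = $conn.InterfaceAlias
            NetworkName   = $conn.Name
            ActiveProfile = $needed
            RuleProfiles  = "$($rule.Profile)"
            RuleEnabled   = "$($rule.Enabled)"
            Covered       = $covered
        }
    }
}

Test-RuleProfileMatch -DisplayName 'Allow RDP (Private, LAN only)' | Format-Table -AutoSize

# If Covered is False on the interface you are using, fix the side that is wrong rather
# than enabling the rule on Public: either reclassify the network (elevated) ...
#   Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Private
# ... or add the profile the rule is missing:
#   Set-NetFirewallRule -DisplayName 'Allow RDP (Private, LAN only)' -Profile Private,Domain
```

A rule with RuleEnabled False and Covered True is the other common trap: the profile is right but the rule was created disabled or was switched off by a later change, so check both columns.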
Verification checklist
- Test the rule with Test-NetConnection (or telnet) to the port from another PC on the LAN.
- Then disable the rule temporarily and test again: the connection should now fail. If it still succeeds, some other rule or a different profile is allowing the traffic, and the new rule is not what you are relying on.
- Firewall rule changes take effect immediately; reboot once only after changes that also affect services, drivers, or firmware.
- Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
- Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.