How to block range of incoming IPs in Windows Advanced Firewall
Sebastian Wright
I wanna block incoming connections from 13.54.X.X. Under the "Scope" > "This IP address range" input boxes (From and To), do I write:
13.54.0.0 to 13.54.255.255
OR do I have to create individual rules:
13.54.0.0 to 13.54.0.255
13.54.1.0 to 13.54.1.255
13.54.2.0 to 13.54.2.255
13.54.3.0 to 13.54.3.255 ?
4 Answers
First calculate the sub-network CIDR notation. In the 13.54.0.0 to 13.54.255.255 IPv4 range, the first two octets are constant (the network prefix) and the remaining last two octets are variable (host addressing). So the bit-length of the prefix is (32-16)=16. And the CIDR notation is 13.54.0.0/16.
There are three ways to block that IP range.
- With Firewall Control Panel:: Open Windows Firewall control panel with Win+R and type WF.msc. Click on Inbound Rules > New Rules > Custom > All Programs > Protocol type: Any > Add remote IP address (see below) > Check Block the Connection > Profile: select all > Name.
Add remote IP addresses:: Click on 'This IP address' radio button in remote IP section. Type 13.54.0.0/16 below 'this IP address or subnet' and then OK. Now your inbound rule is ready.
- With Administrator Command Prompt:: Type this command
netsh advfirewall firewall add rule name="New_Rule" Dir=In Action=Block RemoteIP=13.54.0.0/16
- With Administrator Powershell:: Type this command
New-NetFirewallRule -Direction Inbound -DisplayName "New_Rule" -Name "New_Rule" -RemoteAddress 13.54.0.0/16 -Action Block
Further reading::
- Wikipedia:Subnetwork
- Wikipedia:Classless Inter-Domain Routing (CIDR)
- Technet:New-NetFirewallRule
- Technet:netsh advfirewall
PowerShell also supports ranges and lists if it doesn't fall into a certain subnet mask.
New-NetFirewallRule -Name "Block Rule (in)" `
    -Description "Bad IP'S" `
    -DisplayName "Block Rule (in)" `
    -Enabled True `
    -Profile Any `
    -Direction Inbound `
    -Action Block `
    -RemoteAddress ("13.54.0.0-13.54.0.255", "13.54.1.0-13.54.1.255", "13.54.2.0-13.54.2.255", "13.54.3.0-13.54.3.255")

Create a Single Firewall Rule Using a Subnet Mask
You can create a single firewall rule to block the IP range 13.54.0.0 to 13.54.255.255 using the /16 mask like this:
13.54.0.0/16
The portion after the / is the subnet mask, which specifies how many bits of the specified address should be examined to determine if a connection's IP address matches the rule.
In your case it's easy to figure this out. You want to match addresses based only on the first two octets (13.54.x.x) of the IP address. An octet contains 8 bits, so two octets equals 16 bits or a mask of /16.
Find out more on Wikipedia about using a mask of bits to indicate which parts of an IP are matched.
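To check the mask before typing it into the rule, here is an added Python example (not part of any answer above) that derives the minimal CIDR blocks covering a From/To range by the same reasoning as the /16 calculation in the first and third answers, and tests whether a given address would match the resulting rule. It also handles ranges that are not a single subnet, which is the case the multi-range PowerShell answer covers with several address pairs; all addresses in it are the question's own sample range.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the fewest CIDR blocks that exactly cover first..last (inclusive).

    Greedy: at each step take the largest block that starts at `start`, is
    aligned to its own size (low bits of `start` are zero) and does not run
    past `end`. A range like 13.54.0.0-13.54.255.255 collapses to one /16.
    """
    start, end = int(IPv4Address(first)), int(IPv4Address(last))
    if start > end:
        raise ValueError("range start must not exceed range end")
    blocks = []
    while start <= end:
        prefix = 32                      # a single host, always valid
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))   # block size if we widen by one bit
            if start & (size - 1) != 0 or start + size - 1 > end:
                break                    # misaligned or would overshoot the range
            prefix -= 1
        blocks.append(f"{IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def rule_matches(blocks: List[str], ip: str) -> bool:
    """True if `ip` falls inside any block, i.e. the Block rule would apply."""
    addr = IPv4Address(ip)
    return any(addr in IPv4Network(block) for block in blocks)


if __name__ == "__main__":
    # The question's full range: a single /16 is enough for RemoteIP / -RemoteAddress.
    print(range_to_cidrs("13.54.0.0", "13.54.255.255"))
    # The four /24s listed in the question are contiguous, so they are one /22.
    print(range_to_cidrs("13.54.0.0", "13.54.3.255"))
    # A range that is not subnet-aligned needs several blocks (constructed example).
    print(range_to_cidrs("13.54.0.5", "13.54.0.10"))
    print(rule_matches(["13.54.0.0/16"], "13.54.200.1"), rule_matches(["13.54.0.0/16"], "13.55.0.1"))
```

A comma-separated join of the returned blocks is what you pass to netsh's RemoteIP, and the list itself is what -RemoteAddress accepts.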
Scope > Remote IP address > This IP Range > From: 13.54.0.0 > To: 13.54.0.255
Then add the rest of them in the same rule.
This will work in Windows Firewall, however it would take a long time to add each one. Definitely not efficient. In this scenario Twisty's CIDR solution would be best.