Windows Firewall Hardening.bat

1. @echo off
2. setlocal enabledelayedexpansion
3. title Windows Firewall Hardening V8
4. color 0A
5.  
6. echo.
7. echo ======================================================
8. echo    WINDOWS FIREWALL HARDENING - SIMPLEWALL COMPATIBLE
9. echo           Press SPACEBAR after each section
10. echo ======================================================
11. echo.
12.  
13. :: Admin check
14. echo [1/6] CHECKING Admin privileges...
15. net session >nul 2>&1
16. if %errorlevel% neq 0 (
17.     echo [ERROR] Admin required!
18.     pause
19.     exit /b 1
20. )
21. echo [SUCCESS] Admin CONFIRMED! ✓
22. echo.
23.  
24. :: Create logs
25. set "logdir=%~dp0logs"
26. if not exist "%logdir%" mkdir "%logdir%"
27. set "logfile=%logdir%\firewall_blocks_%date:~-4,4%%date:~-7,2%%date:~-10,2%_%time:~0,2%%time:~3,2%.log"
28. echo TEST LINE 1 > "%logfile%"
29. echo [2/6] LOGGING to: %logfile% ✓
30. echo.
31.  
32. echo [PRESS SPACEBAR to continue...]
33. pause >nul
34.  
35. :: IP BLOCKING (24 IPs)
36. echo.
37. echo ======================================================
38. echo          BLOCKING 24 IP ADDRESSES
39. echo ======================================================
40. echo.
41.  
42. set /a ip_count=0
43. for %%i in (
44.     172.172.255.216 172.172.255.217 172.172.255.218
45.     20.165.94.63 20.190.142.167 20.242.39.171
46.     23.210.65.236 23.37.136.134 52.123.128.14 52.123.129.14
47.     2600:1415:10:387::2c1a 2600:1415:10:3a1::2c1a
48.     2600:1415:10:48f::40dc 2600:1415:10:491::40dc
49.     2603:1020:5:12::510 2603:1030:210:f::
50.     2603:1030:210:f::1 2603:1030:210:f::2
51.     2603:1030:800:5::bfee:a08d 2603:1030:807:e::358
52.     2603:1030:c06:15::4a5 2603:1063:27:1::14
53.     2603:1063:27:2::14
54. ) do (
55.     set /a ip_count+=1
56.     echo [%ip_count%/24] BLOCKING %%i...
57.     netsh advfirewall firewall add rule name="Block_%%i" dir=out action=block remoteip=%%i >nul 2>&1
58.     netsh advfirewall firewall add rule name="Block_%%i" dir=in action=block remoteip=%%i >nul 2>&1
59.     echo          [✓] %%i BLOCKED!
60.     echo BLOCKED %%i >> "%logfile%"
61. )
62.  
63. echo [COMPLETE] 24 IPs BLOCKED! ✓
64. echo.
65. echo [PRESS SPACEBAR to continue...]
66. pause >nul
67.  
68. :: DOMAIN BLOCKING (29 domains)
69. echo.
70. echo ======================================================
71. echo           BLOCKING 29 DOMAINS
72. echo ======================================================
73. echo.
74.  
75. set /a domain_count=0
76. for %%d in (
77.     client.wns.windows.com connect.facebook.net
78.     crl3.digicert.com crl4.digicert.com ct.facebook.net
79.     detectportal.firefox.com dns.msftncsi.com ecs.office.com
80.     fe3cr.delivery.mp.microsoft.com fs.microsoft.com
81.     go.microsoft.com googleads.g.doubleclick.net
82.     login.live.com ocsp.digicert.com
83.     settings-win.data.microsoft.com slscr.update.microsoft.com
84.     web-sdk-cdn.singular.net wpad.net
85.     vortex.data.microsoft.com watson.telemetry.microsoft.com
86.     diagnostics.support.microsoft.com corp.sts.microsoft.com
87.     statsfe2.ws.microsoft.com sqm.telemetry.microsoft.com
88.     watson.ppe.telemetry.microsoft.com telemetry.appex.bing.net
89.     telemetry.urs.microsoft.com cs1.wpc.v0cdn.net
90.     statsfe1.ws.microsoft.com statsfe3.ws.microsoft.com
91.     banggood.com aliexpress.com temu.com ebay.com
92. ) do (
93.     set /a domain_count+=1
94.     echo [%domain_count%/29] RESOLVING %%d...
95.     for /f "tokens=2 delims= " %%a in ('nslookup %%d 2^>nul ^| findstr "Address" ^| findstr "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"') do (
96.         echo          [✓] %%d -^> %%a BLOCKED!
97.         netsh advfirewall firewall add rule name="Block_%%d" dir=out action=block remoteip=%%a >nul 2>&1
98.         echo BLOCKED %%d - %%a >> "%logfile%"
99.     )
100. )
101.  
102. echo [COMPLETE] 29 DOMAINS BLOCKED! ✓
103. echo.
104. echo [PRESS SPACEBAR to continue...]
105. pause >nul
106.  
107. :: ONLY BLOCK SPECIFIC TRAFFIC (NO DEFAULT DENY)
108. echo.
109. echo ======================================================
110. echo    BLOCKING SPECIFIC TRAFFIC ONLY
111. echo    (LEAVING GENERAL INTERNET ACCESS UNTOUCHED)
112. echo ======================================================
113. echo.
114.  
115. echo [3/6] BLOCKING TELEMETRY PORTS...
116. netsh advfirewall firewall add rule name="Block_Telemetry_UDP" dir=out action=block protocol=UDP remoteport=443 >nul 2>&1
117. echo          [✓] TELEMETRY UDP BLOCKED!
118.  
119. echo [4/6] BLOCKING TRACKING SERVICES...
120. netsh advfirewall firewall add rule name="Block_Tracking" dir=out action=block program="%SystemRoot%\System32\svchost.exe" service="diagnosticshub.standardcollector.service" >nul 2>&1
121. echo          [✓] TRACKING SERVICES BLOCKED!
122.  
123. echo [5/6] BLOCKING WINDOWS UPDATE METADATA...
124. netsh advfirewall firewall add rule name="Block_WU_Metadata" dir=out action=block remoteip=134.170.58.121,134.170.58.123,134.170.53.29,134.170.53.31 >nul 2>&1
125. echo          [✓] WINDOWS UPDATE METADATA BLOCKED!
126.  
127. echo [6/6] BLOCKING EXTRA TELEMETRY...
128. netsh advfirewall firewall add rule name="Block_Extra_Telemetry" dir=out action=block remoteip=2.22.61.43,2.22.61.66,65.52.108.29,65.55.108.23 >nul 2>&1
129. echo          [✓] EXTRA TELEMETRY BLOCKED!
130.  
131. echo.
132. echo [COMPLETE] SPECIFIC TRAFFIC BLOCKED! ✓
133. echo.
134. echo [PRESS SPACEBAR to continue...]
135. pause >nul
136.  
137. :: FINAL SUMMARY
138. echo.
139. echo ======================================================
140. echo                FINAL SUMMARY
141. echo ======================================================
142. echo [✓] 24 IPs BLOCKED
143. echo [✓] 29 DOMAINS BLOCKED  
144. echo [✓] SPECIFIC TRAFFIC BLOCKED
145. echo [✓] GENERAL INTERNET ACCESS PRESERVED
146. echo [LOG] %logfile%
147. echo.
148. echo NOTE: This version is compatible with SimpleWall
149. echo SimpleWall can handle general filtering while this script
150. echo blocks specific telemetry and e-commerce domains
151. echo.
152. pause