Windows Firewall (inbound rules)

Create and manage inbound rules in Windows Server Firewall with PowerShell and the GUI.

Windows Firewall with Advanced Security filters inbound traffic to your VPS. On a server exposed to the Internet, precise inbound rules reduce the attack surface while allowing required services (RDP, HTTP, SQL, etc.).

Prerequisites

  • Windows Server VPS with Administrator rights
  • List of ports and protocols to allow (TCP/UDP)
  • Fixed source IPs if possible (office, another VPS)

The HolyCloud network firewall (client area) complements the OS firewall: configure both consistently.

Understand profiles

| Profile | Typical use |
|---------|-------------|
| Domain  | Machine joined to an AD domain |
| Private | Trusted network |
| Public  | Internet — default profile on VPS |

Check the active profile on interfaces:

Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

To force Private on an adapter (if appropriate):

Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

GUI: simple inbound rule

  1. wf.msc → Inbound Rules → New Rule.
  2. Type: Port → TCP → specific ports (e.g. 80,443).
  3. Action: Allow the connection.
  4. Profiles: check per your policy (often Public on VPS).
  5. Name: HTTP HTTPS Web.

PowerShell: allow HTTP and HTTPS

New-NetFirewallRule -DisplayName 'HTTP Inbound' -Direction Inbound `
  -Protocol TCP -LocalPort 80 -Action Allow -Profile Public

New-NetFirewallRule -DisplayName 'HTTPS Inbound' -Direction Inbound `
  -Protocol TCP -LocalPort 443 -Action Allow -Profile Public

Restrict RDP to a source IP

New-NetFirewallRule -DisplayName 'RDP Admin Bureau' -Direction Inbound `
  -Protocol TCP -LocalPort 3389 -RemoteAddress 198.51.100.42 -Action Allow -Profile Any

# Block rules take precedence over Allow rules however specific the Allow is, so an
# explicit 'RDP Block Others' rule on 3389 would also lock out 198.51.100.42.
# Instead, disable the built-in Remote Desktop rules (which allow any source) and let
# the profile's default inbound action (Block) drop every other 3389 attempt.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

Evaluation order is by rule type (Block before Allow), not by specificity; verify in wf.msc that no other enabled 3389 rule, built-in or broader, conflicts with the Allow rule, and keep your current session open until RDP from the admin IP is confirmed.

Rule for a program (executable)

New-NetFirewallRule -DisplayName 'IIS Worker' -Direction Inbound `
  -Program 'C:\Windows\System32\inetsrv\w3wp.exe' -Action Allow -Profile Public

Useful when the port is dynamic or to limit to a specific binary.

List and audit inbound rules

Get-NetFirewallRule -Direction Inbound -Enabled True |
  Select-Object DisplayName, Action, Profile |
  Sort-Object DisplayName

Detail with ports:

Get-NetFirewallRule -Direction Inbound -Enabled True |
  ForEach-Object {
    # Protocol and ports live in a separate filter object linked to the rule
    $port = $_ | Get-NetFirewallPortFilter
    [PSCustomObject]@{
      Name     = $_.DisplayName
      Action   = $_.Action
      Protocol = $port.Protocol
      Ports    = $port.LocalPort
    }
  }

Disable or remove a rule

Disable-NetFirewallRule -DisplayName 'HTTP Inbound'
Remove-NetFirewallRule -DisplayName 'HTTP Inbound'

Log blocked connections

Enable firewall logging for diagnostics:

Set-NetFirewallProfile -Profile Public -LogAllowed False -LogBlocked True `
  -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

View recent blocks:

Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log -Tail 30
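To turn the raw log into something reviewable, here is an added example (not from the original article) that reads the column names from the log's '#Fields:' header and counts inbound DROP entries by port and by source IP; the sample lines are constructed and the function name Get-FirewallDropSummary is chosen here.

```powershell
# Added example: summarise inbound DROP entries from pfirewall.log.
# Column names are taken from the '#Fields:' header the firewall writes, so
# positions are not hard-coded. Get-FirewallDropSummary is a name chosen here.
function Get-FirewallDropSummary {
    param(
        [string[]]$Lines,   # raw log lines (Get-Content output or the sample below)
        [int]$Top = 10
    )
    $fields = $null
    $drops = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines and anything before the header
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        # Keep only blocked inbound traffic (DROP + RECEIVE); ALLOW and SEND are ignored
        if ($entry['action'] -eq 'DROP' -and $entry['path'] -eq 'RECEIVE') { [pscustomobject]$entry }
    }
    [pscustomobject]@{
        ByDstPort = $drops | Group-Object protocol, 'dst-port' |
                    Sort-Object Count -Descending | Select-Object -First $Top Count, Name
        BySource  = $drops | Group-Object 'src-ip' |
                    Sort-Object Count -Descending | Select-Object -First $Top Count, Name
    }
}
# Constructed sample in the real log layout (not captured from a server)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-06-19 08:00:01 DROP TCP 203.0.113.10 10.0.0.5 51000 3389 52 S 1 0 8192 - - - RECEIVE
2026-06-19 08:00:02 DROP TCP 203.0.113.10 10.0.0.5 51001 3389 52 S 1 0 8192 - - - RECEIVE
2026-06-19 08:00:03 DROP TCP 203.0.113.22 10.0.0.5 44000 1433 52 S 1 0 8192 - - - RECEIVE
2026-06-19 08:00:04 ALLOW TCP 198.51.100.42 10.0.0.5 50222 3389 52 S 1 0 8192 - - - RECEIVE
2026-06-19 08:00:05 DROP UDP 203.0.113.30 10.0.0.5 5353 5353 120 - - - - - - - RECEIVE
'@ -split "`r?`n"
$summary = Get-FirewallDropSummary -Lines $sample
$summary.ByDstPort | Format-Table -AutoSize
$summary.BySource  | Format-Table -AutoSize
# On the server, feed the live log instead of the sample:
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

A source IP that tops the list on a port you never opened is normal Internet background noise; the same IP repeatedly hitting 3389 or 1433 is what to compare against your Allow rules.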

Best practices on a HolyCloud VPS

  • Least privilege: one port = one explicit, named rule.
  • Avoid Allow rules open to any source (0.0.0.0/0) when a fixed source IP is enough.
  • After installing a role (IIS, SQL), review the rules the role created automatically.
  • Test from outside, from another machine:

Test-NetConnection -ComputerName IP_VPS -Port 443

Troubleshooting

| Symptom | Action |
|---------|--------|
| Local service OK, unreachable from Internet | HolyCloud firewall + Windows rule; Test-NetConnection |
| RDP OK then blocked | New Block rule; rule order |
| IIS unreachable | Port 80/443 rule; Public profile; IIS binding |
| Too many rules | Export then cleanup: Get-NetFirewallRule → disable duplicates |

Export rules (backup):

netsh advfirewall export "C:\Backup\fw-rules-$(Get-Date -Format yyyyMMdd).wfw"

Import:

netsh advfirewall import "C:\Backup\fw-rules-20260619.wfw"

Need help?

If traffic is blocked despite correct OS rules, tell support the VPS IP, port, and Test-NetConnection result from outside.