Block ports from the command line


by Steve Wiseman on October 6, 2011 · 4 comments

in Tips, Tools, Windows


This week I received a question from Scott:

“Hi Steve,

Management at my company wants to block AIM (AOL Messenger) on all computers. Because some of the machines are not joined to the domain I want a way to do this from a script. The port is 4099 TCP btw. Thanks!”

I spoke with Scott and confirmed that all of his systems are running Vista or Windows 7 (important, since this tip will not work on XP).

This can be done by adding an outbound rule to the built-in firewall.

[Screenshot: Outbound rules]

But as Scott said, he wants to do it from the command line.

This is easy using the ‘netsh’ command.

To block the port, we call it like this (one line, from an elevated command prompt):

netsh advfirewall firewall add rule name="BlockAIM" protocol=TCP dir=out remoteport=4099 action=block

Let me explain each setting:

name = The name of the rule. (Pick something descriptive; you will use it again to delete the rule.)
protocol = The protocol we are going to block (UDP or TCP in most cases)
dir = The direction of the traffic to block. Can be IN or OUT
remoteport = The port on the remote host that connections will be blocked to
action = Can be block or allow. In our case we want to block the connection

Once you run the above command, all outbound TCP connections from this machine to port 4099 on any host are blocked, and the rule appears in the Windows firewall:

[Screenshot: Outbound rule to block AIM]

If you want to remove the rule from the command line, you can call netsh like this:

netsh advfirewall firewall delete rule name="BlockAIM"

That is all there is to it. One line to add the rule, and one line to remove it.
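Since Scott wanted to push this out from a script to machines that are not on the domain, here is the add and remove procedure above wrapped in a small batch file. This is an added example, not code from the original post: the netsh "add rule" and "delete rule" lines are exactly the article's, while the elevation check ("net session" fails in a non-elevated prompt), the "show rule" verification step and the "remove" argument are additions of mine. The rule name BlockAIM and port 4099 are the article's; the script name blockaim.cmd is assumed.

```batch
@echo off
REM blockaim.cmd (added example, not from the original post)
REM   blockaim.cmd          adds the BlockAIM rule if missing, then shows it
REM   blockaim.cmd remove   deletes the rule
setlocal
set RULE_NAME=BlockAIM
set BLOCK_PORT=4099

REM netsh advfirewall changes need an elevated prompt. "net session" is a
REM common idiom: it fails with a non-zero errorlevel when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated ^(Administrator^) command prompt.
    exit /b 1
)

if /i "%~1"=="remove" goto :remove

REM Skip the add if a rule with this name already exists. "show rule" prints a
REM "Rule Name:" line for every matching rule; findstr returns 1 when it finds none.
netsh advfirewall firewall show rule name="%RULE_NAME%" | findstr /c:"Rule Name:" >nul
if not errorlevel 1 (
    echo Rule "%RULE_NAME%" already exists, nothing to add.
    goto :verify
)

REM The article's add command, with the name and port taken from the variables above.
netsh advfirewall firewall add rule name="%RULE_NAME%" protocol=TCP dir=out remoteport=%BLOCK_PORT% action=block
if errorlevel 1 (
    echo Failed to add rule "%RULE_NAME%".
    exit /b 1
)

:verify
REM Print the rule as the firewall stored it, so the result can be checked in the deployment log.
echo Current definition of rule "%RULE_NAME%":
netsh advfirewall firewall show rule name="%RULE_NAME%"
exit /b 0

:remove
REM The article's delete command.
netsh advfirewall firewall delete rule name="%RULE_NAME%"
exit /b %errorlevel%
```

Two things worth keeping in mind when you rely on a rule like this: it matches only on destination port, so it blocks any outbound TCP connection to port 4099 without looking at the traffic, and it lives on the client, so a user with local administrator rights can delete it with the same one-line command. It is a cheap control for the situation Scott describes, not a substitute for filtering at the network edge.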


4 comments

1 Mike Lundquist October 7, 2011 at 8:12 am

I think a firewall would be a much more robust solution, Steve.

2 Steve Wiseman October 7, 2011 at 8:14 am

Hello Mike,

Yes, a firewall would be better. But in Scott’s case, he did not have control over the network these computers would reside on (they are laptops). In addition, they are not joined to the domain, so he could not use group policy.

Finally, I did not write it in the article…he was asked by management to make this happen without spending any money on hardware or software.

So I think with those conditions in place, it is an ideal solution. True it will never stop the technical users…but at least you have something in place.

3 Bobby October 8, 2011 at 9:44 pm

Thanks for the tip, Steve. Like you said, there are more ideal solutions, but hey, when your options are limited this is better than nothing.

4 Philip September 11, 2013 at 6:52 am

I was wondering if you can do this on a LAN and block TCP port 80, but block the MAC address instead?
