How to block a network port in Windows Firewall

Blocking a network port in Windows Firewall limits unsolicited traffic and reduces exposure to scans, worms, and opportunistic attacks. Port blocks are commonly used to harden servers, lock down shared workstations, and prevent accidental service publishing on untrusted networks.

Windows Defender Firewall enforces policy using inbound and outbound rules that match protocol, ports, programs, services, and network profiles. A port-based rule is evaluated by the filtering platform before traffic reaches an application, so the block can apply even when the listening service remains running.

Creating or changing rules requires administrative privileges and the selected Domain, Private, and Public profiles control where the block is active. Blocking ports used for remote administration (for example 3389 for RDP or 22 for SSH) can immediately disrupt access, so confirm an alternate management path before applying a block. A port rule filters network traffic but does not stop the local process from listening on the port.

Related: How to block an IP address in Windows
Related: How to configure Windows Defender Firewall from the command line

Steps to block a network port in Windows Firewall:

  1. Open Control Panel from the Start menu search.
  2. Select System and Security.
  3. Select Windows Defender Firewall.
  4. Click Advanced settings to open Windows Defender Firewall with Advanced Security.

    Run wf.msc from the Run dialog to open the same console directly.

  5. Select Inbound Rules in the left pane.

    Inbound Rules block traffic arriving at the computer; use Outbound Rules to restrict traffic leaving the computer.

  6. Click New Ruleā€¦ in the Actions pane.
  7. Select Port as the rule type and click Next.
  8. Select either TCP or UDP.

    TCP covers connection-oriented traffic (for example HTTP), while UDP covers connectionless traffic (for example DNS).

  9. Select Specific local ports.
  10. Enter the port number or range to block and click Next.

    Comma-separated lists (80,443,8080) and ranges (5000-5010) are supported.

  11. Select Block the connection and click Next.

    Blocking management ports such as 3389 (RDP) can immediately disconnect remote sessions.

  12. Select the profiles where the rule should apply and click Next.

    Public typically applies on untrusted networks; Domain and Private are common for internal networks.

  13. Enter a descriptive rule name and click Finish.

    Including direction, protocol, and port (example: Block inbound TCP 80) keeps rule lists readable.

  14. Confirm the new rule is Enabled and the Action column shows Block.
  15. Verify the port is blocked from another host by testing connectivity. 
    PS C:\> Test-NetConnection -ComputerName 192.0.2.10 -Port 80

ComputerName     : 192.0.2.10
RemoteAddress    : 192.0.2.10
RemotePort       : 80
InterfaceAlias   : Ethernet
SourceAddress    : 192.0.2.25
PingSucceeded    : True
TcpTestSucceeded : False

    Ensure the target port is listening during the test; Test-NetConnection validates TCP ports, while UDP verification is typically application-specific.