Host Based Dynamic Firewalls

Dynamic firewalls for Windows based systems

I've got to give acknowledgement to the SANS course Offensive Countermeasures for this neat little trick.  This how-to shows you how to set up a listener on a specific port that, when scanned with a port scanner, immediately creates a firewall rule to block all traffic from the IP conducting the scan.  You will need to download netcat for Windows, and depending on the distribution of Linux you are running you may need to download it there as well.

Create a directory called C:\Tools\

Copy your Netcat download over to the Tools folder.

Unzip the Zip file here.

Open up notepad and copy the following into it:

@echo off
echo Started

:while
rem Wait for one TCP connection on port 4444. Netcat (-v) reports it as
rem   connect to [192.168.1.5] from (UNKNOWN) [192.168.1.10] 50612
rem so splitting on [ and ] makes the remote IP the fourth token.
set IP=
for /f "delims=[] tokens=4" %%i IN ('nc -l -p 4444 -n -v 2^>^&1 ^| find ^"from^"') do set IP=%%i
rem Nothing matched (netcat exited some other way): just listen again.
if "%IP%"=="" goto while
echo %IP%
rem Block all inbound TCP from that address; the rule persists until deleted.
netsh advfirewall firewall add rule name="Deny" dir=in remoteip=%IP% localport=any protocol=TCP action=block > NUL
goto while

(Windows Vista, 7, and Server 2008 have a command line firewall feature built in known as netsh advfirewall firewall.  You can create firewall rules using this command to deny IPs from connecting over specific protocols, or you can explicitly deny them. For more info on netsh advfirewall firewall follow:)

Save this file as dyn_firewall.bat in the C:\Tools\nc11nt directory.  Open a command prompt as Administrator and change directories to C:\Tools\nc11nt. Run dyn_firewall.bat.
The batch file has opened up a netcat session on port 4444 in listen mode.  If anyone runs a port scan against us and hits port 4444, our netsh advfirewall batch job will automatically deny their IP in our firewall.
They will be able to see our open ports the first time they scan, but any subsequent attacks will be dropped by our firewall.
You can see the IP of the attacking system in your command window:

If the attacker tries to scan us again or run exploits against us they will fail because of our newly generated firewall rule.
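The same trick, written out as an added example that is not part of the original post and not the SANS course material. Python is used so the parsing and filtering logic runs anywhere for inspection; only the listener loop at the bottom assumes a Windows host with nc.exe on PATH and an elevated prompt (netsh needs it). The sample netcat lines and the allowlist are constructed. Two things the batch file does not do are handled here: the token pulled from netcat's output is validated as an IP address before it is placed on the netsh command line, and addresses you never want to block (the gateway, your own vulnerability scanner) are skipped, since blocking them would turn the trick into a self-inflicted outage. Note that netcat only reports connections that complete the TCP handshake, so anything that does not complete it leaves no line to parse; treat this as a complement to network logging, not a replacement.

```python
import ipaddress
import re
import subprocess

# Constructed sample of the lines "nc -l -p 4444 -n -v" prints (on stderr) when a
# scanner connects; the batch file splits these on '[' and ']' and takes token 4.
SAMPLE_NC_OUTPUT = """listening on [any] 4444 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.77] 50612
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.1] 40001
connect to [192.168.1.5] from (UNKNOWN) [not an ip] 1
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.77] 50613
"""

CONNECT_LINE = re.compile(
    r"^connect to \[(?P<local>[^\]]+)\] from \([^)]*\) \[(?P<remote>[^\]]+)\]"
)

# Constructed allowlist: hosts that must never be blocked (here, the gateway).
ALLOWLIST = [ipaddress.ip_network("192.168.1.1/32")]


def parse_remote_ip(line):
    """Return the remote address of a netcat 'connect to' line, or None.

    Same extraction as the batch file's tokens=4, but the token is validated as
    an IP address before it can reach a netsh command line.
    """
    match = CONNECT_LINE.match(line.strip())
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group("remote"))
    except ValueError:
        return None


def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)


def block_rule_args(ip):
    """The netsh command the batch file runs, as an argv list (no shell parsing).

    A per-address rule name makes later cleanup with
    'netsh advfirewall firewall delete rule name=...' straightforward.
    """
    return [
        "netsh", "advfirewall", "firewall", "add", "rule",
        f"name=Deny {ip}", "dir=in", f"remoteip={ip}",
        "localport=any", "protocol=TCP", "action=block",
    ]


def process_output(text, blocked=None, dry_run=True):
    """Feed netcat output through the filter and return the addresses newly blocked.

    'blocked' carries state across calls so an address gets one rule, not one
    per connection. With dry_run=True nothing is executed.
    """
    blocked = [] if blocked is None else blocked
    newly = []
    for line in text.splitlines():
        ip = parse_remote_ip(line)
        if ip is None or is_allowlisted(ip) or ip in blocked:
            continue
        if not dry_run:
            subprocess.run(block_rule_args(ip), check=True)
        blocked.append(ip)
        newly.append(ip)
    return newly


def watch(port=4444, dry_run=False):
    """Same loop as dyn_firewall.bat: restart netcat after every connection.

    Assumes nc.exe (netcat for Windows) is on PATH and the prompt is elevated.
    """
    blocked = []
    while True:
        proc = subprocess.run(["nc", "-l", "-p", str(port), "-n", "-v"],
                              capture_output=True, text=True)
        for ip in process_output(proc.stdout + proc.stderr, blocked, dry_run):
            print(f"blocked {ip}")


if __name__ == "__main__":
    watch()
```

Run it with dry_run=True first and watch what it would block against your own scanner before letting it add rules; the rules it creates are ordinary persistent netsh rules and have to be deleted by name when you are done.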
