5

I have a program that can communicate over IPv4 (TCP and UDP) and over IPv6 (TCP and UDP). I want to block the program from being able to use IPv4.

I tried the Windows Firewall:


Except it blocks IP sub-protocols (e.g. TCP, UDP, encapsulated IPv6, GRE), rather than blocking IPv4 itself.

In other words, I need to block IPv4:

  • IPv4/TCP
  • IPv4/UDP
  • IPv4/ICMPv4
  • IPv4/GRE
  • IPv4/L2TP

while allowing IPv6:

  • IPv6/TCP
  • IPv6/UDP
  • IPv6/ICMPv6
  • IPv6/GRE
  • IPv6/L2TP

Can I block a program from using IPv4?

Note: If it cannot be done, then don't be afraid to add that as an answer. There's no shame in giving the correct answer to a question.

Excellll
Ian Boyd
  • What other firewall software have you tested? – Ramhound Nov 19 '12 at 12:48
  • @Ramhound None; as far as i know Windows only has the one. And i can't do it at the firewall level, because i only want to block one application. – Ian Boyd Nov 19 '12 at 18:37
  • There are dozens of alternative firewall applications. Have you tried any of those? – Ramhound Nov 19 '12 at 20:07
  • @Ramhound i have not. – Ian Boyd Nov 19 '12 at 21:23
  • What program is it that you want to block? – Michael Hampton Dec 02 '12 at 00:12
  • @MichaelHampton Take your pick. Steam, Blizzard Launcher, WoW, uTorrent, Chrome, Photoshop, Flash. – Ian Boyd Dec 02 '12 at 17:10
  • 1
    If you don't want to use IPv4, then just don't give the computer an IPv4 address in the first place. Otherwise, please clarify your question and explain what you're really trying to do. – Michael Hampton Dec 02 '12 at 17:16
  • 2
    @MichaelHampton i want to disallow certain **programs** from using IPv4. The corollary is that other programs i want to (continue) to be allowed to use IPv4. In the case of WoW i want it to only use the faster IPv6 connection. In the case of Flash i want to defeat geolocation. In the case of uTorrent i want to unlink my torrenting from my IPv4 address. In the case of Flash i want to be unblocked because i am in Canada. In the case of Steam i want to test IPv6-only connectivity. In the case of Visual Studio i want to test IPv6 connectivity. i am trying to block ***programs*** from using IPv4. – Ian Boyd Dec 02 '12 at 19:18
  • 2
    @MichaelHampton Or perhaps i don't want to do any of those things, and i am asking on behalf of a friend. Perhaps i'm writing a book. Perhaps i'm trying to further the knowledge of all man-kind. Pick whatever situation you like that will help convince you to answer the question. – Ian Boyd Dec 02 '12 at 19:19

2 Answers

2

Note that the following doesn't work every time.

In Windows Firewall add a blocking rule for your program for the remote range 0.0.0.0 to 255.255.255.255 on any protocol.

If the program is designed to do so, it falls back on using IPv6.

If you want the inverse, to force the use of IPv4, you block the IPv6 range :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

For example, this works for updating Visual Studio Community 2017, as the updater is using IPv6 by default and the download speed is sometimes seriously throttled down.

Sipertruk
  • This is a good idea but I don't see why it would not work all the time though if you set it up for a specific program to block all valid IPv4 ranges possible for any ports. I think maybe you put the `0.0.0.0-255.255.255.255` in both Local and Remote IP address fields. You could also get port specific too so I like this idea. Maybe test and add Local IP addresses to block that entire range and it'll be solid. Maybe add some screen shots if you get a chance. – Vomit IT - Chunky Mess Style Mar 09 '18 at 03:23
  • How do I prove that it works with every program out there without testing every one of them? I can imagine a program that tests IPv6 connectivity using a tier tool (ping?) and then doesn't switch to IPv4 after it fails. – Sipertruk Mar 12 '18 at 17:54
  • There has to be both a local and remote so adding 0.0.0.0-255.255.255.255 to local gives nothing more. You can block the local range **instead** if you want. – Sipertruk Mar 12 '18 at 17:58
  • Going port specific is **program** specific, it's an answer for another question I guess. – Sipertruk Mar 12 '18 at 18:00
  • I came across my own question today, while trying to answer the same question i asked 5 years ago. Today i want to block MSEdge.exe from accessing the Internet over IPv4 and this works! It would be nice if i could also convince [the application] to only request `AAAA` records; but i'll take it. – Ian Boyd Mar 22 '23 at 13:59
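The blocking rule described in the answer above, scripted with the built-in NetSecurity cmdlets. This is an added example, not part of the original answer; the function name, rule group name and sample program path are placeholders chosen here, and the address ranges are the ones the answer gives.

```powershell
#Requires -RunAsAdministrator
# Added example: per-program block of one whole IP family.
# Set-AppIpFamilyBlock, the group name and the sample path are placeholders.

function Set-AppIpFamilyBlock {
    param(
        [Parameter(Mandatory)] [string] $Program,   # full path to the executable
        [ValidateSet('IPv4', 'IPv6')] [string] $Family = 'IPv4'
    )

    # Address ranges exactly as given in the answer.
    $range = @{
        IPv4 = '0.0.0.0-255.255.255.255'
        IPv6 = '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'
    }[$Family]

    $exe   = Split-Path -Leaf $Program
    $group = "Block $Family per app"

    # One rule per direction. Block rules take precedence over Allow rules,
    # so an existing "allow this program" rule does not undo them.
    foreach ($direction in 'Outbound', 'Inbound') {
        New-NetFirewallRule -DisplayName "Block $Family $direction - $exe" `
            -Group $group -Program $Program -Direction $direction `
            -Action Block -Protocol Any -RemoteAddress $range -Profile Any |
            Out-Null
    }

    # Read the rules back so the program and address filters can be checked.
    Get-NetFirewallRule -DisplayName "Block $Family * - $exe" | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Action        = $_.Action
            Program       = ($_ | Get-NetFirewallApplicationFilter).Program
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

# Block IPv4 for one program (placeholder path):
#   Set-AppIpFamilyBlock -Program 'C:\Path\To\app.exe'
# The inverse from the answer (force IPv4 by blocking IPv6):
#   Set-AppIpFamilyBlock -Program 'C:\Path\To\app.exe' -Family IPv6
# Undo:
#   Remove-NetFirewallRule -Group 'Block IPv4 per app'
```

The rules match on the executable path, so a program that does its networking from a separate helper executable needs a rule for that path as well.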
1

There's no way to do this with the Windows Firewall unless the client itself supports it. Most applications will use RFC 3484 to determine the best protocol to use if they are both available. A good explanation:

How do client applications know to use IPv4 or IPv6?

Your options would be either:

  • Force the protocol if the application supports doing so (e.g. uTorrent supports IPv6-only mode)
  • Use a third party firewall that supports protocol preference per-application.
  • Use a third party firewall that supports protocol preference based on the port.

This is an unusual requirement, so I don't know of any third party firewalls off-hand that support it.