@ElliotKillick
Created June 18, 2023 10:16
Configure Windows telemetry connections to respect privacy at the firewall
<#
.SYNOPSIS
Configure Windows telemetry connections to respect privacy at the firewall

.DESCRIPTION
Any desired IP list can be used. Ideally, it should abide by this official Microsoft documentation:
https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints
See the table of contents there for information on the connections made by all modern Windows versions.
Probably the best approach is to extract the HTML table from that page using a Pandas DataFrame, then
resolve the listed domains to build an IP list from them.

Blocking with the firewall (IP-based) is sometimes better than with the hosts file (domain-based):
- Windows may connect directly to an IP (as opposed to a domain name), bypassing the hosts file entirely
- The Windows DNS client ignores hosts file entries for some Microsoft domains: https://petri.com/windows-10-ignoring-hosts-file-specific-name-resolution
- However, domains can change IPs and some domains resolve to multiple IPs (like a CDN), so an IP list goes stale
- Ideally, use both approaches (IP and domain) for maximum coverage
- On Qubes OS, do this blocking in an upstream NetVM so that Windows itself cannot bypass it

As with any network blocking approach, there is a chance of false positives and false negatives.
#>
Write-Host "Blocking telemetry IPs..."

# Force PowerShell 2 (.NET 3.5) to use TLS 1.2
# Without the TLS 1.2 update for .NET 3.5 the Tls12 enum member does not exist and reads as $null here;
# 3072 is the raw value of SecurityProtocolType.Tls12
if ([System.Net.SecurityProtocolType]::Tls12 -eq $null) {
    Write-Host "Enabling TLS 1.2 for PowerShell 2..."
    [System.Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072)
}

# Get the bad IP list and split it into an array of lines
# It's *much* better to read this from disk (e.g. Get-Content .\ips.txt) but here's how it can be downloaded too
# Trim each line so a CRLF-terminated list doesn't leave a stray "\r" on every address
$ips = (New-Object System.Net.WebClient).DownloadString('<URL_TO_DOWNLOAD_IP_LIST_FROM>') -split '\n' | ForEach-Object { $_.Trim() }

# Remove empty lines and comment lines
$ips = $ips | Where-Object { $_ -and $_ -notmatch '^#' }

# Sanitize input to be extra safe: allow only 0-9 and . (dot), i.e. plain IPv4 addresses
# Note this mangles CIDR ranges ("10.0.0.0/8" becomes "10.0.0.08"); the validation below then rejects them
$ips = $ips -replace '[^0-9.]', ''

# Validate every entry so nothing malformed reaches netsh, where a bad entry could make it reject the whole rule
$ipv4 = '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
$bad = @($ips | Where-Object { $_ -notmatch $ipv4 })
if ($bad.Count -gt 0) {
    Write-Warning ("Dropping {0} malformed entries: {1}" -f $bad.Count, ($bad -join ' '))
}
$ips = @($ips | Where-Object { $_ -match $ipv4 } | Select-Object -Unique)
if ($ips.Count -eq 0) {
    Write-Error "No valid IPv4 addresses in the list; not adding a rule"
    exit 1
}

# Put IPs into comma-separated format for consumption by netsh
$ips = $ips -join ','

# Remove any previous copy of the rule so re-running this script replaces it instead of stacking duplicates
netsh advfirewall firewall delete rule name=spyless | Out-Null

# Block all IPs with one rule (no profile given, so it applies to all profiles)
# New-NetFirewallRule cmdlet is not available on PowerShell 2 so use the netsh command instead
# If the list is very long netsh may refuse the command line; split the list across several rules in that case
netsh advfirewall firewall add rule name=spyless dir=out action=block remoteip=$ips
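The description above suggests pulling the endpoint table out of the Microsoft docs page and resolving its domains to produce the IP list this script consumes. The following is an added example (it is not part of the gist) that does that step in Python with only the standard library rather than pandas, emitting the one-IPv4-per-line, `#`-comment format the script reads. It runs offline against a constructed HTML snippet and a stub resolver; the column name "Destination", the table layout and the `.test` hostnames are assumptions made for the example, so check them against the real page's HTML before using it there.

```python
import ipaddress
import re
import socket
from html.parser import HTMLParser

# Constructed sample imitating the layout of the Microsoft endpoint table (reserved .test names, NOT real data)
SAMPLE_HTML = """<table>
<tr><th>Area</th><th>Description</th><th>Protocol</th><th>Destination</th></tr>
<tr><td>Diagnostic Data</td><td>Telemetry upload</td><td>TLSv1.2</td><td>telemetry.example.test</td></tr>
<tr><td>Delivery</td><td>Content delivery (CDN)</td><td>HTTPS</td><td>*.delivery.example.test</td></tr>
<tr><td>Licensing</td><td>Activation</td><td>HTTPS</td><td>activation.example.test, licensing.example.test</td></tr>
</table>"""

# Stub DNS for the offline demo/test; licensing.example.test is deliberately absent (resolution failure path)
FAKE_DNS = {"telemetry.example.test": ["192.0.2.10", "2001:db8::1"],
            "activation.example.test": ["192.0.2.20", "192.0.2.10"]}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"stub: no record for {host}")
    return FAKE_DNS[host]

def system_resolver(host):
    # Real lookup: every IPv4 answer the system DNS returns for host
    return [info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)]

class TableParser(HTMLParser):
    # Collects every <table> as a list of rows, each row a list of whitespace-normalised cell strings
    def __init__(self):
        super().__init__()
        self.tables, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.tables.append([])
        elif tag == "tr" and self.tables:
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.tables[-1].append(self._row)
            self._row = None

def destination_hosts(html):
    # Returns (hosts, wildcards) from every table with a "Destination" column; that column name is an assumption
    parser = TableParser()
    parser.feed(html)
    hosts, wildcards = [], []
    for table in parser.tables:
        header = [c.lower() for c in table[0]] if table else []
        if "destination" not in header:
            continue
        col = header.index("destination")
        for row in table[1:]:
            for token in re.split(r"[,\s]+", row[col].lower()) if len(row) > col else []:
                token = token.rstrip(".")
                # A wildcard covers many hosts and has no single IP; report it instead of resolving its bare base
                target = wildcards if token.startswith("*.") else hosts
                if token and token not in target:
                    target.append(token)
    return hosts, wildcards

def resolve_all(hosts, resolver=system_resolver):
    # Map host -> sorted IPv4 list; IPv6 answers are dropped because the firewall rule is IPv4-only
    resolved, failed = {}, []
    for host in hosts:
        try:
            answers = resolver(host)
        except OSError:  # socket.gaierror is a subclass
            failed.append(host)
            continue
        v4 = sorted(a for a in map(ipaddress.ip_address, answers) if a.version == 4)
        resolved[host] = [str(a) for a in v4]
    return resolved, failed

def build_ip_list(html, resolver=system_resolver):
    # Render the one-IPv4-per-line, '#'-comment format that the firewall script consumes
    hosts, wildcards = destination_hosts(html)
    resolved, failed = resolve_all(hosts, resolver)
    lines = ["# Telemetry block list: one IPv4 address per line, '#' starts a comment"]
    lines += [f"# wildcard {w}: no fixed IP, block it at the hosts/DNS layer instead" for w in wildcards]
    lines += [f"# unresolved: {h}" for h in failed]
    seen = set()
    for host, addrs in resolved.items():
        lines.append(f"# {host}")
        for a in addrs:
            if a not in seen:
                seen.add(a)
                lines.append(a)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_ip_list(SAMPLE_HTML, fake_resolver), end="")
```

For real use, feed the saved HTML of the docs page to `build_ip_list` with the default `system_resolver` and write the result to the file the script reads from disk. Wildcard entries and unresolved hosts are reported as comments rather than dropped silently, since those are exactly the endpoints that IP-based blocking cannot cover and that still need the hosts-file or DNS layer mentioned in the description.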