
Windows Firewall - Block all inbound ports and allow only configured ones


I want to block all inbound traffic to a Windows 2008 R2 server and allow only configured ports (with allow rules).

I've created a rule to block all inbound ports and it works, but it has priority over the allow rules.

How can I achieve that?


Solution

  • Windows firewall has the ability to set a "default action" of inbound connections to "Block" or "Allow."

    For your desired configuration, you want to change the default inbound action to "Block" and then add your "Allow" rules.

    WARNING: these changes take effect immediately. If you are connecting remotely, and you do not have the needed allow rules in place, you may lose your ability to connect remotely to this machine.

    You can change the default inbound action to "Block" in 2008R2 by running the following command:

    netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound

    Alternatively, this can also be set in the "Windows Firewall with Advanced Security" snap-in (run wf.msc from cmd.exe): select "Windows Firewall Properties", choose the correct profile tab, and change "Inbound Connections" to "Block".

    NOTE: in the above snap-in instructions, I'm assuming that you understand how to detect which profile (domain, public, or private) is associated with your network. You can open the network and sharing center if you are unsure.
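The whole procedure as a cmd.exe batch script, added here as a worked example (not part of the answer above). It assumes RDP on TCP 3389 is the service you need to keep reachable, that the explicit block-all rule from the question is named "Block all inbound" (placeholder; substitute your own rule name), and that it is run from an elevated prompt.

```batch
@echo off
REM Constructed example for Windows Server 2008 R2 (netsh advfirewall is the
REM native tool there; the NetSecurity PowerShell cmdlets arrived in 2012).
REM Order matters: allow rules go in BEFORE the default action is flipped, so
REM a remote session is not cut off the moment the policy changes.

REM 1. Remove the explicit block-all rule. An explicit Block rule always wins
REM    over Allow rules, which is why it overrode the allow rules in the question.
REM    "Block all inbound" is a placeholder; use the name you gave your rule.
netsh advfirewall firewall delete rule name="Block all inbound" dir=in

REM 2. Add the allow rules for the services that must stay reachable.
REM    RDP on TCP 3389 is the example; add one rule per service you expose.
REM    Restricting to domain and private keeps the rule off public networks.
netsh advfirewall firewall add rule name="Allow RDP inbound" dir=in action=allow protocol=TCP localport=3389 profile=domain,private

REM 3. Only now make "Block" the default inbound action for the active profile.
REM    Anything without an explicit Allow rule is dropped from here on.
netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound

REM 4. Verify: the profile should report "BlockInbound,AllowOutbound" and the
REM    allow rule should be listed as Enabled with Action Allow.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="Allow RDP inbound"
```

Use `set allprofiles` instead of `set currentprofile` if the server moves between networks and you want the same default on every profile.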