- Create new firewall policy.
- Wipe all the rules; thus blocking all traffic (objective 1 met).
* Next we create our SEPM communications policy.
- Choose to "allow connections".
- Choose to "allow all applications" (this can be changed later).
- Choose the destination "only the computer or sites listed below". In this case I would suggest specifying only the SEPM server by IP address.
Why by IP? Because we will be limiting all traffic. Thus NetBIOS traffic on ports 137, 138 and 139 as well as DNS port 53 will be blocked (unless you create rules to allow them, which is going beyond this writing - but will be possible if you follow the steps included).
-- Select "only the communications selected below". (Screenshot above)
-- Click on ADD to create your protocol and port: (Other screenshot above)
--- TCP, local port 8014, remote port 8014 - Direction BOTH.
--- Up to you to choose to log or not.
- Your first rule is created.
* * * * * * * *
You can do the same for all the traffic you deem necessary, always evaluate what you may need.
The last screen capture above shows Incoming or Outgoing or both.
For the rest of your rules, you can specify port ranges or multiple single ports, separated by a comma or a dash; notice there are no spaces between port numbers.
And you choose the direction of traffic, from what you were saying "Inbound only", so that is what you choose in the drop down menu.
And you will have met your second criterion: a segregated, isolated machine.
Hope that helps.
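To make the policy logic in the post concrete, here is an added example (my own code, not Symantec's and not part of the original post) that models a default-deny host firewall as a first-match rule table. It parses port lists in the convention described above (single ports, comma-separated lists, dash ranges, no spaces), encodes rule 1 exactly as written (TCP, local port 8014, remote port 8014, both directions, remote host limited to the SEPM address) plus one constructed inbound-only rule on a port range, and then runs sample packets through it: SEPM traffic on 8014/8014 is allowed, while DNS (53) and NetBIOS (137-139) fall through to the default block because no rule allows them. The SEPM address 192.0.2.10 and the 5000-5010 inbound rule are placeholders I made up; the rule semantics (first match wins, no match means block, local and remote port both have to match) are assumptions of this model.

```python
"""Model of a default-deny host firewall policy (added example, not Symantec code).
Rules are checked first-match; with no match the packet is blocked, which mirrors
a policy whose rule list has been wiped before any allow rules are added."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple


def parse_ports(spec: str) -> Set[int]:
    """Expand a port list such as '8014', '137-139' or '53,137-139' into a set.
    Commas separate entries and a dash gives a range; spaces are rejected,
    matching the no-spaces convention described in the post."""
    if " " in spec:
        raise ValueError(f"port list must not contain spaces: {spec!r}")
    ports: Set[int] = set()
    for entry in spec.split(","):
        lo, _, hi = entry.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port entry: {entry!r}")
        ports.update(range(low, high + 1))
    return ports


@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp" or "udp"
    direction: str     # "inbound" or "outbound"
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "block"
    protocol: Optional[str] = None            # None = any protocol
    direction: str = "both"                   # "inbound", "outbound" or "both"
    remote_hosts: Optional[Set[str]] = None   # None = any remote host
    local_ports: Optional[Set[int]] = None    # None = any local port
    remote_ports: Optional[Set[int]] = None   # None = any remote port

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.remote_hosts is not None:
            # Normalise the address text so "192.0.2.010"-style variants still compare.
            if str(ip_address(pkt.remote_ip)) not in self.remote_hosts:
                return False
        if self.local_ports is not None and pkt.local_port not in self.local_ports:
            return False
        if self.remote_ports is not None and pkt.remote_port not in self.remote_ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule.
    No match means block: that is what a wiped rule list does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default (empty policy blocks everything)"


# Constructed placeholder: the SEPM server address, from the documentation range.
SEPM_SERVER = str(ip_address("192.0.2.10"))

POLICY: List[Rule] = [
    # Rule 1 as described in the post: SEPM communication on TCP 8014, both directions,
    # destination limited to the SEPM server by IP.
    Rule("SEPM comms", "allow", protocol="tcp", direction="both",
         remote_hosts={SEPM_SERVER},
         local_ports=parse_ports("8014"), remote_ports=parse_ports("8014")),
    # A constructed inbound-only rule using a port range, in the post's syntax.
    Rule("inbound app", "allow", protocol="tcp", direction="inbound",
         local_ports=parse_ports("5000-5010")),
]


def decide(protocol: str, direction: str, remote_ip: str,
           remote_port: int, local_port: int) -> Tuple[str, str]:
    """Convenience wrapper: evaluate one packet against POLICY."""
    return evaluate(POLICY, Packet(protocol, direction, remote_ip, remote_port, local_port))


if __name__ == "__main__":
    samples = [
        ("tcp", "outbound", SEPM_SERVER, 8014, 8014),    # SEPM heartbeat, as the rule is written
        ("tcp", "outbound", "198.51.100.7", 8014, 8014),  # 8014 to a non-SEPM host
        ("udp", "outbound", "192.0.2.1", 53, 51000),      # DNS: no rule, blocked
        ("udp", "inbound", "192.0.2.55", 137, 137),       # NetBIOS: no rule, blocked
        ("tcp", "inbound", "198.51.100.7", 40000, 5005),  # inbound-only rule matches
        ("tcp", "outbound", "198.51.100.7", 40000, 5005), # same ports, wrong direction
    ]
    for s in samples:
        action, why = decide(*s)
        print(f"{s[0]:3} {s[1]:8} {s[2]:>14}:{s[3]:<5} -> local {s[4]:<5} {action:5} ({why})")
```

Running the block prints one decision per sample packet. Note that because rule 1 pins both the local and the remote port to 8014, a packet to the SEPM server from any other local port falls through to the default block in this model; it is worth checking the local port a real client actually uses before relying on a rule written that tightly.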