Move and fixup baseline rules

24 files changed, 270 insertions, 268 deletions

diff --git a/windows/winfw/src/winfw/rules/blockall.cpp b/windows/winfw/src/winfw/rules/baseline/blockall.cpp
index 7695ece765..ef5c82a0df 100644
--- a/windows/winfw/src/winfw/rules/blockall.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/blockall.cpp
@@ -1,10 +1,10 @@
 #include "stdafx.h"
 #include "blockall.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/nullconditionbuilder.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/nullconditionbuilder.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 bool BlockAll::apply(IObjectInstaller &objectInstaller)
@@ -12,16 +12,16 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 block outbound connections, ipv4
+	// #1 Block outbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterBlockAll_Outbound_Ipv4())
+		.key(MullvadGuids::Filter_Baseline_BlockAll_Outbound_Ipv4())
 		.name(L"Block all outbound connections (IPv4)")
 		.description(L"This filter is part of a rule that restricts inbound and outbound traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Min)
 		.block();
 
@@ -33,11 +33,11 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #2 block inbound connections, ipv4
+	// #2 Block inbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterBlockAll_Inbound_Ipv4())
+		.key(MullvadGuids::Filter_Baseline_BlockAll_Inbound_Ipv4())
 		.name(L"Block all inbound connections (IPv4)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
 
@@ -47,11 +47,11 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #3 block outbound connections, ipv6
+	// #3 Block outbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterBlockAll_Outbound_Ipv6())
+		.key(MullvadGuids::Filter_Baseline_BlockAll_Outbound_Ipv6())
 		.name(L"Block all outbound connections (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
@@ -61,11 +61,11 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #4 block inbound connections, ipv6
+	// #4 Block inbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterBlockAll_Inbound_Ipv6())
+		.key(MullvadGuids::Filter_Baseline_BlockAll_Inbound_Ipv6())
 		.name(L"Block all inbound connections (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
diff --git a/windows/winfw/src/winfw/rules/blockall.h b/windows/winfw/src/winfw/rules/baseline/blockall.h
index c60c43fa1d..23d5a0b1d2 100644
--- a/windows/winfw/src/winfw/rules/blockall.h
+++ b/windows/winfw/src/winfw/rules/baseline/blockall.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class BlockAll : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitdhcp.cpp b/windows/winfw/src/winfw/rules/baseline/permitdhcp.cpp
index d2d7292746..c067ac48e9 100644
--- a/windows/winfw/src/winfw/rules/permitdhcp.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitdhcp.cpp
@@ -1,17 +1,17 @@
 #include "stdafx.h"
 #include "permitdhcp.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/ipaddress.h"
-#include "libwfp/ipnetwork.h"
-#include "libwfp/conditions/conditionprotocol.h"
-#include "libwfp/conditions/conditionport.h"
-#include "libwfp/conditions/conditionip.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/ipaddress.h>
+#include <libwfp/ipnetwork.h>
+#include <libwfp/conditions/conditionprotocol.h>
+#include <libwfp/conditions/conditionport.h>
+#include <libwfp/conditions/conditionip.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 namespace
@@ -41,16 +41,16 @@ bool PermitDhcp::applyIpv4(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit outbound DHCPv4 request
+	// #1 Permit outbound DHCPv4 requests.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv4())
-		.name(L"Permit outbound DHCP request (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcp_Outbound_Request_Ipv4())
+		.name(L"Permit outbound DHCP requests (IPv4)")
 		.description(L"This filter is part of a rule that permits DHCP client traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -69,12 +69,12 @@ bool PermitDhcp::applyIpv4(IObjectInstaller &objectInstaller) const
 	}
 
 	//
-	// #2 permit inbound DHCPv4 response
+	// #2 Permit inbound DHCPv4 responses.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv4())
-		.name(L"Permit inbound DHCP response (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcp_Inbound_Response_Ipv4())
+		.name(L"Permit inbound DHCP responses (IPv4)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
 
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
@@ -93,12 +93,12 @@ bool PermitDhcp::applyIpv6(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit outbound DHCPv6 request
+	// #1 Permit outbound DHCPv6 requests.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv6())
-		.name(L"Permit outbound DHCP request (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcp_Outbound_Request_Ipv6())
+		.name(L"Permit outbound DHCP requests (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
 	{
@@ -121,12 +121,12 @@ bool PermitDhcp::applyIpv6(IObjectInstaller &objectInstaller) const
 	}
 
 	//
-	// #2 permit inbound DHCPv6 response
+	// #2 Permit inbound DHCPv6 responses.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv6())
-		.name(L"Permit inbound DHCP response (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcp_Inbound_Response_Ipv6())
+		.name(L"Permit inbound DHCP responses (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
diff --git a/windows/winfw/src/winfw/rules/permitdhcp.h b/windows/winfw/src/winfw/rules/baseline/permitdhcp.h
index 5500829c0c..0e635bc184 100644
--- a/windows/winfw/src/winfw/rules/permitdhcp.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitdhcp.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitDhcp : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.cpp b/windows/winfw/src/winfw/rules/baseline/permitdhcpserver.cpp
index 2c765ecdea..1c5702f08a 100644
--- a/windows/winfw/src/winfw/rules/permitdhcpserver.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitdhcpserver.cpp
@@ -1,17 +1,17 @@
 #include "stdafx.h"
 #include "permitdhcpserver.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/ipaddress.h"
-#include "libwfp/conditions/conditionprotocol.h"
-#include "libwfp/conditions/conditionport.h"
-#include "libwfp/conditions/conditionip.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/ipaddress.h>
+#include <libwfp/conditions/conditionprotocol.h>
+#include <libwfp/conditions/conditionport.h>
+#include <libwfp/conditions/conditionip.h>
 #include <libcommon/error.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 namespace
@@ -41,18 +41,18 @@ bool PermitDhcpServer::apply(IObjectInstaller &objectInstaller)
 bool PermitDhcpServer::applyIpv4(IObjectInstaller &objectInstaller) const
 {
 	//
-	// #1 permit incoming DHCPv4 request
+	// #1 Permit inbound DHCPv4 requests.
 	//
 
 	wfp::FilterBuilder filterBuilder;
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcpServer_Inbound_Request_Ipv4())
-		.name(L"Permit inbound DHCP request (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcpServer_Inbound_Request_Ipv4())
+		.name(L"Permit inbound DHCP requests (IPv4)")
 		.description(L"This filter is part of a rule that permits DHCP server traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -71,12 +71,12 @@ bool PermitDhcpServer::applyIpv4(IObjectInstaller &objectInstaller) const
 	}
 
 	//
-	// #2 permit outbound DHCPv4 response
+	// #2 Permit outbound DHCPv4 responses.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitDhcpServer_Outbound_Response_Ipv4())
-		.name(L"Permit outbound DHCP response (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitDhcpServer_Outbound_Response_Ipv4())
+		.name(L"Permit outbound DHCP responses (IPv4)")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
 
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.h b/windows/winfw/src/winfw/rules/baseline/permitdhcpserver.h
index 93879b21a7..14ccfcd9f7 100644
--- a/windows/winfw/src/winfw/rules/permitdhcpserver.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitdhcpserver.h
@@ -1,9 +1,9 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 #include <memory>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitDhcpServer : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index e973bf29d8..b9a24cf038 100644
--- a/windows/winfw/src/winfw/rules/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
@@ -1,15 +1,15 @@
 #include "stdafx.h"
 #include "permitlan.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/ipaddress.h"
-#include "libwfp/ipnetwork.h"
-#include "libwfp/conditions/conditionip.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/ipaddress.h>
+#include <libwfp/ipnetwork.h>
+#include <libwfp/conditions/conditionip.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 bool PermitLan::apply(IObjectInstaller &objectInstaller)
@@ -22,16 +22,16 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 locally-initiated traffic
+	// #1 Permit outbound connections on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLan_Outbound_Ipv4())
-		.name(L"Permit outbound LAN traffic (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitLan_Outbound_Ipv4())
+		.name(L"Permit outbound connections on LAN (IPv4)")
 		.description(L"This filter is part of a rule that permits LAN traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -48,12 +48,12 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const
 	}
 
 	//
-	// #2 LAN to multicast
+	// #2 Permit outbound multicast on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv4())
-		.name(L"Permit outbound LAN multicast traffic (IPv4)");
+		.key(MullvadGuids::Filter_Baseline_PermitLan_Outbound_Multicast_Ipv4())
+		.name(L"Permit outbound multicast on LAN (IPv4)");
 
 	conditionBuilder.reset();
 
@@ -74,16 +74,16 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 locally-initiated traffic
+	// #1 Permit outbound connections on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLan_Outbound_Ipv6())
-		.name(L"Permit outbound LAN traffic (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitLan_Outbound_Ipv6())
+		.name(L"Permit outbound connections on LAN (IPv6)")
 		.description(L"This filter is part of a rule that permits LAN traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -99,12 +99,12 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
 	}
 
 	//
-	// #2 LAN to multicast
+	// #2 Permit outbound multicast on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv6())
-		.name(L"Permit outbound LAN multicast traffic (IPv6)");
+		.key(MullvadGuids::Filter_Baseline_PermitLan_Outbound_Multicast_Ipv6())
+		.name(L"Permit outbound multicast on LAN (IPv6)");
 
 	conditionBuilder.reset();
 
diff --git a/windows/winfw/src/winfw/rules/permitlan.h b/windows/winfw/src/winfw/rules/baseline/permitlan.h
index 7eb52a4956..e37814c6f6 100644
--- a/windows/winfw/src/winfw/rules/permitlan.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitLan : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitlanservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
index 516aa3fcd7..7534e08462 100644
--- a/windows/winfw/src/winfw/rules/permitlanservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
@@ -1,15 +1,15 @@
 #include "stdafx.h"
 #include "permitlanservice.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/ipaddress.h"
-#include "libwfp/ipnetwork.h"
-#include "libwfp/conditions/conditionip.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/ipaddress.h>
+#include <libwfp/ipnetwork.h>
+#include <libwfp/conditions/conditionip.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 bool PermitLanService::apply(IObjectInstaller &objectInstaller)
@@ -22,16 +22,16 @@ bool PermitLanService::applyIpv4(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 incoming request
+	// #1 Permit inbound connections on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLanService_Inbound_Ipv4())
-		.name(L"Permit inbound LAN traffic (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitLanService_Inbound_Ipv4())
+		.name(L"Permit inbound connections on LAN (IPv4)")
 		.description(L"This filter is part of a rule that permits hosting services in a LAN environment")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -50,16 +50,16 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 incoming request
+	// #1 Permit inbound connections on LAN.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLanService_Inbound_Ipv6())
-		.name(L"Permit inbound LAN traffic (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitLanService_Inbound_Ipv6())
+		.name(L"Permit inbound connections on LAN (IPv6)")
 		.description(L"This filter is part of a rule that permits hosting services in a LAN environment")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
diff --git a/windows/winfw/src/winfw/rules/permitlanservice.h b/windows/winfw/src/winfw/rules/baseline/permitlanservice.h
index a99a71a25b..800ed83d4b 100644
--- a/windows/winfw/src/winfw/rules/permitlanservice.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitlanservice.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitLanService : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitloopback.cpp b/windows/winfw/src/winfw/rules/baseline/permitloopback.cpp
index 99ee977b86..123bed4b42 100644
--- a/windows/winfw/src/winfw/rules/permitloopback.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitloopback.cpp
@@ -1,13 +1,13 @@
 #include "stdafx.h"
 #include "permitloopback.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditionloopback.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditionloopback.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
@@ -15,16 +15,16 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit outbound connections, ipv4
+	// #1 Permit outbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLoopback_Outbound_Ipv4())
-		.name(L"Permit outbound on loopback (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitLoopback_Outbound_Ipv4())
+		.name(L"Permit outbound connections on loopback (IPv4)")
 		.description(L"This filter is part of a rule that permits all loopback traffic")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -40,12 +40,12 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #2 permit inbound connections, ipv4
+	// #2 Permit inbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLoopback_Inbound_Ipv4())
-		.name(L"Permit inbound on loopback (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitLoopback_Inbound_Ipv4())
+		.name(L"Permit inbound connections on loopback (IPv4)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
 
 	{
@@ -60,12 +60,12 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #3 permit outbound connections, ipv6
+	// #3 Permit outbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLoopback_Outbound_Ipv6())
-		.name(L"Permit outbound on loopback (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitLoopback_Outbound_Ipv6())
+		.name(L"Permit outbound connections on loopback (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
 	{
@@ -80,12 +80,12 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #4 permit inbound connections, ipv6
+	// #4 Permit inbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitLoopback_Inbound_Ipv6())
-		.name(L"Permit inbound on loopback (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitLoopback_Inbound_Ipv6())
+		.name(L"Permit inbound connections on loopback (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
diff --git a/windows/winfw/src/winfw/rules/permitloopback.h b/windows/winfw/src/winfw/rules/baseline/permitloopback.h
index 71694c353d..4fb2eace2f 100644
--- a/windows/winfw/src/winfw/rules/permitloopback.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitloopback.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitLoopback : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitndp.cpp b/windows/winfw/src/winfw/rules/baseline/permitndp.cpp
index 2aca5d0d1b..52e6ec4693 100644
--- a/windows/winfw/src/winfw/rules/permitndp.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitndp.cpp
@@ -1,17 +1,17 @@
 #include "stdafx.h"
 #include "permitndp.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/ipaddress.h"
-#include "libwfp/ipnetwork.h"
-#include "libwfp/conditions/conditionprotocol.h"
-#include "libwfp/conditions/conditionicmp.h"
-#include "libwfp/conditions/conditionip.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/ipaddress.h>
+#include <libwfp/ipnetwork.h>
+#include <libwfp/conditions/conditionprotocol.h>
+#include <libwfp/conditions/conditionicmp.h>
+#include <libwfp/conditions/conditionip.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 bool PermitNdp::apply(IObjectInstaller &objectInstaller)
@@ -22,11 +22,11 @@ bool PermitNdp::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit outbound router solicitation
+	// #1 Permit outbound router solicitation.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitNdp_Outbound_Router_Solicitation())
+		.key(MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Router_Solicitation())
 		.name(L"Permit outbound NDP router solicitation")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
@@ -45,11 +45,11 @@ bool PermitNdp::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #2 permit inbound router advertisement
+	// #2 Permit inbound router advertisement.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitNdp_Inbound_Router_Advertisement())
+		.key(MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Router_Advertisement())
 		.name(L"Permit inbound NDP router advertisement")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
@@ -68,11 +68,11 @@ bool PermitNdp::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #3 permit inbound redirect message
+	// #3 Permit inbound redirect message.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitNdp_Inbound_Redirect())
+		.key(MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Redirect())
 		.name(L"Permit inbound NDP redirect")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
diff --git a/windows/winfw/src/winfw/rules/permitndp.h b/windows/winfw/src/winfw/rules/baseline/permitndp.h
index ebd53b62c2..fbe1c66862 100644
--- a/windows/winfw/src/winfw/rules/permitndp.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitndp.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitNdp : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitping.cpp b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
index f6aed36bf2..0fb388a953 100644
--- a/windows/winfw/src/winfw/rules/permitping.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
@@ -1,24 +1,23 @@
 #include "stdafx.h"
 #include "permitping.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditionip.h"
-#include "libwfp/conditions/conditioninterface.h"
-#include "libwfp/conditions/conditionprotocol.h"
-
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditionip.h>
+#include <libwfp/conditions/conditioninterface.h>
+#include <libwfp/conditions/conditionprotocol.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 PermitPing::PermitPing
 (
-	const std::optional<std::wstring> &interfaceAlias,
+	std::optional<std::wstring> interfaceAlias,
 	const wfp::IpAddress &host
 )
-	: m_interfaceAlias(interfaceAlias)
+	: m_interfaceAlias(std::move(interfaceAlias))
 	, m_host(host)
 {
 }
@@ -38,16 +37,16 @@ bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 Permit outbound ICMPv4 to %host% on %interface%
+	// #1 Permit outbound ICMPv4 to %host% on %interface%.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitPing_Outbound_Icmpv4())
+		.key(MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv4())
 		.name(L"Permit outbound ICMP to specific host (ICMPv4)")
 		.description(L"This filter is part of a rule that permits ping")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -69,16 +68,16 @@ bool PermitPing::applyIcmpv6(IObjectInstaller &objectInstaller) const
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 Permit outbound ICMPv6 to %host% on %interface%
+	// #1 Permit outbound ICMPv6 to %host% on %interface%.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitPing_Outbound_Icmpv6())
+		.key(MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv6())
 		.name(L"Permit outbound ICMP to specific host (ICMPv6)")
 		.description(L"This filter is part of a rule that permits ping")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
diff --git a/windows/winfw/src/winfw/rules/permitping.h b/windows/winfw/src/winfw/rules/baseline/permitping.h
index c8238ceaa8..b7747296f7 100644
--- a/windows/winfw/src/winfw/rules/permitping.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.h
@@ -1,18 +1,18 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 #include <libwfp/ipaddress.h>
 #include <string>
 #include <optional>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitPing : public IFirewallRule
 {
 public:
 
-	PermitPing(const std::optional<std::wstring> &interfaceAlias, const wfp::IpAddress &host);
+	PermitPing(std::optional<std::wstring> interfaceAlias, const wfp::IpAddress &host);
 
 	bool apply(IObjectInstaller &objectInstaller) override;
 
diff --git a/windows/winfw/src/winfw/rules/permitvpnrelay.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.cpp
index 2c59c0ab99..daa21c3e35 100644
--- a/windows/winfw/src/winfw/rules/permitvpnrelay.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.cpp
@@ -1,16 +1,16 @@
 #include "stdafx.h"
 #include "permitvpnrelay.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditionprotocol.h"
-#include "libwfp/conditions/conditionip.h"
-#include "libwfp/conditions/conditionport.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditionprotocol.h>
+#include <libwfp/conditions/conditionip.h>
+#include <libwfp/conditions/conditionport.h>
 #include <libcommon/error.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 namespace
@@ -56,16 +56,16 @@ bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit connecting to relay
+	// #1 Permit outbound connections to relay.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitVpnRelay())
+		.key(MullvadGuids::Filter_Baseline_PermitVpnRelay())
 		.name(L"Permit outbound connections to VPN relay")
 		.description(L"This filter is part of a rule that permits communication with a VPN relay")
 		.provider(MullvadGuids::Provider())
 		.layer(LayerFromIp(m_relay))
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
diff --git a/windows/winfw/src/winfw/rules/permitvpnrelay.h b/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h
index c5ae8b024a..8dd2c630f4 100644
--- a/windows/winfw/src/winfw/rules/permitvpnrelay.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h
@@ -1,9 +1,9 @@
 #pragma once
 
-#include "ifirewallrule.h"
-#include "libwfp/ipaddress.h"
+#include <winfw/rules/ifirewallrule.h>
+#include <libwfp/ipaddress.h>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitVpnRelay : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
index e21a99c04d..c09f7b631c 100644
--- a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
@@ -1,13 +1,13 @@
 #include "stdafx.h"
 #include "permitvpntunnel.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditioninterface.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditioninterface.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 PermitVpnTunnel::PermitVpnTunnel(const std::wstring &tunnelInterfaceAlias)
@@ -20,16 +20,16 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 permit locally-initiated traffic on tunnel interface, ipv4
+	// #1 Permit outbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv4())
-		.name(L"Permit outbound on tunnel interface (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4())
+		.name(L"Permit outbound connections on tunnel interface (IPv4)")
 		.description(L"This filter is part of a rule that permits communications inside the VPN tunnel")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -45,12 +45,12 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #2 permit locally-initiated traffic on tunnel interface, ipv6
+	// #2 Permit outbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv6())
-		.name(L"Permit outbound on tunnel interface (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6())
+		.name(L"Permit outbound connections on tunnel interface (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnel.h b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h
index 49c1b028ab..9c9a7b14c1 100644
--- a/windows/winfw/src/winfw/rules/permitvpntunnel.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h
@@ -1,9 +1,9 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 #include <string>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitVpnTunnel : public IFirewallRule
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
index bbdf9a6e2b..d24830db8f 100644
--- a/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
@@ -1,13 +1,13 @@
 #include "stdafx.h"
 #include "permitvpntunnelservice.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditioninterface.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditioninterface.h>
 
 using namespace wfp::conditions;
 
-namespace rules
+namespace rules::baseline
 {
 
 PermitVpnTunnelService::PermitVpnTunnelService(const std::wstring &tunnelInterfaceAlias)
@@ -20,16 +20,16 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
 	wfp::FilterBuilder filterBuilder;
 
 	//
-	// #1 incoming request on Ipv4
+	// #1 Permit inbound connections, IPv4.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitVpnTunnelService_Ipv4())
-		.name(L"Permit inbound on tunnel interface (IPv4)")
+		.key(MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4())
+		.name(L"Permit inbound connections on tunnel interface (IPv4)")
 		.description(L"This filter is part of a rule that permits hosting services that listen on the tunnel interface")
 		.provider(MullvadGuids::Provider())
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
-		.sublayer(MullvadGuids::SublayerWhitelist())
+		.sublayer(MullvadGuids::SublayerBaseline())
 		.weight(wfp::FilterBuilder::WeightClass::Max)
 		.permit();
 
@@ -43,12 +43,12 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
 	}
 
 	//
-	// #2 incoming request on IPv6
+	// #2 Permit inbound connections, IPv6.
 	//
 
 	filterBuilder
-		.key(MullvadGuids::FilterPermitVpnTunnelService_Ipv6())
-		.name(L"Permit inbound on tunnel interface (IPv6)")
+		.key(MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6())
+		.name(L"Permit inbound connections on tunnel interface (IPv6)")
 		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
 	conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnelservice.h b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h
index adec88658b..8880c06328 100644
--- a/windows/winfw/src/winfw/rules/permitvpntunnelservice.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h
@@ -1,9 +1,9 @@
 #pragma once
 
-#include "ifirewallrule.h"
+#include <winfw/rules/ifirewallrule.h>
 #include <string>
 
-namespace rules
+namespace rules::baseline
 {
 
 class PermitVpnTunnelService : public IFirewallRule
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index 15da42ec0f..b2ba603aee 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -23,17 +23,17 @@
     <ClCompile Include="mullvadguids.cpp" />
     <ClCompile Include="mullvadobjects.cpp" />
     <ClCompile Include="objectpurger.cpp" />
-    <ClCompile Include="rules\blockall.cpp" />
-    <ClCompile Include="rules\permitdhcp.cpp" />
-    <ClCompile Include="rules\permitdhcpserver.cpp" />
-    <ClCompile Include="rules\permitlan.cpp" />
-    <ClCompile Include="rules\permitlanservice.cpp" />
-    <ClCompile Include="rules\permitloopback.cpp" />
-    <ClCompile Include="rules\permitndp.cpp" />
-    <ClCompile Include="rules\permitping.cpp" />
-    <ClCompile Include="rules\permitvpntunnelservice.cpp" />
-    <ClCompile Include="rules\permitvpnrelay.cpp" />
-    <ClCompile Include="rules\permitvpntunnel.cpp" />
+    <ClCompile Include="rules\baseline\blockall.cpp" />
+    <ClCompile Include="rules\baseline\permitdhcp.cpp" />
+    <ClCompile Include="rules\baseline\permitdhcpserver.cpp" />
+    <ClCompile Include="rules\baseline\permitlan.cpp" />
+    <ClCompile Include="rules\baseline\permitlanservice.cpp" />
+    <ClCompile Include="rules\baseline\permitloopback.cpp" />
+    <ClCompile Include="rules\baseline\permitndp.cpp" />
+    <ClCompile Include="rules\baseline\permitping.cpp" />
+    <ClCompile Include="rules\baseline\permitvpnrelay.cpp" />
+    <ClCompile Include="rules\baseline\permitvpntunnel.cpp" />
+    <ClCompile Include="rules\baseline\permitvpntunnelservice.cpp" />
     <ClCompile Include="rules\restrictdns.cpp" />
     <ClCompile Include="sessioncontroller.cpp" />
     <ClCompile Include="sessionrecord.cpp" />
@@ -52,19 +52,19 @@
     <ClInclude Include="mullvadguids.h" />
     <ClInclude Include="mullvadobjects.h" />
     <ClInclude Include="objectpurger.h" />
-    <ClInclude Include="rules\permitdhcpserver.h" />
-    <ClInclude Include="rules\permitndp.h" />
-    <ClInclude Include="rules\permitping.h" />
+    <ClInclude Include="rules\baseline\blockall.h" />
+    <ClInclude Include="rules\baseline\permitdhcp.h" />
+    <ClInclude Include="rules\baseline\permitdhcpserver.h" />
+    <ClInclude Include="rules\baseline\permitlan.h" />
+    <ClInclude Include="rules\baseline\permitlanservice.h" />
+    <ClInclude Include="rules\baseline\permitloopback.h" />
+    <ClInclude Include="rules\baseline\permitndp.h" />
+    <ClInclude Include="rules\baseline\permitping.h" />
+    <ClInclude Include="rules\baseline\permitvpnrelay.h" />
+    <ClInclude Include="rules\baseline\permitvpntunnel.h" />
+    <ClInclude Include="rules\baseline\permitvpntunnelservice.h" />
     <ClInclude Include="wfpobjecttype.h" />
-    <ClInclude Include="rules\blockall.h" />
     <ClInclude Include="rules\ifirewallrule.h" />
-    <ClInclude Include="rules\permitdhcp.h" />
-    <ClInclude Include="rules\permitlan.h" />
-    <ClInclude Include="rules\permitlanservice.h" />
-    <ClInclude Include="rules\permitloopback.h" />
-    <ClInclude Include="rules\permitvpntunnelservice.h" />
-    <ClInclude Include="rules\permitvpnrelay.h" />
-    <ClInclude Include="rules\permitvpntunnel.h" />
     <ClInclude Include="rules\restrictdns.h" />
     <ClInclude Include="sessioncontroller.h" />
     <ClInclude Include="sessionrecord.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index a758a1c9ec..9c5fed6328 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -8,43 +8,43 @@
     <ClCompile Include="sessioncontroller.cpp" />
     <ClCompile Include="mullvadguids.cpp" />
     <ClCompile Include="mullvadobjects.cpp" />
-    <ClCompile Include="rules\permitlan.cpp">
+    <ClCompile Include="sessionrecord.cpp" />
+    <ClCompile Include="rules\restrictdns.cpp">
       <Filter>rules</Filter>
     </ClCompile>
-    <ClCompile Include="rules\blockall.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="objectpurger.cpp" />
+    <ClCompile Include="rules\baseline\blockall.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitlanservice.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitdhcp.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitloopback.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitdhcpserver.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitdhcp.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitlan.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitvpnrelay.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitlanservice.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitvpntunnel.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitloopback.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="sessionrecord.cpp" />
-    <ClCompile Include="rules\restrictdns.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitndp.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitvpntunnelservice.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitping.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="objectpurger.cpp" />
-    <ClCompile Include="rules\permitdhcpserver.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitvpnrelay.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitndp.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitvpntunnel.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
-    <ClCompile Include="rules\permitping.cpp">
-      <Filter>rules</Filter>
+    <ClCompile Include="rules\baseline\permitvpntunnelservice.cpp">
+      <Filter>rules\baseline</Filter>
     </ClCompile>
   </ItemGroup>
   <ItemGroup>
@@ -58,52 +58,55 @@
     <ClInclude Include="rules\ifirewallrule.h">
       <Filter>rules</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitlan.h">
-      <Filter>rules</Filter>
-    </ClInclude>
     <ClInclude Include="iobjectinstaller.h" />
-    <ClInclude Include="rules\blockall.h">
+    <ClInclude Include="sessionrecord.h" />
+    <ClInclude Include="rules\restrictdns.h">
       <Filter>rules</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitlanservice.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="wfpobjecttype.h" />
+    <ClInclude Include="guidhash.h" />
+    <ClInclude Include="objectpurger.h" />
+    <ClInclude Include="rules\baseline\blockall.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitloopback.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitdhcp.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitdhcp.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitdhcpserver.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitvpnrelay.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitlan.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitvpntunnel.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitlanservice.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="sessionrecord.h" />
-    <ClInclude Include="rules\restrictdns.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitloopback.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitvpntunnelservice.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitndp.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="wfpobjecttype.h" />
-    <ClInclude Include="guidhash.h" />
-    <ClInclude Include="objectpurger.h" />
-    <ClInclude Include="rules\permitdhcpserver.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitping.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitndp.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitvpnrelay.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
-    <ClInclude Include="rules\permitping.h">
-      <Filter>rules</Filter>
+    <ClInclude Include="rules\baseline\permitvpntunnel.h">
+      <Filter>rules\baseline</Filter>
+    </ClInclude>
+    <ClInclude Include="rules\baseline\permitvpntunnelservice.h">
+      <Filter>rules\baseline</Filter>
     </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="rules">
       <UniqueIdentifier>{3639a3ba-599e-400c-918b-8869654cdc1f}</UniqueIdentifier>
     </Filter>
+    <Filter Include="rules\baseline">
+      <UniqueIdentifier>{6f15853c-ccbb-49c0-98ec-add205bc5c2f}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <None Include="winfw.def" />