diff --git a/codex-rs/windows-sandbox-rs/src/firewall.rs b/codex-rs/windows-sandbox-rs/src/firewall.rs
index c0caa165fc..45cd215b88 100644
--- a/codex-rs/windows-sandbox-rs/src/firewall.rs
+++ b/codex-rs/windows-sandbox-rs/src/firewall.rs
@@ -317,14 +317,16 @@ fn configure_rule(rule: &INetFwRule3, spec: &BlockRuleSpec<'_>) -> Result<()> {
                     format!("SetRemoteAddresses failed: {err:?}"),
                 ))
             })?;
-        let remote_ports = spec.remote_ports.unwrap_or("*");
-        rule.SetRemotePorts(&BSTR::from(remote_ports))
-            .map_err(|err| {
-                anyhow::Error::new(SetupFailure::new(
-                    SetupErrorCode::HelperFirewallRuleCreateOrAddFailed,
-                    format!("SetRemotePorts failed: {err:?}"),
-                ))
-            })?;
+        if should_set_remote_ports(spec.protocol, spec.remote_ports) {
+            let remote_ports = spec.remote_ports.unwrap_or("*");
+            rule.SetRemotePorts(&BSTR::from(remote_ports))
+                .map_err(|err| {
+                    anyhow::Error::new(SetupFailure::new(
+                        SetupErrorCode::HelperFirewallRuleCreateOrAddFailed,
+                        format!("SetRemotePorts failed: {err:?}"),
+                    ))
+                })?;
+        }
         rule.SetLocalUserAuthorizedList(&BSTR::from(spec.local_user_spec))
             .map_err(|err| {
                 anyhow::Error::new(SetupFailure::new(
@@ -354,6 +356,10 @@ fn configure_rule(rule: &INetFwRule3, spec: &BlockRuleSpec<'_>) -> Result<()> {
     Ok(())
 }
 
+fn should_set_remote_ports(protocol: i32, remote_ports: Option<&str>) -> bool {
+    remote_ports.is_some() || protocol != NET_FW_IP_PROTOCOL_ANY.0
+}
+
 fn blocked_loopback_tcp_remote_ports(proxy_ports: &[u16]) -> Option<String> {
     let mut allowed_ports = proxy_ports
         .iter()
@@ -400,3 +406,20 @@ fn log_line(log: &mut File, msg: &str) -> Result<()> {
     writeln!(log, "[{ts}] {msg}")?;
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::should_set_remote_ports;
+    use windows::Win32::NetworkManagement::WindowsFirewall::NET_FW_IP_PROTOCOL_ANY;
+    use windows::Win32::NetworkManagement::WindowsFirewall::NET_FW_IP_PROTOCOL_TCP;
+
+    #[test]
+    fn remote_ports_are_skipped_for_any_protocol_without_port_filter() {
+        assert!(!should_set_remote_ports(NET_FW_IP_PROTOCOL_ANY.0, None));
+        assert!(should_set_remote_ports(
+            NET_FW_IP_PROTOCOL_ANY.0,
+            Some("1-65535")
+        ));
+        assert!(should_set_remote_ports(NET_FW_IP_PROTOCOL_TCP.0, None));
+    }
+}