Block individual ports.

Hi, how do I set up a rule to block individual ports that are not associated with an executable?

To rephrase, how do I block all traffic on a specific port or port range for any executable?

My second question is that I see in my firewall policy list that there is something known simply as “System”.
I know it's used for DHCP because when I blocked it I was no longer able to be assigned an IP.
I know how to edit the rule, but what kind of rule should I set up to make it safe? Preferably so it only communicates with my subnet.

Yes, I know I'm behind a router, but I would still like to set a specific rule for peace of mind.