Controlling Windows IPsec security policy from the command line with netsh

Export an IP security policy: netsh ipsec static exportpolicy file=d:\MyIPSec.ipsec

Import an IP security policy (the file name must match the exported one): netsh ipsec static importpolicy file=d:\MyIPSec.ipsec

Adding ports in bulk with the IPsec command line on Windows 2003
I wanted to add ports in bulk and this was the only way to do it; the following is based on the Windows 2003 help.

Add a security policy and give it a name:
netsh ipsec static add policy name=我的安全策略

Add the IP filter lists (one for permitted traffic, one for denied traffic):
netsh ipsec static add filterlist name=允许列表
netsh ipsec static add filterlist name=拒绝列表

Add filters to the "allow" filter list (permit outbound web and DNS access; mirrored=yes also matches the reply packets):
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=web访问 protocol=tcp mirrored=yes dstport=80
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=tcp mirrored=yes dstport=53
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yes dstport=53

Add filters to the "deny" filter list (block all other inbound and outbound traffic):
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我任何访问 protocol=any mirrored=yes
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=me dstaddr=any description=我到任何访问 protocol=any mirrored=yes

Add the filter actions (one permit, one block):
netsh ipsec static add filteraction name=可以 action=permit
netsh ipsec static add filteraction name=不可以 action=block


Create the rules that tie the IPsec policy, a filter list and a filter action together (this adds the rules to the policy 我的安全策略):
netsh ipsec static add rule name=允许规则 policy=我的安全策略 filterlist=允许列表 filteraction=可以
netsh ipsec static add rule name=拒绝规则 policy=我的安全策略 filterlist=拒绝列表 filteraction=不可以

Assign (activate) the policy; nothing is enforced until this step:
netsh ipsec static set policy name=我的安全策略 assign=y

To summarize the hierarchy: a policy contains rules; each rule binds one filterlist (a set of filters) to one filteraction (permit or block).

Create the policy

netsh ipsec static add policy name="My Policy" description="Port accessed policy."

Create two filter lists

netsh ipsec static add filterlist name="Trust" description="Permit accessed rules."

netsh ipsec static add filterlist name="Distrust" description="Block accessed rules."

Create the filters for each filter list

netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=udp mirrored=yes description="Permit Any UDP(53) accessed Me UDP(All) ports."

netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(53) accessed Me TCP(all) ports."

netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=80 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(80) accessed Me TCP(all) ports."

netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=80 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(80) ports."

netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=3389 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(3389) ports."

netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=tcp mirrored=no description="Block Any TCP(all) accessed Me TCP(all) ports."

netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=udp mirrored=no description="Block Any(all) accessed Me UDP(all) ports."

Create the filter actions

netsh ipsec static add filteraction name="Permit" action=permit

netsh ipsec static add filteraction name="Block" action=block

Associate each filter list with a filter action through a rule

netsh ipsec static add rule name="Trusted rules" policy="My Policy" filterlist="Trust" filteraction="Permit"

netsh ipsec static add rule name="Distrust rules" policy="My Policy" filterlist="Distrust" filteraction="Block"

Assign and unassign the policy (assign=n is the quickest rollback if the policy locks you out)

netsh ipsec static set policy name="My Policy" assign=y

netsh ipsec static set policy name="My Policy" assign=n
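The same build, as an added batch script that is not part of the original post, looping over a port list so that new ports are added in one place (the author's stated goal). The policy, list and action names and the port lists are this script's assumptions; it keeps the page's "block everything inbound, permit specific ports" layout but uses mirrored per-port permits instead of the source-port permits above.

```batch
@echo off
rem Added example, not from the original post. Names and ports are assumptions.
setlocal
set "POLICY=LockDown"
set "TCP_PORTS=80 443 3389"
set "UDP_PORTS=53"

rem Policy, filter lists and filter actions (same objects as in the post).
netsh ipsec static add policy name="%POLICY%" description="Per-port permit, block all other inbound"
netsh ipsec static add filterlist name="Trust" description="Permitted inbound ports"
netsh ipsec static add filterlist name="Distrust" description="Catch-all inbound block"
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem One filter per port. mirrored=yes also matches the reply packets (me -> any
rem from that port), so no "any source port 53/80 to every local port" permit is needed.
for %%P in (%TCP_PORTS%) do (
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=%%P protocol=tcp mirrored=yes description="Permit inbound TCP %%P"
)
for %%P in (%UDP_PORTS%) do (
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=%%P protocol=udp mirrored=yes description="Permit inbound UDP %%P"
)

rem Catch-all inbound block (mirrored=no leaves outbound traffic alone, as in the post).
rem IPsec applies the most specific matching filter, so the per-port permits win over this one.
netsh ipsec static add filter filterlist="Distrust" srcaddr=any dstaddr=me protocol=any mirrored=no description="Block all other inbound"

rem Bind lists to actions inside the policy.
netsh ipsec static add rule name="Trusted rules" policy="%POLICY%" filterlist="Trust" filteraction="Permit"
netsh ipsec static add rule name="Distrust rules" policy="%POLICY%" filterlist="Distrust" filteraction="Block"

rem Review the result before assigning; "assign=n" rolls it back if you lock yourself out.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
endlocal
```

Run it from a console session or with the remote-desktop port (3389 here) in the permitted list, since the block filter takes effect as soon as the policy is assigned. The source-port permits in the post above (srcport=53 or 80 to every local port) are broader than they look: any inbound packet that merely carries that source port is allowed through, which is why this script permits by destination port only.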

Reposted from: http://hi.baidu.com/lvkike/blog/item/ff0926126dfb7044f919b811.html
