Firewall Inbound and Outbound Rules
This article covers inbound and outbound rules: what they are, how they are evaluated, and how to configure them (by batch script and by hand).
1. What are inbound and outbound rules
Outbound means you connect out to the network; inbound means the network connects in to you. Users can create inbound and outbound rules to block or allow connections for a particular program or port. A rule can block all connections for a program, allow all of them, or allow only secure connections, requiring encryption to protect the data sent over that connection. Rules for inbound and outbound traffic can be scoped by source and destination IP address, and likewise by source and destination TCP and UDP port.
The essential difference between inbound and outbound rules comes down to who initiates the connection. If the connection is initiated locally, the outbound rules govern it, and configuring only an inbound rule has no effect on it.
For example: a web application is deployed in IIS on port 81, but it cannot be reached from outside. The host answers ping, yet telnet to the port fails. With the firewall turned off the site is reachable; with the firewall turned back on it fails again. The cause lies in the firewall's inbound and outbound rules: no rule allows inbound connections to port 81.
2. How inbound and outbound rules are evaluated
Windows Firewall evaluates its rules in a fixed order of precedence:
1. Allow only secure connections (authenticated bypass rules)
2. Block connections
3. Allow connections
4. Default rule (if nothing is configured, the default is block)
Once a network packet matches a rule, that rule is applied and processing stops. For example, an arriving packet is first compared against the authenticated bypass rules. If it matches, that rule is applied and processing stops; the packet is not compared against the block, allow or default profile rules. If the packet does not match an authenticated bypass rule, it is compared against the block rules. If it matches, the packet is blocked and processing stops, and so on.
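The evaluation order above, as an added example (not code from the original article): a small Python model of the first-match-wins walk through the three rule categories and the profile default. The "allow only secure connections" category is modeled as authenticated-bypass rules, which match only traffic that was IPsec-authenticated; the rule set, rule names and ports are constructed for the demonstration. default_action is a parameter because Windows applies a per-profile default, block for inbound traffic and allow for outbound.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "in" or "out"
    protocol: str               # "TCP" or "UDP"
    local_port: Optional[int]   # None means any port
    action: str                 # "bypass", "block" or "allow"

    def matches(self, direction: str, protocol: str, port: int, authenticated: bool) -> bool:
        # An authenticated-bypass rule only matches traffic that was IPsec-authenticated;
        # ordinary block/allow rules match regardless of authentication.
        if self.action == "bypass" and not authenticated:
            return False
        return (self.direction == direction
                and self.protocol == protocol
                and (self.local_port is None or self.local_port == port))


# The three rule categories in the order the article lists them; the profile
# default is consulted only when none of them matched.
EVALUATION_ORDER = ("bypass", "block", "allow")


def evaluate(rules: Iterable[Rule], direction: str, protocol: str, port: int,
             authenticated: bool = False,
             default_action: str = "block") -> Tuple[str, Optional[str]]:
    """Return (decision, rule_name); rule_name is None when the default applied."""
    rules = list(rules)
    for category in EVALUATION_ORDER:
        for rule in rules:
            if rule.action == category and rule.matches(direction, protocol, port, authenticated):
                decision = "allow" if category == "bypass" else category
                return decision, rule.name   # first match wins; processing stops here
    return default_action, None


# Constructed rule set (not from the article): the IIS-on-port-81 case, a port
# that has both an allow rule and a later-created block rule, and a port where
# only authenticated traffic may bypass a block rule.
RULES = [
    Rule("81", "in", "TCP", 81, "allow"),
    Rule("3306", "in", "TCP", 3306, "allow"),
    Rule("block-3306", "in", "TCP", 3306, "block"),
    Rule("secure-8080", "in", "TCP", 8080, "bypass"),
    Rule("block-8080", "in", "TCP", 8080, "block"),
]

if __name__ == "__main__":
    for port in (81, 3306, 8080, 82):
        print(port, evaluate(RULES, "in", "TCP", port))
    print(8080, "authenticated:", evaluate(RULES, "in", "TCP", 8080, authenticated=True))
```

Port 3306 is blocked even though an allow rule exists for it, and the order in which the two rules were created plays no part: the block category is simply checked before the allow category. Port 8080 is blocked for ordinary traffic and allowed only when the packet arrives authenticated.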
3. Configuring inbound and outbound rules
(1) Manual configuration
1. Open Windows Firewall from Control Panel.
2. In the firewall window, click Advanced settings.
3. Click "Inbound Rules" in the top left, then "New Rule" in the top right.
4. In the New Inbound Rule wizard, choose Port and enter the port(s) you want to restrict (or open).
5. Choose Allow or Block according to your needs.
6. On the next page, tick the profiles the rule applies to; normally all three (Domain, Private, Public) are ticked.
7. Click Next, give the rule a name, and click Finish.
(2) Batch script configuration
1. Inbound rules
Adjust the ports and rule names below as needed, save the lines in a .bat file and run it:
@echo off
rem Enable the common firewall ports
netsh advfirewall firewall add rule name="4089" protocol=TCP dir=in localport=4089 action=allow
netsh advfirewall firewall add rule name="4090" protocol=TCP dir=in localport=4090 action=allow
netsh advfirewall firewall add rule name="4088" protocol=TCP dir=in localport=4088 action=allow
netsh advfirewall firewall add rule name="3030" protocol=TCP dir=in localport=3030 action=allow
netsh advfirewall firewall add rule name="3032" protocol=TCP dir=in localport=3032 action=allow
netsh advfirewall firewall add rule name="33030" protocol=TCP dir=in localport=33030 action=allow
netsh advfirewall firewall add rule name="12345" protocol=TCP dir=in localport=12345 action=allow
netsh advfirewall firewall add rule name="23456" protocol=TCP dir=in localport=23456 action=allow
netsh advfirewall firewall add rule name="8088" protocol=TCP dir=in localport=8088 action=allow
netsh advfirewall firewall add rule name="215" protocol=TCP dir=in localport=215 action=allow
netsh advfirewall firewall add rule name="86" protocol=TCP dir=in localport=86 action=allow
netsh advfirewall firewall add rule name="81" protocol=TCP dir=in localport=81 action=allow
netsh advfirewall firewall add rule name="82" protocol=TCP dir=in localport=82 action=allow
netsh advfirewall firewall add rule name="83" protocol=TCP dir=in localport=83 action=allow
netsh advfirewall firewall add rule name="84" protocol=TCP dir=in localport=84 action=allow
netsh advfirewall firewall add rule name="85" protocol=TCP dir=in localport=85 action=allow
netsh advfirewall firewall add rule name="1521" protocol=TCP dir=in localport=1521 action=allow
netsh advfirewall firewall add rule name="27017" protocol=TCP dir=in localport=27017 action=allow
netsh advfirewall firewall add rule name="3306" protocol=TCP dir=in localport=3306 action=allow
netsh advfirewall firewall add rule name="6379" protocol=TCP dir=in localport=6379 action=allow
netsh advfirewall firewall add rule name="5672" protocol=TCP dir=in localport=5672 action=allow
netsh advfirewall firewall add rule name="15672" protocol=TCP dir=in localport=15672 action=allow
netsh advfirewall firewall add rule name="8080" protocol=TCP dir=in localport=8080 action=allow
2. Deleting rules
When the configured rules are no longer needed, run the following batch script to delete them:
netsh advfirewall firewall delete rule name="4089" protocol=TCP dir=in localport=4089
netsh advfirewall firewall delete rule name="4090" protocol=TCP dir=in localport=4090
netsh advfirewall firewall delete rule name="4088" protocol=TCP dir=in localport=4088
netsh advfirewall firewall delete rule name="3030" protocol=TCP dir=in localport=3030
netsh advfirewall firewall delete rule name="3032" protocol=TCP dir=in localport=3032
netsh advfirewall firewall delete rule name="33030" protocol=TCP dir=in localport=33030
netsh advfirewall firewall delete rule name="12345" protocol=TCP dir=in localport=12345
netsh advfirewall firewall delete rule name="23456" protocol=TCP dir=in localport=23456
netsh advfirewall firewall delete rule name="8088" protocol=TCP dir=in localport=8088
netsh advfirewall firewall delete rule name="215" protocol=TCP dir=in localport=215
netsh advfirewall firewall delete rule name="86" protocol=TCP dir=in localport=86
netsh advfirewall firewall delete rule name="81" protocol=TCP dir=in localport=81
netsh advfirewall firewall delete rule name="82" protocol=TCP dir=in localport=82
netsh advfirewall firewall delete rule name="83" protocol=TCP dir=in localport=83
netsh advfirewall firewall delete rule name="84" protocol=TCP dir=in localport=84
netsh advfirewall firewall delete rule name="85" protocol=TCP dir=in localport=85
netsh advfirewall firewall delete rule name="1521" protocol=TCP dir=in localport=1521
netsh advfirewall firewall delete rule name="27017" protocol=TCP dir=in localport=27017
netsh advfirewall firewall delete rule name="3306" protocol=TCP dir=in localport=3306
netsh advfirewall firewall delete rule name="6379" protocol=TCP dir=in localport=6379
netsh advfirewall firewall delete rule name="5672" protocol=TCP dir=in localport=5672
netsh advfirewall firewall delete rule name="15672" protocol=TCP dir=in localport=15672
netsh advfirewall firewall delete rule name="8080" protocol=TCP dir=in localport=8080
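The add and delete scripts above are easy to let drift apart when ports are edited by hand. As an added example (not the article's own code), the following Python generates both from one port list, validates each port before it reaches netsh, and drops duplicates. Rule names follow the article's scheme (the port number). The optional remote_ip argument uses netsh's remoteip= parameter to limit a rule to a source range such as a LAN subnet instead of any address; the 192.168.1.0/24 range and the DB_PORTS selection are constructed for the demonstration.

```python
from typing import Iterable, List, Optional


def _check_port(port: int) -> int:
    """Reject anything that is not a valid TCP/UDP port before it reaches netsh."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return port


def add_rule_cmd(port: int, protocol: str = "TCP", direction: str = "in",
                 action: str = "allow", remote_ip: Optional[str] = None) -> str:
    """One 'netsh advfirewall firewall add rule' line; the rule name is the port, as in the article."""
    port = _check_port(port)
    cmd = (f'netsh advfirewall firewall add rule name="{port}" protocol={protocol} '
           f'dir={direction} localport={port} action={action}')
    if remote_ip:
        # remoteip= restricts which source addresses the rule applies to (e.g. a LAN range)
        cmd += f" remoteip={remote_ip}"
    return cmd


def delete_rule_cmd(port: int, protocol: str = "TCP", direction: str = "in") -> str:
    """The matching delete line; netsh removes every rule matching name, protocol, dir and port."""
    port = _check_port(port)
    return (f'netsh advfirewall firewall delete rule name="{port}" protocol={protocol} '
            f'dir={direction} localport={port}')


def build_script(ports: Iterable[int], mode: str, protocol: str = "TCP",
                 remote_ip: Optional[str] = None) -> List[str]:
    """Lines of a .bat file that adds or deletes one inbound rule per distinct port."""
    if mode not in ("add", "delete"):
        raise ValueError("mode must be 'add' or 'delete'")
    lines = ["@echo off", f"rem {mode} inbound {protocol} firewall rules"]
    seen = set()
    for port in ports:
        if port in seen:          # a repeated port would create a duplicate rule
            continue
        seen.add(port)
        if mode == "add":
            lines.append(add_rule_cmd(port, protocol=protocol, remote_ip=remote_ip))
        else:
            lines.append(delete_rule_cmd(port, protocol=protocol))
    return lines


# Constructed input: the database ports from the article's list (Oracle, MongoDB, MySQL, Redis).
DB_PORTS = [1521, 27017, 3306, 6379]

if __name__ == "__main__":
    # 192.168.1.0/24 is a constructed example LAN range, not a value from the article.
    print("\n".join(build_script(DB_PORTS, "add", remote_ip="192.168.1.0/24")))
    print()
    print("\n".join(build_script(DB_PORTS, "delete")))
```

Write each list to its own .bat file (for example open-db-ports.bat and close-db-ports.bat) and run them from an elevated prompt, since netsh advfirewall changes require administrator rights.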
3. Closing ports
Some dangerous ports are easy targets for attack and can lead to the machine being infected; these can be closed with the following IPsec policy script:
@echo off
title Create IP security policy to block ports 135, 139 ... (Win7)
echo Closing ports, please wait
netsh ipsec static add policy name=qianye
netsh ipsec static add filterlist name=Filter1
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
echo Port 135 closed
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
echo Port 139 closed
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
echo Port 445 closed
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1443 protocol=TCP
echo Port 1443 closed
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1444 protocol=TCP
echo Port 1444 closed
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1443 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1444 protocol=UDP
netsh ipsec static add filteraction name=FilterAction1 action=block
netsh ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilterAction1
netsh ipsec static set policy name=qianye assign=y
echo Done: the dangerous ports are now closed
echo Press any key to exit
pause
4. Testing whether the configuration worked
Test from another computer on the LAN whether the Oracle or MongoDB database deployed on the target machine can be reached. For other service ports, for example WCF on 192.168.1.231:81, simply open the address to test it.
Or telnet the port directly: in a cmd window, type telnet, a space, the IP address, a space, and the port number, for example: telnet 192.168.1.34 81
Note: it is best to test the port once while it is blocked and once while it is opened, so that the effect of the rule is confirmed both ways.
If running it reports that telnet is not recognized as an internal or external command, go to "Turn Windows features on or off" and enable Telnet, as shown in the figure, by ticking Telnet Client and Telnet Server (only Telnet Client is required for this test).
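The telnet check above gives a single pass/fail. As an added example (not part of the original article), the following Python TCP connect probe plays the same role but separates the three outcomes that matter when diagnosing a firewall rule: the handshake completes (a service listens and no rule blocks it), the host answers with a reset (reachable, but nothing listens on that port), or nothing comes back at all (typically a firewall silently dropping the SYN, which is the article's ping-works-but-port-fails symptom). The self-check uses a constructed listener on loopback; the 192.168.1.34 address in the usage line is the article's example address, not a live host.

```python
import socket
from typing import Dict, Iterable, Tuple


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return "open", "refused" or "timeout" for host:port (a telnet-style reachability check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"             # RST received: host reachable, nothing listening
    except (socket.timeout, TimeoutError, OSError):
        # No answer (or no route): for this check both mean "not reachable",
        # and a block rule in Windows Firewall shows up exactly like this.
        return "timeout"


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports on one host, e.g. the database ports opened by the batch script."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def probe_against_local_listener() -> Tuple[str, str]:
    """Self-check on loopback with a constructed listener: it should read "open" while
    it exists and "refused" once closed (loopback answers closed ports with RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(probe_against_local_listener())
    # Realistic use against a LAN host (the article's example address; constructed, not live):
    # print(probe_ports("192.168.1.34", [81, 1521, 27017]))
```

Run it from a second machine on the LAN, as the article suggests, once with the rule blocking and once with it allowing the port: the result should move between "timeout" and "open". A "refused" result means the firewall is letting traffic through but the service itself is not listening, which is a different problem from the one this article addresses.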
