#防火墙#分享一套Windows server 2008R2的防火墙设置

很多人需要这种东西,毕竟大家对于服务器安全很注意,具体使用方法.创建一个Bat文件 之后运行就好

rem windows 防火墙匹配原则 
rem 1 优先匹配安全连接规则 
rem 2 匹配阻止的规则 
rem 3 匹配允许的规则 
rem 4 按照默认策略匹配,一般是阻止,除非做了修改 
rem 所有如果有端口有些ip允许,有些不允许,应该写一个允许规则,然后将允许的ip加入到规则中,不需要再添加一个阻止规则! 
rem 负责会造成对这个端口的访问全部被阻止! 
 
rem 恢复防火墙到默认值 
netsh advfirewall reset 
rem 防火墙日志位置 %systemroot%\system32\LogFiles 
 
rem 如何避免很长的一行,使用变量! 
set innet_ip=10.0.0.0/255.0.0.0,172.16.0.0/255.255.0.0,192.168.0.0/255.255.0.0 
set in_common_tcp_port=135,139,445,23,80,21 
set in_common_udp_port=137,138 
 
rem 用法: add rule name=<string> 
rem dir=in|out 
rem action=allow|block|bypass 
rem [program=<program path>] 
rem [service=<service short name>|any] 
rem [description=<string>] 
rem [enable=yes|no (default=yes)] 
rem [profile=public|private|domain|any[,...]] 
rem [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] 
rem [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| 
rem <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] 
rem [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)] 
rem [remoteport=0-65535|<port range>[,...]|any (default=any)] 
rem [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| 
rem tcp|udp|any (default=any)] 
rem [interfacetype=wireless|lan|ras|any] 
rem [rmtcomputergrp=<SDDL string>] 
rem [rmtusrgrp=<SDDL string>] 
rem [edge=yes|deferapp|deferuser|no (default=no)] 
rem [security=authenticate|authenc|authdynenc|authnoencap|notrequired 
rem (default=notrequired)] 
rem 例子 
rem 为不具有封装的 messenger.exe 添加入站规则: 
rem netsh advfirewall firewall add rule name="allow messenger" 
rem dir=in program="c:\programfiles\messenger\msmsgs.exe" 
rem security=authnoencap action=allow 
 
rem 为端口 80 添加出站规则: 
rem netsh advfirewall firewall add rule name="allow80" 
rem protocol=TCP dir=out localport=80 action=block 
 
rem 为 TCP 端口 80 通信添加需要安全和加密的入站规则: 
rem netsh advfirewall firewall add rule 
rem name="Require Encryption for Inbound TCP/80" 
rem protocol=TCP dir=in localport=80 security=authdynenc 
rem action=allow 
rem 修改规则set rule name=<string> 规则属性 
 
rem 关闭网络共享和常用端口,但是允许内网访问 
netsh advfirewall firewall add rule name="deny smb common tcp" description="deny smb common and tcp port" protocol=TCP dir=in remoteip=%innet_ip% localport=%in_common_tcp_port% action=allow enable=yes 
netsh advfirewall firewall add rule name="deny smb common udp" description="deny smb common and udp port" protocol=UDP dir=in remoteip=%innet_ip% localport=%in_common_udp_port% action=allow enable=yes 
 
rem 允许内网访问 
netsh advfirewall firewall add rule name="allow in net" description="permit in net" protocol=any dir=in remoteip=%innet_ip% action=allow 
 
rem 允许远程桌面 
netsh advfirewall firewall add rule name="permitT3389 (RDP Access)" protocol=TCP dir=in remoteip=%snda_ip% localport=3389 action=allow 
 
 
rem 允许icmp
netsh advfirewall firewall add rule name="permit_icmp" protocol=ICMPv4 dir=in remoteip=any action=allow 
 
 
rem 多个ip段 
netsh advfirewall firewall add rule name="nets" description="innet B class" dir=in action=allow 
 
rem Ip段1 128.1.0.0/16 
set net_ip=128.1.0.0/255.255.0.0 
rem Ip段2 128.2.0.0/16 
set net_ip=%net_ip%,128.2.0.0/255.255.0.0 
netsh advfirewall firewall set rule name="nets" new remoteip=%net_ip%
VPS评审,版权所有丨如未注明,均为原创丨本网站采用BY-NC-SA协议进行授权.
转载请注明转自:https://vpsps.com/555.html
「点点赞赏,手留余香」

    还没有人赞赏,快来当第一个赞赏的人吧!
2 条回复 A 作者 M 管理员
  1. 不错,我感觉开启默认防火墙就OK了

    • 对于企业或者严格要求的肯定是有用的