Firewall Inbound and Outbound Rules


This article introduces inbound and outbound rules, explains how they work, and shows how to configure them (by batch script and by hand).

I. What are inbound and outbound rules?

Outbound is you reaching out to the external network; inbound is the external network reaching you. Users can create inbound and outbound rules to block or allow connections for specific programs or ports: a program can be blocked from all connections, allowed all connections, or allowed only secure connections, with encryption required to protect the data sent over that connection. Source and destination IP addresses can be configured for both inbound and outbound traffic, and likewise rules can be configured for source and destination TCP and UDP ports.

The essential difference between inbound and outbound rules comes down to who initiates the connection. If the connection is initiated locally, it is the outbound rules that govern that link, and configuring only inbound rules has no effect.

An example: a web application is deployed on IIS on port 81, but it cannot be reached from outside; the IP address answers ping, yet telnet to the port fails. With the firewall turned off the site becomes accessible; with the firewall on, it fails again. The cause lies in the firewall's inbound and outbound rules.

II. How inbound and outbound rules work

Windows Firewall evaluates rules in its own fixed order. The priority is:
1. Allow only secure connections (authenticated bypass)
2. Block the connection
3. Allow the connection
4. Default rule (if nothing else is configured, the default is to block)

Once a network packet matches a rule, that rule is applied and processing stops. For example, an arriving packet is first compared against the authenticated bypass rules. If it matches, that rule is applied and processing stops; the packet is not compared against the block, allow, or default profile rules. If the packet does not match an authenticated bypass rule, it is compared against the block rules; if it matches, the packet is blocked and processing stops, and so on.
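The evaluation order above is easiest to see when it is run against a few concrete packets. The following is an added example, not code from the original article: a small PowerShell model of the ordering (authenticated bypass, then block, then allow, then the default). The rule names, ports and addresses are constructed for illustration, and the model uses the remote address as a stand-in for the IPsec authentication that a real authenticated bypass rule requires. Nothing here touches the real firewall.

```powershell
# Added example (not from the original article): a model of the Windows Firewall
# rule-evaluation order. Rules and packets are constructed for illustration only.

function Get-DemoRuleRank {
    # Lower rank is checked first: authenticated bypass, then block, then allow.
    param([string]$Type)
    switch ($Type) {
        'AuthenticatedBypass' { 0 }
        'Block'               { 1 }
        'Allow'               { 2 }
    }
}

function New-DemoRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('AuthenticatedBypass', 'Block', 'Allow')][string]$Type,
        [string]$Protocol = 'Any',      # 'TCP', 'UDP' or 'Any'
        [int]$LocalPort = 0,            # 0 means any port
        [string]$RemoteAddress = 'Any'  # one exact address, or 'Any'
    )
    [pscustomobject]@{ Name = $Name; Type = $Type; Protocol = $Protocol; LocalPort = $LocalPort; RemoteAddress = $RemoteAddress }
}

function Test-DemoRuleMatch {
    param($Rule, $Packet)
    return (($Rule.Protocol -eq 'Any' -or $Rule.Protocol -eq $Packet.Protocol) -and
            ($Rule.LocalPort -eq 0 -or $Rule.LocalPort -eq $Packet.LocalPort) -and
            ($Rule.RemoteAddress -eq 'Any' -or $Rule.RemoteAddress -eq $Packet.RemoteAddress))
}

function Resolve-DemoVerdict {
    param([object[]]$Rules, $Packet, [string]$DefaultAction = 'Block')
    # Rules are tried in priority order, not in the order they were created,
    # and the first match ends processing, exactly as the article describes.
    foreach ($rule in ($Rules | Sort-Object { Get-DemoRuleRank $_.Type })) {
        if (Test-DemoRuleMatch -Rule $rule -Packet $Packet) {
            $verdict = if ($rule.Type -eq 'Block') { 'Block' } else { 'Allow' }
            return [pscustomobject]@{ Verdict = $verdict; MatchedRule = $rule.Name }
        }
    }
    return [pscustomobject]@{ Verdict = $DefaultAction; MatchedRule = '(default)' }
}

# Constructed rule set: an allow rule for port 81 (the IIS example), a block rule
# for the same port from one address, and a bypass rule for 3389 from that address.
$rules = @(
    (New-DemoRule -Name 'Allow web 81'         -Type Allow -Protocol TCP -LocalPort 81),
    (New-DemoRule -Name 'Block 10.0.0.9 -> 81' -Type Block -Protocol TCP -LocalPort 81 -RemoteAddress '10.0.0.9'),
    (New-DemoRule -Name 'Bypass RDP'           -Type AuthenticatedBypass -Protocol TCP -LocalPort 3389 -RemoteAddress '10.0.0.9')
)

$packets = @(
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 81;   RemoteAddress = '10.0.0.5' },  # only the allow rule matches
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 81;   RemoteAddress = '10.0.0.9' },  # block beats allow
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 3389; RemoteAddress = '10.0.0.9' },  # bypass is checked first
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 3306; RemoteAddress = '10.0.0.5' }   # no rule: default applies
)

foreach ($p in $packets) {
    $r = Resolve-DemoVerdict -Rules $rules -Packet $p
    '{0}:{1} from {2} -> {3} ({4})' -f $p.Protocol, $p.LocalPort, $p.RemoteAddress, $r.Verdict, $r.MatchedRule
}
```

The second packet is the case the article's IIS story turns on: an allow rule for port 81 exists, yet the connection is still refused, because a block rule covering the same traffic is evaluated before any allow rule. When a port "should be open" but is not, look for a matching block rule before adding another allow rule.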

III. Configuring inbound and outbound rules

(1) Configuring rules by hand

1. Open Windows Firewall from Control Panel.

2. In the firewall window, click Advanced settings.

3. Click "Inbound Rules" at the top left, then "New Rule" at the top right.

4. In the New Inbound Rule wizard, choose Port and enter the port(s) you want to restrict (or open).

5. Choose Allow or Block according to your needs.

6. On the next page, tick the profiles the rule applies to; normally all three are ticked.

7. Finally click Next, give your rule a name, and click Finish.

(2) Configuring rules by batch script

1. Inbound rules

Edit the ports and names below as needed, save them in a .bat file, and run it:

@echo off
rem open the commonly used firewall ports
netsh advfirewall firewall add rule name="4089" protocol=TCP dir=in localport=4089 action=allow
netsh advfirewall firewall add rule name="4090" protocol=TCP dir=in localport=4090 action=allow
netsh advfirewall firewall add rule name="4088" protocol=TCP dir=in localport=4088 action=allow
netsh advfirewall firewall add rule name="3030" protocol=TCP dir=in localport=3030 action=allow
netsh advfirewall firewall add rule name="3032" protocol=TCP dir=in localport=3032 action=allow
netsh advfirewall firewall add rule name="33030" protocol=TCP dir=in localport=33030 action=allow
netsh advfirewall firewall add rule name="12345" protocol=TCP dir=in localport=12345 action=allow
netsh advfirewall firewall add rule name="23456" protocol=TCP dir=in localport=23456 action=allow
netsh advfirewall firewall add rule name="8088" protocol=TCP dir=in localport=8088 action=allow
netsh advfirewall firewall add rule name="215" protocol=TCP dir=in localport=215 action=allow
netsh advfirewall firewall add rule name="86" protocol=TCP dir=in localport=86 action=allow
netsh advfirewall firewall add rule name="81" protocol=TCP dir=in localport=81 action=allow
netsh advfirewall firewall add rule name="82" protocol=TCP dir=in localport=82 action=allow
netsh advfirewall firewall add rule name="83" protocol=TCP dir=in localport=83 action=allow
netsh advfirewall firewall add rule name="84" protocol=TCP dir=in localport=84 action=allow
netsh advfirewall firewall add rule name="85" protocol=TCP dir=in localport=85 action=allow
netsh advfirewall firewall add rule name="1521" protocol=TCP dir=in localport=1521 action=allow
netsh advfirewall firewall add rule name="27017" protocol=TCP dir=in localport=27017 action=allow
netsh advfirewall firewall add rule name="3306" protocol=TCP dir=in localport=3306 action=allow
netsh advfirewall firewall add rule name="6379" protocol=TCP dir=in localport=6379 action=allow
netsh advfirewall firewall add rule name="5672" protocol=TCP dir=in localport=5672 action=allow
netsh advfirewall firewall add rule name="15672" protocol=TCP dir=in localport=15672 action=allow
netsh advfirewall firewall add rule name="8080" protocol=TCP dir=in localport=8080 action=allow

2. Deleting rules

When the configured rules are no longer needed, run a batch script to delete them:

netsh advfirewall firewall delete rule name="4089" protocol=TCP dir=in localport=4089
netsh advfirewall firewall delete rule name="4090" protocol=TCP dir=in localport=4090
netsh advfirewall firewall delete rule name="4088" protocol=TCP dir=in localport=4088
netsh advfirewall firewall delete rule name="3030" protocol=TCP dir=in localport=3030
netsh advfirewall firewall delete rule name="3032" protocol=TCP dir=in localport=3032
netsh advfirewall firewall delete rule name="33030" protocol=TCP dir=in localport=33030
netsh advfirewall firewall delete rule name="12345" protocol=TCP dir=in localport=12345
netsh advfirewall firewall delete rule name="23456" protocol=TCP dir=in localport=23456
netsh advfirewall firewall delete rule name="8088" protocol=TCP dir=in localport=8088
netsh advfirewall firewall delete rule name="215" protocol=TCP dir=in localport=215
netsh advfirewall firewall delete rule name="86" protocol=TCP dir=in localport=86
netsh advfirewall firewall delete rule name="81" protocol=TCP dir=in localport=81
netsh advfirewall firewall delete rule name="82" protocol=TCP dir=in localport=82
netsh advfirewall firewall delete rule name="83" protocol=TCP dir=in localport=83
netsh advfirewall firewall delete rule name="84" protocol=TCP dir=in localport=84
netsh advfirewall firewall delete rule name="85" protocol=TCP dir=in localport=85
netsh advfirewall firewall delete rule name="1521" protocol=TCP dir=in localport=1521
netsh advfirewall firewall delete rule name="27017" protocol=TCP dir=in localport=27017
netsh advfirewall firewall delete rule name="3306" protocol=TCP dir=in localport=3306
netsh advfirewall firewall delete rule name="6379" protocol=TCP dir=in localport=6379
netsh advfirewall firewall delete rule name="5672" protocol=TCP dir=in localport=5672
netsh advfirewall firewall delete rule name="15672" protocol=TCP dir=in localport=15672
netsh advfirewall firewall delete rule name="8080" protocol=TCP dir=in localport=8080

3. Closing ports

Some dangerous ports are easy targets for attack and can lead to the computer being infected; we can choose to close those dangerous ports:

@echo off
title 創建IP安全策略,屏蔽135、139 . . . 等端口 (win7)
echo “正在關閉,請等待”
rem create an IPsec policy, a filter list, and one filter per port and protocol
netsh ipsec static add policy name=qianye
netsh ipsec static add filterlist name=Filter1
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
echo “135端口已經關閉”
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
echo “139端口已經關閉”
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
echo “445端口已經關閉”
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1443 protocol=TCP
echo “1443端口已經關閉”
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1444 protocol=TCP
echo “1444端口已經關閉”
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1443 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=1444 protocol=UDP
rem a block action, a rule tying the filter list to that action, then assign the policy
netsh ipsec static add filteraction name=FilterAction1 action=block
netsh ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilterAction1
netsh ipsec static set policy name=qianye assign=y
echo “恭喜您,危險端口已經關閉”
echo “按任意鍵退出 ”
pause
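The three batch scripts above (open ports, delete those rules, block ports) can be expressed with the built-in NetSecurity cmdlets instead of netsh. The following is an added example, not the article's own code, written for an elevated PowerShell session. It makes a few choices the batch scripts do not: a rule is created only when no rule with the same display name already exists, so re-running does not pile up duplicates; allow rules default to the local subnet, so database listeners such as 1521, 3306, 6379 and 27017 are not reachable from every remote address; the Public profile is left out of the allow rules; and every rule gets one display-name prefix, so the removal function finds exactly these rules and never touches built-in ones. The prefix `Article-` is an assumption made for this example; the port lists are the article's.

```powershell
# Added example (not from the original article): a PowerShell version of the three
# batch scripts, using New-/Get-/Remove-NetFirewallRule instead of netsh.
# Run in an elevated PowerShell session.

$RulePrefix = 'Article-'   # assumed naming prefix, chosen for this example

function Add-ArticleFirewallRule {
    param(
        [Parameter(Mandatory)][int[]]$Port,
        [ValidateSet('Allow', 'Block')][string]$Action = 'Allow',
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string]$RemoteAddress = 'LocalSubnet',   # pass 'Any' for block rules
        [string]$Prefix = $RulePrefix
    )
    foreach ($p in $Port) {
        $name = '{0}{1}-{2}-{3}' -f $Prefix, $Action, $Protocol, $p
        # Idempotent: skip if a rule with this display name already exists.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists, skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $Protocol `
            -LocalPort $p -RemoteAddress $RemoteAddress -Action $Action `
            -Profile Domain,Private | Out-Null
        Write-Output "Created $name"
    }
}

function Remove-ArticleFirewallRule {
    param([string]$Prefix = $RulePrefix)
    # Only rules whose display name starts with the prefix are removed; the list is
    # materialised first so removal does not happen while enumerating.
    $rules = @(Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue)
    foreach ($r in $rules) {
        Remove-NetFirewallRule -Name $r.Name
        Write-Output "Removed $($r.DisplayName)"
    }
}

function Show-ArticleFirewallRule {
    param([string]$Prefix = $RulePrefix)
    # Join each rule with its port and address filters so the listing shows what
    # actually matches, not just the rule name.
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Action  = $_.Action
            Proto   = $portFilter.Protocol
            Port    = $portFilter.LocalPort
            Remote  = $addrFilter.RemoteAddress
            Enabled = $_.Enabled
        }
    }
}

# Usage, mirroring the three batch scripts:
# $allowPorts = 4089,4090,4088,3030,3032,33030,12345,23456,8088,215,86,81,82,83,84,85,1521,27017,3306,6379,5672,15672,8080
# Add-ArticleFirewallRule -Port $allowPorts -Action Allow
# $blockPorts = 135,139,445,1443,1444
# Add-ArticleFirewallRule -Port $blockPorts -Action Block -Protocol TCP -RemoteAddress Any
# Add-ArticleFirewallRule -Port $blockPorts -Action Block -Protocol UDP -RemoteAddress Any
# Show-ArticleFirewallRule | Format-Table -AutoSize
# Remove-ArticleFirewallRule
```

Because block rules are evaluated before allow rules (section II), the block rules created here take effect even if an allow rule for the same port exists; and because block rules carry `-RemoteAddress Any`, they also stop connections from the LAN, so blocking 445 will stop file sharing with neighbouring machines as well.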

IV. Testing whether the configuration took effect

From another computer on the LAN, test whether it can reach the Oracle or MongoDB database deployed on the target machine. For other service ports, for example a WCF service at http://192.168.1.231:81, simply opening the address is enough to test.

Alternatively, telnet to the port directly. In a cmd window type telnet, a space, the IP address, a space, and the port number, for example: telnet 192.168.1.34 81

Note: it is best to test blocked ports and opened ports separately, so that each result can be confirmed.

If running it reports that telnet is not recognized as an internal or external command, go to "Turn Windows features on or off" and enable the Telnet feature: tick Telnet Client and Telnet Server, as shown in the figure.
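The same check can be made from PowerShell without enabling either Telnet feature. The following is an added example, not code from the original article: one function attempts a plain TCP connect with a timeout from the client side, and a second, run on the server itself, lists the enabled inbound rules whose port filter covers a given port, block rules first, which is what decides the outcome. The address 192.168.1.34 and port 81 are the article's example values, not real systems.

```powershell
# Added example (not from the original article): verifying firewall rules from
# PowerShell. Test-TcpPort runs on the client; Get-InboundRuleForPort runs on the
# server whose rules are being checked.

function Test-TcpPort {
    # Plain TCP connect with a timeout; never sends application data.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 2000
    )
    foreach ($p in $Port) {
        $reachable = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $reachable = $true
            }
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }
        # A silent timeout (no answer at all) is the usual sign of a firewall drop;
        # an immediate refusal usually means nothing is listening on that port.
        [pscustomobject]@{ Host = $ComputerName; Port = $p; Reachable = $reachable }
    }
}

function Get-InboundRuleForPort {
    # Lists enabled inbound rules whose port filter covers $Port, block rules first
    # because they win over allow rules during evaluation (section II).
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne $Protocol) { return }   # 'return' moves on to the next rule
        $covers = $false
        # LocalPort may be 'Any', a single port, a range like '1024-65535', or a list.
        foreach ($entry in @($pf.LocalPort)) {
            switch -Regex ($entry) {
                '^Any$'         { $covers = $true }
                '^\d+$'         { if ([int]$entry -eq $Port) { $covers = $true } }
                '^(\d+)-(\d+)$' { if ([int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) { $covers = $true } }
            }
        }
        if ($covers) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Action    = $rule.Action
                Profile   = $rule.Profile
                LocalPort = (@($pf.LocalPort) -join ',')
            }
        }
    } | Sort-Object { if ($_.Action -eq 'Block') { 0 } else { 1 } }
}

# Usage (first on the client, second on the server):
# Test-TcpPort -ComputerName 192.168.1.34 -Port 81,3306,445
# Get-InboundRuleForPort -Port 81 | Format-Table -AutoSize
```

On Windows 8.1 / Server 2012 R2 and later, `Test-NetConnection -ComputerName 192.168.1.34 -Port 81` gives the same single-port answer as `Test-TcpPort`. When a port that should be open shows up as unreachable, the rule listing tells you whether an allow rule is missing or whether a block rule is being matched first.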
