分享winsows server 2008 R2的防火牆設置

 

rem windows 防火牆匹配原則
rem 1 優先匹配安全鏈接規則
rem 2 匹配阻止的規則
rem 3 匹配容許的規則
rem 4 按照默認策略匹配，通常是阻止，除非作了修改
rem 全部若是有端口有些ip容許，有些不容許，應該寫一個容許規則，而後將容許的ip加入到規則中，不須要再添加一個阻止規則！
rem 負責會形成對這個端口的訪問所有被阻止！

rem 恢復防火牆到默認值
netsh advfirewall reset
rem 防火牆日誌位置 %systemroot%\system32\LogFiles

rem 如何避免很長的一行，使用變量！
set innet_ip=10.0.0.0/255.0.0.0,172.16.0.0/255.255.0.0,192.168.0.0/255.255.0.0
set in_common_tcp_port=135,139,445,23,80,21
set in_common_udp_port=137,138

rem 用法: add rule name=<string>
rem       dir=in|out
rem       action=allow|block|bypass
rem       [program=<program path>]
rem       [service=<service short name>|any]
rem       [description=<string>]
rem       [enable=yes|no (default=yes)]
rem       [profile=public|private|domain|any[,...]]
rem       [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
rem       [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
rem          <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
rem       [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
rem       [remoteport=0-65535|<port range>[,...]|any (default=any)]
rem       [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
rem          tcp|udp|any (default=any)]
rem       [interfacetype=wireless|lan|ras|any]
rem       [rmtcomputergrp=<SDDL string>]
rem       [rmtusrgrp=<SDDL string>]
rem       [edge=yes|deferapp|deferuser|no (default=no)]
rem       [security=authenticate|authenc|authdynenc|authnoencap|notrequired
rem       (default=notrequired)]
rem 例子
rem 爲不具備封裝的 messenger.exe 添加入站規則:
rem netsh advfirewall firewall add rule name="allow messenger"
rem dir=in program="c:\programfiles\messenger\msmsgs.exe"
rem security=authnoencap action=allow

rem 爲端口 80 添加出站規則:
rem netsh advfirewall firewall add rule name="allow80"
rem protocol=TCP dir=out localport=80 action=block

rem 爲 TCP 端口 80 通訊添加須要安全和加密的入站規則:
rem netsh advfirewall firewall add rule
rem name="Require Encryption for Inbound TCP/80"
rem protocol=TCP dir=in localport=80 security=authdynenc
rem action=allow
rem 修改規則set rule name=<string> 規則屬性

rem 關閉網絡共享和經常使用端口,可是容許內網訪問
netsh advfirewall firewall add rule name="deny smb common tcp" description="deny smb common and tcp port" protocol=TCP dir=in  remoteip=%innet_ip% localport=%in_common_tcp_port% action=allow enable=yes
netsh advfirewall firewall add rule name="deny smb common udp" description="deny smb common and udp port" protocol=UDP dir=in  remoteip=%innet_ip% localport=%in_common_udp_port% action=allow enable=yes

rem 容許內網訪問
netsh advfirewall firewall add rule name="allow in net" description="permit in net" protocol=any dir=in  remoteip=%innet_ip%  action=allow

rem 容許遠程桌面
netsh advfirewall firewall add rule name="permitT3389 (RDP Access)" protocol=TCP dir=in remoteip=%snda_ip% localport=3389 action=allow


rem 容許icmp
netsh advfirewall firewall add rule name="permit_icmp"    protocol=ICMPv4 dir=in  remoteip=any action=allow


rem 多個ip段
netsh advfirewall firewall add rule name="nets" description="innet B class"  dir=in  action=allow

rem Ip段1    128.1.0.0/16
set net_ip=128.1.0.0/255.255.0.0
rem Ip段2    128.2.0.0/16
set net_ip=%net_ip%,128.2.0.0/255.255.0.0
netsh advfirewall firewall set rule name="nets"  new remoteip=%net_ip%