辉克's Blog

Those who create opportunities are the brave; those who wait for them are fools.

Adding IPsec policies and firewall rules from the command line

If we want to allow this machine to reach port 8080 on 192.168.1.1, we can configure it as follows; the settings and notes below are offered for reference:
 
Create a security policy named policy1:
netsh ipsec static add policy name=policy1
 
Create a filter list containing a filter that matches 192.168.1.1:
netsh ipsec static add filterlist name=allowip
netsh ipsec static add filter filterlist=allowip srcaddr=me dstaddr=192.168.1.1 dstport=8080 protocol=TCP
(to match a whole subnet instead of a host, give the network address and mask, e.g. srcaddr=192.168.1.0 srcmask=255.255.255.0)
(leaving out dstport and protocol matches all ports and all protocols)
 
Create a filter action:
netsh ipsec static add filteraction name=allowact action=permit
 
Add a rule to policy1 that ties the filter list to the filter action:
netsh ipsec static add rule name=rule1 policy=policy1 filterlist=allowip filteraction=allowact
 
Assign (activate) the policy:
netsh ipsec static set policy name=policy1 assign=y
Only one local IPsec policy can be assigned at a time, and a permit filter action on its own blocks nothing. To turn this into a whitelist, add a second filter list that matches all traffic (srcaddr=me dstaddr=any) with a block filter action; IPsec applies the most specific matching filter, so the permit for 192.168.1.1:8080 takes precedence over the catch-all block.
Export the security policies to a file:
netsh ipsec static exportpolicy d:\ip.ipsec
Delete all security policies, filter lists and filter actions (unassign the active policy with assign=n first):
netsh ipsec static delete all
Import security policies from a file:
netsh ipsec static importpolicy d:\ip.ipsec
 
 
Script approach
===============
Copy the following into a file named ipsec.bat:
netsh ipsec static add policy name=test
netsh ipsec static add filterlist name=myallow
netsh ipsec static add filter filterlist=myallow srcaddr=me dstaddr=192.168.1.1 dstport=8080 protocol=TCP
netsh ipsec static add filteraction name=allow action=permit
netsh ipsec static add rule name=allowrule policy=test filterlist=myallow filteraction=allow
netsh ipsec static set policy name=test assign=y
 
Run the BAT file with administrator privileges on the machine to be configured, and the policy is created and assigned.
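The policy above only permits; it restricts nothing. The batch file below is an added example (not the original post's script) that turns the same netsh ipsec static commands into an actual whitelist: a catch-all block filter, a permit filter for the log server on 8080, and a permit for inbound RDP from an admin host so the operator is not locked out. It backs up the policy store first and stops at the first failing command. The policy name, the 33.33.33.31 admin host and the file paths are assumptions for illustration.

```batch
@echo off
REM ipsec-whitelist.bat: added example, not the original post's script.
REM Builds a block-all policy with specific permit exceptions. IPsec applies the
REM most specific matching filter, so the permits win over the catch-all block.
REM Addresses, names and paths below are assumed for illustration.
setlocal

REM netsh ipsec needs administrator rights; fail early if we do not have them.
net session >nul 2>&1 || (echo Run this script from an elevated command prompt. & exit /b 1)

set POLICY=whitelist
set LOGSERVER=192.168.1.1
set ADMINHOST=33.33.33.31

REM Back up the current policy store so the change can be undone with importpolicy.
netsh ipsec static exportpolicy file="%TEMP%\ipsec-before.ipsec" || goto :fail

netsh ipsec static add policy name=%POLICY% description="Block all, permit listed hosts" || goto :fail

REM Catch-all: everything between this host and anywhere. mirrored=yes (the
REM default, stated here for clarity) makes the filter match both directions.
netsh ipsec static add filterlist name=blockall || goto :fail
netsh ipsec static add filter filterlist=blockall srcaddr=me dstaddr=any mirrored=yes || goto :fail
netsh ipsec static add filteraction name=blockact action=block || goto :fail
netsh ipsec static add rule name=blockrule policy=%POLICY% filterlist=blockall filteraction=blockact || goto :fail

REM Exceptions: outbound to the log server on TCP 8080, inbound RDP from the admin host.
REM Without the RDP permit the block rule would cut off remote management.
netsh ipsec static add filterlist name=allowlist || goto :fail
netsh ipsec static add filter filterlist=allowlist srcaddr=me dstaddr=%LOGSERVER% dstport=8080 protocol=TCP || goto :fail
netsh ipsec static add filter filterlist=allowlist srcaddr=%ADMINHOST% dstaddr=me dstport=3389 protocol=TCP || goto :fail
netsh ipsec static add filteraction name=allowact action=permit || goto :fail
netsh ipsec static add rule name=allowrule policy=%POLICY% filterlist=allowlist filteraction=allowact || goto :fail

REM Assign the policy, then print it back so the filters can be checked by eye.
netsh ipsec static set policy name=%POLICY% assign=y || goto :fail
netsh ipsec static show policy name=%POLICY% level=verbose
echo Policy %POLICY% assigned. Roll back with: netsh ipsec static set policy name=%POLICY% assign=n
exit /b 0

:fail
echo A netsh command failed; policy %POLICY% was not assigned.
exit /b 1
```

The catch-all filter also blocks DNS, DHCP and domain traffic, so on a domain-joined host add permit filters for those servers before assigning the policy, and test from a console session rather than over RDP the first time.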
 
Firewall advanced settings
==========================
 
Likewise, Windows Firewall can be used to set up the equivalent policy and rules with the following commands:
 
Right-click cmd.exe, run it as administrator, and execute:
netsh advfirewall set currentprofile state on
This enables the firewall for the currently active network profile only; use allprofiles instead of currentprofile to enable it for the domain, private and public profiles at once.
Then add the whitelist rules; the rule name and remoteip can be adjusted as needed:
netsh advfirewall firewall add rule name="LOGS" dir=in action=allow protocol=TCP localport=8080 remoteip=192.168.1.1
netsh advfirewall firewall add rule name="rdp01" dir=in action=allow protocol=TCP localport=3389 remoteip=33.33.33.31
netsh advfirewall firewall add rule name="rdp02" dir=in action=allow protocol=TCP localport=3389 remoteip=33.33.33.32
netsh advfirewall firewall add rule name="rdp03" dir=in action=allow protocol=TCP localport=3389 remoteip=33.33.33.33
netsh advfirewall firewall add rule name="SQL01" dir=in action=allow protocol=TCP localport=1444 remoteip=33.33.33.31
netsh advfirewall firewall add rule name="SQL02" dir=in action=allow protocol=TCP localport=1444 remoteip=33.33.33.32
netsh advfirewall firewall add rule name="SQL03" dir=in action=allow protocol=TCP localport=1444 remoteip=33.33.33.33
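Allow rules only act as a whitelist when the profile's default inbound action is block and no broader allow rule already opens the same port. The batch file below is an added example (not the original post's commands) that adds those checks around the rules above: it backs up the firewall configuration, enables all profiles with blockinbound as the default, disables the built-in Remote Desktop rule group (which allows 3389 from any address when enabled), adds source-restricted rules with one comma-separated remoteip list per port, turns on dropped-connection logging, and prints the rules back for verification. The rule names, the 33.33.33.x admin hosts and the backup path are assumptions for illustration.

```batch
@echo off
REM fw-whitelist.bat: added example, not the original post's commands.
REM Hardens the profile defaults, then adds scoped inbound allow rules.
REM Host addresses, rule names and paths are assumed for illustration.
setlocal
net session >nul 2>&1 || (echo Run this script from an elevated command prompt. & exit /b 1)

set LOGSERVER=192.168.1.1
set ADMINS=33.33.33.31,33.33.33.32,33.33.33.33
set BACKUP=%TEMP%\firewall-before.wfw

REM Backup first; a bad run is undone with: netsh advfirewall import "%BACKUP%"
netsh advfirewall export "%BACKUP%" || goto :fail

REM currentprofile only covers the network type active right now; allprofiles
REM covers domain, private and public so the settings hold after a profile change.
netsh advfirewall set allprofiles state on || goto :fail
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || goto :fail

REM A whitelist is only as tight as the broadest allow rule: switch off the
REM built-in RDP group (open to any source) before adding a restricted one.
netsh advfirewall firewall set rule group="remote desktop" new enable=no

REM One rule per service, with the full list of permitted sources in remoteip.
REM The RDP and SQL rules are limited to the domain and private profiles so a
REM laptop on a public network does not expose them at all.
netsh advfirewall firewall add rule name="LOGS" dir=in action=allow protocol=TCP localport=8080 remoteip=%LOGSERVER% || goto :fail
netsh advfirewall firewall add rule name="RDP-admins" dir=in action=allow protocol=TCP localport=3389 remoteip=%ADMINS% profile=domain,private || goto :fail
netsh advfirewall firewall add rule name="SQL-admins" dir=in action=allow protocol=TCP localport=1444 remoteip=%ADMINS% profile=domain,private || goto :fail

REM Log dropped connections so a locked-out client shows up in the log.
netsh advfirewall set allprofiles logging droppedconnections enable || goto :fail
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" || goto :fail

REM Verify: show the new rule in full, then list name/state/direction/port of
REM every rule so any other enabled inbound rule on 3389 or 1444 stands out.
netsh advfirewall firewall show rule name="RDP-admins" verbose
echo --- all rules: look for other Enabled:Yes / Direction:In entries on 3389 or 1444 ---
netsh advfirewall firewall show rule name=all | findstr /i /c:"Rule Name:" /c:"Enabled:" /c:"Direction:" /c:"LocalPort:"
exit /b 0

:fail
echo A netsh command failed; restore with: netsh advfirewall import "%BACKUP%"
exit /b 1
```

After running it, confirm the firewall state with netsh advfirewall show allprofiles; the Firewall Policy line should read BlockInbound,AllowOutbound for every profile.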
 
 
 
Reference links:
Netsh commands for Internet Protocol security-2003
https://technet.microsoft.com/en-us/library/cc739550(v=ws.10).aspx
 
Netsh Commands for Internet Protocol Security (IPsec)-2008
https://technet.microsoft.com/en-us/library/cc725926(v=ws.10).aspx
 
How to use the “netsh advfirewall firewall” context instead of the “netsh firewall” context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista
https://support.microsoft.com/en-us/kb/947709
 
Netsh AdvFirewall Firewall Commands
https://technet.microsoft.com/zh-cn/library/dd734783(v=ws.10).aspx
 
