使用 netsh ipsec 管理本地安全策略
 

 下面使用 IP SEC 实现以下条件的策略:

  允许其他人访问我的WEB服务器,端口TCP(80);允许其他人远程连接到我的桌面,端口TCP(3389);

  允许我打开其他网站,例如 gepunet.com ,需要使用的端口有 UDP(53)TCP(53)TCP(80)

  创建策略

  1.netsh ipsec static add policy name="My Policy" description="Port accessed policy."

  创建两个过滤器

  1.netsh ipsec static add filterlist name="Trust" description="Permit accessed rules."

  1.netsh ipsec static add filterlist name="Distrust" description="Block accessed rules."

  分别为过滤器创建规则

  1.netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=udp mirrored=yes description="Permit Any UDP(53) accessed Me UDP(All) ports."

  1.netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(53) accessed Me TCP(all) ports."

  1.netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=80 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(80) accessed Me TCP(all) ports."

  1.netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=80 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(80) ports."

  1.netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=3389 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(3389) ports."

  1.netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=tcp mirrored=no description="Block Any TCP(all) accessed Me TCP(all) ports."

  1.netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=udp mirrored=no description="Block Any(all) accessed Me UDP(all) ports."

  创建过滤动作

  1.netsh ipsec static add filteraction name="Permit" action=permit

  1.netsh ipsec static add filteraction name="Block" action=block

  将过滤器与过滤动作关联

  1.netsh ipsec static add rule name="Trusted rules" policy="My Policy" filterlist="Trust" filteraction="Permit"

  1.netsh ipsec static add rule name="Distrust rules" policy="My Policy" filterlist="Distrust" filteraction="Block"

  启用和停止策略

  1.netsh ipsec static set policy name="My Policy" assign=y

  1.netsh ipsec static set policy name="My Policy" assign=n

  --------------------------------------------------------------------------------

  IP SEC 中的优先级是按所建规则的严格程度来区分的,规则越严格优先级越高。

  ==================================================================================

  以下是新添加的部分

  netsh ipsec static add policy name=mypolicy (建一个安全策略)

  netsh ipsec static add filterlist name=myaccess (允许筛选列表)

  netsh ipsec static add filterlist name=myrefuse (拒绝筛选列表)

  netsh ipsec static add filter filterlist=myaccess……(为myaccess添加一个筛选器)不建筛选器,建规则时会失败

  netsh ipsec static add filter filterlist=myrefuse…… (为myrefuse添加一个筛选器)不建筛选器,建规则时会失败

  netsh ipsec static add filteraction name=ok action=permit (建一个允许筛选操作)

  netsh ipsec static add filteraction name=not action=block (建一个拒绝筛选操作)

  netsh ipsec static add rule name=允许规则 policy=mypolicy filterlist=myaccess filteraction=ok (建一个规则,并将其添加到mypolicy策略中,并关联筛选操作)

  netsh ipsec static add rule name=拒绝规则 policy=mypolicy filterlist=myrefuse filteraction=not (建一个规则,并将其添加到mypolicy策略中,并关联筛选操作)

  netsh ipsec static set policy name=mypolicy assign=y (激活策略)

  netsh ipsec static show policy all(显示所有安全策略)

  netsh ipsec static show policy name=mypolicy(显示mypolicy安全策略)

  netsh ipsec static show policy name=mypolicy level=verbose(显示mypolicy策略及相关筛选器及筛选操作等相关信息)

  netsh ipsec static show filterlist name=myaccess lever=verbose(显示myaccess筛选列表等相关信息)

  netsh ipsec static delete policy name=mypolicy(删除某个安全策略)

  netsh ipsec static delete filterlist name=myaccess(删除某个筛选器列表)

  程序实现,增加列表后然后才执行,每次执行前先删除现有的规则。