  • windows 设置ipsec防火墙

    Windows Server 上推荐使用 IPsec 策略来管理防火墙规则:默认防火墙需要手动导入/导出 .wfw 文件、逐条添加规则,维护麻烦;推荐将其关闭,改用 IPsec 管理。

    以下是线上防火墙配置,可参照业务环境以及端口做对应修改
    win+r:输入 secpol.msc,回车打开本地安全策略,在其中的“IP 安全策略”下可以查看和管理这里配置的防火墙策略

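    REM Windows Server host firewall built from an IPsec static policy (run as Administrator).
    REM Model: one policy ("Firewall") with a block-all rule plus explicit permit rules.
    REM More specific filters take precedence over the general block filter, and filters
    REM are mirrored by default, so each permit filter also matches the reply traffic.
    REM Caution: the policy is assigned at the end of this script. If the management
    REM source address (43.230.88.131 below) or the 3389 filters are wrong, remote access
    REM is lost, so apply this from a console/out-of-band session and verify RDP before
    REM disconnecting. Adjust addresses and ports to the environment.

    REM Delete all old static policies, filter lists and filter actions
    netsh ipsec static del all
    
    REM Create the policy
    netsh ipsec static add policy name=Firewall
    
    REM Filter action: block
    netsh ipsec static add filteraction name=m_block action=block
    
    REM Filter action: permit
    netsh ipsec static add filteraction name=m_permit action=permit
    
    REM Close all ports
    REM Filter list matching all TCP and UDP traffic between any addresses
    netsh ipsec static add filterlist name=all
    netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=TCP
    netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=UDP
    
    REM Rule: block everything not permitted by a more specific filter below
    netsh ipsec static add rule name=B_all policy=Firewall filterlist=all filteraction=m_block
    
    REM Permit 3389 (RDP)
    REM Inbound RDP only from the management host and the RFC 1918 private ranges.
    REM The private 172.x space is 172.16.0.0/12, not 172.0.0.0/8: a /8 would also
    REM permit RDP from public 172.0.0.0-172.15.255.255 and 172.32.0.0-172.255.255.255.
    netsh ipsec static add filterlist name=Intrannet_3389
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=3389 protocol=TCP
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=192.168.0.0 srcmask=16 dstaddr=Me dstport=3389 protocol=TCP
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=10.0.0.0 srcmask=8 dstaddr=Me dstport=3389 protocol=TCP
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=172.16.0.0 srcmask=12 dstaddr=Me dstport=3389 protocol=TCP
    REM Outbound RDP from this host to anywhere. Remove this filter if the server never
    REM needs to initiate RDP sessions; it limits lateral movement from a compromised host.
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=me dstaddr=any dstport=3389 protocol=TCP
    
    REM Rule: permit 3389
    netsh ipsec static add rule name=P_3389 policy=Firewall filterlist=Intrannet_3389 filteraction=m_permit
    
    REM Permit 26333 (inbound TCP from the management host only)
    netsh ipsec static add filterlist name=Intrannet_26333
    netsh ipsec static add filter filterlist=Intrannet_26333 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=26333 protocol=TCP
    
    REM Rule: permit 26333
    netsh ipsec static add rule name=P_26333 policy=Firewall filterlist=Intrannet_26333 filteraction=m_permit
    
    REM Permit IIS_Server
    REM HTTP/HTTPS inbound from anywhere and outbound from this host.
    REM TCP/2433 outbound: purpose is not stated here (presumably a back-end service
    REM the web tier depends on) - confirm against the application and narrow dstaddr if possible.
    netsh ipsec static add filterlist name=IIS_Server
    netsh ipsec static add filter filterlist=IIS_Server srcaddr=any dstaddr=Me dstport=80 protocol=TCP
    netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=80 protocol=TCP
    netsh ipsec static add filter filterlist=IIS_Server srcaddr=any dstaddr=Me dstport=443 protocol=TCP
    netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=443 protocol=TCP
    netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=2433 protocol=TCP
    
    REM Rule: permit IIS_Server
    netsh ipsec static add rule name=P_IIS_Server policy=Firewall filterlist=IIS_Server filteraction=m_permit
    
    REM Permit SNMP (UDP/161) inbound from the monitoring host only
    netsh ipsec static add filterlist name=SNMP_161
    netsh ipsec static add filter filterlist=SNMP_161 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=161 protocol=UDP
    REM Rule: permit 161
    netsh ipsec static add rule name=P_SNMP_161 policy=Firewall filterlist=SNMP_161 filteraction=m_permit
    
    REM Permit Other: DNS, NTP, rsync and Zabbix agent/server traffic
    REM The filter list must be created before filters are added to it, as for every
    REM other list above (the original script skipped this step for "Other").
    netsh ipsec static add filterlist name=Other
    netsh ipsec static add filter filterlist=Other srcaddr=Me dstaddr=DNS protocol=any
    netsh ipsec static add filter filterlist=Other srcaddr=Me dstaddr=any dstport=123 protocol=UDP
    netsh ipsec static add filter filterlist=Other srcaddr=any dstaddr=Me dstport=873 protocol=TCP
    netsh ipsec static add filter filterlist=Other srcaddr=me dstaddr=any dstport=873 protocol=TCP
    netsh ipsec static add filter filterlist=Other srcaddr=43.230.88.131 srcmask=32 dstaddr=me dstport=10050 protocol=tcp mirrored=yes description=Zabbix
    netsh ipsec static add filter filterlist=Other srcaddr=me dstaddr=43.230.88.131 dstport=10051 protocol=tcp mirrored=yes description=Zabbix
    
    REM Rule: permit Other
    netsh ipsec static add rule name=P_Other policy=Firewall filterlist=Other filteraction=m_permit
    
    REM Assign the policy; filtering starts here
    netsh ipsec static set policy name=Firewall assign=y
    REM IPsec policy configured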
    ipsec
  • 原文地址:https://www.cnblogs.com/Mrhuangrui/p/6587560.html