Windows防火墙小结

Windows防火墙的默认策略是:即使不添加block规则,没有显式开放(allow)的入站端口也是关闭的。
可以通过netsh配置如上策略:
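# Set the current profile's default policy: block unsolicited inbound, allow all outbound.
# The `firewallpolicy` keyword is required; without it netsh rejects the command.
netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound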
其它一些例子
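# Restore the firewall to its out-of-box defaults (every custom rule is lost).
netsh advfirewall reset
# Turn the firewall off for all profiles (domain, private, public).
netsh advfirewall set allprofiles state off
# Turn the firewall on for all profiles.
netsh advfirewall set allprofiles state on
# Show the state and default policy of each profile.
netsh advfirewall show allprofiles
# Disable every existing rule, in both directions. With the inbound default of
# block this closes all inbound ports, including whatever remote-management
# port the operator is using, so add the allow rules you need before this step.
netsh advfirewall firewall set rule name=all new enable=no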

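# Block-list approach: only the listed ports are blocked, every other port keeps
# its default state, so business ports are never closed by mistake.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule dir=in action=block protocol=UDP localport=53 name="Block_UDP-53"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"
# NetBIOS name service (137) and datagram service (138) run over UDP; the TCP
# rules alone do not cover them, so matching UDP block rules are added as well.
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=137 name="Block_TCP-137"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=138 name="Block_TCP-138"
netsh advfirewall firewall add rule dir=in action=block protocol=UDP localport=137 name="Block_UDP-137"
netsh advfirewall firewall add rule dir=in action=block protocol=UDP localport=138 name="Block_UDP-138"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=139 name="Block_TCP-139"
# Block rules take precedence over allow rules: while this rule is enabled no
# allow rule can open 3389, not even for a bastion host. Delete or disable it
# before adding a source-restricted allow rule for RDP.
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=3389 name="Block_TCP-3389"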


# Allow RDP (3389) inbound only from the listed source addresses.
# Both rules share one name, so `delete rule name="Allow baoleiji access 3389"`
# removes both at once; a single rule with
# remoteip="10.153.127.110,192.168.111.129" would be equivalent.
# NOTE: these allow rules have no effect while a block rule for 3389
# (e.g. Block_TCP-3389) is enabled, because block rules take precedence.
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="192.168.111.129"

# Delete rules by name. This removes every rule carrying that name, not just the
# ones created above.
netsh advfirewall firewall delete rule name="Block_UDP-53"
netsh advfirewall firewall delete rule name="Block_TCP-135"
netsh advfirewall firewall delete rule name="Block_TCP-137"
netsh advfirewall firewall delete rule name="Block_TCP-138"
netsh advfirewall firewall delete rule name="Block_TCP-139"
netsh advfirewall firewall delete rule name="Block_TCP-445"
# NOTE(review): Block_TCP-1245, Block_TCP-1433 and Block_TCP-3306 are not created
# anywhere on this page; deleting a name that does not exist only reports that no
# rule matched. TODO confirm 1245 is the intended port (it also appears below).
netsh advfirewall firewall delete rule name="Block_TCP-1245"
netsh advfirewall firewall delete rule name="Block_TCP-1433"
netsh advfirewall firewall delete rule name="Block_TCP-3306"
netsh advfirewall firewall delete rule name="Block_TCP-3389"
# Disable (rather than delete) every inbound rule on the given port/protocol,
# whatever its name or action. Disabled rules can be turned back on with
# `new enable=yes`, so this is the reversible alternative to delete.
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=53  protocol=UDP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=135  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=137  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=138  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=139  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=445  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=1245  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=3389  protocol=TCP NEW enable=no

# Allow only the bastion host (10.153.127.110) to reach 3389.
# This is effective only once every block rule for 3389 (e.g. Block_TCP-3389) has
# been deleted or disabled, because block rules take precedence over allow rules;
# with the inbound default of block, all other sources are then denied.
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"

# Delete every inbound rule on the given port/protocol, whatever its name or
# action. Not recommended: this also removes matching allow rules, including
# built-in ones, and unlike `set rule ... new enable=no` it cannot be reversed
# rule by rule.
netsh advfirewall firewall delete rule name=all dir=in localport=53  protocol=UDP
netsh advfirewall firewall delete rule name=all dir=in localport=135  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=137  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=138  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=139  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=445  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=1245  protocol=TCP


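# Turn the firewall on, block 445 and explicitly allow every other TCP port inbound.
# NOTE: this exposes every TCP port except 445 to any source address; UDP is not
# covered by the allow rules and stays at the inbound default (block). Because
# block rules take precedence, one allow rule for localport=1-65535 would behave
# the same; the two ranges merely make the excluded port visible in the rule set.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
netsh advfirewall firewall add rule name="ALL port" protocol=TCP dir=in localport=1-444 action=allow
netsh advfirewall firewall add rule name="ALL port" protocol=TCP dir=in localport=446-65535 action=allow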

# Reset all rules, then allow only the bastion host to reach 3389.
netsh advfirewall reset 
netsh advfirewall set allprofile state on 
# Disables every default rule restored by the reset, including the
# "Core Networking" group (DHCP, ICMPv6 and similar). Re-enable what the host
# needs afterwards, e.g.
#   netsh advfirewall firewall set rule group="Core Networking" new enable=yes
NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no
# With the inbound default of block and every other rule disabled, this single
# allow rule is the only inbound entry point. Between the previous line and this
# one there is no rule admitting the operator's own RDP session, so run the
# sequence from the console or another out-of-band channel.
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"

# List every network adapter that has the IPv6 (ms_tcpip6) binding.
Get-NetAdapterBinding -ComponentID ms_tcpip6
# Unbind IPv6 from every adapter.
# NOTE(review): the port block rules above carry no address filter and, as far as
# I can tell, apply to IPv6 traffic as well, so unbinding IPv6 is not needed for
# them to take effect; Microsoft advises against disabling IPv6 on Windows.
# Confirm this step is actually required before rolling it out.
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
# To re-enable IPv6 later, run: Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

# 官方文档 https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd734783(v=ws.10)?redirectedfrom=MSDN
# 禁用规则 https://www.tenforums.com/tutorials/90033-enable-disable-ipv6-windows.html
