语法如下:
D:\h3c-agent>netsh advfirewall firewall add rule
提供的许多参数无效。请查看帮助获取正确语法。
用法: add rule name=<string>
dir=in|out
action=allow|block|bypass
[program=<program path>]
[service=<service short name>|any]
[description=<string>]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]
备注:
- 将新的入站或出站规则添加到防火墙策略。
- 规则名称应该是唯一的,且不能为 "all"。
- 如果已指定远程计算机或用户组,则 security 必须为
authenticate、authenc、authdynenc 或 authnoencap。
- 为 authdynenc 设置安全性可允许系统动态协商为匹配
给定 Windows 防火墙规则的通信使用加密。
根据现有连接安全规则属性协商加密。
选择此选项后,只要入站 IPSec 连接已设置安全保护,
但未使用 IPSec 进行加密,计算机就能够接收该入站连接的第一个 TCP 或
UDP 包。
一旦处理了第一个数据包,服务器将重新协商连接并对其进行升级,以便所
有后续通信都完全加密。
- 如果 action=bypass,则 dir=in 时必须指定远程计算机组。
- 如果 service=any,则规则仅应用到服务。
- ICMP 类型或代码可以为 "any"。
- Edge 只能为入站规则指定。
- AuthEnc 和 authnoencap 不能同时使用。
- Authdynenc 仅当 dir=in 时有效。
- 设置 authnoencap 后,security=authenticate 选项就变成可选参数。
示例:
为不具有封装的 messenger.exe 添加入站规则:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\programfiles\messenger\msmsgs.exe"
security=authnoencap action=allow
为端口 80 添加出站规则:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block
为 TCP 端口 80 通信添加需要安全和加密的入站规则:
netsh advfirewall firewall add rule
name="Require Encryption for Inbound TCP/80"
protocol=TCP dir=in localport=80 security=authdynenc
action=allow
为 messenger.exe 添加需要安全的入站规则:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\program files\messenger\msmsgs.exe"
security=authenticate action=allow
为 SDDL 字符串标识的组 acmedomain\scanners 添加
经过身份验证的防火墙跳过规则:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp=<SDDL string> action=bypass
security=authenticate
为 udp- 的本地端口 5000-5010 添加出站允许规则
Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
netsh advfirewall firewall add rule name="imcApmAgent64" dir=in program="D:\h3c-agent\install\common\imcApmAgent64.exe" security=authnoencap action=allow
netsh advfirewall firewall add rule name="imcApmAgentMain" dir=in program="D:\h3c-agent\Agent\common\jre\bin\imcApmAgentMain.exe" security=authnoencap action=allow
安全的入站规则
netsh advfirewall firewall add rule name="imcApmAgent64" dir=in program="D:\h3c-agent\install\common\imcApmAgent64.exe" security=authenticate action=allow
netsh advfirewall firewall add rule name="imcApmAgentMain" dir=in program="D:\h3c-agent\Agent\common\jre\bin\imcApmAgentMain.exe" security=authenticate action=allow
直接入站规则--security=authenticate
netsh advfirewall firewall add rule name="imcApmAgent64" dir=in program="D:\h3c-agent\install\common\imcApmAgent64.exe" action=allow
netsh advfirewall firewall add rule name="imcApmAgentMain" dir=in program="D:\h3c-agent\Agent\common\jre\bin\imcApmAgentMain.exe" action=allow
添加常规端口、以及非常规端口脚本
rem 批处理防火墙规则
@echo off
rem 设置需要启动的端口
set OTHERPORT=28000,7000,1052,7777,2333,902
rem 启用防火墙常规端口
netsh advfirewall firewall add rule name="_Ping" dir=in protocol=icmpv4 action=allow
netsh advfirewall firewall add rule name="_20 FTP" protocol=TCP dir=in localport=20 action=allow
netsh advfirewall firewall add rule name="_21 FTP" protocol=TCP dir=in localport=21 action=allow
netsh advfirewall firewall add rule name="_22 SSH" protocol=TCP dir=in localport=22 action=allow
netsh advfirewall firewall add rule name="_23 Telnet" protocol=TCP dir=in localport=23 action=allow
netsh advfirewall firewall add rule name="_25 SMTP" protocol=TCP dir=in localport=25 action=allow
netsh advfirewall firewall add rule name="_69 TFTP" protocol=UDP dir=in localport=69 action=allow
netsh advfirewall firewall add rule name="_110 POP3" protocol=TCP dir=in localport=110 action=allow
netsh advfirewall firewall add rule name="_443 HTTPS" protocol=TCP dir=in localport=443 action=allow
netsh advfirewall firewall add rule name="_137 Netbios-ns" protocol=UDP dir=in localport=137 action=allow
netsh advfirewall firewall add rule name="_138 Netbios-dgm" protocol=UDP dir=in localport=138 action=allow
netsh advfirewall firewall add rule name="_139 Netbios-ssn" protocol=TCP dir=in localport=139 action=allow
netsh advfirewall firewall add rule name="_445 Netbios-ds" protocol=TCP dir=in localport=445 action=allow
netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=80 action=allow
netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=8080 action=allow
rem 启用防火墙非常规端口
FOR %%c in (%OTHERPORT%) do (
SET PORT=%%c
call :input
call :output
)
pause
rem 入栈规则
:input
set INPUTPORT=%PORT%
set INPUT_RULE_NAME="_%INPUTPORT% 入栈规则"
netsh advfirewall firewall show rule name=%INPUT_RULE_NAME% >nul
if not ERRORLEVEL 1 (
echo 对不起,规则 %INPUT_RULE_NAME% 已经存在
) else (
netsh advfirewall firewall add rule name=%INPUT_RULE_NAME% dir=in action=allow protocol=TCP localport=%INPUTPORT%
echo 规则 %INPUT_RULE_NAME% 创建成功
)
rem 出栈规则
:output
set OUTPORT=%PORT%
set OUT_RULE_NAME="_%OUTPORT% 出栈规则"
netsh advfirewall firewall show rule name=%OUT_RULE_NAME% >nul
if not ERRORLEVEL 1 (
echo 对不起,规则 %OUT_RULE_NAME% 已经存在
) else (
netsh advfirewall firewall add rule name=%OUT_RULE_NAME% dir=out action=allow protocol=TCP localport=%OUTPORT%
echo 规则 %OUT_RULE_NAME% 创建成功
)
