Introduction

IPsec is the long-term direction for secure networking. Through end-to-end security it provides proactive protection against attacks from both the private network and the Internet. In a conversation, only the sender and the receiver need to know that IPsec protection is in place. In the Windows XP and Windows Server 2003 family, IPsec can protect communication between workgroup and LAN computers, domain clients and servers, branch offices (physically remote sites), extranets and roaming clients.


Below, IPsec is used to implement a policy that meets the following requirements:

Allow others to reach my web server on TCP port 80, and to connect to my desktop by Remote Desktop on TCP port 3389;

Allow me to browse other sites, for example BINGUN.BLOG.51CTO.COM, which needs UDP 53, TCP 53 and TCP 80 (DNS and HTTP).

Create the policy

  netsh ipsec static add policy name="My Policy" description="Port accessed policy."

Create two filter lists

  netsh ipsec static add filterlist name="Trust" description="Permit accessed rules."
  netsh ipsec static add filterlist name="Distrust" description="Block accessed rules."

Add filters to each filter list. In these commands port 0 means "any port", `me` stands for this computer's own addresses, and `mirrored=yes` also creates the filter for the reverse direction (so one filter covers both the request and its reply).

  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=udp mirrored=yes description="Permit Any UDP(53) accessed Me UDP(All) ports."
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(53) accessed Me TCP(all) ports."
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=80 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(80) accessed Me TCP(all) ports."
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=80 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(80) ports."
  netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=3389 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(3389) ports."
  netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=tcp mirrored=no description="Block Any TCP(all) accessed Me TCP(all) ports."
  netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=udp mirrored=no description="Block Any UDP(all) accessed Me UDP(all) ports."

Create the filter actions

  netsh ipsec static add filteraction name="Permit" action=permit
  netsh ipsec static add filteraction name="Block" action=block

Associate each filter list with a filter action by adding a rule to the policy

  netsh ipsec static add rule name="Trusted rules" policy="My Policy" filterlist="Trust" filteraction="Permit"
  netsh ipsec static add rule name="Distrust rules" policy="My Policy" filterlist="Distrust" filteraction="Block"

Assign (activate) and unassign the policy

  netsh ipsec static set policy name="My Policy" assign=y
  netsh ipsec static set policy name="My Policy" assign=n
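The whole procedure above, as an added example that is not part of the original post: a PowerShell script that builds the same policy in one idempotent run (it first deletes any leftovers from a previous run, in the order netsh requires), assigns it, and then verifies both what netsh stored and how the host actually behaves. The policy, filter-list, filter-action and rule names are the post's own; the outbound TCP 443 entry is an assumption added here to show how the port-80 rule generalises to other outbound services (without it, HTTPS replies are caught by the stateless block filter). The `Test-TcpPort` helper is hypothetical and uses a raw `TcpClient` so it also runs on old PowerShell versions that lack `Test-NetConnection`. Run it from an elevated prompt on a Windows version that still ships the `netsh ipsec static` context.

```powershell
# Added example (not the post's code). Builds and verifies the IPsec port policy.
$Policy      = 'My Policy'
$InboundTcp  = 80, 3389      # services others may reach on this host (post's values)
$OutboundTcp = 53, 80, 443   # remote services this host may use; 443 is an added assumption
$OutboundUdp = 53

function Invoke-Netsh {
    param([string[]]$Tokens, [switch]$IgnoreError)
    # Each token is one argument; PowerShell quotes those containing spaces, so netsh
    # receives name=My Policy exactly as it would from name="My Policy" typed in cmd.
    $out = & netsh ipsec static @Tokens
    if ($LASTEXITCODE -ne 0 -and -not $IgnoreError) {
        throw ("netsh ipsec static {0} failed:`n{1}" -f ($Tokens -join ' '), ($out -join "`n"))
    }
    $out
}

# 1. Tear down a previous run. A filter list or action that is still referenced by a
#    rule cannot be deleted, so the policy (and with it its rules) goes first.
Invoke-Netsh 'set','policy',"name=$Policy",'assign=n' -IgnoreError | Out-Null
Invoke-Netsh 'delete','policy',"name=$Policy" -IgnoreError | Out-Null
foreach ($fl in 'Trust','Distrust') { Invoke-Netsh 'delete','filterlist',"name=$fl" -IgnoreError | Out-Null }
foreach ($fa in 'Permit','Block')   { Invoke-Netsh 'delete','filteraction',"name=$fa" -IgnoreError | Out-Null }

# 2. Create everything in dependency order: policy, actions, lists, filters, rules.
Invoke-Netsh 'add','policy',"name=$Policy",'description=Port accessed policy.'
Invoke-Netsh 'add','filteraction','name=Permit','action=permit'
Invoke-Netsh 'add','filteraction','name=Block','action=block'
Invoke-Netsh 'add','filterlist','name=Trust','description=Permit accessed rules.'
Invoke-Netsh 'add','filterlist','name=Distrust','description=Block accessed rules.'

foreach ($p in $InboundTcp) {
    # any remote port -> me:$p; mirrored, so the replies me:$p -> any are covered too
    Invoke-Netsh 'add','filter','filterlist=Trust','srcaddr=any','srcport=0','dstaddr=me',
                 "dstport=$p",'protocol=tcp','mirrored=yes',"description=Inbound TCP $p"
}
foreach ($p in $OutboundTcp) {
    # remote:$p -> me:any is the reply direction; its mirror me:any -> remote:$p is the request
    Invoke-Netsh 'add','filter','filterlist=Trust','srcaddr=any',"srcport=$p",'dstaddr=me',
                 'dstport=0','protocol=tcp','mirrored=yes',"description=Outbound TCP $p"
}
foreach ($p in $OutboundUdp) {
    Invoke-Netsh 'add','filter','filterlist=Trust','srcaddr=any',"srcport=$p",'dstaddr=me',
                 'dstport=0','protocol=udp','mirrored=yes',"description=Outbound UDP $p"
}
foreach ($proto in 'tcp','udp') {
    # catch-all, NOT mirrored: only packets arriving at this host are blocked
    Invoke-Netsh 'add','filter','filterlist=Distrust','srcaddr=any','srcport=0','dstaddr=me',
                 'dstport=0',"protocol=$proto",'mirrored=no',"description=Block inbound $proto"
}

Invoke-Netsh 'add','rule','name=Trusted rules',"policy=$Policy",'filterlist=Trust','filteraction=Permit'
Invoke-Netsh 'add','rule','name=Distrust rules',"policy=$Policy",'filterlist=Distrust','filteraction=Block'
Invoke-Netsh 'set','policy',"name=$Policy",'assign=y'

# 3. Verify what was stored ...
Invoke-Netsh 'show','policy',"name=$Policy"
Invoke-Netsh 'show','filterlist','name=Trust'

# ... and how the host behaves. Hypothetical helper: returns $true if a TCP handshake
# completes within the timeout, $false on refusal, timeout or a DNS failure.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}

# Outbound checks from this host (the post's own site). With 443 removed from
# $OutboundTcp the second check times out: the reply packets hit the block filter.
'{0}:80  reachable -> {1}' -f 'bingun.blog.51cto.com', (Test-TcpPort 'bingun.blog.51cto.com' 80)
'{0}:443 reachable -> {1}' -f 'bingun.blog.51cto.com', (Test-TcpPort 'bingun.blog.51cto.com' 443)
```

Inbound behaviour is checked from another machine, for example by connecting to this host on 3389 and then on a port not in `$InboundTcp`; the first should connect and the second should time out rather than be refused, because the block filter silently drops the packets.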

Precedence among IPsec filters is decided by how specific a filter is, not by the order in which the filters or rules were created: the most specific matching filter wins. That is why the "Trust" filters (named ports) override the "Distrust" filters (all ports to all local ports) even though both rules sit in the same policy.

Two consequences of this particular policy are worth knowing before relying on it. First, IPsec filtering is stateless: the "Trust" filters that match on a remote source port of 53 or 80 to any local port also match a remote host that deliberately sends from source port 53 or 80, so such a host can reach every local port despite the block filter. Second, the "Distrust" filters cover only TCP and UDP; ICMP and other IP protocols are not filtered at all. Any outbound service not listed in "Trust" (HTTPS on TCP 443, for example) will also fail, because its reply packets match the catch-all block filter.

     (For more details, see Microsoft's official documentation.)