簡介
IPSec 是安全聯網的長期方向。它通過端對端的安全性來提供主動的保護以防止專用網絡與 Internet 的***。在通信中,只有發送方和接收方纔是唯一必須瞭解 IPSec 保護的計算機。在 Windows XP 和 Windows Server 2003 家族中,IPSec 提供了一種能力,以保護工作組、局域網計算機、域客戶端和服務器、分支機構(物理上爲遠程機構)、Extranet 以及漫遊客戶端之間的通信。
下面使用 IP SEC 實現以下條件的策略:
允許其他人訪問我的WEB服務器,端口TCP(80);允許其他人遠程連接到我的桌面,端口TCP(3389);
允許我打開其他網站,例如 BINGUN.BLOG.51CTO.COM ,需要使用的端口有 UDP(53)TCP(53)TCP(80)
創建策略
- netsh ipsec static add policy name="My Policy" description="Port accessed policy."
創建兩個過濾器
- netsh ipsec static add filterlist name="Trust" description="Permit accessed rules."
- netsh ipsec static add filterlist name="Distrust" description="Block accessed rules."
分別爲過濾器創建規則
- netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=udp mirrored=yes description="Permit Any UDP(53) accessed Me UDP(All) ports."
- netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(53) accessed Me TCP(all) ports."
- netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=80 dstaddr=me dstport=0 protocol=tcp mirrored=yes description="Permit Any TCP(80) accessed Me TCP(all) ports."
- netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=80 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(80) ports."
- netsh ipsec static add filter filterlist="Trust" srcaddr=any srcport=0 dstaddr=me dstport=3389 protocol=tcp mirrored=yes description="Permit Any TCP(all) accessed Me TCP(3389) ports."
- netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=tcp mirrored=no description="Block Any TCP(all) accessed Me TCP(all) ports."
- netsh ipsec static add filter filterlist="Distrust" srcaddr=any srcport=0 dstaddr=me dstport=0 protocol=udp mirrored=no description="Block Any(all) accessed Me UDP(all) ports."
創建過濾動作
- netsh ipsec static add filteraction name="Permit" action=permit
- netsh ipsec static add filteraction name="Block" action=block
將過濾器與過濾動作關聯
- netsh ipsec static add rule name="Trusted rules" policy="My Policy" filterlist="Trust" filteraction="Permit"
- netsh ipsec static add rule name="Distrust rules" policy="My Policy" filterlist="Distrust" filteraction="Block"
啓用和停止策略
- netsh ipsec static set policy name="My Policy" assign=y
- netsh ipsec static set policy name="My Policy" assign=n
IP SEC 中的優先級是按所建規則的嚴格程度來區分的,規則越嚴格優先級越高。