使用Windows防火墙拒绝访问50000个特定IP地址
我需要在Windows防火墙中拒绝访问大约50000个IP地址使用Windows防火墙拒绝访问50000个特定IP地址,windows,firewall,Windows,Firewall,我需要在Windows防火墙中拒绝访问大约50000个IP地址netsh advfirewall只允许我添加大约700个。如何实现这一点?看起来您可以使用c应用程序以编程方式将规则添加到windows防火墙。您需要添加对FirewallAPI.dll的引用,它位于c:\windows\system32 这样做: using NetFwTypeLib; // Located in FirewallAPI.dll ... INetFwRule firewallRule = (INetFwRule)A
netsh advfirewallFirewallAPI.dllc:\windows\system32using NetFwTypeLib; // Located in FirewallAPI.dll
...
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
firewallRule.Description = "Block this!";
firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
firewallRule.Enabled = true;
firewallRule.InterfaceTypes = "All";
firewallRule.RemoteAddresses = "x.x.x.x" //or x.x.x.x,x.x.x.x,... See Note 1
firewallRule.Name = "Block IP x.x.x.x";
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);
参考文献:改编自和不幸的是,由于控制台的限制,
netsh advfirewallset readfile[open“comma_separated_iplist.txt”r];#打开逗号分隔的IP列表文件
设置ip_列表[读取$out];#将整个文件读入一个变量
关闭$readfile;#关闭文件,不再需要
catch{exec netsh advfirewall delete rule name=IPBlocks};#删除所有旧条目
如果{[string length$ip_list]<8000}{
#如果少于8000个字符,只需将它们直接添加到1个防火墙条目中即可
catch{exec netsh advfirewall add rule name=“IPBlocks”protocol=any dir=in action=block remoteip=$ip_list}
}否则{
#如果超过8000个字符,则分解为8000个组件并添加每个防火墙规则
设置startpos 0;#设置搜索开始位置(开始)
将添加ip范围设置为“1”;#将起始范围ip列表设置为任意值
而{$add_ip_range!=''}{;#循环,直到开始范围ip列表为空
#设置要检查的IP范围内容
设置比较ip范围[字符串范围$ip\U列表0[expr$startpos+8000]]
#将最后一个字符设置为逗号*删除最后一个逗号
设置endpos[expr[string last',“$compare\u ip\u range]-1]
#获取整个列表从开始位置到结束位置的实际文本范围/区块
设置添加ip范围[字符串范围$ip\U列表$startpos$endpos]
#首先确保IP范围(区块)中包含某些内容
如果{$add\u ip\u range!=“”}{
#将IP的范围(区块)添加到Windows防火墙规则
如果{![catch{exec netsh advfirewall firewall add rule name=“IPBlocks”protocol=any dir=in action=block remoteip=$add_ip_range}err]}{
}
设置startpos[expr$endpos+2];#更新更多块的新开始位置+2个字符,以跳过从endpos删除的逗号
}
}
set readfile [open "comma_seperated_iplist.txt" r]; # Open the comma seperated IP list file
set ip_list [read $out]; # read the whole file into 1 variable
close $readfile; # close the file, no longer needed
catch {exec netsh advfirewall firewall delete rule name=IPBlocks}; # remove any old entries
if {[string length $ip_list] < 8000} {
# if under 8000 characters, just add them directly to 1 firewall entry
catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$ip_list}
} else {
# if over 8000 characters, break up into 8000 components and add each firewall rule
set startpos 0; # set the search starting position (begining)
set add_ip_range "1"; # set the start range IP list to anything
while {$add_ip_range !=""} {; # loop until the start range IP list is empty
# set the IP range contents to check up to
set compare_ip_range [string range $ip_list 0 [expr $startpos + 8000]]
# set the end position with the last character as comma * remove last comma
set endpos [expr [string last "," $compare_ip_range]-1]
# get the actual text range/chunk from the start position to the end position of the whole list
set add_ip_range [string range $ip_list $startpos $endpos]
# ensure the IP range (chunk) has something in it first
if {$add_ip_range !=""} {
# add the range of IP's (chunk) to a Windows Firewall Rule
if {![catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$add_ip_range} err]} {
}
set startpos [expr $endpos+2]; # Update new start position for more chunks +2 characters to skip over removed comma from endpos
}
}