我想使用 Windows 防火墙传出规则来阻止除以下程序之外的所有程序访问互联网:
- c:\zx\CertifyTheWeb - 刷新 IIS 证书的应用程序
- 万维网 - 如果我们的 Web 应用包含 httpget/httppost 或 Web API 集成,我希望它能够正常工作
- c:\zx\BatchProcessor - 我们希望可以访问互联网的另一个应用程序
我想创建一条或多条规则并用 PowerShell 来执行此操作,不过即使只是了解如何用其他任何语言或手动完成此操作,也会有所帮助。
我知道我可以直接允许 svchost.exe,但我不希望其他服务借此访问互联网,只希望万维网服务能够访问。
这也会阻止 Windows 更新,在这种情况下这也是可取的。
我并不介意这是否可以通过一条规则完成,或者是否需要 3 条规则。两者都可以 :)
谢谢
答案1
这是一个 PowerShell 脚本,它可以完成我要求的所有操作。请谨慎使用,因为它首先会删除所有现有的防火墙规则;如果您在该服务器上运行着线上应用程序,这可能会导致短暂的连接中断。
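# Locks the host down to a default-deny firewall policy (inbound and outbound)
# and re-creates only the allow rules needed by the listed programs/services:
# DNS client, RDP, inbound HTTPS, Certify The Web, IIS (W3SVC), the batch
# service (HTTPS/FTP) and outbound SMTP.
# Must be run from an elevated (Administrator) PowerShell session.
# As the author warns: the script starts by deleting every existing rule, so
# live connections (including the RDP session running it) may drop briefly.
#
# RDP listens on a non-default port on this host; adjust to match the server.
$RDPPORT = 39123

"DELETE ALL RULES"
netsh advfirewall firewall delete rule all

"LOCKDOWN OUTGOING PORTS"
# Default-deny in both directions; every rule added below is an explicit exception.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# dns is needed for internet to work.
# Scoped to the DNS Client service (dnscache), not to svchost.exe as a whole,
# so the other services hosted in svchost stay blocked.
"DNS"
netsh advfirewall firewall add rule name="Core Networking (DNS-Out)" dir=out action=allow protocol=UDP remoteport=53 program="c:\windows\system32\svchost.exe" service="dnscache"

"RDP $RDPPORT"
netsh advfirewall firewall add rule name="Remote Desktop (TCP-In) $RDPPORT" dir=in localport=$RDPPORT protocol=tcp action=allow
netsh advfirewall firewall add rule name="Remote Desktop (UDP-In) $RDPPORT" dir=in localport=$RDPPORT protocol=udp action=allow

"IN 443"
# Inbound HTTPS for the web server. Not program-scoped: any local process
# listening on 443 is reachable from any remote address.
netsh advfirewall firewall add rule name="Core Networking (HTTPS-In)" dir=in action=allow protocol=TCP localport=443 remoteport=any

# Certify The Web needs HTTP (80) and HTTPS (443) outbound for certificate
# renewal; one rule per executable, restricted to that program.
"Certify The Web 80"
netsh advfirewall firewall add rule name="Core Networking (HTTP-Out) c1" dir=out action=allow protocol=TCP remoteport=80 program="C:\Program Files\CertifyTheWeb\Certify.exe"
netsh advfirewall firewall add rule name="Core Networking (HTTP-Out) c2" dir=out action=allow protocol=TCP remoteport=80 program="C:\Program Files\CertifyTheWeb\CertifySSLManager.Service.exe"
netsh advfirewall firewall add rule name="Core Networking (HTTP-Out) c3" dir=out action=allow protocol=TCP remoteport=80 program="C:\Program Files\CertifyTheWeb\Certify.UI.exe"
"Certify The Web 443"
netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) c1" dir=out action=allow protocol=TCP remoteport=443 program="C:\Program Files\CertifyTheWeb\Certify.exe"
netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) c2" dir=out action=allow protocol=TCP remoteport=443 program="C:\Program Files\CertifyTheWeb\CertifySSLManager.Service.exe"
netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) c3" dir=out action=allow protocol=TCP remoteport=443 program="C:\Program Files\CertifyTheWeb\Certify.UI.exe"

"W3SVC 443"
# Outbound HTTPS for IIS so the web app's httpget/httppost and Web API calls work.
# The program-based variant targeting w3wp.exe is kept for reference; the active
# rule is scoped to the W3SVC service instead.
# NOTE(review): IIS worker processes (w3wp.exe) do not necessarily run inside the
# W3SVC service host, so confirm on this server that the web app's outbound
# traffic is actually matched by the service="W3SVC" rule rather than blocked.
#netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) IIS1" dir=out action=allow protocol=TCP remoteport=443 program="%%systemroot%%\system32\inetsrv\w3wp.exe"
netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) IIS1" dir=out action=allow protocol=TCP remoteport=443 service="W3SVC"

"443 Out - KEEP THIS RULE DISABLED"
# Break-glass rule for troubleshooting only. It is created with enable=no:
# without that parameter netsh creates the rule *enabled*, which would let
# every program on the host reach any remote host on 443 and silently defeat
# the whole lockdown. Enable it deliberately (and temporarily) when needed.
netsh advfirewall firewall add rule name="443 Out - KEEP THIS RULE DISABLED" dir=out action=allow protocol=TCP remoteport=443 enable=no

"BATCH 443"
netsh advfirewall firewall add rule name="Core Networking (HTTPS-Out) Batch" dir=out action=allow protocol=TCP remoteport=443 program="C:\Program Files\MyApp\Web Server\Database Administrator\MyAppBatchService7.exe"
# FTP control (20/21), FTPS (989/990) and passive data port ranges.
# Not program-scoped: any local process may open these remote ports.
netsh advfirewall firewall add rule name="FTP Outbound Batch" dir=out action=allow remoteip=any localip=any protocol=TCP localport=any remoteport=20,21,990,989,10000-10125,57000-60000 profile=any

"BATCH SMTP 25"
# The program-scoped variant is kept for reference; the active rule allows
# outbound SMTP (25) for every program on the host, not only the batch service.
# netsh advfirewall firewall add rule name="Core Networking (SMTP-Out) Batch" dir=out action=allow protocol=TCP remoteport=25 program="C:\Program Files\MyApp\Web Server\Database Administrator\MyAppBatchService7.exe"
netsh advfirewall firewall add rule name="Core Networking (SMTP-Out) Batch" dir=out action=allow protocol=TCP remoteport=25

# Make sure the firewall itself is enabled on every profile so the policy applies.
netsh advfirewall set allprofiles state ON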