我想阻止计算机访问任何在中国设置的网站。操作系统是 Windows 10。我已经有一个包含中国所有 IP 的 .csv 文件,其中每行都按以下格式排列,1.0.1.0, 1.0.3.255 \n表示 IP 从1.0.1.0到1.0.3.255。那么是否可以实现这一目标以及如何实现?
有太多条目(数十万)无法手动添加到防火墙的出站规则中。而文件中重定向到 127.0.0.1hosts似乎只对 URL 有效,对 IP 无效(这是真的吗?)。
答案1
这是我发现的一种可能性,目前只能从互联网档案中找到。我还没有测试过,但下面是它的使用方法。
- 以管理员身份启动 PowerShell 会话并运行命令
Set-ExecutionPolicy Unrestricted,然后退出会话(您可以稍后撤消此操作) - 下载 zip 文件 windows防火墙脚本.zip 并将其解压到文件夹中
- 您将在其中找到以(表示注释行)
BlockList.txt开头的 文件# China# - 找到该行
# Russia并删除从该行到文件末尾的所有内容 - 将任何缺失的 IP 以相同的 CIDR 格式附加到文件并保存
- 右键单击该文件
Import-Firewall-Blocklist.ps1并选择“使用 PowerShell 运行”
该脚本将在 Windows 防火墙中创建入站和出站规则,以阻止文件中列出的所有 IPv4 和/或 IPv6 地址BlockList.txt。
如果此 PowerShell 脚本本身将来会消失,则以下是一份副本:
####################################################################################
#.Synopsis
# Block all IP addresses listed in a text file using the Windows Firewall.
#
#.Description
# Script will create inbound and outbound rules in the Windows Firewall to
# block all the IPv4 and/or IPv6 addresses listed in an input text file. IP
# address ranges can be defined with CIDR notation (10.4.0.0/16) or with a
# dash (10.4.0.0-10.4.255.255). Comments and blank lines are ignored in the
# input file. The script deletes and recreates the rules each time the
# script is run, so don't edit the rules by hand. Requires admin privileges.
# Multiple rules will be created if the input list is large. Requires
# Windows Vista, Windows 7, Server 2008 or later operating system. Blocking
# thousands of ranges does not seem to impede performance, but will slow
# the loading of the Windows Firewall snap-in and lengthen the time it takes
# to disable/enable a network interface. This script is just a wrapper for
# the netsh.exe tool. You can block individual IP addresses too, you do not
# need to use CIDR notation for this (10.1.1.1/32) though it does work.
#
#.Parameter InputFile
# File containing IP addresses and ranges to block; IPv4 and IPv6 supported.
# By default, the script will look for and use a file named 'blocklist.txt'.
#
#.Parameter RuleName
# (Optional) Override default firewall rule name; default based on file name.
# When used with -DeleteOnly, just give the rule basename without the "-#1".
#
#.Parameter ProfileType
# (Optional) Comma-delimited list of network profile types for which the
# blocking rules will apply: public, private, domain, any (default = any).
#
#.Parameter InterfaceType
# (Optional) Comma-delimited list of interface types for which the
# blocking rules will apply: wireless, ras, lan, any (default = any).
#
#.Parameter DeleteOnly
# (Switch) Matching firewall rules will be deleted, none will be created.
# When used with -RuleName, leave off the "-#1" at the end of the rulename.
#
#.Example
# import-firewall-blocklist.ps1 -inputfile IpToBlock.txt
#
#.Example
# import-firewall-blocklist.ps1 -inputfile iptoblock.txt -profiletype public
#
#.Example
# import-firewall-blocklist.ps1 -inputfile iptoblock.txt -interfacetype wireless
#
#.Example
# import-firewall-blocklist.ps1 -inputfile IpToBlock.txt -deleteonly
#
#.Example
# import-firewall-blocklist.ps1 -rulename IpToBlock -deleteonly
#
#Requires -Version 1.0
#
#.Notes
# Author: Jason Fossen (http://www.sans.org/windows-security/)
# Version: 1.3
# Updated: 31.Mar.2012
# LEGAL: PUBLIC DOMAIN. SCRIPT PROVIDED "AS IS" WITH NO WARRANTIES OR GUARANTEES OF
# ANY KIND, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY AND/OR FITNESS FOR
# A PARTICULAR PURPOSE. ALL RISKS OF DAMAGE REMAINS WITH THE USER, EVEN IF
# THE AUTHOR, SUPPLIER OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF
# ANY SUCH DAMAGE. IF YOUR STATE DOES NOT PERMIT THE COMPLETE LIMITATION OF
# LIABILITY, THEN DELETE THIS FILE SINCE YOU ARE NOW PROHIBITED TO HAVE IT.
####################################################################################
param ($InputFile = "BlockList.txt", $RuleName, $ProfileType = "any", $InterfaceType = "any", [Switch] $DeleteOnly)
# Look for some help arguments, show help, then quit.
if ($InputFile -match '/[?h]') { "`nPlease run 'get-help .\import-firewall-blocklist.ps1 -full' for help on PowerShell 2.0 and later, or just read the script's header in a text editor.`n" ; exit }
# Get input file and set the name of the firewall rule.
$file = get-item $InputFile -ErrorAction SilentlyContinue # Sometimes rules will be deleted by name and there is no file.
if (-not $? -and -not $DeleteOnly) { "`nCannot find $InputFile, quitting...`n" ; exit }
if (-not $rulename) { $rulename = $file.basename } # The '-#1' will be appended later.
# Description will be seen in the properties of the firewall rules.
$description = "Rule created by script. Do not edit rule by hand, it will be overwritten when the script is run again. By default, the name of the rule is named after the input file."
# Any existing firewall rules which match the name are deleted every time the script runs.
"`nDeleting any inbound or outbound firewall rules named like '$rulename-#*'`n"
$currentrules = netsh.exe advfirewall firewall show rule name=all | select-string '^[Rule Name|Regelname|Nome]+:\s+(.+$)' | foreach { $_.matches[0].groups[1].value }
if ($currentrules.count -lt 3) {"`nProblem getting a list of current firewall rules, quitting...`n" ; exit }
# Note: If you are getting the above error, try editing the regex pattern two lines above to include the 'Rule Name' in your local language.
$currentrules | foreach { if ($_ -like "$rulename-#*"){ netsh.exe advfirewall firewall delete rule name="$_" | out-null } }
# Don't create the firewall rules again if the -DeleteOnly switch was used.
if ($deleteonly -and $rulename) { "`nReminder: when deleting by name, leave off the '-#1' at the end of the rulename.`n" }
if ($deleteonly) { exit }
# Create array of IP ranges; any line that doesn't start like an IPv4/IPv6 address is ignored.
$ranges = get-content $file | where {($_.trim().length -ne 0) -and ($_ -match '^[0-9a-f]{1,4}[\.\:]')}
if (-not $?) { "`nCould not parse $file, quitting...`n" ; exit }
$linecount = $ranges.count
if ($linecount -eq 0) { "`nZero IP addresses to block, quitting...`n" ; exit }
# Now start creating rules with hundreds of IP address ranges per rule. Testing shows
# that netsh.exe errors begin to occur with more than 400 IPv4 ranges per rule, and
# this number might still be too large when using IPv6 or the Start-End format, so
# default to only 200 ranges per rule, but feel free to edit the following variable:
$MaxRangesPerRule = 200
$i = 1 # Rule number counter, when more than one rule must be created, e.g., BlockList-#001.
$start = 1 # For array slicing out of IP $ranges.
$end = $maxrangesperrule # For array slicing out of IP $ranges.
do {
$icount = $i.tostring().padleft(3,"0") # Used in name of rule, e.g., BlockList-#042.
if ($end -gt $linecount) { $end = $linecount }
$textranges = [System.String]::Join(",",$($ranges[$($start - 1)..$($end - 1)]))
"`nCreating an inbound firewall rule named '$rulename-#$icount' for IP ranges $start - $end"
netsh.exe advfirewall firewall add rule name="$rulename-#$icount" dir=in action=block localip=any remoteip="$textranges" description="$description" profile="$profiletype" interfacetype="$interfacetype"
if (-not $?) { "`nFailed to create '$rulename-#$icount' inbound rule for some reason, continuing anyway..."}
"`nCreating an outbound firewall rule named '$rulename-#$icount' for IP ranges $start - $end"
netsh.exe advfirewall firewall add rule name="$rulename-#$icount" dir=out action=block localip=any remoteip="$textranges" description="$description" profile="$profiletype" interfacetype="$interfacetype"
if (-not $?) { "`nFailed to create '$rulename-#$icount' outbound rule for some reason, continuing anyway..."}
$i++
$start += $maxrangesperrule
$end += $maxrangesperrule
} while ($start -le $linecount)
# END-O-SCRIPT