Using Windows Firewall to deny access to 50,000 specific IP addresses

Date: 2014-08-13 09:48:51

Tags: windows firewall

I need to deny access to about 50,000 IP addresses in the Windows Firewall; netsh advfirewall only lets me add about 700. How can this be done?

2 answers:

Answer 0: (score: 0)

It looks like you can programmatically add rules to the Windows Firewall from a C# app. You need to add a reference to FirewallAPI.dll, which is located in c:\windows\system32

Do something like this:

using System;
using NetFwTypeLib; // Located in FirewallAPI.dll (add it as a COM reference)
...
// Create one rule object through the HNetCfg.FWRule COM class
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
    Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
firewallRule.Description = "Block this!";
firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN; // inbound; NET_FW_RULE_DIR_OUT for outbound
firewallRule.Enabled = true;
firewallRule.InterfaceTypes = "All";
firewallRule.RemoteAddresses = "x.x.x.x"; // or "x.x.x.x,x.x.x.x,..." See Note 1
firewallRule.Name = "Block IP x.x.x.x";

// Open the local firewall policy and add the rule to it
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
    Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);

Note 1: You could try making 50,000 separate rules (this code adds 1 rule) or adding all 50,000 remote IPs to 1 rule.

This is for inbound blocking; if you want outbound blocking, change the direction as well.

Reference: adapted from Any way to turn the "internet off" in windows using c#? https://msdn.microsoft.com/en-us/library/aa366458(VS.85).aspx

Answer 1: (score: 0)

Unfortunately, due to console limitations, the netsh advfirewall command can only take about 8192 characters per line (roughly 550-1k IPs per rule).

To add an unlimited number of IP blocks with this method, you have to split the comma-separated IP list into chunks of no more than 8k characters, or add them as separate IP blocks (which is probably undesirable, since it floods your firewall rule list!)

I did this in TCL, but if anyone knows how to split a txt file into DOS variable chunks of no more than 8k characters, or how to add IPs to a variable that is no more than 8k characters long - post it here too :)

Here is the TCL code... the comma-separated IP list is in the file: comma_seperated_iplist.txt

set readfile [open "comma_seperated_iplist.txt" r]; # Open the comma separated IP list file
set ip_list [string trim [read $readfile]]; # read the whole file into 1 variable (trim the trailing newline so it is not passed to netsh)
close $readfile; # close the file, no longer needed

catch {exec netsh advfirewall firewall delete rule name=IPBlocks}; # remove any old entries

if {[string length $ip_list] < 8000} {
    # if under 8000 characters, just add them directly to 1 firewall entry
    catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$ip_list}

} else {
    # if over 8000 characters, break up into chunks of at most 8000 characters and add each chunk as its own firewall rule
    set startpos 0; # set the search starting position (beginning)
    set total [string length $ip_list]

    while {$startpos < $total} {
        # take the next 8000 characters of the list starting at the current position
        set compare_ip_range [string range $ip_list $startpos [expr {$startpos + 7999}]]
        # position of the last comma inside that window, relative to startpos
        set lastcomma [string last "," $compare_ip_range]
        if {$startpos + 8000 >= $total || $lastcomma < 0} {
            # final chunk (or no comma in the window): take everything that is left so the last IP is not dropped
            set endpos [expr {$total - 1}]
        } else {
            # end the chunk just before the last comma so no IP is cut in half
            set endpos [expr {$startpos + $lastcomma - 1}]
        }
        # get the actual text range/chunk from the start position to the end position of the whole list
        set add_ip_range [string range $ip_list $startpos $endpos]

        # ensure the IP range (chunk) has something in it first
        if {$add_ip_range != ""} {
            # add the range of IPs (chunk) to a Windows Firewall Rule; report netsh errors instead of silently ignoring them
            if {[catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$add_ip_range} err]} {
                puts stderr "netsh failed for chunk starting at $startpos: $err"
            }
        }
        set startpos [expr {$endpos + 2}]; # Update new start position for more chunks, +2 characters to skip over the comma at endpos+1
    }
}
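The same chunking idea, written as an added example (this is not code from either answer, and not the Tcl above). It reads the comma-separated list, validates every entry with the standard library's ipaddress module so a stray token cannot make netsh reject a whole rule, deduplicates and collapses adjacent addresses into CIDR blocks (which cuts the number of rules well below what 50,000 raw addresses would need, since netsh's remoteip= accepts CIDR notation), then packs the entries greedily into chunks that never exceed the 8000-character budget answer 1 uses, without splitting an address or dropping the final one. The rule name IPBlocks, the 8000-character limit, and the sample list are assumptions taken from the answer above; the file path on the command line is the caller's. On anything other than Windows it only prints the commands it would run.

```python
"""Split a comma-separated blocklist into netsh-sized rules (added example, not from the answers above)."""
import ipaddress
import subprocess
import sys

# Constructed sample in the same shape as the answer's comma_seperated_iplist.txt:
# a whole /24 listed host by host, a duplicate, a host already covered by a /24,
# a junk entry and one IPv6 host.
SAMPLE_LIST = ",".join(
    ["203.0.113.%d" % i for i in range(256)]
    + ["198.51.100.7", "198.51.100.7", "192.0.2.5", "192.0.2.0/24", "not-an-ip", "2001:db8::1"]
)

MAX_CHUNK_CHARS = 8000  # per-rule budget used in the answer above (console line limit is ~8192)
RULE_NAME = "IPBlocks"  # assumed rule name, same as in the Tcl script


def parse_entries(text):
    """Turn the raw file text into ip_network objects; collect entries netsh would reject."""
    nets, bad = [], []
    for raw in text.replace("\n", ",").split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            bad.append(item)
    return nets, bad


def collapse(nets):
    """Drop duplicates and merge adjacent/overlapping blocks (v4 and v6 handled separately)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def fmt(net):
    """Single hosts as plain addresses, everything else in the CIDR form remoteip= accepts."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def chunk_entries(entries, max_chars=MAX_CHUNK_CHARS):
    """Greedily pack entries into comma-joined strings of at most max_chars.
    An entry is never cut in half and the last one is never dropped."""
    chunks, cur, cur_len = [], [], 0
    for e in entries:
        extra = len(e) + (1 if cur else 0)  # +1 for the joining comma
        if cur and cur_len + extra > max_chars:
            chunks.append(",".join(cur))
            cur, cur_len, extra = [], 0, len(e)
        cur.append(e)
        cur_len += extra
    if cur:
        chunks.append(",".join(cur))
    return chunks


def build_commands(text, rule_name=RULE_NAME, max_chars=MAX_CHUNK_CHARS):
    """One delete command (clears old rules of that name) plus one add command per chunk."""
    nets, bad = parse_entries(text)
    entries = [fmt(n) for n in collapse(nets)]
    cmds = [["netsh", "advfirewall", "firewall", "delete", "rule", "name=" + rule_name]]
    for chunk in chunk_entries(entries, max_chars):
        cmds.append(["netsh", "advfirewall", "firewall", "add", "rule",
                     "name=" + rule_name, "protocol=any", "dir=in", "action=block",
                     "remoteip=" + chunk])
    return cmds, bad


def run_commands(cmds):
    """Run the commands (Windows only, from an elevated prompt); elsewhere just print them."""
    for cmd in cmds:
        if sys.platform == "win32":
            subprocess.run(cmd, check=False)  # the delete fails harmlessly if no rule exists yet
        else:
            line = " ".join(cmd)
            print(line[:120] + ("..." if len(line) > 120 else ""))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    commands, rejected = build_commands(text)
    if rejected:
        print("skipped entries netsh would reject:", rejected, file=sys.stderr)
    run_commands(commands)
```

Run it as `python blocklist.py comma_seperated_iplist.txt` from an administrator prompt. Every add command reuses the single name IPBlocks, so the leading delete clears all previous chunks before the new ones go in; collapsing first matters because a list of 50,000 addresses that came from a few scanner ranges often shrinks to a handful of CIDR blocks and therefore a handful of rules.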