我需要拒绝在Windows防火墙中访问大约50,000个IP地址; netsh advfirewall只允许我添加大约700.如何实现?
答案 0 :(得分:0)
看起来您可以使用c#app以编程方式将规则添加到Windows防火墙。您需要添加FirewallAPI.dll的引用,该引用位于c:\windows\system32
做这样的事情:
using NetFwTypeLib; // Located in FirewallAPI.dll
...
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
firewallRule.Description = "Block this!";
firewallRule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
firewallRule.Enabled = true;
firewallRule.InterfaceTypes = "All";
firewallRule.RemoteAddresses = "x.x.x.x" //or x.x.x.x,x.x.x.x,... See Note 1
firewallRule.Name = "Block IP x.x.x.x";
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);
注1:您可以尝试制作50,000个单独的规则(此代码添加1个规则)或将50,000个远程IP添加到1个规则。
这是针对入站阻止的,如果你想要出站阻止,也要改变方向。
参考:改编自Any way to turn the "internet off" in windows using c#?和https://msdn.microsoft.com/en-us/library/aa366458(VS.85).aspx
答案 1 :(得分:0)
不幸的是,由于控制台的限制,netsh advfirewall命令每行只能执行大约8192个字符(每条规则约550-1k IP)。
要使用此方法添加无限数量的IP块,您必须将逗号分隔的IP列表拆分为不超过8k字符的块或将它们添加为单独的IP块(这可能是不合需要的,因为它会洪水列出您的防火墙规则!)
我在TCL中做过这个,但是如果有人知道如何将txt文件拆分成不超过8k字符的DOS变量块,或者将IP添加到不超过8k字符长的变量中 - 也可以在这里发布: )
以下是文件中的TCL编码...逗号分隔IP列表: comma_seperated_iplist.txt
set readfile [open "comma_seperated_iplist.txt" r]; # Open the comma seperated IP list file
set ip_list [read $out]; # read the whole file into 1 variable
close $readfile; # close the file, no longer needed
catch {exec netsh advfirewall firewall delete rule name=IPBlocks}; # remove any old entries
if {[string length $ip_list] < 8000} {
# if under 8000 characters, just add them directly to 1 firewall entry
catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$ip_list}
} else {
# if over 8000 characters, break up into 8000 components and add each firewall rule
set startpos 0; # set the search starting position (begining)
set add_ip_range "1"; # set the start range IP list to anything
while {$add_ip_range !=""} {; # loop until the start range IP list is empty
# set the IP range contents to check up to
set compare_ip_range [string range $ip_list 0 [expr $startpos + 8000]]
# set the end position with the last character as comma * remove last comma
set endpos [expr [string last "," $compare_ip_range]-1]
# get the actual text range/chunk from the start position to the end position of the whole list
set add_ip_range [string range $ip_list $startpos $endpos]
# ensure the IP range (chunk) has something in it first
if {$add_ip_range !=""} {
# add the range of IP's (chunk) to a Windows Firewall Rule
if {![catch {exec netsh advfirewall firewall add rule name="IPBlocks" protocol=any dir=in action=block remoteip=$add_ip_range} err]} {
}
set startpos [expr $endpos+2]; # Update new start position for more chunks +2 characters to skip over removed comma from endpos
}
}