From: 011netservice@gmail.com
Date: 2022-04-24
Subject: Windows-FireWall.txt

---------- 20200410
Two tracert runs (terminal output kept as captured):

C:>tracert 60.250.98.233

在上限 30 個躍點上
追蹤 60-250-98-233.HINET-IP.hinet.net [60.250.98.233] 的路由:

  1     1 ms     1 ms     1 ms  192.168.0.1
  2     4 ms     4 ms     3 ms  220-128-199-254.HINET-IP.hinet.net [220.128.199.254]
  3     4 ms     2 ms     5 ms  tpe4-3301.hinet.net [168.95.228.78]
  4     7 ms     4 ms     3 ms  220-128-3-134.HINET-IP.hinet.net [220.128.3.134]
  5     4 ms     4 ms    25 ms  tpdt-3307.hinet.net [220.128.26.93]
  6     3 ms     8 ms     7 ms  h217.s81.ts.hinet.net [168.95.81.217]
  7    19 ms    16 ms    12 ms  60-250-98-233.HINET-IP.hinet.net [60.250.98.233]

追蹤完成。

C:\Users\uAdmin>tracert 60.250.98.234

在上限 30 個躍點上
追蹤 60-250-98-234.HINET-IP.hinet.net [60.250.98.234] 的路由:

  1    <1 ms    <1 ms    <1 ms  60-250-98-234.HINET-IP.hinet.net [60.250.98.234]

追蹤完成。

---------- 20200410
Commonly used ports:
21, FTP.
23, Telnet.
25, SMTP.
53, DNS.
67, 68, BOOTP, Bootstrap Protocol Server/Client.
69, TFTP (Cisco).
79, Finger.
80, HTTP.
135, RPC. Remote Procedure Call, DCOM.
137, NetBIOS Name Service.
139, NetBIOS Session Service, file and printer sharing.
443, TCP, SSL. VisualSVN Server suggests using the standard ports 80 and 443 by default (instead of ports 8080 and 8443 as in previous versions).
1433, TCP, SQL Server.
1434, UDP, SQL Browser, SQL Admin Connection.
3306, TCP, MySQL.
3389, Remote Desktop.
5800, VNC.
5938, TeamViewer (IN 5938, OUT 80).

---------- 20200409
SQL Server firewall settings provided by Microsoft (this batch file uses the older "netsh firewall" context; the "netsh advfirewall" equivalents are in the 20190721 notes below):

@echo ========= SQL Server Ports ===================
@echo Enabling SQLServer default instance port 1433
netsh firewall set portopening TCP 1433 "SQLServer"
@echo Enabling Dedicated Admin Connection port 1434
netsh firewall set portopening TCP 1434 "SQL Admin Connection"
@echo Enabling conventional SQL Server Service Broker port 4022
netsh firewall set portopening TCP 4022 "SQL Service Broker"
@echo Enabling Transact-SQL Debugger/RPC port 135
netsh firewall set portopening TCP 135 "SQL Debugger/RPC"
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS Default Instance port 2383
netsh firewall set portopening TCP 2383 "Analysis Services"
@echo Enabling SQL Server Browser Service port 2382
netsh firewall set portopening TCP 2382 "SQL Browser"
@echo ========= Misc Applications ==============
@echo Enabling HTTP port 80
netsh firewall set portopening TCP 80 "HTTP"
@echo Enabling SSL port 443
netsh firewall set portopening TCP 443 "SSL"
@echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh firewall set portopening UDP 1434 "SQL Browser"
@echo Allowing multicast broadcast response on UDP (Browser Service Enumerations OK)
netsh firewall set multicastbroadcastresponse ENABLE

---------- 20190721

---------- Launching the firewall applet
control firewall.cpl
control /name Microsoft.WindowsFirewall

---------- Restricting external IPs
A. Add an inbound rule "BlockAll":
1. Select "Inbound Rules" on the left, then "New Rule" on the right.
2. Rule type = Custom.
3. Action = Allow the connection if it is secure.
4. Rule name = BlockAll.
B. Add a connection security rule:
1. Select "Connection Security Rules" on the left, then "New Rule" on the right.
2. Rule type = Authentication exemption.
3. In the computer list, add the IPs that are allowed to connect (the connecting computers that do not need authentication?). For example: 10.10.0.1-10.10.0.19.

---------- Allowing a specified program through the firewall from specified external IPs
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private

---------- Enabling a service (rule group) through the firewall
New command:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Enabling a service through the firewall:
New command:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Enabling a service through the firewall for all profiles:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private

---------- Opening a port
Inbound Rules > New Rule: rule type = Port (e.g. TCP, 80), action = Allow the connection, choose the profiles to apply it to (Domain, Private, Public, or all), then give it a name and description.
Command:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

---------- ref: https://support.microsoft.com/en-us/help/947709/how-to-use-the-netsh-advfirewall-firewall-context-instead-of-the-netsh
Old-style commands: netsh firewall ... (for computers older than Windows Server 2008 or Vista).
New-style commands: netsh advfirewall ...

The netsh advfirewall firewall command-line context is available in Windows Server 2008 and in Windows Vista. This context provides the functionality for controlling Windows Firewall behavior that was provided by the netsh firewall context in earlier Windows operating systems. This context also provides functionality for more precise control of firewall rules. These rules include the following per-profile settings:
Domain
Private
Public

The netsh firewall command-line context might be deprecated in a future version of the Windows operating system. We recommend that you use the netsh advfirewall firewall context to control firewall behavior.

Note: The netsh firewall command line is not recommended for use in Windows Vista.
This article describes how to use the netsh advfirewall firewall context instead of the netsh firewall context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista.

--------- Example 1: Enable a program
Allow a program through the firewall:
Old command:
netsh firewall add allowedprogram C:\MyApp\MyApp.exe "My Application" ENABLE
New command:
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

Allow a program through the firewall, restricted to specific external IPs, profile = Domain:
Old command:
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=Domain
New command:
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain

Allow a program through the firewall, restricted to specific external IPs, profile = All:
Old command:
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=ALL
New command: Run the following commands:
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private

--------- Example 2: Enable a port
Open a port:
Old command:
netsh firewall add portopening TCP 80 "Open Port 80"
New command:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

--------- Example 3: Delete enabled programs or ports
Remove a program's allow rule ("rule name" is the name the rule was created with):
Old command:
netsh firewall delete allowedprogram C:\MyApp\MyApp.exe
New command:
netsh advfirewall firewall delete rule name="rule name" program="C:\MyApp\MyApp.exe"

Remove a port's allow rule:
Old command:
netsh firewall delete portopening protocol=UDP port=500
New command:
netsh advfirewall firewall delete rule name="rule name" protocol=udp localport=500

--------- Example 4: Configure ICMP settings
Allow ICMP echo request (ping):
Old command:
netsh firewall set icmpsetting 8
New command:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Allow all ICMP (ping included):
Old command:
netsh firewall set icmpsetting type=ALL mode=enable
New command:
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow

Block an ICMP type (the KB example uses type 13, timestamp request; echo request/ping is type 8):
Old command:
netsh firewall set icmpsetting 13 disable all
New command:
netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block

--------- Example 5: Set logging
Configure logging:
Old command:
netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE
New command: Run the following commands:
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable
netsh advfirewall set currentprofile logging allowedconnections enable
If you want to set logging for a particular profile, use one of the following options instead of the "currentprofile" option:
Domainprofile
Privateprofile
Publicprofile

--------- Example 6: Enable Windows Firewall
Turn the firewall on:
Old command:
netsh firewall set opmode ENABLE
New command:
netsh advfirewall set currentprofile state on

Turn the firewall on with exceptions (allow rules) enabled:
Old command:
netsh firewall set opmode mode=ENABLE exceptions=enable
New command: Run the following commands:
netsh advfirewall set currentprofile state on
netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound
(blockinbound still honours the allow rules; blockinboundalways blocks every inbound connection regardless of allow rules, which is the exceptions=disable behaviour.)

Domain profile only, turn the firewall on with exceptions=disable:
Old command:
netsh firewall set opmode mode=enable exceptions=disable profile=domain
New command: Run the following commands:
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinboundalways,allowoutbound

All profiles, turn the firewall on:
Old command:
netsh firewall set opmode mode=enable profile=ALL
New command: Run the following commands:
netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
If you want to set the firewall state for a particular profile, use one of the following options instead of the "currentprofile" option:
Domainprofile
Privateprofile
Publicprofile

--------- Example 7: Restore policy defaults
Reset the firewall to its default state:
Old command:
netsh firewall reset
New command:
netsh advfirewall reset

--------- Example 8: Enable specific services
Enable a service (rule group) through the firewall:
Old command:
netsh firewall set service FileAndPrint
New command:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Enable Remote Desktop through the firewall:
Old command:
netsh firewall set service RemoteDesktop enable
New command:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Enable the service through the firewall for all profiles (the KB maps profile=ALL to the Domain and Private profiles; add a third command with profile=public if the rule should apply there too):
Old command:
netsh firewall set service RemoteDesktop enable profile=ALL
New command: Run the following commands:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private

Last Updated: Mar 16, 2019

--------- Reference:
Turn the firewall on:
netsh advfirewall set currentprofile state on
Turn the firewall off:
netsh advfirewall set currentprofile state off

Using a MySQL database as the example, port 3306:
Allow the specified port (called "端口" in mainland usage):
netsh advfirewall firewall add rule name="mysql" dir=in action=allow protocol=tcp localport=3306
Close the specified port:
netsh advfirewall firewall delete rule name="mysql" protocol=tcp localport=3306

Block ping (inbound echo request):
netsh advfirewall firewall add rule name="echo-request" protocol=icmpv4:8,any dir=in action=block
Allow ping again (remove the block rule):
netsh advfirewall firewall delete rule name="echo-request" dir=in

Export the firewall configuration ("x:路徑" stands for the drive and folder):
netsh advfirewall export "x:\路徑\advfirewall.pol"
Import the firewall configuration:
netsh advfirewall import "x:\路徑\advfirewall.pol"
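Added example (Python, not part of the notes): a check to run after adding rules like the ones above. It parses the text that "netsh advfirewall firewall show rule name=all" prints and flags enabled inbound Allow rules whose RemoteIP is Any, i.e. rules added without remoteip=... such as the "mysql" rule in the reference section; the sample output below is constructed in that layout.

```python
# Added example: audit the text that "netsh advfirewall firewall show rule
# name=all" prints and flag inbound allow rules reachable from any address.
# The sample is constructed in that layout (English locale); the two rules
# mirror the ones added in these notes, not a dump of a real host.
SAMPLE_RULES = """\
Rule Name:                            My Application
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
RemoteIP:                             157.60.0.1,172.16.0.0/16,LocalSubnet
Protocol:                             Any
Action:                               Allow

Rule Name:                            mysql
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3306
Action:                               Allow
Ok.
"""

def parse_show_rule(text):
    """Return one dict per rule, keyed by the labels netsh prints."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}                 # a new rule block starts here
            rules.append(current)
        if current is None or ":" not in line:
            continue                     # dashed separator, blank line, "Ok."
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules

def wide_open_inbound(rules):
    """Enabled inbound Allow rules whose RemoteIP is Any, as
    (name, protocol, local port, profiles).  A rule added with remoteip=...
    (like "My Application") is not reported; one added without it (like
    "mysql") defaults to Any and is, so it can be scoped or kept off Public."""
    return [(r["Rule Name"], r.get("Protocol"), r.get("LocalPort", "Any"), r.get("Profiles"))
            for r in rules
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"]
```

On a real host, save the output with netsh advfirewall firewall show rule name=all > rules.txt and pass the file contents to parse_show_rule.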
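Added example (Python, not part of the notes): once Example 5 above has turned on logging to %systemroot%\system32\LogFiles\Firewall\pfirewall.log, this reads the log using its #Fields: header for the column names and summarises which remote addresses were dropped on which inbound ports or ICMP types. The log lines are constructed for the example.

```python
# Added example: parse the W3C-format log that Example 5 turns on at
# %systemroot%\system32\LogFiles\Firewall\pfirewall.log and summarise dropped
# inbound traffic per remote address.  The sample is constructed, not captured.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2020-04-10 10:15:32 DROP TCP 203.0.113.7 10.10.0.5 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2020-04-10 10:15:33 DROP TCP 203.0.113.7 10.10.0.5 51235 1433 52 S 1234568 0 8192 - - - RECEIVE
2020-04-10 10:15:40 ALLOW TCP 10.10.0.12 10.10.0.5 49152 3389 0 - 0 0 0 - - - RECEIVE
2020-04-10 10:15:41 DROP ICMP 203.0.113.7 10.10.0.5 - - 60 - - - - 8 0 - RECEIVE
2020-04-10 10:15:45 DROP TCP 203.0.113.9 10.10.0.5 40000 3306 52 S 1234570 0 8192 - - - RECEIVE
2020-04-10 10:16:00 ALLOW TCP 10.10.0.5 60.250.98.233 50000 443 0 - 0 0 0 - - - SEND
"""

def parse_pfirewall_log(text):
    """Yield one dict per record; column names come from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names, e.g. 'src-ip'
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other header lines and blanks
        if fields is None:
            raise ValueError("log record found before the #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # truncated line, e.g. a rotated tail
        yield dict(zip(fields, parts))

def dropped_inbound_summary(text):
    """Map each remote source IP to the sorted targets it was dropped on.
    Only DROP records with path RECEIVE (inbound) count; ICMP has no port,
    so it is reported as 'icmp/<type>' instead of 'tcp/<port>'."""
    summary = {}
    for rec in parse_pfirewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        if rec["protocol"] == "ICMP":
            target = "icmp/" + rec["icmptype"]
        else:
            target = rec["protocol"].lower() + "/" + rec["dst-port"]
        summary.setdefault(rec["src-ip"], set()).add(target)
    return {ip: sorted(targets) for ip, targets in summary.items()}
```

A single remote address dropped on several different ports in a short window, as 203.0.113.7 is in the sample, is the pattern worth following up first.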