Windows Local Security Policy from the command line

On XP, ipseccmd.exe has to be downloaded first. Search Google yourself for "ipseccmd download", or download it from http://ishare.iask.sina.com.cn/f/7579277.html

The following articles are recommended reading: http://microsoft.cnfan.net/winsystem/3692.html and http://technet.microsoft.com/en-us/library/cc739550(WS.10).aspx#BKMK_add_rule

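The main purpose of this post is to block certain IP ranges from accessing port 80 on the local machine, which is mostly useful on Windows servers (on Windows 2003, the corresponding command-line tool should be ipsec.exe).
The commands are as follows: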

ipseccmd.exe -w reg -p "phpsir ipsec" -o
ipseccmd.exe -w reg -p "phpsir ipsec" -r "block lijin 1.1" -f 1.1.*.*=*:80:TCP -n BLOCK
ipseccmd.exe -w reg -p "phpsir ipsec" -r "block lijin 2.2" -f 2.2.*.*=*:80:TCP -n BLOCK
ipseccmd.exe -w reg -p "phpsir ipsec" -y

The netsh method for Win2003/Win7

netsh ipsec static set policy name="phpsir-deny-policy" assign=n
netsh ipsec static delete policy name="phpsir-deny-policy"

netsh ipsec static add policy name="phpsir-deny-policy"
netsh ipsec static add filteraction name="phpsir-deny" action=block

netsh ipsec static add filter filterlist="deny 1.1.1.1" srcaddr=1.1.1.1 srcport=0 dstaddr=me dstport=0 protocol=0 mirrored=yes
netsh ipsec static add filter filterlist="deny 2.2.2.2" srcaddr=2.2.2.2 srcport=0 dstaddr=me dstport=0 protocol=0 mirrored=yes 



netsh ipsec static add rule name="11111" policy="phpsir-deny-policy" filterlist="deny 1.1.1.1" filteraction="phpsir-deny"
netsh ipsec static add rule name="22222" policy="phpsir-deny-policy" filterlist="deny 2.2.2.2" filteraction="phpsir-deny"   

netsh ipsec static set policy name="phpsir-deny-policy" assign=y
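
The netsh commands above block all traffic from single addresses. The batch file below is an added example, not part of the original post: it applies the same policy pattern to the stated goal of blocking whole ranges from TCP port 80 only. The filter list name "deny-web-ranges", the rule name "deny-web" and the two /16 ranges (taken from the ipseccmd example) are assumptions.

```bat
@echo off
rem Added example: block source ranges from reaching TCP port 80 on this host.
rem FLIST and RULE are hypothetical names; the ranges are sample values.
setlocal
set POLICY=phpsir-deny-policy
set ACTION=phpsir-deny
set FLIST=deny-web-ranges
set RULE=deny-web

rem Unassign and remove any earlier copy so the script can be re-run.
rem These print an error on a first run, when nothing exists yet.
netsh ipsec static set policy name="%POLICY%" assign=n
netsh ipsec static delete policy name="%POLICY%"
netsh ipsec static delete filterlist name="%FLIST%"
netsh ipsec static delete filteraction name="%ACTION%"

netsh ipsec static add policy name="%POLICY%"
netsh ipsec static add filteraction name="%ACTION%" action=block

rem One filter per range, all in a single filter list.
rem srcmask turns the address into a /16; dstport=80 with protocol=TCP
rem limits the block to web traffic instead of every port and protocol.
for %%N in (1.1.0.0 2.2.0.0) do (
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%%N srcmask=255.255.0.0 srcport=0 dstaddr=me dstport=80 protocol=TCP mirrored=yes
)

rem A single rule ties the filter list to the block action.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%ACTION%"

rem Assign the policy, then print it to confirm the filters are in place.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Run it from an elevated command prompt. Other services on the host stay reachable from the listed ranges, since only TCP 80 is matched.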