Configuring a firewall on Windows Server 2003 with IPsec

  • 2020-05-13 03:56:44
  • OfStack

The built-in firewall of Windows Server 2003 is weak; the main problem is that it cannot be configured from the command line, which makes batch deployment a lot of work. IPsec policies are therefore used for access control instead.
On Windows Server 2003 this is done with the netsh ipsec command.
Command syntax: http://technet.microsoft.com/zh-cn/library/cc739550(v=ws.10).aspx#BKMK_add_rule

1. Delete all existing IPsec policies
netsh ipsec static del all

2. Create the policy named test
netsh ipsec static add policy name=test

3. Create the filter actions. A filter action is what is applied to a packet once a filter matches it, similar to ACCEPT and DROP in Linux iptables.
Create the block action
netsh ipsec static add filteraction name=block action=block
Create the permit action
netsh ipsec static add filteraction name=permit action=permit

4. Add a filter list for rejecting traffic, similar to the default policy in iptables
netsh ipsec static add filterlist name=deny_all
Add a filter that matches all connections to this host
netsh ipsec static add filter filterlist=deny_all srcaddr=Any dstaddr=Me

5. Bind the filter list and the block action to policy test with a rule, so that all requests are rejected
netsh ipsec static add rule name=deny_all policy=test filterlist=deny_all filteraction=block

6. Create the policy for outbound access from the server itself

Create the filter list server_access
netsh ipsec static add filterlist name=server_access

Add a filter to the filter list server_access allowing traffic from this host (any source port) to any address; add the protocol and port as needed, here TCP destination port 80
netsh ipsec static add filter filterlist=server_access srcaddr=Me dstaddr=any protocol=tcp dstport=80

Apply the filter list server_access in policy test; packets matching its filters are permitted
netsh ipsec static add rule name=server_access policy=test filterlist=server_access filteraction=permit

7. Create the web server access policy

Create the filter list web
netsh ipsec static add filterlist name=web

Add a filter to the filter list web allowing any external address to reach port 80 on this host
netsh ipsec static add filter filterlist=web srcaddr=any dstaddr=Me dstport=80

Apply the filter list web in policy test with the permit action
netsh ipsec static add rule name=web policy=test filterlist=web filteraction=permit

8. Create the FTP server access policy

netsh ipsec static add filterlist name=ftp
netsh ipsec static add filter filterlist=ftp srcaddr=any dstaddr=Me dstport=21

Add the FTP server's passive-mode ports; three are added here for testing
netsh ipsec static add filter filterlist=ftp srcaddr=any dstaddr=Me dstport=65530
netsh ipsec static add filter filterlist=ftp srcaddr=any dstaddr=Me dstport=65531
netsh ipsec static add filter filterlist=ftp srcaddr=any dstaddr=Me dstport=65532
netsh ipsec static add rule name=ftp policy=test filterlist=ftp filteraction=permit
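As an added example (this is not the article's own script), the eight steps above assembled into one batch file that can be pushed to many hosts. It also supplies what the steps leave out: outbound DNS, a management rule so the mirrored deny-all filter cannot lock the administrator out, and the final assignment step, without which the policy exists but is never enforced. The admin subnet 192.168.1.0/24, the filter list name admin, the explicit protocol=tcp on the inbound filters and the policy variable are assumptions.

```batch
@echo off
rem Added example, not the article's code: deploys the article's IPsec policy
rem as one script for batch deployment on Windows Server 2003.
rem Assumption: RDP_SRC/RDP_MASK is the subnet you administer from.
setlocal
set POLICY=test
set RDP_SRC=192.168.1.0
set RDP_MASK=255.255.255.0

rem Start clean, then create the policy and the two filter actions
netsh ipsec static del all
netsh ipsec static add policy name=%POLICY%
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filteraction name=permit action=permit

rem Default deny. Filters are mirrored by default, so Any->Me also matches Me->Any
netsh ipsec static add filterlist name=deny_all
netsh ipsec static add filter filterlist=deny_all srcaddr=Any dstaddr=Me
netsh ipsec static add rule name=deny_all policy=%POLICY% filterlist=deny_all filteraction=block

rem Outbound from this host: HTTP from the article, plus DNS (UDP 53),
rem which the article omits but the host needs for name resolution
netsh ipsec static add filterlist name=server_access
netsh ipsec static add filter filterlist=server_access srcaddr=Me dstaddr=Any protocol=tcp dstport=80
netsh ipsec static add filter filterlist=server_access srcaddr=Me dstaddr=Any protocol=udp dstport=53
netsh ipsec static add rule name=server_access policy=%POLICY% filterlist=server_access filteraction=permit

rem Inbound services; the more specific permit filters win over the deny-all filter
netsh ipsec static add filterlist name=web
netsh ipsec static add filter filterlist=web srcaddr=Any dstaddr=Me protocol=tcp dstport=80
netsh ipsec static add rule name=web policy=%POLICY% filterlist=web filteraction=permit

netsh ipsec static add filterlist name=ftp
for %%P in (21 65530 65531 65532) do netsh ipsec static add filter filterlist=ftp srcaddr=Any dstaddr=Me protocol=tcp dstport=%%P
netsh ipsec static add rule name=ftp policy=%POLICY% filterlist=ftp filteraction=permit

rem Management access (RDP) only from the admin subnet, so assigning the policy
rem over a remote session does not cut that session off
netsh ipsec static add filterlist name=admin
netsh ipsec static add filter filterlist=admin srcaddr=%RDP_SRC% srcmask=%RDP_MASK% dstaddr=Me protocol=tcp dstport=3389
netsh ipsec static add rule name=admin policy=%POLICY% filterlist=admin filteraction=permit

rem The article never assigns the policy; nothing is enforced until this step
netsh ipsec static set policy name=%POLICY% assign=y
if errorlevel 1 (echo Policy assignment failed & exit /b 1)

rem Show what is now active so the deployment can be checked
netsh ipsec static show policy name=%POLICY%
endlocal
```

Run it from an elevated console; confirm afterwards with netsh ipsec static show all that the rules and the assigned policy are what you expect.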

