新建 一个bat文件,复制如下内容到bat文件中,将文件名命名为drop-udp.bat
netsh ipsec static add policy name=dropudp
netsh ipsec static add filterlist name=allow-udp
netsh ipsec static add filterlist name=drop-udp
REM 添加筛选器到IP筛选器列表(允许上网)
netsh ipsec static add filter filterlist=allow-udp srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yesdstport=53
netsh ipsec static add filter filterlist=allow-udp srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yesdstport=123
netsh ipsec static add filter filterlist=allow-udp srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yesdstport=161
REM 添加筛选器到IP筛选器列表(不让别人访问)
netsh ipsec static add filter filterlist=drop-udp srcaddr=any dstaddr=me description=别人到我任何访问 protocol=udp mirrored=yes
REM 添加筛选器操作
netsh ipsec static add filteraction name=allow-udp-port action=permit
netsh ipsec static add filteraction name=drop-udp-port action=block
REM 创建一个链接指定 IPSec 策略、筛选器列表和筛选器操作的规则(加入规则到我的安全策略)
netsh ipsec static add rule name=允许规则 policy=dropudp filterlist=allow-udp filteraction=allow-udp-port
netsh ipsec static add rule name=拒绝规则 policy=dropudp filterlist=drop-udp filteraction=drop-udp-port
REM 激活我的安全策略
netsh ipsec static setpolicy name=dropudp assign=y
保存后,双击运行即可
udp除53 DNS解析,161 snmp监控端口 及时间同步服务123这三个udp的端口外,禁用所有udp出入站连接
