How to change IPsec rules programmatically with C#?

Posted 2024-08-08 13:50:47 | 222 words | 5 views | 0 comments

The only method I know how to execute IPsec changes involves calling netsh to do the changes. Is there a method using System.Management and WMI objects directly? If so, what is it? I am having a hard time finding relevant WMI information with MSDN.

Or is there some other useful method someone out there has used?

EDIT: I am working in C#, and would prefer C# examples with regard to .NET System.Management based answers.

Thank you!

Comments (3)

终难遇 2024-08-15 13:50:47

1) Exact: WMI.

The EnableIPFilterSec WMI class static method can enable IP security globally across all IP-bound network adapters. With security enabled, security characteristics for any specific adapter can be altered with the EnableIPSec WMI class method. MSDN for the former here:

http://msdn.microsoft.com/en-us/library/aa390381%28VS.85%29.aspx

And see this MSDN entry for information about EnableIPSec and its parameters (that allow you to declare a list of ports and protocols):

http://msdn.microsoft.com/en-us/library/aa390382%28VS.85%29.aspx

Finally, this is a link to the WMI.NET code directory, where there are useful samples of code using System.Management to execute WQL queries.

http://msdn.microsoft.com/en-us/library/ms257338.aspx

NOTE:

If you need to mess around extensively with WQL tests for your ObjectQuery/SelectQuery System.Management objects, as I did, give wbemtest a try. It is the Windows Management Instrumentation tester, and makes writing, testing, and honing WQL for your applications much nicer.

2) Related: Programmatic firewall changes on Vista or later using FirewallAPI, INetFwRule Interface, and anything else one may need.

On Vista or later, using the FirewallAPI.dll is an easy option if you need ipsec functionality but don't care about the legacy PolicyAgent implementation.

I did not realize this was an option at first because I did not know that the Advanced Firewall in Vista and later truly combines IPSec and firewalling within the WFP (Windows Filtering Platform), and keeps legacy IPSec implementations going through PolicyAgent.

This means that using FirewallAPI.dll can give all the functionality of IPSec with the stateful intelligence of the firewall, which is exactly what I wanted. I just add blacklist rules (since blacklist rules take precedence), and add to the blacklist when needed through the API and WFP starts dropping the traffic. Done!
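The block-rule approach described in the answer above, as an added C# example (not code from the original post). It uses late-bound COM against the firewall API's `HNetCfg.FwPolicy2` and `HNetCfg.FWRule` objects; the rule name prefix, the grouping label and the sample address (from the 203.0.113.0/24 documentation range) are assumptions, and the process must run elevated.

```csharp
using System;

// Added example: Windows Firewall with Advanced Security (FirewallAPI.dll),
// Vista or later, driven through its COM automation objects.
static class BlocklistRule
{
    const int NET_FW_RULE_DIR_IN  = 1;            // NET_FW_RULE_DIRECTION
    const int NET_FW_ACTION_BLOCK = 0;            // NET_FW_ACTION
    const int NET_FW_PROFILE2_ALL = 0x7FFFFFFF;   // domain + private + public
    const string Group = "Example blocklist";     // hypothetical grouping label

    static dynamic Create(string progId) =>
        Activator.CreateInstance(Type.GetTypeFromProgID(progId, true));

    // Adds (or replaces) one inbound block rule for an address or CIDR range.
    public static void Block(string remoteAddress)
    {
        dynamic policy = Create("HNetCfg.FwPolicy2");   // INetFwPolicy2
        string name = "Blocklist " + remoteAddress;     // hypothetical naming scheme

        // Rule names are not unique in the store, so drop an earlier copy first.
        foreach (dynamic existing in policy.Rules)
            if (existing.Name == name) { policy.Rules.Remove(name); break; }

        dynamic rule = Create("HNetCfg.FWRule");        // INetFwRule
        rule.Name            = name;
        rule.Description     = "Added by blocklist tool";
        rule.Grouping        = Group;
        rule.Direction       = NET_FW_RULE_DIR_IN;
        rule.Action          = NET_FW_ACTION_BLOCK;
        rule.RemoteAddresses = remoteAddress;           // "a.b.c.d" or "a.b.c.d/nn"
        rule.Profiles        = NET_FW_PROFILE2_ALL;
        rule.Enabled         = true;
        policy.Rules.Add(rule);   // throws UnauthorizedAccessException if not elevated
    }

    static void Main(string[] args)
    {
        // Constructed sample input: one address from a documentation range.
        string target = args.Length > 0 ? args[0] : "203.0.113.7";
        Block(target);
        Console.WriteLine("Inbound block rule in place for " + target);
    }
}
```

Keeping every generated rule under one `Grouping` value makes the set easy to list and audit later in the Windows Firewall with Advanced Security console.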

卸妝后依然美 2024-08-15 13:50:47

In IIS 7, IP restrictions can be manipulated directly from the config file, without messing with the metadatabase. For easy maintenance, the config file can be split with configSource so that the IPSecure section can be saved into its own file.

Full article:
http://boseca.blogspot.com/2010/12/programmatically-addremove-ip-security.html

℉服软 2024-08-15 13:50:47

You can't do it with WMI. WMI is restricted to TCP Filtering, meaning blocking ports. Nothing more.

If you are using previous Windows versions, you can either:

a) use a command line tool, in this case either ipseccmd.exe or ipsecpol.exe (W2K), or netsh

or

b) Write the policies to the registry

My guess is that the command line tools do just that: they write values to the registry.

I've been into it for some time now and I didn't find a managed code solution. Too bad that the WFP API is not available in previous Windows versions.
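The two WMI methods named in the first answer, called through System.Management, as an added C# example (not code from any of the posts). It shows that the `EnableIPSec` parameters are permit lists of ports and IP protocol numbers on `Win32_NetworkAdapterConfiguration`; the port and protocol values are constructed samples, and the code assumes an elevated process on a system that still honours the legacy TCP/IP filter settings.

```csharp
using System;
using System.Management;   // reference System.Management.dll

static class LegacyIpFilter
{
    const string ClassName = "Win32_NetworkAdapterConfiguration";

    // Invokes a WMI method and returns its ReturnValue
    // (0 = success, 1 = success but a reboot is required).
    static uint Invoke(ManagementObject target, string method,
                       Action<ManagementBaseObject> fill)
    {
        using (ManagementBaseObject inParams = target.GetMethodParameters(method))
        {
            fill(inParams);
            using (ManagementBaseObject result =
                       target.InvokeMethod(method, inParams, null))
                return (uint)result["ReturnValue"];
        }
    }

    static void Main()
    {
        using (var cls = new ManagementClass(ClassName))
        {
            // Static method: turn filtering on for all IP-bound adapters.
            uint rc = Invoke(cls, "EnableIPFilterSec",
                             p => p["IPFilterSecurityEnabled"] = true);
            Console.WriteLine("EnableIPFilterSec -> " + rc);

            foreach (ManagementObject nic in cls.GetInstances())
            using (nic)
            {
                if (!(bool)nic["IPEnabled"]) continue;   // skip unbound adapters

                // Constructed sample permit lists: TCP 443 and 3389 only,
                // every UDP port ("0" = all), IP protocols 6 (TCP) and 17 (UDP).
                rc = Invoke(nic, "EnableIPSec", p =>
                {
                    p["IPSecPermitTCPPorts"]    = new[] { "443", "3389" };
                    p["IPSecPermitUDPPorts"]    = new[] { "0" };
                    p["IPSecPermitIPProtocols"] = new[] { "6", "17" };
                });
                Console.WriteLine(nic["Description"] + " -> " + rc);
            }
        }
    }
}
```

Read the adapter's `IPSecPermitTCPPorts`, `IPSecPermitUDPPorts` and `IPSecPermitIPProtocols` properties back after the call to confirm what was stored before relying on the filter.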
