Enable/Disable Firewall Rules natively on Windows 7

This topic contains 2 replies, has 3 voices, and was last updated by Aaron Jensen 2 years, 3 months ago.

  • #18263
    Adrian Calinescu
    Participant

    Alright gentlemen,

    I wrote this little configuration to control the two ICMP firewall rules in Windows 7 using the default DSC resources.
    It does work, but I feel my approach is a bit flimsy. Is there a better way to do this (excluding GPO)?
    I also feel that using Invoke-Expression is probably a bit much, but I haven't figured out a way around it because of the darn double quotes that netsh.exe wants for the rule name.

    $computers = 'aperturelabs-8', 'aperturelabs-7'

    Set-Location "D:\365\OneDrive for Business\apertureLabs"
    $LocalMOFpath = "D:\365\OneDrive for Business\apertureLabs"

    Configuration ApertureLabsConf
    {
        Param([string[]]$Computername)

        Node $Computername
        {
            Script Mr_Ping
            {
                GetScript = {
                    $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                             'File and Printer Sharing (Echo Request - ICMPv4-In)'
                    $enabled = 0   # sum over both rules, not just the last one checked
                    foreach ($rule in $rules) {
                        # --% hands the rest of the line to netsh verbatim, so the quotes around the name survive
                        $netsh = "netsh.exe --% advfirewall firewall show rule name=`"$rule`""
                        $enabled += ((Invoke-Expression $netsh) -match 'Enabled' -match 'Yes').Count
                    }
                    $result = "$enabled matching rule entries are enabled:`n" + ($rules -join "`n")
                    # the Script resource only reads the Result key of this hashtable
                    return @{ Result = $result }
                }
                TestScript = {
                    $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                             'File and Printer Sharing (Echo Request - ICMPv4-In)'
                    $flag = $True
                    foreach ($rule in $rules) {
                        $netsh = "netsh.exe --% advfirewall firewall show rule name=`"$rule`""
                        $enabled = ((Invoke-Expression $netsh) -match 'Enabled' -match 'Yes').Count
                        # netsh on Win7 groups Private,Public into one rule entry, so a fully
                        # enabled rule shows two 'Enabled: Yes' lines (Domain plus Private,Public)
                        if ($enabled -lt 2) { $flag = $False }
                    }
                    return $flag   # $True only if every entry of every rule is enabled
                }
                SetScript = {
                    $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                             'File and Printer Sharing (Echo Request - ICMPv4-In)'
                    foreach ($rule in $rules) {
                        $netsh = "netsh.exe --% advfirewall firewall set rule name=`"$rule`" new enable=YES"
                        Invoke-Expression -Command $netsh
                    }
                }
            } #Script
        } #node
    } #configuration
    
    
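    Added example (not the original poster's code): the same Get/Test/Set logic with netsh called through the call operator instead of Invoke-Expression, and its output parsed into one object per profile entry so the Test step can report which profile is disabled. It assumes the Windows 7 "show rule" text layout; the $sample block at the end is constructed so the parser can be exercised without touching the firewall.

```powershell
function Get-NetshRuleState {
    param([Parameter(Mandatory)][string]$Name, [string[]]$NetshOutput)  # pass captured text to parse offline
    if (-not $NetshOutput) {
        # PowerShell wraps an argument containing spaces in quotes, so netsh receives
        # name="File and Printer Sharing (...)" exactly as from cmd.exe; no --% or Invoke-Expression needed
        $NetshOutput = & netsh.exe advfirewall firewall show rule name="$Name"
    }
    $records = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Rule Name:\s+(.*?)\s*$') {
            # one record per profile entry; on Win7 a rule typically has Domain plus Private,Public
            $current = @{ RuleName = $Matches[1]; Enabled = $false; Profiles = '' }
            [void]$records.Add($current)
        } elseif ($current -and $line -match '^Enabled:\s+(\S+)')  { $current.Enabled  = ($Matches[1] -eq 'Yes') }
          elseif ($current -and $line -match '^Profiles:\s+(\S+)') { $current.Profiles = $Matches[1] }
    }
    foreach ($r in $records) { [pscustomobject]$r }
}

function Test-NetshRuleEnabled {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $states = @(Get-NetshRuleState -Name $n)
        # an unknown rule name yields no records ("No rules match the specified criteria.")
        # and must count as non-compliant, not as vacuously enabled
        if ($states.Count -eq 0 -or ($states | Where-Object { -not $_.Enabled })) { return $false }
    }
    return $true
}

function Set-NetshRuleEnabled {
    param([string[]]$Names)
    foreach ($n in $Names) {
        & netsh.exe advfirewall firewall set rule name="$n" new enable=yes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh could not enable rule '$n' (exit code $LASTEXITCODE)" }
    }
}

# Constructed sample of Win7 'show rule' output: Domain entry disabled, Private/Public entry enabled
$sample = @'
Rule Name:                            File and Printer Sharing (Echo Request - ICMPv4-In)
Enabled:                              No
Profiles:                             Domain

Rule Name:                            File and Printer Sharing (Echo Request - ICMPv4-In)
Enabled:                              Yes
Profiles:                             Private,Public
Ok.
'@ -split "`r?`n"
Get-NetshRuleState -Name 'File and Printer Sharing (Echo Request - ICMPv4-In)' -NetshOutput $sample |
    Format-Table RuleName, Profiles, Enabled -AutoSize
```

    Dropping the three functions into a Script resource's GetScript/TestScript/SetScript gives the same behaviour as the configuration above, and the parsed objects make the Get result readable instead of a bare line count.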
  • #18264
    Dave Wyatt
    Moderator

    Instead of using the Script resource, you could write a resource which behaves like xFirewall / cFirewall, but uses netsh to do the work instead of cmdlets that only work on Windows 8 / Server 2012. That's probably a lot more work, but also would result in something that's much more useful in the future.

    It's unfortunate that WMF 4.0 (and by extension, DSC) are supported on Windows 7 and Server 2008 R2, but so many of the available resources don't work on those platforms.

  • #18273
    Aaron Jensen
    Participant

    I just wrote a firewall resource that works on Windows 7 and Windows 2012 R2 for Carbon, my open-source DevOps module. The resource will be officially released as part of the 2.0 alpha release. I'm currently finalizing the documentation. If you can't wait, you can download it here: https://bitbucket.org/splatteredbits/carbon/src/936df054fbbc558541f62110f51ac3482cb482fc/Carbon/DscResources/Carbon_FirewallRule/?at=default
