Author Posts

August 22, 2014 at 4:15 am

Alright gentlemen,

I wrote this little configuration to control the two ICMP firewall rules in Windows 7 using the default DSC resources.
It does work, but I feel my approach is a bit flimsy. Is there a better way to do this? (excluding GPO).
I also feel that using [b]Invoke-Expression[/b] is probably a bit much, but I haven't figured a way around it because of the darn double quotes that netsh.exe wants for the rule name.

$computers = 'aperturelabs-8', 'aperturelabs-7'

$LocalMOFpath = "D:\365\OneDrive for Business\apertureLabs"
Set-Location $LocalMOFpath

Configuration ApertureLabsConf
{
    Param([string[]]$Computername)

    Node $Computername
    {
        Script Mr_Ping
        {
            GetScript = {
                $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                         'File and Printer Sharing (Echo Request - ICMPv4-In)'
                $enabled = 0
                foreach ($rule in $rules) {
                    # --% hands the rest of the line to netsh verbatim, so the quoted name survives
                    $netsh = "netsh.exe --% advfirewall firewall show rule name=`"$rule`""
                    # one 'Enabled:  Yes' line per rule entry; @() keeps .Count correct when netsh returns a single line
                    $enabled += @(@(Invoke-Expression $netsh) -match '^Enabled:\s+Yes').Count
                }
                $result = "$enabled matching rules are enabled:`n" + ($rules -join "`n")
                return @{
                    GetScript  = $GetScript
                    SetScript  = $SetScript
                    TestScript = $TestScript
                    Result     = $result
                }
            }
            TestScript = {
                $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                         'File and Printer Sharing (Echo Request - ICMPv4-In)'
                $flag = $True
                foreach ($rule in $rules) {
                    $netsh = "netsh.exe --% advfirewall firewall show rule name=`"$rule`""
                    $enabled = @(@(Invoke-Expression $netsh) -match '^Enabled:\s+Yes').Count
                    # netsh on Win7 groups Private,Public into one rule, so each name shows two entries
                    # (Domain and Private,Public); both must be enabled
                    if ($enabled -lt 2) { $flag = $False }
                }
                $flag # $True only if every rule in $rules is enabled for every profile
            }
            SetScript = {
                $rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
                         'File and Printer Sharing (Echo Request - ICMPv4-In)'
                foreach ($rule in $rules) {
                    $netsh = "netsh.exe --% advfirewall firewall set rule name=`"$rule`" new enable=yes"
                    Invoke-Expression -Command $netsh
                }
            }
        } #Script
    } #node
} #configuration

# compile one MOF per node into $LocalMOFpath, then push it
ApertureLabsConf -Computername $computers -OutputPath $LocalMOFpath
Start-DscConfiguration -Path $LocalMOFpath -Wait -Verbose

August 22, 2014 at 4:35 am

Instead of using the Script resource, you could write a resource which behaves like xFirewall / cFirewall, but uses netsh to do the work instead of cmdlets that only work on Windows 8 / Server 2012. That's probably a lot more work, but also would result in something that's much more useful in the future.

It's unfortunate that WMF 4.0 (and by extension, DSC) is supported on Windows 7 and Server 2008 R2, but so many of the available resources don't work on those platforms.
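The following is added here as an example and is neither the poster's configuration nor Carbon's resource. It addresses the first post's question about Invoke-Expression by passing the rule name to netsh.exe as a single PowerShell argument (PowerShell quotes an argument that contains spaces when it launches a native executable, so no escaped quotes or --% are needed), and it follows the second post's suggestion by shaping the code like a DSC resource (Get-, Set- and Test-TargetResource wrapping netsh instead of the Windows 8-only cmdlets). It assumes English-language netsh output (the labels 'Rule Name:', 'Enabled:' and 'Profiles:'), the two built-in Windows 7 rule names from the configuration above, and an elevated session, since netsh set rule needs administrator rights.

```powershell
# Added example, not the poster's or Carbon's code. Assumes English netsh output
# (labels 'Rule Name:', 'Enabled:', 'Profiles:') and the built-in Windows 7 rule names.

function Get-NetshFirewallRule {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    # Pass the name as one argument. PowerShell wraps an argument containing spaces in double
    # quotes when it launches the native exe, so no Invoke-Expression or escaping is needed.
    $output = & netsh.exe advfirewall firewall show rule "name=$Name"

    # Unknown rule: netsh prints 'No rules match the specified criteria.' and no 'Rule Name:' header
    if (-not ($output -match '^Rule Name:')) { return @() }

    # Windows 7 prints one block per profile group (e.g. Domain, then Private,Public); emit one object per block
    $blocks = ($output -join "`n") -split '(?m)^Rule Name:' | Where-Object { $_.Trim() }
    foreach ($block in $blocks) {
        $props = @{}
        foreach ($line in ($block -split "`n")) {
            # 'Label:   value' lines only; the Type/Code sub-table and the dashed separator have no colon
            if ($line -match '^\s*([^:]+):\s+(.*?)\s*$') { $props[$matches[1].Trim()] = $matches[2] }
        }
        [pscustomobject]@{
            Name     = $Name
            Profiles = $props['Profiles']
            Enabled  = ($props['Enabled'] -eq 'Yes')
        }
    }
}

function Set-NetshFirewallRuleEnabled {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name, [bool]$Enabled = $true)

    $value = if ($Enabled) { 'yes' } else { 'no' }
    & netsh.exe advfirewall firewall set rule "name=$Name" new "enable=$value" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set '$Name' to enable=$value (exit code $LASTEXITCODE)" }
}

# Named after the three functions a DSC resource module exports. Shipping this as a real resource
# also needs a .schema.mof and a module manifest, which this example leaves out.
function Get-TargetResource {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) { Get-NetshFirewallRule -Name $n }
}

function Test-TargetResource {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $entries = @(Get-NetshFirewallRule -Name $n)
        # A missing rule, or any profile entry still disabled, means the node is not in the desired state
        if ($entries.Count -eq 0 -or @($entries | Where-Object { -not $_.Enabled }).Count -gt 0) {
            Write-Verbose "'$n' is missing or disabled for at least one profile"
            return $false
        }
    }
    return $true
}

function Set-TargetResource {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        Write-Verbose "Enabling '$n' for all profiles"
        Set-NetshFirewallRuleEnabled -Name $n -Enabled $true
    }
}

# Usage: the same two rules the Script resource above manages
$rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
         'File and Printer Sharing (Echo Request - ICMPv4-In)'
if (-not (Test-TargetResource -Name $rules -Verbose)) { Set-TargetResource -Name $rules -Verbose }
Get-TargetResource -Name $rules | Format-Table Name, Profiles, Enabled -AutoSize
```

Parsing each 'Rule Name:' block into an object, rather than counting 'Enabled' lines, means Test-TargetResource does not depend on how many profile groups netsh happens to print, and a rule that has been deleted shows up as "not in desired state" instead of as a count of zero that happens to pass. In a real resource module the Get-TargetResource function returns a hashtable whose keys match the schema properties; the object output here is kept for readability.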

August 22, 2014 at 10:27 am

I just wrote a firewall resource that works on Windows 7 and Windows 2012 R2 for Carbon, my open-source DevOps module. The resource will be officially released as part of the 2.0 alpha release. I'm currently finalizing the documentation. If you can't wait, you can download it here: [url]https://bitbucket.org/splatteredbits/carbon/src/936df054fbbc558541f62110f51ac3482cb482fc/Carbon/DscResources/Carbon_FirewallRule/?at=default[/url].