# Module-private constants shared by the *-PullServerFirewallConfiguration functions.
# Both are created read-only in script scope; -Force lets the module be re-imported.

# Absolute path of netsh.exe under %windir%, so the firewall commands do not depend on
# PATH lookup to find the binary.
New-Variable -Scope Script -Option ReadOnly -Force -Name netsh -Value "$env:windir\system32\netsh.exe"

# Display name of the Pull Server firewall rule. NOTE: the string contains no '{0}'
# placeholder, so the '-f $Port' applied by the callers leaves it unchanged and rules
# for every port share this single display name.
New-Variable -Scope Script -Option ReadOnly -Force -Name fireWallRuleDisplayName -Value 'DSCPullServer_IIS_Port'
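<#
.SYNOPSIS
Create a firewall exception so that DSC clients are able to access the configured Pull Server
.DESCRIPTION
Adds an inbound allow rule for TCP port $Port using netsh.exe. Any existing rule with the
same display name and port is deleted first, so repeated calls are idempotent. As a side
effect the inbound user notification is disabled for the whole current firewall profile,
not only for this rule.
.PARAMETER Port
The TCP port used to create the firewall exception
.NOTES
netsh output is discarded; $LASTEXITCODE of the 'add rule' call is checked and a
non-terminating error is written when the rule could not be created.
#>
function Add-PullServerFirewallConfiguration
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [ValidateRange(1, 65535)]
        [System.UInt32]
        $Port
    )

    Write-Verbose -Message 'Disable Inbound Firewall Notification'
    $null = & $script:netsh advfirewall set currentprofile settings inboundusernotification disable

    $ruleName = $FireWallRuleDisplayName -f $Port

    # Remove all existing rules with that displayName and port. netsh exits non-zero when
    # nothing matched, which is the normal first-run case, so its exit code is not checked.
    $null = & $script:netsh advfirewall firewall delete rule name=$ruleName protocol=tcp localport=$Port

    Write-Verbose -Message "Add Firewall Rule for port $Port"
    $null = & $script:netsh advfirewall firewall add rule name=$ruleName dir=in action=allow protocol=TCP localport=$Port

    # A failed add used to be silently ignored, leaving the Pull Server unreachable while
    # the caller saw no error. Surface it instead of hiding it behind the discarded output.
    if ($LASTEXITCODE -ne 0)
    {
        Write-Error -Message "netsh failed to add firewall rule '$ruleName' for TCP port $Port (exit code $LASTEXITCODE)"
    }
}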
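<#
.SYNOPSIS
Delete the Pull Server firewall exception
.DESCRIPTION
Removes the inbound TCP rule that Add-PullServerFirewallConfiguration created for the
given port. Only rules whose local port matches $Port are removed; because the rule
display name does not include the port, Pull Server rules on other ports that share the
same display name are left in place on both the NetSecurity and the netsh code path.
.PARAMETER Port
The TCP port for which the firewall exception should be deleted
#>
function Remove-PullServerFirewallConfiguration
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [ValidateRange(1, 65535)]
        [System.UInt32]
        $Port
    )

    if (-not (Test-PullServerFirewallConfiguration -Port $Port))
    {
        Write-Verbose -Message "No DSC PullServer firewall rule found with port $Port. No cleanup required"
        return
    }

    Write-Verbose -Message "Delete Firewall Rule for port $Port"
    $ruleName = $FireWallRuleDisplayName -f $Port

    # Prefer the NetSecurity cmdlets; fall back to netsh on older systems without them.
    if (Get-Command -Name Get-NetFirewallRule -CommandType Cmdlet -ErrorAction:SilentlyContinue)
    {
        # Filter on each rule's port filter so that only the rule for $Port is removed.
        # Previously every rule with the display name was deleted regardless of port,
        # which disagreed with the 'localport=' restriction of the netsh branch below.
        Get-NetFirewallRule -DisplayName $ruleName |
            Get-NetFirewallPortFilter |
            Where-Object -FilterScript { $_.LocalPort -eq $Port } |
            Get-NetFirewallRule |
            Remove-NetFirewallRule
    }
    else
    {
        $null = & $script:netsh advfirewall firewall delete rule name=$ruleName protocol=tcp localport=$Port
    }
}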
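<#
.SYNOPSIS
Tests if a Pull Server firewall exception exists for a specific port
.DESCRIPTION
Queries netsh.exe for rules with the Pull Server display name and returns $true when
one of them lists exactly $Port as its local port.
.PARAMETER Port
The TCP port for which the firewall exception should be tested
.NOTES
Matching relies on the 'LocalPort:' label in netsh output. That text may be localized on
non-English Windows installations, in which case this test can report $false for a rule
that does exist.
#>
function Test-PullServerFirewallConfiguration
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter()]
        [ValidateRange(1, 65535)]
        [System.UInt32]
        $Port
    )

    Write-Verbose -Message "Testing Firewall Rule for port $Port"
    $ruleName = $FireWallRuleDisplayName -f $Port

    # Anchor the port at the end of the line: without it 'LocalPort:\s*8' also matches
    # rules on port 80 or 8080 and reports an exception that does not exist.
    $result = & $script:netsh advfirewall firewall show rule name=$ruleName |
        Select-String -Pattern "LocalPort:\s*$Port\s*$"

    return -not [string]::IsNullOrWhiteSpace($result)
}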
# Export the three public functions only; $script:netsh and
# $script:fireWallRuleDisplayName remain module-private.
Export-ModuleMember -Function @(
    'Add-PullServerFirewallConfiguration'
    'Remove-PullServerFirewallConfiguration'
    'Test-PullServerFirewallConfiguration'
)