Internet-Access-Control.ps1
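<#PSScriptInfo

.VERSION 23.04.28

.GUID 8b5b43ea-f1d3-4fbe-894e-0ce4f5dab51b

.AUTHOR Mike Galvin Contact: mike@gal.vin / twitter.com/mikegalvin_ / discord.gg/5ZsnJ5k Based on work by Peter Löfgren syscenramblings.wordpress.com

.COMPANYNAME Mike Galvin

.COPYRIGHT (C) Mike Galvin. All rights reserved.

.TAGS Internet Access Control Windows Firewall

.LICENSEURI

.PROJECTURI https://gal.vin/utils/internet-access-control-utility/

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

#>

<#
    .SYNOPSIS
    Internet Access Control Utility - Control internet access with Windows Firewall

    .DESCRIPTION
    Block or allow internet access using Windows Firewall
    Run with -help or no arguments for usage.

    .PARAMETER LogPathUsr
    Directory to write a log file to (alias -L). Created if it does not exist.

    .PARAMETER LogHistory
    Number of days of logs to keep (alias -LogRotate). Only acts when -L is also given.

    .PARAMETER Disable
    Create the outbound block rule "Internet-Access-Control-Block" (TCP, remote ports 80 and 443).

    .PARAMETER Enable
    Remove the block rule. Cannot be combined with -Disable.

    .PARAMETER Help
    Show usage and exit.

    .PARAMETER NoBanner
    Do not print the ASCII banner.

    .NOTES
    Scope of the control: the rule blocks outbound TCP to remote ports 80 and 443 only.
    Other ports and protocols (for example UDP 443, which HTTP/3 uses, or DNS) are not
    covered, and the rule is located purely by its display name, so any local
    administrator can change or delete it. Treat it as a convenience switch, not as
    host isolation or a containment measure.
#>

## Set up command line switches.
[CmdletBinding()]
Param(
    [alias("L")]
    $LogPathUsr,
    [alias("LogRotate")]
    $LogHistory,
    [switch]$Enable,
    [switch]$Disable,
    [switch]$Help,
    [switch]$NoBanner)

If ($NoBanner -eq $False)
{
    ## NOTE(review): the banner text is kept exactly as it appears in this listing,
    ## where the art's line breaks and spacing are collapsed.
    Write-Host -ForegroundColor Yellow -BackgroundColor Black -Object " ____ __ __ ___ / _/__ / /____ _______ ___ / /_ / _ |___________ ___ ___ _/ // _ \/ __/ -_) __/ _ \/ -_) __/ / __ / __/ __/ -_|_-<(_-< /___/_//_/\__/\__/_/ /_//_/\__/\__/_/_/_|_\__/\__/\__/___/___/ / ___/__ ___ / /________ / / / / / / /_(_) (_) /___ __ / /__/ _ \/ _ \/ __/ __/ _ \/ / / /_/ / __/ / / / __/ // / \___/\___/_//_/\__/_/ \___/_/ \____/\__/_/_/_/\__/\_, / /___/ Mike Galvin Version 23.04.28 https://gal.vin See -help for usage Donate: https://www.paypal.me/digressive "
}

If ($PSBoundParameters.Values.Count -eq 0 -or $Help)
{
    Write-Host -Object "Usage: From an elevated terminal run: [path\]Internet-Access-Control.ps1 -Disable to create a Windows Firewall rule to block internet access using ports 80 and 443. Use -Enable to remove the Windows Firewall rule and enable internet access. To output a log: -L [path\]. To remove logs produced by the utility older than X days: -LogRotate [number]. Run with no ASCII banner: -NoBanner"
}

else {
    ## Display name that identifies the rule this utility creates and removes.
    $RuleName = "Internet-Access-Control-Block"

    ## If logging is configured, start logging.
    ## If the log file already exists, clear it.
    If ($LogPathUsr)
    {
        ## Clean User entered string
        $LogPath = $LogPathUsr.trimend('\')

        ## Make sure the log directory exists.
        If ((Test-Path -Path $LogPath) -eq $False)
        {
            New-Item $LogPath -ItemType Directory -Force | Out-Null
        }

        $LogFile = ("Inet-Access-Control_{0:yyyy-MM-dd_HH-mm-ss}.log" -f (Get-Date))
        $Log = "$LogPath\$LogFile"

        If (Test-Path -Path $Log)
        {
            Clear-Content -Path $Log
        }
    }

    ## Function to get date in specific format.
    Function Get-DateFormat
    {
        Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    }

    ## Function for logging.
    ## $Type selects the prefix and console colour: Info, Succ, Err or Conf.
    ## Conf lines are written without a timestamp or prefix. Any other $Type is ignored.
    ## The line goes to the log file only when -L was given, and always to the console.
    Function Write-Log($Type, $Evt)
    {
        $Stamp = Get-DateFormat

        switch ($Type)
        {
            "Info" { $Line = "$Stamp [INFO] $Evt";    $Colours = @{} }
            "Succ" { $Line = "$Stamp [SUCCESS] $Evt"; $Colours = @{ ForegroundColor = "Green" } }
            "Err"  { $Line = "$Stamp [ERROR] $Evt";   $Colours = @{ ForegroundColor = "Red"; BackgroundColor = "Black" } }
            "Conf" { $Line = "$Evt";                  $Colours = @{ ForegroundColor = "Cyan" } }
            default { return }
        }

        If ($LogPathUsr)
        {
            Add-Content -Path $Log -Encoding ASCII -Value $Line
        }

        Write-Host @Colours -Object $Line
    }

    ## Test if any options are set
    ## NOTE(review): a bare Exit is kept here, so the script does not signal this
    ## failure through a non-zero exit code; automation has to read the output.
    If ($Disable -eq $false -And $Enable -eq $false)
    {
        Write-Log -Type Err -Evt "No options set."
        Exit
    }

    ## -Enable and -Disable contradict each other. Without this check both branches
    ## ran in turn (create the rule, then remove it) while the config summary
    ## reported access as both Blocked and Allowed.
    If ($Disable -And $Enable)
    {
        Write-Log -Type Err -Evt "Use either -Enable or -Disable, not both."
        Exit
    }

    ## Getting Windows Version info
    $OSVer = [environment]::OSVersion.Version
    $OSV = "{0}.{1}.{2}" -f $OSVer.Major, $OSVer.Minor, $OSVer.Build

    ##
    ## Display the current config and log if configured.
    ##
    Write-Log -Type Conf -Evt "--- Running with the following config ---"
    Write-Log -Type Conf -Evt "Utility Version: 23.04.28"
    Write-Log -Type Conf -Evt "Hostname: $Env:ComputerName."
    Write-Log -Type Conf -Evt "Windows Version: $OSV."

    If ($Disable)
    {
        Write-Log -Type Conf -Evt "Net access will be: Blocked."
    }

    If ($Enable)
    {
        Write-Log -Type Conf -Evt "Net access will be: Allowed."
    }

    If ($LogPathUsr)
    {
        Write-Log -Type Conf -Evt "Logs directory: $LogPath."
    }

    If ($Null -ne $LogHistory)
    {
        Write-Log -Type Conf -Evt "Logs to keep: $LogHistory days"
    }

    Write-Log -Type Conf -Evt "---"
    Write-Log -Type Info -Evt "Process started"
    ##
    ## Display current config ends here.
    ##

    ## Test if the rule already exists.
    ## Only a "not found" error means the rule is absent. Any other lookup failure
    ## is reported and no change is attempted, so an unrelated error is never
    ## mistaken for "no rule present".
    $RuleExist = $Null
    $LookupOk = $True

    try {
        $RuleExist = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    }

    catch {
        If ($_.CategoryInfo.Category -ne [System.Management.Automation.ErrorCategory]::ObjectNotFound)
        {
            $LookupOk = $False
            Write-Log -Type Err -Evt "Unable to query firewall rule: $RuleName. $($_.Exception.Message)"
        }
    }

    ## If the -Disable switch is used, the script adds a Firewall Rule to block traffic on ports 80 (http) and 443 (https).
    ## The rule matches outbound TCP only; see .NOTES for what it does not cover.
    If ($Disable -And $LookupOk)
    {
        If ($Null -eq $RuleExist)
        {
            Write-Log -Type Info -Evt "Creating firewall rule: $RuleName."

            ## -ErrorAction Stop so a failed create (for example when the terminal
            ## is not elevated) is logged instead of passing as a clean run.
            try {
                New-NetFirewallRule -DisplayName $RuleName -Enabled True -Direction Outbound -Profile Any -Action Block -Protocol TCP -RemotePort 80,443 -ErrorAction Stop | Out-Null
                Write-Log -Type Succ -Evt "Firewall rule created: $RuleName."
            }

            catch {
                Write-Log -Type Err -Evt "Failed to create firewall rule: $RuleName. $($_.Exception.Message)"
            }
        }

        else {
            ## NOTE(review): only the display name is checked; an existing rule with
            ## this name may be disabled or altered and is not verified here.
            Write-Log -Type Err -Evt "Firewall rule: $RuleName already exists."
        }
    }

    ## If the -Enable switch is used, the script removes the block rule.
    If ($Enable -And $LookupOk)
    {
        If ($Null -eq $RuleExist)
        {
            Write-Log -Type Err -Evt "Firewall rule: $RuleName doesn't exist."
        }

        else {
            Write-Log -Type Info -Evt "Removing firewall rule: $RuleName"

            try {
                $RuleExist | Remove-NetFirewallRule -ErrorAction Stop
                Write-Log -Type Succ -Evt "Firewall rule removed: $RuleName."
            }

            catch {
                Write-Log -Type Err -Evt "Failed to remove firewall rule: $RuleName. $($_.Exception.Message)"
            }
        }
    }

    Write-Log -Type Info -Evt "Process finished"

    If ($Null -ne $LogHistory)
    {
        ## Cleanup logs.
        ## Rotation needs the log directory. Without -L, $LogPath is empty and the
        ## pattern below would resolve to "\Inet-Access-Control_*" at the root of
        ## the current drive, deleting matching files there.
        If (-not $LogPathUsr)
        {
            Write-Log -Type Err -Evt "Log rotation skipped: -LogRotate requires a log directory (-L)."
        }

        else {
            ## A negative value would put the cut-off in the future and delete
            ## every log, including the one from this run.
            $LogDays = $LogHistory -as [double]

            If ($Null -eq $LogDays -or $LogDays -lt 0)
            {
                Write-Log -Type Err -Evt "Log rotation skipped: '$LogHistory' is not a valid number of days."
            }

            else {
                Write-Log -Type Info -Evt "Deleting logs older than: $LogHistory days"
                Get-ChildItem -Path "$LogPath\Inet-Access-Control_*" -File | Where-Object CreationTime -lt (Get-Date).AddDays(-$LogDays) | Remove-Item
            }
        }
    }
}

## End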