DSCResources/DSC_FirewallProfile/DSC_FirewallProfile.psm1
$modulePath = Join-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -ChildPath 'Modules' # Import the Networking Common Modules Import-Module -Name (Join-Path -Path $modulePath ` -ChildPath (Join-Path -Path 'NetworkingDsc.Common' ` -ChildPath 'NetworkingDsc.Common.psm1')) Import-Module -Name (Join-Path -Path $modulePath -ChildPath 'DscResource.Common') # Import Localization Strings $script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US' <# This is an array of all the parameters used by this resource. #> $resourceData = Import-LocalizedData ` -BaseDirectory $PSScriptRoot ` -FileName 'DSC_FirewallProfile.data.psd1' # This must be a script parameter so that it is accessible $script:parameterList = $resourceData.ParameterList <# .SYNOPSIS Returns the current Firewall Profile. .PARAMETER Name The name of the firewall profile to configure. #> function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [ValidateSet('Domain', 'Public', 'Private')] [System.String] $Name ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.GettingFirewallProfileMessage) ` -f $Name ) -join '' ) # Get the current Dns Client Global Settings $netFirewallProfile = Get-NetFirewallProfile -Name $Name ` -ErrorAction Stop # Generate the return object. $returnValue = @{ Name = $Name } foreach ($parameter in $script:parameterList) { $returnValue += @{ $parameter.Name = $netFirewallProfile.$($parameter.name) } } # foreach return $returnValue } # Get-TargetResource <# .SYNOPSIS Sets the Firewall Profile. .PARAMETER Name The name of the firewall profile to configure. .PARAMETER AllowInboundRules Specifies that the firewall blocks inbound traffic. .PARAMETER AllowLocalFirewallRules Specifies that the local firewall rules should be merged into the effective policy along with Group Policy settings. .PARAMETER AllowLocalIPsecRules Specifies that the local IPsec rules should be merged into the effective policy along with Group Policy settings. .PARAMETER AllowUnicastResponseToMulticast Allows unicast responses to multi-cast traffic. .PARAMETER AllowUserApps Specifies that traffic from local user applications is allowed through the firewall. .PARAMETER AllowUserPorts Specifies that traffic is allowed through local user ports. .PARAMETER DefaultInboundAction Specifies how to filter inbound traffic. .PARAMETER DefaultOutboundAction Specifies how to filter outbound traffic. .PARAMETER DisabledInterfaceAliases Specifies a list of interfaces on which firewall settings are excluded. .PARAMETER Enabled Specifies that devolution is activated. .PARAMETER EnableStealthModeForIPsec Enables stealth mode for IPsec traffic. .PARAMETER LogAllowed Specifies how to log the allowed packets in the location specified by the LogFileName parameter. .PARAMETER LogBlocked Specifies how to log the dropped packets in the location specified by the LogFileName parameter. .PARAMETER LogFileName Specifies the path and filename of the file to which Windows Server writes log entries. .PARAMETER LogIgnored Specifies how to log the ignored packets in the location specified by the LogFileName parameter. .PARAMETER LogMaxSizeKilobytes Specifies the maximum file size of the log, in kilobytes. The acceptable values for this parameter are: 1 through 32767. .PARAMETER NotifyOnListen Allows the notification of listening for inbound connections by a service. #> function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateSet('Domain', 'Public', 'Private')] [System.String] $Name, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowInboundRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowLocalFirewallRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowLocalIPsecRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUnicastResponseToMulticast, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUserApps, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUserPorts, [Parameter()] [ValidateSet('Block', 'Allow', 'NotConfigured')] [System.String] $DefaultInboundAction, [Parameter()] [ValidateSet('Block', 'Allow', 'NotConfigured')] [System.String] $DefaultOutboundAction, [Parameter()] [System.String[]] $DisabledInterfaceAliases, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $Enabled, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $EnableStealthModeForIPsec, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogAllowed, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogBlocked, [Parameter()] [ValidateNotNullOrEmpty()] [System.String] $LogFileName, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogIgnored, [Parameter()] [ValidateRange(1,32767)] [System.Uint64] $LogMaxSizeKilobytes, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $NotifyOnListen ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.SettingFirewallProfileMessage) ` -f $Name ) -join '' ) # Get the current Firewall Profile Settings $netFirewallProfile = Get-NetFirewallProfile -Name $Name ` -ErrorAction Stop # Generate a list of parameters that will need to be changed. $changeParameters = @{} foreach ($parameter in $script:parameterList) { $parameterSourceValue = $netFirewallProfile.$($parameter.name) $parameterNewValue = (Get-Variable -Name ($parameter.name)).Value if ($PSBoundParameters.ContainsKey($parameter.Name) ` -and (Compare-Object -ReferenceObject $parameterSourceValue -DifferenceObject $parameterNewValue -SyncWindow 0)) { $changeParameters += @{ $($parameter.name) = $parameterNewValue } Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.FirewallProfileUpdateParameterMessage) ` -f $Name,$parameter.Name,$parameterNewValue ) -join '' ) } # if } # foreach if ($changeParameters.Count -gt 0) { # Update any parameters that were identified as different $null = Set-NetFirewallProfile -Name $Name ` @ChangeParameters ` -ErrorAction Stop Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.FirewallProfileUpdatedMessage) ` -f $Name ) -join '' ) } # if } # Set-TargetResource <# .SYNOPSIS Tests the state of Firewall Profile. .PARAMETER Name The name of the firewall profile to configure. .PARAMETER AllowInboundRules Specifies that the firewall blocks inbound traffic. .PARAMETER AllowLocalFirewallRules Specifies that the local firewall rules should be merged into the effective policy along with Group Policy settings. .PARAMETER AllowLocalIPsecRules Specifies that the local IPsec rules should be merged into the effective policy along with Group Policy settings. .PARAMETER AllowUnicastResponseToMulticast Allows unicast responses to multi-cast traffic. .PARAMETER AllowUserApps Specifies that traffic from local user applications is allowed through the firewall. .PARAMETER AllowUserPorts Specifies that traffic is allowed through local user ports. .PARAMETER DefaultInboundAction Specifies how to filter inbound traffic. .PARAMETER DefaultOutboundAction Specifies how to filter outbound traffic. .PARAMETER DisabledInterfaceAliases Specifies a list of interfaces on which firewall settings are excluded. .PARAMETER Enabled Specifies that devolution is activated. .PARAMETER EnableStealthModeForIPsec Enables stealth mode for IPsec traffic. .PARAMETER LogAllowed Specifies how to log the allowed packets in the location specified by the LogFileName parameter. .PARAMETER LogBlocked Specifies how to log the dropped packets in the location specified by the LogFileName parameter. .PARAMETER LogFileName Specifies the path and filename of the file to which Windows Server writes log entries. .PARAMETER LogIgnored Specifies how to log the ignored packets in the location specified by the LogFileName parameter. .PARAMETER LogMaxSizeKilobytes Specifies the maximum file size of the log, in kilobytes. The acceptable values for this parameter are: 1 through 32767. .PARAMETER NotifyOnListen Allows the notification of listening for inbound connections by a service. #> function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [ValidateSet('Domain', 'Public', 'Private')] [System.String] $Name, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowInboundRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowLocalFirewallRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowLocalIPsecRules, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUnicastResponseToMulticast, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUserApps, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $AllowUserPorts, [Parameter()] [ValidateSet('Block', 'Allow', 'NotConfigured')] [System.String] $DefaultInboundAction, [Parameter()] [ValidateSet('Block', 'Allow', 'NotConfigured')] [System.String] $DefaultOutboundAction, [Parameter()] [System.String[]] $DisabledInterfaceAliases, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $Enabled, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $EnableStealthModeForIPsec, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogAllowed, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogBlocked, [Parameter()] [ValidateNotNullOrEmpty()] [System.String] $LogFileName, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $LogIgnored, [Parameter()] [ValidateRange(1,32767)] [System.Uint64] $LogMaxSizeKilobytes, [Parameter()] [ValidateSet('True', 'False', 'NotConfigured')] [System.String] $NotifyOnListen ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.TestingFirewallProfileMessage) ` -f $Name ) -join '' ) # Flag to signal whether settings are correct [Boolean] $desiredConfigurationMatch = $true # Get the current Dns Client Global Settings $netFirewallProfile = Get-NetFirewallProfile -Name $Name ` -ErrorAction Stop # Check each parameter foreach ($parameter in $script:parameterList) { $parameterSourceValue = $netFirewallProfile.$($parameter.name) $parameterNewValue = (Get-Variable -Name ($parameter.name)).Value if ($PSBoundParameters.ContainsKey($parameter.Name) ` -and (Compare-Object -ReferenceObject $parameterSourceValue -DifferenceObject $parameterNewValue -SyncWindow 0)) { Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.FirewallProfileParameterNeedsUpdateMessage) ` -f $Name,$parameter.Name,$parameterSourceValue,$parameterNewValue ) -join '' ) $desiredConfigurationMatch = $false } # if } # foreach return $desiredConfigurationMatch } # Test-TargetResource Export-ModuleMember -Function *-TargetResource |