-
-
Save espoelstra/66d2c41f829892fe0655270574d9d314 to your computer and use it in GitHub Desktop.
Manage Windows Advanced Firewall with PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set-StrictMode -Version Latest | |
| # Constants | |
| if (!(Test-Path variable:\NET_FW_DISABLED)) { Set-Variable NET_FW_DISABLED $False } | |
| if (!(Test-Path variable:\NET_FW_ENABLED)) { Set-Variable NET_FW_ENABLED $True } | |
| if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_TCP)) { Set-Variable NET_FW_IP_PROTOCOL_TCP 6 } | |
| if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_UDP)) { Set-Variable NET_FW_IP_PROTOCOL_UDP 17 } | |
| if (!(Test-Path variable:\NET_FW_PROFILE_DOMAIN)) { Set-Variable NET_FW_PROFILE_DOMAIN 0x1 } | |
| if (!(Test-Path variable:\NET_FW_PROFILE_PRIVATE)) { Set-Variable NET_FW_PROFILE_PRIVATE 0x2 } | |
| if (!(Test-Path variable:\NET_FW_PROFILE_PUBLIC)) { Set-Variable NET_FW_PROFILE_PUBLIC 0x2 } | |
| if (!(Test-Path variable:\NET_FW_PROFILE_ALL)) { Set-Variable NET_FW_PROFILE_ALL 0x7FFFFFFF } | |
| function Enable-FirewallRule([String] $name, [String] $description = "", [ScriptBlock] $filter = { $_.Name = $name }, [ScriptBlock] $createRule = {}) { | |
| <# | |
| .SYNOPSIS | |
| Creates or enables a firewall rule | |
| .DESCRIPTION | |
| The Enable-FirewallRule function checks whether a given firewall rule exists, and if | |
| it does, it enables it, if it is not already enabled. If the rule does not exist, | |
| it is created, calling the $createRule script block to finalize the rule | |
| .PARAMETER name | |
| the name of the rule | |
| .PARAMETER description | |
| a description for the firewall rule | |
| .PARAMETER filter | |
| a ScriptBlock to be passed to Where-Object to determine whether or not the rule | |
| exists. | |
| .PARAMETER createRule | |
| a ScriptBlock that is called when the rule is created to allow the caller to specify | |
| any additional restrictions on the rule | |
| .EXAMPLE | |
| Create a rule that opens local port 8080 to all computers | |
| Enable-FirewallRule "Enable TCP Over Port 8080" -filter { $_.Enabled -And $_.LocalPorts -And $_.LocalPorts -eq "8080" } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.LocalPorts = "8080" }" | |
| .EXAMPLE | |
| Create a rule that allows all incoming connections to notepad.exe | |
| Enable-FirewallRule "Enable Incoming TCP Connections to Notepad.exe" -filter { $_.Enabled -And $_.ApplicationName -And $_.ApplicationName = ("{0}\System32\notepad.exe" -f $Env:windir) } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.ApplicationName = ("{0}\System32\notepad.exe" -f $Env:windir) } | |
| #> | |
| $rules = @($policy.Rules | Where-Object $filter) | |
| if ($rules.Count -eq 0) { | |
| $rule = New-Object -com HNetCfg.FWRule | |
| $rule.Name = $name | |
| $rule.Description = $description | |
| $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP | |
| if ($createRule -ne $null) { $createRule.Invoke($rule) } | |
| $rule.Enabled = $NET_FW_ENABLED | |
| $policy.Rules.Add($rule) | |
| Write-Host ("Created the rule ""{0}""" -f $rule.Name) | |
| } elseif (@($rules | Where-Object { $_.Enabled }).Count -eq 0) { | |
| $rules | Where-Object { !$_.Enabled } | Select-Object -f 1 | ForEach-Object { | |
| $_.Enabled = $NET_FW_ENABLED | |
| Write-Host ("Enabled the rule ""{0}""" -f $_.Name) | |
| } | |
| } else { | |
| $rules | Where-Object { $_.Enabled } | ForEach-Object { | |
| Write-Host ("The rule ""{0}"" was already enabled" -f $_.Name) | |
| } | |
| } | |
| } | |
| function Disable-FirewallRules([ScriptBlock] $filter = {}) { | |
| <# | |
| .SYNOPSIS | |
| Disables a set of firewall rules matching the filter | |
| .DESCRIPTION | |
| The Disable-FirewallRules function disables all enabled rules that match the supplied filter ScriptBlock. | |
| .PARAMETER filter | |
| a ScriptBlock matching all the rules to disable | |
| .EXAMPLE | |
| Disable all rules for incoming port 80 connections | |
| Disable-FirewallRules { $_.LocalPorts -And $_.LocalPorts -eq "80" } | |
| #> | |
| $rules = @($policy.Rules | Where-Object $filter | Where-Object { $_.Enabled }) | |
| $rules | ForEach-Object { Write-Host ("Disabling rule: ""{0}""" -f $_.Name); $_.Enabled = $NET_FW_DISABLED } | |
| } | |
| function Remove-FirewallRules([ScriptBlock] $filter = {}) { | |
| <# | |
| .SYNOPSIS | |
| Deletes a set of firewall rules matching the filter | |
| .DESCRIPTION | |
| The Remove-FirewallRules function removes all rules that match the supplied filter ScriptBlock. | |
| .PARAMETER filter | |
| a ScriptBlock matching all the rules to remove | |
| .EXAMPLE | |
| Remove all firewall rules in the "Mistake" group | |
| Remove-FirewallRules { $_.Grouping -And $_.Grouping -eq "Mistake" } | |
| #> | |
| $rules = @($policy.Rules | Where-Object $filter) | |
| if ($rules.Count -gt 0) { | |
| $rules | ForEach-Object { Write-Host ("Deleting rule: ""{0}""" -f $_.Name); $policy.Rules.Remove($_.Name) } | |
| } else { | |
| Write-Host "No rules matched the supplied filter" | |
| } | |
| } | |
| $policy = New-Object -com HNetCfg.FwPolicy2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment