Skip to content

Instantly share code, notes, and snippets.

@ig0774
Created July 6, 2011 23:35
Show Gist options
  • Save ig0774/1068598 to your computer and use it in GitHub Desktop.
Save ig0774/1068598 to your computer and use it in GitHub Desktop.
Manage Windows Advanced Firewall with PowerShell
Set-StrictMode -Version Latest
# Constants
if (!(Test-Path variable:\NET_FW_DISABLED)) { Set-Variable NET_FW_DISABLED $False }
if (!(Test-Path variable:\NET_FW_ENABLED)) { Set-Variable NET_FW_ENABLED $True }
if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_TCP)) { Set-Variable NET_FW_IP_PROTOCOL_TCP 6 }
if (!(Test-Path variable:\NET_FW_IP_PROTOCOL_UDP)) { Set-Variable NET_FW_IP_PROTOCOL_UDP 17 }
if (!(Test-Path variable:\NET_FW_PROFILE_DOMAIN)) { Set-Variable NET_FW_PROFILE_DOMAIN 0x1 }
if (!(Test-Path variable:\NET_FW_PROFILE_PRIVATE)) { Set-Variable NET_FW_PROFILE_PRIVATE 0x2 }
if (!(Test-Path variable:\NET_FW_PROFILE_PUBLIC)) { Set-Variable NET_FW_PROFILE_PUBLIC 0x2 }
if (!(Test-Path variable:\NET_FW_PROFILE_ALL)) { Set-Variable NET_FW_PROFILE_ALL 0x7FFFFFFF }
function Enable-FirewallRule([String] $name, [String] $description = "", [ScriptBlock] $filter = { $_.Name = $name }, [ScriptBlock] $createRule = {}) {
<#
.SYNOPSIS
Creates or enables a firewall rule
.DESCRIPTION
The Enable-FirewallRule function checks whether a given firewall rule exists, and if
it does, it enables it, if it is not already enabled. If the rule does not exist,
it is created, calling the $createRule script block to finalize the rule
.PARAMETER name
the name of the rule
.PARAMETER description
a description for the firewall rule
.PARAMETER filter
a ScriptBlock to be passed to Where-Object to determine whether or not the rule
exists.
.PARAMETER createRule
a ScriptBlock that is called when the rule is created to allow the caller to specify
any additional restrictions on the rule
.EXAMPLE
Create a rule that opens local port 8080 to all computers
Enable-FirewallRule "Enable TCP Over Port 8080" -filter { $_.Enabled -And $_.LocalPorts -And $_.LocalPorts -eq "8080" } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.LocalPorts = "8080" }"
.EXAMPLE
Create a rule that allows all incoming connections to notepad.exe
Enable-FirewallRule "Enable Incoming TCP Connections to Notepad.exe" -filter { $_.Enabled -And $_.ApplicationName -And $_.ApplicationName = ("{0}\System32\notepad.exe" -f $Env:windir) } -createRule { param($rule) $rule.Protocol = $NET_FW_IP_PROTOCOL_TCP; $rule.ApplicationName = ("{0}\System32\notepad.exe" -f $Env:windir) }
#>
$rules = @($policy.Rules | Where-Object $filter)
if ($rules.Count -eq 0) {
$rule = New-Object -com HNetCfg.FWRule
$rule.Name = $name
$rule.Description = $description
$rule.Protocol = $NET_FW_IP_PROTOCOL_TCP
if ($createRule -ne $null) { $createRule.Invoke($rule) }
$rule.Enabled = $NET_FW_ENABLED
$policy.Rules.Add($rule)
Write-Host ("Created the rule ""{0}""" -f $rule.Name)
} elseif (@($rules | Where-Object { $_.Enabled }).Count -eq 0) {
$rules | Where-Object { !$_.Enabled } | Select-Object -f 1 | ForEach-Object {
$_.Enabled = $NET_FW_ENABLED
Write-Host ("Enabled the rule ""{0}""" -f $_.Name)
}
} else {
$rules | Where-Object { $_.Enabled } | ForEach-Object {
Write-Host ("The rule ""{0}"" was already enabled" -f $_.Name)
}
}
}
function Disable-FirewallRules([ScriptBlock] $filter = {}) {
<#
.SYNOPSIS
Disables a set of firewall rules matching the filter
.DESCRIPTION
The Disable-FirewallRules function disables all enabled rules that match the supplied filter ScriptBlock.
.PARAMETER filter
a ScriptBlock matching all the rules to disable
.EXAMPLE
Disable all rules for incoming port 80 connections
Disable-FirewallRules { $_.LocalPorts -And $_.LocalPorts -eq "80" }
#>
$rules = @($policy.Rules | Where-Object $filter | Where-Object { $_.Enabled })
$rules | ForEach-Object { Write-Host ("Disabling rule: ""{0}""" -f $_.Name); $_.Enabled = $NET_FW_DISABLED }
}
function Remove-FirewallRules([ScriptBlock] $filter = {}) {
<#
.SYNOPSIS
Deletes a set of firewall rules matching the filter
.DESCRIPTION
The Remove-FirewallRules function removes all rules that match the supplied filter ScriptBlock.
.PARAMETER filter
a ScriptBlock matching all the rules to remove
.EXAMPLE
Remove all firewall rules in the "Mistake" group
Remove-FirewallRules { $_.Grouping -And $_.Grouping -eq "Mistake" }
#>
$rules = @($policy.Rules | Where-Object $filter)
if ($rules.Count -gt 0) {
$rules | ForEach-Object { Write-Host ("Deleting rule: ""{0}""" -f $_.Name); $policy.Rules.Remove($_.Name) }
} else {
Write-Host "No rules matched the supplied filter"
}
}
$policy = New-Object -com HNetCfg.FwPolicy2
@ig0774
Copy link
Author

ig0774 commented Jul 6, 2011

This PowerPack is probably more thorough, but otherwise, I couldn't find any good documentation on using PowerShell to script firewall rules. Note that it's necessary to run the script with elevated permission for any of this to take effect.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment