Alright gentlemen,
I wrote this little configuration to control the two ICMP firewall rules in Windows 7 using the default DSC resources.
It does work, but i feel my approach is a bit flimsy. Is there a better way to do this? (excluding GPO).
I also feel that using Invoke-Expression is probably a bit much, but i haven’t figured a way around it because of the darn double quotes that netsh.exe wants for the rule name.
$computers = 'aperturelabs-8', 'aperturelabs-7'
Set-Location "D:\365\OneDrive for Business\apertureLabs"
$LocalMOFpath = "D:\365\OneDrive for Business\apertureLabs"
Configuration ApertureLabsConf
{
Param([string[]]$Computername)
Node $Computername
{
Script Mr_Ping
{
GetScript = {
$rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
'File and Printer Sharing (Echo Request - ICMPv4-In)'
$rules.ForEach({
$netsh = "netsh.exe --% advfirewall firewall show rule name=BACKTICK"$_BACKTICK""
$enabled = ((invoke-expression $netsh) -match 'Enabled' -match 'Yes').Count
})
$result = [string]$enabled + " matching rules are enabled: BACKTICKn" + $rules.ForEach({ write-output $_"BACKTICKn" })
return @{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = $result
}
}
TestScript = {
$rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
'File and Printer Sharing (Echo Request - ICMPv4-In)'
$flag = $True
$rules.ForEach({
$netsh = "netsh.exe --% advfirewall firewall show rule name=BACKTICK"$_BACKTICK""
$enabled = ((invoke-expression $netsh) -match 'Enabled' -match 'Yes').Count
if ($enabled -lt 2) { $flag = $False } #netsh on Win7 groups Private,Public into one rule
})
$flag -eq $True #if it's $True then all $rules are Enabled
}
SetScript = {
$rules = 'File and Printer Sharing (Echo Request - ICMPv6-In)',
'File and Printer Sharing (Echo Request - ICMPv4-In)'
$rules.ForEach({
$netsh = "netsh.exe --% advfirewall firewall set rule name=BACKTICK"$_BACKTICK" new enable=YES"
invoke-expression -Command $netsh
})
}
} #Script
} #node
} #configuration