DSC resource for managing firewall rules.
```powershell
Carbon_FirewallRule [string] #ResourceName
{
    Name = [string]
    [ Action = [string] { Allow | Block | Bypass } ]
    [ DependsOn = [string[]] ]
    [ Description = [string] ]
    [ Direction = [string] { In | Out } ]
    [ EdgeTraversalPolicy = [string] { DeferApp | DeferUser | No | Yes } ]
    [ Enabled = [bool] ]
    [ Ensure = [string] { Absent | Present } ]
    [ InterfaceType = [string] { Any | LAN | RAS | Wireless } ]
    [ LocalIPAddress = [string] ]
    [ LocalPort = [string] ]
    [ Profile = [string] { Any | Domain | Private | Public } ]
    [ Program = [string] ]
    [ Protocol = [string] ]
    [ RemoteIPAddress = [string] ]
    [ RemotePort = [string] ]
    [ Security = [string] { AuthDynEnc | AuthEnc | Authenticate | AuthNoEncap | NotRequired } ]
    [ Service = [string] ]
}
```
The `Carbon_FirewallRule` resource manages firewall rules. It uses the `netsh advfirewall firewall` command. Please see Netsh AdvFirewall Firewall Commands or run `netsh advfirewall firewall set rule` for documentation on how to configure the firewall.

When modifying existing rules, only the properties you pass are updated/changed. All other properties are left as-is.
Name | Type | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
Name | String | The name of the rule. | true | false | |
Enabled | Boolean | If `$true`, the rule is enabled. If `$false`, the rule is disabled. | false | false | True |
Direction | String | If set to `In`, the rule applies to inbound network traffic. If set to `Out`, the rule applies to outbound traffic. | false | false | |
Profile | String[] | Specifies the profile(s) to which the firewall rule is assigned. The rule is active on the local computer only when the specified profile is currently active. Valid values are `Any`, `Domain`, `Public`, and `Private`. | false | false | |
LocalIPAddress | String | The local IP addresses the rule applies to. Valid values are `any`, an exact IPv4 or IPv6 address, a subnet mask (e.g. `192.168.0.0/24`), or a range. Separate each value with a comma; no spaces. | false | false | |
LocalPort | String | The local port the rule applies to. Valid values are a specific port number, a range of port numbers (e.g. `5000-5010`), a comma-separated list of numbers and ranges, `any`, `rpc`, `rpc-epmap`, `Teredo`, and `iphttps`. | false | false | |
RemoteIPAddress | String | The remote IP addresses the rule applies to. Valid values are `any`, an exact IPv4 or IPv6 address, a subnet mask (e.g. `192.168.0.0/24`), or a range. Separate each value with a comma; no spaces. | false | false | |
RemotePort | String | The remote port the rule applies to. Valid values are a specific port number, a range of port numbers (e.g. `5000-5010`), a comma-separated list of numbers and ranges, `any`, `rpc`, `rpc-epmap`, `Teredo`, and `iphttps`. | false | false | |
Protocol | String | The protocol the rule applies to. Valid values are `any`, the protocol number, `icmpv4`, `icmpv6`, `icmpv4:type,code`, `icmpv6:type,code`, `tcp`, or `udp`. Separate multiple values with a comma; no spaces. | false | false | |
EdgeTraversalPolicy | String | For inbound rules, specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. Valid values are `any`, `deferapp`, `deferuser`, or `no`. | false | false | |
Action | String | Specifies what to do when packets match the rule. Valid values are `Allow`, `Block`, or `Bypass`. | false | false | |
InterfaceType | String | Specifies that only network packets passing through the indicated interface types match this rule. Valid values are `Any`, `Wireless`, `LAN`, or `RAS`. | false | false | |
Security | String | Specifies that only network packets protected with the specified type of IPsec options match this rule. Valid values are `NotRequired`, `Authenticate`, `AuthEnc`, `AuthDynEnc`, or `AuthNoEncap`. | false | false | |
Description | String | A description of the rule. | false | false | |
Program | String | Specifies that network traffic generated by the identified executable program matches this rule. | false | false | |
Service | String | Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name. | false | false | |
Ensure | String | Set to `Present` to create the firewall rule. Set to `Absent` to delete it. | false | false | Present |
Demonstrates how to enable a firewall rule.

```powershell
Carbon_FirewallRule EnableHttpIn
{
    Name = 'World Wide Web Services (HTTP Traffic-In)';
    Enabled = $true;
    Ensure = 'Present';
}
```
Demonstrates how to delete a firewall rule.

```powershell
Carbon_FirewallRule DeleteMyRule
{
    Name = 'MyCustomRule';
    Ensure = 'Absent';
}
```

There may be multiple rules with the same name, so we recommend disabling rules instead.
Demonstrates how to create/modify an incoming firewall rule.

```powershell
Carbon_FirewallRule MyAppPorts
{
    Name = 'My App Ports';
    Action = 'Allow';
    Direction = 'In';
    Protocol = 'tcp';
    LocalPort = '8080,8180';
    Ensure = 'Present';
}
```
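The snippets above show single resources in isolation. The following is an added example, not code from the Carbon project, that puts `Carbon_FirewallRule` into a complete DSC configuration and uses the scoping properties from the table (`RemoteIPAddress`, `Profile`, `Program`, `Security`) to keep an inbound allow rule as narrow as possible, pairs it with an explicit block on the Public profile, and retires an old rule by disabling it rather than deleting it, as recommended above. The program path, the `10.20.0.0/16` subnet and the rule names are placeholders; the only assumption about the environment is that the Carbon module is installed on the target node.

```powershell
# Added example (not from the Carbon documentation): a DSC configuration that
# uses Carbon_FirewallRule to scope an inbound allow rule tightly and to disable,
# rather than delete, a rule that is no longer wanted.
# Assumptions: the Carbon module is installed on the target node; the program
# path, the 10.20.0.0/16 subnet and the rule names are placeholders.
Configuration MyAppFirewall
{
    param(
        [string[]] $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName 'Carbon'

    Node $NodeName
    {
        # Inbound allow rule restricted to one executable, one remote subnet,
        # the Domain profile, and IPsec-authenticated peers only. Because only
        # the properties passed here are changed, an existing rule with this
        # name keeps any other settings it already had.
        Carbon_FirewallRule MyAppApiIn
        {
            Name            = 'My App API (TCP-In)';
            Description     = 'Allows management-subnet clients to reach the My App API.';
            Direction       = 'In';
            Action          = 'Allow';
            Protocol        = 'tcp';
            LocalPort       = '8080,8180';
            RemoteIPAddress = '10.20.0.0/16';
            Profile         = 'Domain';
            Program         = 'C:\Apps\MyApp\MyApp.exe';
            Security        = 'Authenticate';
            Enabled         = $true;
            Ensure          = 'Present';
        }

        # Explicit block for the same ports on the Public profile, so a
        # profile switch (a laptop joining an untrusted network, for example)
        # never exposes the API. Block rules win over allow rules.
        Carbon_FirewallRule MyAppApiBlockPublic
        {
            Name      = 'My App API (TCP-In, Public block)';
            Direction = 'In';
            Action    = 'Block';
            Protocol  = 'tcp';
            LocalPort = '8080,8180';
            Profile   = 'Public';
            Ensure    = 'Present';
        }

        # Retire a legacy rule by disabling it instead of deleting it:
        # Ensure = 'Absent' would remove every rule that shares this name.
        Carbon_FirewallRule LegacyDebugPortOff
        {
            Name    = 'My App Debug Port (TCP-In)';
            Enabled = $false;
            Ensure  = 'Present';
        }
    }
}

# Compile the MOF and apply it to the local node.
MyAppFirewall -OutputPath "$env:TEMP\MyAppFirewall"
Start-DscConfiguration -Path "$env:TEMP\MyAppFirewall" -Wait -Verbose
```

After the configuration has been applied, `netsh advfirewall firewall show rule name="My App API (TCP-In)" verbose` shows the resulting rule with its remote address, profile, program and security settings, which is a quick way to confirm that the scoping properties actually reached the firewall. Running `Test-DscConfiguration` afterwards reports whether any of the managed rules have drifted from the declared state, for example if the allow rule was later widened to `any` by hand.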