Configure the firewall profile with DSC (Part 2)

The 2nd part deals with the classic way of creating custom DSC resources.
To help demo that, there’s actually an xDSCResourceDesginer module available in the PowerShell Gallery (a.k.a. PSGallery).

Here’s what I run if it’s not installed

# 1. Get the module and load it
Find-Module -Name xDSCResourceDesigner -Repository PsGallery -Verbose
Install-Module -Name xDSCResourceDesigner -Repository PsGallery -Verbose
Import-Module -Name xDSCResourceDesigner -Force -Verbose

There are only a few steps required to get started

# 2. Create the resource
$resource = @{
    Name = 'cFirewallProfile';
    Property  = (New-xDscResourceProperty -Name 'Name' -Type 'String' -Attribute = 'Key' -ValidateSet 'Domain','Public','Private'),
                (New-xDscResourceProperty -Name "Enabled" -Type "String" -Attribute Required -ValidateSet 'True','False','NotConfigured'),
                (New-xDscResourceProperty -Name DefaultInboundAction -Type "String" -Attribute Required -ValidateSet 'Allow','Block','NotConfigured'),
                (New-xDscResourceProperty -Name DefaultOutboundAction -Type "String" -Attribute Required -ValidateSet 'Allow','Block','NotConfigured')
    Path = 'C:\Program Files\WindowsPowerShell\Modules\cFirewallProfile';
    ClassVersion = '1.0' ;
    FriendlyName = 'cFirewallProfile' ;
    Force = $true ;
New-xDscResource @resource

# 3. Create its manifest
$Manifest = @{
    Path = 'C:\Program Files\WindowsPowerShell\Modules\cFirewallProfile\cFirewallProfile.psd1'
    Guid = ([guid]::NewGuid().Guid) ;
    Author  = 'Emin Atac' ;
    CompanyName  = 'Emin Atac'
    Copyright = 'Free to use'
    ModuleVersion = '1.0.0'
    PowerShellVersion = '4.0'
    FunctionsToExport = 'Get-TargetResource','Test-TargetResource','Set-TargetResource'
New-ModuleManifest @Manifest -Verbose

# 4. Ready to edit the resource
psedit 'C:\Program Files\WindowsPowerShell\Modules\cFirewallProfile\DSCResources\cFirewallProfile\cFirewallProfile.psm1'

All the parameters of the 3 functions have been populated automatically thanks to the New-xDscResource and New-xDscResourceProperty cmdlets and we only have to focus and create the body of these functions. Nice isn’t it?

Here’s what to paste inside the cFirewallProfile.psm1 file.

Now, I can use the above custom DSC resource to configure the firewall profiles:

Configuration TestFirewallProfileConfig {

    Param (
        [string[]]$NodeName = 'localhost'

    Import-DscResource -Name * -ModuleName 'cFirewallProfile';

    Node $NodeName
        Foreach ($fw in @('Domain','Public','Private'))
            cFirewallProfile "$($fw)"
                Name = "$($fw)"
                Enabled = 'True'
                DefaultInboundAction = 'Block' ;
                DefaultOutboundAction = 'Allow' ;

The last step consists in compiling the configuration into a MOF file and applying it like this:

if (-not(test-path -Path C:\DSC -PathType Container)){
    mkdir C:\DSC
# Compile into MOF file
TestFirewallProfileConfig -OutputPath C:\DSC 

# Apply
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait

To be able to test it, I’ll set the exact opposite way I want it to be. Don’t do that on a production server.

Set-NetFirewallProfile -All -DefaultInboundAction Allow -DefaultOutboundAction Block  -Enabled false

When I apply the configuration, we can see all the 3 profiles being configured:

If I ask whether the system is in its desired state with the Test-DscConfiguration cmdlet, I get:
If I refresh the wf.msc MMC snap-in I’ve actually restored back the defaults thanks to my DSC configuration.

Let’s say I only mess up the Domain profile.

When I (re)apply the configuration, there’s only one profile that is being reconfigured before the Test-DscConfiguration cmdlet tells me it’s compliant again 😀


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s