A PowerShell DSC solution for firewall rules

In my last post I started using PowerShell DSC to configure my VMs ready to run the Azure Pack websites role.  My next step was to try to configure firewall rules using the script resource.  However I ran into a couple of problems, one of which I couldn’t solve and would love any feedback to help figure it out.

Using the “import-module” functionality didn’t work at first.  However a quick tweet to Jeff Snover (why not go straight to the top?) helped sort that out – it’s a bug, and you need to use “& “import-module” <module name>”

The other problem I had was that the size of my MOF file was getting too large, which was causing errors running start-dscconfiguration.  I haven’t managed to resolve this – what I had some success with was ensuring that getscript actually did return a hash table.

So, I ended up building a custom resource to do the firewall configuration which is available here.

Some notes on using it:

1. Extract the folder to \Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSProviders\

2. Use the “Ensure” keyword to ensure that the rule is enabled, and the “Absent” keyword to ensure that the rule is disabled.  I’m not sure this is strictly correct, but it’s consistent with other resources.

3. Use the friendly name (FirewallRules) in your configuration script

4. The solution only enables & disables existing firewall rules.  Use the Name parameter in your script to pass the rule name in, e.g. Name = "FPS-NB_Session-Out-TCP"

A couple of things I learned building this:

1. Read the documentation, and then read it again.

2. Use the write-verbose command in your script to write debugging information to the console (and use the -verbose switch for start-dscconfiguration).  This is suggested in the documentation and is good advice.

3. The functions stand alone – so state or information won’t get passed between the functions automagically.  You need to check your state (or whatever) when you need it.
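
To make notes 2 and 3 concrete, here is a sketch of the three functions for a resource that only enables or disables an existing rule. It is an added example, not the code from the download above. It assumes the NetSecurity cmdlets (Get-NetFirewallRule, Enable-NetFirewallRule, Disable-NetFirewallRule) are available, and Get-RuleEnabled is a hypothetical helper name.

```powershell
# Added example, not the author's module. Assumes the NetSecurity cmdlets
# (Windows 8 / Server 2012 or later) and an elevated session.

# Hypothetical helper: reads live state. -ErrorAction Stop makes a missing or
# mistyped rule name fail the run instead of looking compliant.
function Get-RuleEnabled {
    param([Parameter(Mandatory = $true)][string]$Name)
    $rule = Get-NetFirewallRule -Name $Name -ErrorAction Stop
    Write-Verbose "Rule '$Name': Enabled = $($rule.Enabled)"
    return ("$($rule.Enabled)" -eq 'True')
}

function Get-TargetResource {
    [OutputType([System.Collections.Hashtable])]
    param([Parameter(Mandatory = $true)][string]$Name)
    $state = if (Get-RuleEnabled -Name $Name) { 'Present' } else { 'Absent' }
    return @{ Name = $Name; Ensure = $state }   # DSC expects a hashtable here
}

function Test-TargetResource {
    [OutputType([System.Boolean])]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('Present', 'Absent')][string]$Ensure = 'Present'
    )
    # Re-query: nothing computed in Get-TargetResource is available here.
    $wantEnabled = ($Ensure -eq 'Present')
    $inDesiredState = ((Get-RuleEnabled -Name $Name) -eq $wantEnabled)
    Write-Verbose "Rule '$Name': Ensure = $Ensure, in desired state = $inDesiredState"
    return $inDesiredState
}

function Set-TargetResource {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('Present', 'Absent')][string]$Ensure = 'Present'
    )
    if ($Ensure -eq 'Present') {
        Write-Verbose "Enabling rule '$Name'"
        Enable-NetFirewallRule -Name $Name -ErrorAction Stop
    } else {
        Write-Verbose "Disabling rule '$Name'"
        Disable-NetFirewallRule -Name $Name -ErrorAction Stop
    }
}

Export-ModuleMember -Function *-TargetResource
```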

I’d still like to understand how and why my MOF file becomes too large in my scripted approach, because I feel like that is a better and easier way to do it.

