complete test on Enterprise with Windows PowerShell
metablaster committed Aug 10, 2020
1 parent e52e4e9 commit dcca780
Showing 5 changed files with 36 additions and 12 deletions.
Expand Up @@ -1435,7 +1435,7 @@ function Test-Installation
$InstallTable = $InstallTable.DefaultView.ToTable()

# Print out all candidate rows
Show-Table "0. Abort this operation"
Show-Table "Input '0' to abort this operation"

# Prompt user to chose one
[int32] $Choice = -1
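Review bot: the reworded prompt is clearer, but the context comment just after it, `# Prompt user to chose one`, has a typo (`chose` should be `choose`); since this hunk already touches the prompt text, fixing it here is cheap.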
15 changes: 8 additions & 7 deletions README.md
Expand Up @@ -149,10 +149,12 @@ contains rules will be significantly slower (depends on number of existing rules
want to fix some problem.
- Any rule that results in "Access denied" while loading should be reloaded by executing specific
script again.
- Master script `SetupFirewall.ps1` will [unblock all files](https://devblogs.microsoft.com/scripting/easily-unblock-all-files-in-a-directory-using-powershell/)
in project first to avoid YES/NO questions spam for every executing script, you should "unblock"
files manually if executing individual scripts after manual download or transfer from
another computer or media by using `UnblockProject.ps1` script.
- You should [unblock all files](https://devblogs.microsoft.com/scripting/easily-unblock-all-files-in-a-directory-using-powershell/)
in project first to avoid YES/NO questions spam for every executing script, before executing any
scripts after manual download or transfer from another computer or media by using
`UnblockProject.ps1` script.
Master script `SetupFirewall.ps1` does this in case if you forget, but initial YES/NO spam questions
will still be visible in that case.
- It's important to understand these rules are designed to be used as "Standard" user, not as
Administrative user, if you're Administrator on your computer you'll have to create standard user
account and use that for your everyday life.
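Review bot: the two lines beginning `Master script `SetupFirewall.ps1` does this in case if you forget` are not indented under the bullet, so markdown renders them as a separate paragraph rather than as part of the list item; indent them to match the bullet. Also `in case if you forget` should read `in case you forget`. Since unblocking removes the protection that makes Windows ask YES/NO for downloaded scripts (step 9 on this page says so), it would help to tell readers to unblock only after confirming the archive came from the project's repository.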
Expand All @@ -179,7 +181,7 @@ Get-ExecutionPolicy
Remember what the output of the above command is, note that PowerShell Core defaults to `RemoteSigned`
while Windows PowerShell defaults to `Restricted`

6. Set new execution policy: (Note that `RemoteSigned` should work too)
6. Set new execution policy: (Note that `RemoteSigned` will work only if scripts are unblocked)

```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
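Review bot: the added note says `RemoteSigned` works once scripts are unblocked, yet the command that follows still sets `Unrestricted` with `-Force`. `Unrestricted` removes the prompt for every downloaded script the user runs, not only this project's, so given that the README already asks users to unblock the project files, recommending `RemoteSigned` as the default and keeping `Unrestricted` only as a fallback would be the safer instruction.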
Expand All @@ -197,8 +199,7 @@ cd C:\
cd WindowsFirewallRuleset-master
```

9. At this point if you want to execute only specific scripts then you should "unblock" all project
files first by executing the script called `UnblockProject.ps1`,
9. At this point you should "unblock" all project files first by executing the script called `UnblockProject.ps1`,
btw. project files were blocked by Windows to prevent users from running untrusted script code
downloaded from internet:
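Review bot: the rewritten step 9 line is well over 100 characters and `btw. project files were blocked by Windows` reads as chat shorthand in user instructions; wrap the line and reword it to something like `Note: Windows blocks files downloaded from the internet to prevent running untrusted script code`, which also makes clear what `UnblockProject.ps1` undoes.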

7 changes: 7 additions & 0 deletions Readme/CHANGELOG.md
Expand Up @@ -20,6 +20,11 @@
- Added rules for League of Legends game
- Rules for Nvidia now load conditionally based on presence of GeForce experience (needs improvements)

## Bugfixes

- Prevent generating errors is removing rules from empty firewall
- Fix error resetting global firewall settings

## Development

- Resolve all analyzer warnings (some functions were renamed)
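Review bot: typo in the new Bugfixes entry: `Prevent generating errors is removing rules from empty firewall` should read `Prevent generating errors when removing rules from an empty firewall`; the second entry would be clearer as `Fix error when resetting global firewall settings`.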
Expand All @@ -32,6 +37,7 @@

- Add instructions for LAN setup
- Random updates to docs, fixed dead links and formatting
- Done some spell checking

## New features

Expand All @@ -42,6 +48,7 @@
- ResetFirewall script also deletes IPSec rules
- Script to unblock all files in project, for scripts that were downloaded from GitHub
to prevent spamming YES/NO questions while executing them.
- Updated some informational messages to be more descriptive and less annoying.

# Changelog v0.4.1

3 changes: 2 additions & 1 deletion Readme/TODO.md
Expand Up @@ -106,7 +106,8 @@ TODO's in this file are categorized into following sections:

2. Project scripts

- Access is denied randomly while executing rules, need some check around this
- Access is denied randomly while executing rules, need some check around this, ex. catching the
error and ask to re-run the script.
- make possible to apply or enable only rules relevant for current firewall profile
- Add #Requires -Modules to scripts, possibly removing module inclusions, if not
another possibility is to add module path to our modules for current session.
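Review bot: grammar in the expanded TODO item: `ex. catching the error and ask to re-run the script` should read `e.g. catch the error and ask the user to re-run the script`. It would also help to record which rule hit the error before prompting, since the README bullet on this page tells users to re-run the specific script that failed.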
21 changes: 18 additions & 3 deletions ResetFirewall.ps1
Expand Up @@ -77,11 +77,14 @@ Set-NetFirewallProfile -Name Public -PolicyStore $PolicyStore -Enabled NotConfig

Write-Information -Tags "User" -MessageData "INFO: Resetting global firewall settings..." @Logs

# NOTE: MaxSAIdleTimeSeconds NotConfigured
# This parameter value is case-sensitive and NotConfigured can only be specified using dot-notation
# Otherwise default value is 300
Set-NetFirewallSetting -PolicyStore $PolicyStore -EnablePacketQueuing NotConfigured `
-EnableStatefulFtp NotConfigured -EnableStatefulPptp NotConfigured `
-Exemptions NotConfigured -CertValidationLevel NotConfigured `
-KeyEncoding NotConfigured -RequireFullAuthSupport NotConfigured `
-MaxSAIdleTimeSeconds NotConfigured -AllowIPsecThroughNAT NotConfigured `
-MaxSAIdleTimeSeconds 300 -AllowIPsecThroughNAT NotConfigured `
-RemoteUserTransportAuthorizationList NotConfigured `
-RemoteUserTunnelAuthorizationList NotConfigured `
-RemoteMachineTransportAuthorizationList NotConfigured `
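Review bot: passing `-MaxSAIdleTimeSeconds 300` writes an explicit value into `$PolicyStore` instead of leaving the setting unconfigured, so after `ResetFirewall.ps1` runs this one setting stays configured while every other setting in the call is `NotConfigured`. The new comment says `NotConfigured` can only be set through dot-notation; either use that route here so the reset is complete, or state in the comment that the script deliberately sets the default of 300. The comment also says `This parameter value is case-sensitive` without naming the value; spell out that `NotConfigured` must be typed exactly.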
Expand All @@ -92,11 +95,23 @@ Set-NetFirewallSetting -PolicyStore $PolicyStore -EnablePacketQueuing NotConfigu
# TODO: Implement removing only project rules.
#

# NOTE: we need to check if there are rules present to avoid errors about "no object found"
# Needed also to log actual rule removal errors
Write-Information -Tags "User" -MessageData "INFO: Removing outbound rules..." @Logs
Remove-NetFirewallRule -Direction Outbound -PolicyStore $PolicyStore @Logs
$OutboundCount = $(Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Outbound -EA Ignore | Measure-Object).Count

if ($OutboundCount -gt 0)
{
Remove-NetFirewallRule -Direction Outbound -PolicyStore $PolicyStore @Logs
}

Write-Information -Tags "User" -MessageData "INFO: Removing inbound rules..." @Logs
Remove-NetFirewallRule -Direction Inbound -PolicyStore $PolicyStore @Logs
$InboundCount = $(Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound -EA Ignore | Measure-Object).Count

if ($InboundCount -gt 0)
{
Remove-NetFirewallRule -Direction Inbound -PolicyStore $PolicyStore @Logs
}

Write-Information -Tags "User" -MessageData "INFO: Removing IPSec rules..." @Logs
Remove-NetIPsecRule -All -PolicyStore $PolicyStore @Logs
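Review bot: `-EA Ignore` on `Get-NetFirewallRule` hides every failure, not only the empty-store case, so if the query fails (for instance the random access-denied errors the README on this page mentions) the count is 0 and removal is skipped silently while the log still says `Removing outbound rules...`. Piping the rules straight into the removal avoids both the counter and the branch, e.g. `Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Outbound | Remove-NetFirewallRule @Logs`, which does nothing when there are no rules and still surfaces query errors; the same applies to the inbound block, and the two blocks could become one loop over `Outbound` and `Inbound`. The `$(...)` wrapper around the pipeline is also unnecessary.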