Recently I built an NPS server for RADIUS authentication, and had to dual-home it with one NIC in the DMZ and one on the production network. I wanted to firewall everything on the DMZ interface but not affect the production interface. That way I could then allow the traffic I wanted to enable on the DMZ interface port by port. Assuming Windows has correctly detected the profile on the two interfaces as “Domain” and “Public”, which it should based on the resources visible on each network, you can run the following script to disable traffic just on the public interface.
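#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Removes the Public profile from every enabled inbound Windows Firewall rule.

.DESCRIPTION
    Intended for a dual-homed host whose DMZ NIC has been classified as "Public"
    and whose production NIC as "Domain". Every enabled inbound rule that
    currently applies to the Public profile (or to "Any", which includes Public)
    is rewritten so that it no longer does; rules that apply *only* to Public are
    disabled instead. Outbound rules and already-disabled rules are not touched,
    so this script constrains inbound traffic on the DMZ interface only.

    Every change is recorded in a timestamped transcript for audit. The script
    supports -WhatIf / -Confirm so the planned changes can be reviewed first.

.NOTES
    Requires elevation: Set-NetFirewallRule / Disable-NetFirewallRule fail
    without it. Confirm the profile assignment (e.g. Get-NetConnectionProfile)
    before running; a production NIC mis-detected as "Public" would lose its
    inbound rules, which is exactly what this script is designed to do.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

# One transcript per run; -NoClobber refuses to overwrite an existing log.
$LogFilePath = $env:LOCALAPPDATA + "\Cloudwyse\Logs\adv_firewall" + $(get-date -Format ddMMyy_HHmmss) + ".log"
# Start-Transcript fails if the target directory does not exist yet.
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $LogFilePath) -Force
Start-Transcript -Path $LogFilePath -NoClobber

try {
    $rules = Get-NetFirewallRule
    $total = 0

    foreach ($rule in $rules) {
        # Candidate rules: enabled, inbound, and applicable to Public (directly or via "Any").
        if (($rule.Profile -like "any" -or $rule.Profile -match "public") -and $rule.Enabled -like "True" -and $rule.Direction -like "Inbound") {

            if ($rule.Profile -like "any") {
                # "Any" is Domain + Private + Public; keep the first two.
                if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Set profile to Domain, Private")) {
                    Set-NetFirewallRule -Name $rule.Name -Profile "Domain, Private"
                    write-host "Setting" $rule.DisplayName "Domain, Private"
                }
            } elseif ($rule.Profile -match "Domain" -and $rule.Profile -match "private" -and $rule.Profile -match "public") {
                # All three listed explicitly rather than as "Any".
                if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Set profile to Domain, Private")) {
                    Set-NetFirewallRule -Name $rule.Name -Profile "Domain, Private"
                    write-host "Setting" $rule.DisplayName "Domain, Private"
                }
            } elseif ($rule.Profile -match "Domain" -and $rule.Profile -match "public") {
                if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Set profile to Domain")) {
                    Set-NetFirewallRule -Name $rule.Name -Profile "Domain"
                    write-host "Setting" $rule.DisplayName "Domain"
                }
            } elseif ($rule.Profile -match "Private" -and $rule.Profile -match "public") {
                if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Set profile to Private")) {
                    Set-NetFirewallRule -Name $rule.Name -Profile "Private"
                    write-host "Setting" $rule.DisplayName "Private"
                }
            } elseif ($rule.Profile -like "public") {
                # Public-only rule: nothing left to narrow it to, so switch it off.
                if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Disable rule")) {
                    Disable-NetFirewallRule -Name $rule.Name
                    write-host "Disabling" $rule.DisplayName
                }
            } else {
                # Should be unreachable given the outer filter; name the rule so the log is actionable.
                write-host -ForegroundColor Red "Error - unexpected profile '$($rule.Profile)' on rule '$($rule.DisplayName)' - check logs"
            }

            $total++
        }
    }

    write-host -ForegroundColor Yellow "$total rules processed"
} finally {
    # Close the transcript even if Get-NetFirewallRule or a rule change throws.
    stop-transcript
}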