Public/New-LocalInPolicy.ps1
<#
.Description The purpose of this function is to write a configuration script. The purpose of that configuration script will be to implement a localin restriction policy. A use case being to allow managing the firewall from a public interface, but only from permitted IP addresses. If you fully understand the config output you can leverage this for additional purposes related to localin policies. .Parameter Administrators Provide and array administrators that should be able to access the firewall by the services to be specified in another parameter. .Parameter Interfaces An interface or interfaces that the localin policy will apply for. .Parameter PolicyName This is a string that will be used in parts of the config to avoid overwriting existing configurations. This must be unique. .Parameter Services Specify the Service or services that the local-in policy applies to. ex: "RDP/3389/TCP", "piov/5060-5061/UDP" .Parameter TrustedHosts Provide an array of CIDR addresses that should be able to acccess the firewall management interfaces using the services to be provided later. .Example $params = @{ Administrators = "AdminAccount01", "AdminAccount02" Interfaces = "wan1", "DMZ" PolicyName = "RemoteAccess" Services = "HTTPS/443/TCP", "SSH/22/TCP" TrustedHosts = "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8" } New-LocalinPolicy @params .Link https://github.com/TheTaylorLee/AdminToolbox/tree/master/docs #> function New-LocalinPolicy { [CmdletBinding()] Param ( [Parameter(Mandatory = $true, HelpMessage = "Provide an array administrators that should be able to login.")] [string[]]$administrators, [Parameter(Mandatory = $true, HelpMessage = "Provide an array of interfaces that this policy will apply to.")] [string[]]$interfaces, [Parameter(Mandatory = $true, HelpMessage = "This PolicyName will be used to avoid overwriting existing address objects")] [string]$policyname, [Parameter(Mandatory = $false, HelpMessage = "Specify services in the following format. ex: ""RDP/3389/TCP"", ""piov/5060-5061/UDP""")] [string[]]$Services, [Parameter(Mandatory = $true, HelpMessage = "Provide an array of CIDR addresses that should be able to acccess the firewall management interfaces.")] [ValidateScript( { if ($_ -match '^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[/]{1}[0-9]{1,2}$') { $true } else { throw "$_ is an invalid pattern. You must provide a proper CIDR format. ex: 192.168.0.0/24" } })] [string[]]$trustedhosts ) begin { } process { #configure Trusted hosts New-LocalInPolicyTrustHosts -administrators $administrators -trustedhosts $trustedhosts #Create Address Objects for the Policy [int]$max = $trustedhosts.Count $addresses = for ($i = 0; $i -lt $max; $i++) { [PSCustomObject]@{ Name = "LocalIn" + "_" + $PolicyName + "_" + $trustedhosts[$i] CIDR = $trustedhosts[$i] } } Foreach ($Address in $Addresses) { New-AddressObject -AddressName $Address.Name -CIDR $Address.CIDR } #Create Address Objects for the policy $LocNames = ($Addresses).name -join " " $LocalGroupName = "LocalIn_$policyname" New-AddressGroup -AddressNames $LocNames -GroupName $LocalGroupName #Create Services foreach ($service in $services) { $split = $service -split "/" if ($split[2] -eq 'TCP') { $Params = @{ ServiceName = "LocalIn_" + $PolicyName + "_" + $split[0] TCPPortRange = $split[1] } } if ($split[2] -eq 'UDP') { $Params = @{ ServiceName = "LocalIn_" + $PolicyName + "_" + $split[0] UDPPortRange = $split[1] } } New-ServiceObject @Params } #Create Service Groups $proc = $services -split "/" [int]$count = $proc.count $svcs = for ($i = 0; $i -lt $count) { "LocalIn_" + $PolicyName + "_" + $proc[$i] $i = $i + [int]3 } $svcresult = $svcs -join " " $svcgroupname = "LocalIn_" + $PolicyName New-ServiceGroup -ServiceGroupName $svcgroupname -Members $svcresult # Create local-in allow policy Write-Output " config firewall local-in-policy edit 0 set intf any set srcaddr $LocalGroupName set dstaddr all set action accept set service $svcgroupname set schedule always next end " #Create local-in block policy foreach ($int in $interfaces) { Write-Output " config firewall local-in-policy edit 0 set intf $int set srcaddr all set dstaddr all set action deny set service $svcgroupname set schedule always next end " } } end { } } |