Firewall RemoteAddress fails test if CIDR notation is used #404

Closed
globi84 opened this issue Jun 7, 2019 · 2 comments · Fixed by #407
globi84 commented Jun 7, 2019

Hi

I use the NetworkingDSC Module in Version 7.2.0.0 and there is something wrong with RemoteAddress in CIDR format.

I use this configuration

Firewall FPS-SMB-In-TCP-NoScope {
    Name          = 'FPS-SMB-In-TCP-NoScope'
    Ensure        = 'Present'
    Enabled       = 'True'
    Profile       = 'Domain'
    RemoteAddress = '192.168.1.0/24'
}

After pushing to the client, the test is always false and gives me this message:

[[Firewall]FPS-RPCSS-In-TCP-NoScope::[FirewallSMB]SMB-Firewall-Config] Test-RuleProperties: RemoteAddress property value '192.168.1.0/255.255.255.0' does not match desired state '192.168.1.0/24'.

When I use '192.168.1.0/255.255.255.0' for the RemoteAddress, everything works fine.

Is there a bug with the module or am I doing something wrong?

regards

christian

@PlagueHO PlagueHO added bug The issue is a bug. in progress The issue is being actively worked on by someone. labels Jun 7, 2019
@PlagueHO PlagueHO self-assigned this Jun 7, 2019
PlagueHO (Member) commented Jun 7, 2019

Hi @globi84 - thanks for raising this. We are using the New-NetFirewallRule and Set-NetFirewallRule cmdlets to create the rules, and these do support CIDR number-of-bits notation in the format you show. See https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=win10-ps

But Get-NetFirewallAddressFilter always returns CIDR with subnet mask notation for the address filters no matter the input notation.

However, we actually have code to address this problem:
https://github.com/PowerShell/NetworkingDsc/blob/dev/DSCResources/MSFT_Firewall/MSFT_Firewall.psm1#L1204

But, there is a clear bug in it:

The above line:

if ($parameter.Type -eq 'IPArray')

Should be:

if ($parameter.Type -eq 'ArrayIP')

An easy fix but I'll improve the test automation as this shouldn't have got through.

Thanks again for raising this.
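
Added example, not part of the comment above and not NetworkingDsc's own code: one way to normalise a desired-state address from CIDR prefix notation to the subnet-mask form that Get-NetFirewallAddressFilter returns, so that a rule scoped with '192.168.1.0/24' tests as compliant. The function names ConvertTo-MaskNotation and Test-AddressMatch are hypothetical, the sample values are taken from the report, and only IPv4 is handled.

```powershell
# Added illustration, not NetworkingDsc code. ConvertTo-MaskNotation and
# Test-AddressMatch are hypothetical names; IPv4 only.
function ConvertTo-MaskNotation
{
    param ([Parameter(Mandatory = $true)] [System.String] $Address)

    # Only 'a.b.c.d/n' is rewritten. Keywords ('Any', 'LocalSubnet'), single
    # hosts, ranges, IPv6 and mask notation pass through unchanged.
    if ($Address -notmatch '^(?<ip>\d{1,3}(\.\d{1,3}){3})/(?<bits>\d{1,2})$')
    {
        return $Address
    }

    $ip = $Matches['ip']
    $bits = [System.Int32] $Matches['bits']
    if ($bits -gt 32)
    {
        throw "Invalid prefix length in '$Address'."
    }

    # Each octet takes up to 8 of the prefix bits, most significant first.
    $mask = foreach ($octet in 0..3)
    {
        $octetBits = [System.Math]::Min(8, [System.Math]::Max(0, $bits - (8 * $octet)))
        256 - (1 -shl (8 - $octetBits))
    }

    return '{0}/{1}' -f $ip, ($mask -join '.')
}

function Test-AddressMatch
{
    param ([System.String[]] $Desired, [System.String[]] $Current)

    # Normalise both sides, then compare as sorted lists so order is ignored.
    $d = @($Desired | ForEach-Object { ConvertTo-MaskNotation -Address $_ } | Sort-Object)
    $c = @($Current | ForEach-Object { ConvertTo-MaskNotation -Address $_ } | Sort-Object)
    return ($d -join ',') -eq ($c -join ',')
}

# Sample values from the report above: desired state vs. what the filter returns.
Test-AddressMatch -Desired '192.168.1.0/24' -Current '192.168.1.0/255.255.255.0'
# Constructed mismatch: same prefix length, different network.
Test-AddressMatch -Desired '192.168.1.0/24' -Current '192.168.2.0/255.255.255.0'
```

The address part is compared as given; host bits set in the desired value (for example '192.168.1.5/24') are not masked off by this sketch.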

globi84 (Author) commented Jun 11, 2019

Hi PlagueHO

Thanks for the fast response and the fast fix.

regards.

@globi84 globi84 closed this as completed Jun 11, 2019
PlagueHO added a commit that referenced this issue Jun 19, 2019
Fix bug in Firewall with RemoteAddress and LocalAddress - Fixes #404