Add support for managing Windows Firewall config

2025-12-20 23:00:35 -05:00 · 2019-11-03 19:22:28 +01:00 · 2019-11-03 19:22:28 +01:00 · 8c6b9257e2
commit 8c6b9257e2
parent 921acbdcea
4 changed files with 121 additions and 0 deletions
--- a/lib/core/icingaagent/firewall/Disable-IcingaFirewall.psm1
+++ b/lib/core/icingaagent/firewall/Disable-IcingaFirewall.psm1
@ -0,0 +1,30 @@
+function Disable-IcingaFirewall()
+{
+    param(
+        [switch]$LegacyOnly
+    );
+
+    $FirewallConfig = Get-IcingaFirewallConfig -NoOutput;
+
+    if ($FirewallConfig.LegacyFirewall) {
+        $Firewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall delete rule name="Icinga 2 Agent Inbound by PS-Module"';
+        if ($Firewall.ExitCode -ne 0) {
+            Write-Host ([string]::Format('Failed to remove legacy firewall: {0}{1}', $Firewall.Message, $Firewall.Error));
+        } else {
+            Write-Host 'Successfully removed legacy Firewall rule';
+        }
+    }
+
+    if ($LegacyOnly) {
+        return;
+    }
+
+    if ($FirewallConfig.IcingaFirewall) {
+        $Firewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall delete rule name="Icinga Agent Inbound"';
+        if ($Firewall.ExitCode -ne 0) {
+            Write-Host ([string]::Format('Failed to remove Icinga firewall: {0}{1}', $Firewall.Message, $Firewall.Error));
+        } else {
+            Write-Host 'Successfully removed Icinga Firewall rule';
+        }
+    }
+}
--- a/lib/core/icingaagent/firewall/Enable-IcingaFirewall.psm1
+++ b/lib/core/icingaagent/firewall/Enable-IcingaFirewall.psm1
@ -0,0 +1,35 @@
+function Enable-IcingaFirewall()
+{
+    param(
+        [int]$IcingaPort = 5665,
+        [switch]$Force
+    );
+
+    $FirewallConfig = Get-IcingaFirewallConfig -NoOutput;
+
+    if ($FirewallConfig.IcingaFirewall -And $Force -eq $FALSE) {
+        Write-Host 'Icinga Firewall is already enabled'
+        return;
+    }
+
+    if ($Force) {
+        Disable-IcingaFirewall;
+    }
+
+    $IcingaBinary         = Get-IcingaAgentBinary;
+    [string]$FirewallRule = [string]::Format(
+        'advfirewall firewall add rule dir=in action=allow program="{0}" name="{1}" description="{2}" enable=yes remoteip=any localip=any localport={3} protocol=tcp',
+        $IcingaBinary,
+        'Icinga Agent Inbound',
+        'Inbound Firewall Rule to allow Icinga 2 masters / satellites to connect to the Icinga 2 Agent installed on this system.',
+        $IcingaPort
+    );
+    
+    $FirewallResult = Start-IcingaProcess -Executable 'netsh' -Arguments $FirewallRule;
+
+    if ($FirewallResult.ExitCode -ne 0) {
+        Write-Host ([string]::Format('Failed to open Icinga firewall for port "{0}": {1}[2}', $IcingaPort, $FirewallResult.Message, $FirewallResult.Error));
+    } else {
+        Write-Host ([string]::Format('Successfully enabled firewall for port "{0}"', $IcingaPort));
+    }
+}
--- a/lib/core/icingaagent/firewall/Get-IcingaFirewallConfig.psm1
+++ b/lib/core/icingaagent/firewall/Get-IcingaFirewallConfig.psm1
@ -0,0 +1,36 @@
+function Get-IcingaFirewallConfig()
+{
+    param(
+        [switch]$NoOutput
+    );
+
+    [bool]$LegacyFirewallPresent = $FALSE;
+    [bool]$IcingaFirewallPresent = $FALSE;
+
+    $LegacyFirewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall show rule name="Icinga 2 Agent Inbound by PS-Module"';
+
+    if ($LegacyFirewall.ExitCode -eq 0) {
+        if ($NoOutput -eq $FALSE) {
+            Write-Host 'Legacy firewall configuration has been detected.';
+        }
+        $LegacyFirewallPresent = $TRUE;
+    }
+
+    $IcingaFirewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall show rule name="Icinga Agent Inbound"';
+
+    if ($IcingaFirewall.ExitCode -eq 0) {
+        if ($NoOutput -eq $FALSE) {
+            Write-Host 'Icinga firewall is present.';
+        }
+        $IcingaFirewallPresent = $TRUE;
+    } else {
+        if ($NoOutput -eq $FALSE) {
+            Write-Host 'Icinga firewall is not present';
+        }
+    }
+
+    return @{
+        'LegacyFirewall' = $LegacyFirewallPresent;
+        'IcingaFirewall' = $IcingaFirewallPresent;
+    }
+}
--- a/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1
+++ b/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1
@ -12,6 +12,7 @@ function Start-IcingaAgentInstallWizard()
        [string]$AgentVersion,
        $AllowVersionChanges,
        $UpdateAgent                 = $null,
+        $AddFirewallRule             = $null,
        $AcceptConnections           = $null,
        [array]$Endpoints            = @(),
        [array]$EndpointConnections  = @(),
@ -99,6 +100,9 @@ function Start-IcingaAgentInstallWizard()
            $Result              = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'AcceptConnections' -Value $AcceptConnections -InstallerArguments $InstallerArguments;
            $AcceptConnections   = $Result.Value;
            $InstallerArguments  = $Result.Args;
+            $Result              = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'AddFirewallRule' -Value $AddFirewallRule -InstallerArguments $InstallerArguments;
+            $AddFirewallRule     = $Result.Value;
+            $InstallerArguments  = $Result.Args;            
            $Result              = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'ServiceUser' -Value $ServiceUser -InstallerArguments $InstallerArguments;
            $ServiceUser         = $Result.Value;
            $InstallerArguments  = $Result.Args;
@ -239,6 +243,18 @@ function Start-IcingaAgentInstallWizard()
        }
    }

+    if ($AcceptConnections -eq 0) {
+        if ($null -eq $AddFirewallRule) {
+            if ((Get-IcingaAgentInstallerAnswerInput -Prompt ([string]::Format('Do you want to open the Windows Firewall for incoming traffic on Port "{0}"?', $CAPort)) -Default 'y').result -eq 1) {
+                $InstallerArguments += "-AddFirewallRule 1";
+                $AddFirewallRule = $TRUE;
+            } else {
+                $InstallerArguments += "-AddFirewallRule 0";
+                $AddFirewallRule = $FALSE;
+            }
+        }
+    }
+
    if ($EndpointConnections.Count -eq 0 -And $AcceptConnections -eq 1) {
        $NetworkDefault = '';
        foreach ($Endpoint in $Endpoints) {
@ -428,6 +444,10 @@ function Start-IcingaAgentInstallWizard()
            Install-IcingaAgentCertificates -Hostname $Hostname -Endpoint $CAEndpoint -Port $CAPort -CACert $CAFile -Ticket $Ticket | Out-Null;
            Write-IcingaAgentApiConfig -Port $CAPort;
            Write-IcingaAgentZonesConfig -Endpoints $Endpoints -EndpointConnections $EndpointConnections -ParentZone $ParentZone -GlobalZones $GlobalZoneConfig -Hostname $Hostname;
+            if ($AddFirewallRule) {
+                # First cleanup the system by removing all old Firewalls
+                Enable-IcingaFirewall -IcingaPort $CAPort -Force;
+            }
            Test-IcingaAgent;
            Restart-IcingaService 'icingapowershell';
            Restart-IcingaService 'icinga2';