Comments (13)

PlagueHO avatar PlagueHO commented on August 28, 2024

I'll take a look and see if I can figure out what the issue is.

from networkingdsc.

PlagueHO avatar PlagueHO commented on August 28, 2024

Hi @nebffa,

I did a bit of digging around and this isn't a problem with the resource.

The issue is that the LocalPort parameter can only take on the parameter of PlayToDiscovery if the protocol is UDP. PlayToDiscovery is not supported by the TCP protocol in WFAS.

You can confirm this by executing:

New-NetFirewallRule `
    -Name "IIS Remote Administration" `
    -DisplayName "IIS Remote Administration" `
    -Action "Allow" `
    -Profile "Domain" `
    -Direction "InBound" `
    -RemotePort "Any" `
    -LocalPort "PlayToDiscovery" `
    -Protocol "TCP"

It will fail with the Error:
New-NetFirewallRule : One of the port keywords is invalid.
At line:1 char:1
+ New-NetFirewallRule -Name "IIS Remote Administration" -DisplayName "I ...
    + CategoryInfo          : InvalidArgument: (MSFT_NetFirewallRule:root/standardcimv2/MSFT_NetFirewallRule) [New-NetFirewallRule], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070057,New-NetFirewallRule

But:

New-NetFirewallRule `
    -Name "IIS Remote Administration" `
    -DisplayName "IIS Remote Administration" `
    -Action "Allow" `
    -Profile "Domain" `
    -Direction "InBound" `
    -RemotePort "Any" `
    -LocalPort "PlayToDiscovery" `
    -Protocol "UDP"

will succeed.

You can also confirm this in the Windows Firewall with Advanced Security management interface.

So either don't use the PlayToDiscovery for LocalPort or change the protocol to UDP.

HTH.

tysonjhayes avatar tysonjhayes commented on August 28, 2024

@PlagueHO Is there anything we can do to clear up the error logs to make that clearer for the next user?

nebffa avatar nebffa commented on August 28, 2024

Hey @tysonjhayes, thanks that was really quick. The Microsoft documentation on that page I linked (not in this DSC resource) is clearly erroneous in that it says the keyword would work with TCP.

I noticed in other error messages that xFirewall returns, it displays the possible parameters that you could supply instead. I think that would also be useful in this case.

Interestingly, what I was trying to do from the start was set a firewall rule with LocalPort being RPC Dynamic Ports, I will play around with it to see what I can find.

tysonjhayes avatar tysonjhayes commented on August 28, 2024

Hey @nebffa thank @PlagueHO he did most of the work. 👍 Let us know what you can find we're trying to improve this as much as we can.

nebffa avatar nebffa commented on August 28, 2024

Sorry, you're right @tysonjhayes. Thanks @PlagueHO as well for your help.

I played around with it a bit more. All I needed to do was use LocalPort = "RPC" to get what I need.

The Microsoft docs say If the Protocol parameter is not specified, then the acceptable values for this parameter are: RPC, RPCEPMap, Teredo, IPHTTPSIn, IPHTTPSOut, or Any. which makes it sound like you can't use these parameters if the Protocol parameter is being used.

Perhaps an option for clearer error logs would be something like:

The supplied value for "LocalPort" is invalid - it can be one of the following: 
 * A number between "0-65536"
 * "RPC"
 * "RPCEPMap"
etc. etc.

PlagueHO avatar PlagueHO commented on August 28, 2024

Hi @tysonjhayes and @nebffa,

When I was investigating this I found the New-NetFirewallRule cmdlet docs are definitely not too clear on this - which is what had me scratching my head as well. I've added a community addition to the documentation on this page.

@tysonjhayes, it would definitely be possible to sanitize the parameters in the Test-TargetResource (perhaps call out to a Test-Parameters function like we do in the other resources) and throw a slightly more descriptive error message should this be encountered. The only problem with this is that if an existing rule is being modified then it might still slip through.

E.g. if a rule exists:
LocalPort: PlayToDiscovery, Protocol: UDP

And a resource is created that changes the Protocol to TCP (without modifying the LocalPort) then this test wouldn't flag the issue. It could be made to do this (compare both existing values and new values) but it would increase complexity.

A better way might be to just try and catch that specific exception when creating/updating the firewall rule.

But perhaps the best solution is just to document this in the Readme.md in a list of known bad combinations (because I'm sure there are a few of them that aren't documented). :)

tysonjhayes avatar tysonjhayes commented on August 28, 2024

We could start with a list of known bad combinations, and expand from there. I don't really want to write a bunch of code to handle everything as one-off combinations just to bubble up the exception properly. I was more thinking, could we get it to say "One of the port keywords is invalid.", which was the actual exception? I'll look at the code later.

Side note, I was noticing that this came out of the verbose logs:

VERBOSE: [PERFTEST01]:  [[xFirewall]IIS Remote Administration] Test-RuleProperties: LocalPort
 property value 'System.String[]' does not match desired state 'System.String[]'.

Which suggests we may not be comparing that array correctly or at least not displaying it in the verbose stream. I'd expect it to say 'LocalPort property value 123456 does not match desired state 80' or something to that effect.

PlagueHO avatar PlagueHO commented on August 28, 2024

Regarding the "One of the port keywords is invalid" exception, when I actually tested this problem and ran the config through my test systems, that was actually the error that was reported to me in the Verbose log. This did strike me as odd given that the log @nebffa posted shows a different error. I might do some additional investigation on this as I don't like mysteries...

And good catch with the bad messages - I ran into and fixed the same thing in the last PR I raised (an array pushed into a format string must first be joined). I can pop a fix through for this as well and see if I can identify any others if you like?
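
An added example (not NetworkingDsc's own code) of the two fixes discussed above: a Test-Parameters style pre-check of known bad LocalPort keyword / Protocol combinations that names the offending value instead of the bare "One of the port keywords is invalid", and a verbose mismatch message that joins array values before the -f format operator so it no longer prints 'System.String[]'. The function names and the combination table are assumptions; the table holds only the one combination this thread established (PlayToDiscovery requires UDP).

```powershell
# Added example (not NetworkingDsc code): a Test-Parameters style pre-check of
# LocalPort keyword / Protocol combinations, plus an array-safe verbose message.
# The table holds only the combination this thread established; extend as found.
$script:KnownBadPortKeywordCombinations = @(
    @{ Keyword = 'PlayToDiscovery'; RequiredProtocol = 'UDP' }
)

function Test-PortKeywordCombination
{
    # Returns $true when no known bad combination is present; otherwise throws
    # an error naming the offending value and the protocol it requires.
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [System.String[]] $LocalPort,
        [Parameter()] [System.String] $Protocol
    )

    foreach ($combination in $script:KnownBadPortKeywordCombinations)
    {
        if (($LocalPort -contains $combination.Keyword) -and
            $Protocol -and ($Protocol -ne $combination.RequiredProtocol))
        {
            $message = ("The supplied value '{0}' for LocalPort is not valid with " +
                "Protocol '{1}'; it is only supported with Protocol '{2}'.") -f `
                $combination.Keyword, $Protocol, $combination.RequiredProtocol
            throw $message
        }
    }
    return $true
}

function Get-PropertyMismatchMessage
{
    # Arrays must be joined before -f, or the message prints 'System.String[]'.
    param
    (
        [System.String] $PropertyName,
        [System.Object] $CurrentValue,
        [System.Object] $DesiredValue
    )
    return "{0} property value '{1}' does not match desired state '{2}'." -f `
        $PropertyName, ($CurrentValue -join ','), ($DesiredValue -join ',')
}

# Hypothetical usage; nothing here touches the firewall, so it runs anywhere.
Test-PortKeywordCombination -LocalPort 'PlayToDiscovery' -Protocol 'UDP'
Get-PropertyMismatchMessage -PropertyName 'LocalPort' -CurrentValue @('123456') -DesiredValue @('80')
try { Test-PortKeywordCombination -LocalPort 'PlayToDiscovery' -Protocol 'TCP' } catch { Write-Warning $_.Exception.Message }
```

The pre-check only catches combinations supplied in one resource declaration; as PlagueHO notes, a protocol change against an existing rule would still need the existing LocalPort compared as well.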

PlagueHO avatar PlagueHO commented on August 28, 2024

After further experimentation, I found that the "One of the port keywords is invalid" message is reported in the Verbose log if the firewall rule does not yet exist:

VERBOSE: [SA_FS1]: LCM:  [ Start  Resource ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [SA_FS1]: LCM:  [ Start  Test     ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Checking settings for firewall rule with Name 'IIS Remote
Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Find firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Get-FirewallRule: No Firewall Rule found with Name 'IIS Remote Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Firewall rule with Name 'IIS Remote Administration' does not
exist.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Check Firewall rule with Name 'IIS Remote Administration'
returning False.
VERBOSE: [SA_FS1]: LCM:  [ End    Test     ]  [[xFirewall]IIS Remote Administration]  in 0.1250 seconds.
VERBOSE: [SA_FS1]: LCM:  [ Start  Set      ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Applying settings for firewall rule with Name 'IIS Remote
Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Find firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Get-FirewallRule: No Firewall Rule found with Name 'IIS Remote Administration'.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: We want the firewall rule with Name 'IIS Remote
Administration' to exist since Ensure is set to Present.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: We want the firewall rule with Name 'IIS Remote
Administration' to exist, but it does not.
VERBOSE: [SA_FS1]:                            [[xFirewall]IIS Remote Administration] New-NetFirewallRule DisplayName: IIS Remote Administration
One of the port keywords is invalid.
    + CategoryInfo          : InvalidArgument: (MSFT_NetFirewallRule:) [], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070057,New-NetFirewallRule
    + PSComputerName        : SA_FS1

VERBOSE: [SA_FS1]: LCM:  [ End    Set      ]  [[xFirewall]IIS Remote Administration]  in 0.2650 seconds.
The PowerShell DSC resource MSFT_xFirewall threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the
ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : SA_FS1

VERBOSE: [SA_FS1]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : SA_FS1

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 20.693 seconds

If a version of the firewall rule already exists (regardless of how that rule is configured), then that is when the error that @nebffa's log is showing occurs. So in summary, the odd error message only occurs when updating an existing rule with a bad combination. I'll see if I can figure out a way to resolve it.

PlagueHO avatar PlagueHO commented on August 28, 2024

I've found and fixed the issue where the error is being misreported. It is actually a slightly more significant bug in that any time the DisplayName is passed when the rule already exists an error would be thrown. I'm going to add some Pester tests to check for this issue in future, but I'm away for the rest of this week so I'll do it first thing next week. Thanks all.

tysonjhayes avatar tysonjhayes commented on August 28, 2024

No rush, I think you've documented it fairly well up to this point. I'm sure anyone who runs into this until we've gotten a fix in will be able to find this issue and sort it out. 😁 Thanks for looking into this.

tysonjhayes avatar tysonjhayes commented on August 28, 2024

This was fixed in #37 which is now merged. Please reopen this if you are still blocked on the latest code.