Windows Firewall Question


jim

Feb 14, 2013, 10:29:52 AM
to puppet...@googlegroups.com
Hello all,

I'm currently running 2.7.19 (Puppet Enterprise 2.7.0)

I want to use puppet to add / amend or delete windows firewall rules, is there a tidy way of doing this?

exec { "Check_MK_Firewall_Rule_create":
  command => 'C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Check_MK" dir=in action=allow protocol=TCP localport=6556',
  unless  => 'C:\Windows\System32\netsh.exe advfirewall firewall show rule name="Check_MK"',
}

## If I remove the unless statement, it will keep adding the same rule over and over again, which will make the firewall rule list unmanageable


exec { "Check_MK_Firewall_Rule_enable":
  command => 'C:\Windows\System32\netsh.exe advfirewall firewall set rule name="Check_MK" new enable=Yes',
}

## When I do a puppet run it keeps running this, is there a way to only run it if disabled?

Hope this makes sense

regards

James

Justin Stoller

Feb 14, 2013, 12:22:24 PM
to puppet...@googlegroups.com
I believe you want your second exec to subscribe to the first (so the first exec only runs if the rule doesn't exist and the second only runs if the first does).

To tidy that up you could put them in a defined type so you can write something like:
win_firewall { "Check_MK":
  direction => 'in',
  action    => 'allow',
  protocol  => 'TCP',
  port      => 6556,
}

Of course there's a whole host of things you can do to continue tidying up. Like creating a native type & provider for windows firewall, extending a current type with a windows provider, or wrapping linux firewall types & windows firewall types in a more generic 'firewall' type, that just depends on how far you want to take it.

 - Justin


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

ad

Feb 15, 2013, 12:13:04 AM
to puppet...@googlegroups.com
Hey Jim,

As someone who generally hates using execs unless I absolutely have to, I would recommend using the Puppet Labs registry module. I can dig out some examples tomorrow if you like.

Adam

david....@struq.com

Mar 5, 2013, 9:36:15 AM
to puppet...@googlegroups.com
Hi Adam,
 
I would be interested in seeing an example of a firewall config managed by the registry module. Is that possible?
 
Thanks,
David.

phundisk

Mar 7, 2013, 10:22:59 AM
to puppet...@googlegroups.com
I also would.  I was also thinking of making a native windows firewall module/provider in my copious free time (sarcasm).  If the registry version of controlling firewall rules works fine though, that would probably be the fastest and easiest way I can think of.

Paul Tötterman

Mar 7, 2013, 10:55:00 AM
to puppet...@googlegroups.com
> As someone who generally hates using execs unless I absolutely have to, I would recommend using the Puppet Labs registry module. I can dig out some examples tomorrow if you like.

I'm a bit wary about prodding in the registry behind the back of Windows Firewall, but please tell me if it works. I wrote some idempotent PowerShell to control the firewall rules in Windows.

Cheers,
Paul 

Nan Liu

Mar 7, 2013, 1:10:37 PM
to puppet...@googlegroups.com
On Thu, Mar 7, 2013 at 7:55 AM, Paul Tötterman <paul.to...@gmail.com> wrote:
> As someone who generally hates using execs unless I absolutely have to, I would recommend using the Puppet Labs registry module. I can dig out some examples tomorrow if you like.
>
> I'm a bit wary about prodding in the registry behind the back of windows firewall, but please tell me if it works. I wrote some idempotent powershell to control the firewall rules in windows.

The registry data looks straightforward in HKLM/System/CurrentControlSet/ (search FirewallRules):

v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1433|Name=SQL|

But the problem is generating the name:
{4DBAC415-6138-489A-B647-7FAA20709582}

You can't arbitrarily name it SQL. This would be straightforward as a define type wrapping around registry if someone knows how to generate the registry name. Adam?

I'm also using exec with netsh firewall to open a port for SQL server for now, but a type and provider would be much more robust. However, I would like to hear some Windows experts chime in before trying to write a type/provider around netsh advfirewall.


Thanks,

Nan

ad

Mar 7, 2013, 8:50:44 PM
to puppet...@googlegroups.com
Hey David

Below are some examples. Note these are used on embedded Windows 7 (6.1.7601) and I've never tested them on servers (we run mostly Linux servers). I also have examples for XP (5.1.2600) if you want, it's a lot different.

The first 6 are just for enabling the firewall and allowing exceptions. Obviously you may not want to enable the non-domain profiles.

  # Enable firewall
  # Note: In Windows7, it seems the gui doesn't reflect enabling/disabling the firewall in the registry until a reboot.
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  } 
    
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  } 
    
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  }
  
  # Allow exceptions
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  } 
    
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  } 
    
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  }

Here's an example for opening a port:

  # enable Edge
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
    ensure => present,
    type   => 'string',
    data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
  }

Some other examples

  # enable public ping
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
    ensure => present,
    type   => 'string',
    data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
  }

  # disable Remote Assistant
  # Note: when you set this in Advanced System Settings it also changes a bunch of firewall rules that we aren't doing yet
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp':
    ensure  => present,
    type    => 'dword',
    data    => '0',
  }   

hth,

Adam
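The rule strings Nan quoted from HKLM\...\FirewallPolicy\FirewallRules and the ones in Adam's registry_value examples share one pipe-delimited format. The following Ruby is an added example, not code from the thread or from the Puppet Labs registry module: it parses that format (collecting repeated keys such as the two LPort fields in the PopstarEdge rule into an array), rebuilds it, and offers an order-insensitive "is this rule already present?" comparison, which is the check a registry-backed define or provider would need before writing a value. The field names are only those that appear in the thread; treating field order as insignificant is an assumption of the example.

```ruby
# Added example (not code from the thread). Parses and builds the
# pipe-delimited rule strings Windows keeps as REG_SZ values under
#   HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
# The field names used (Action, Active, Dir, Protocol, LPort, ICMP4, Name) are
# the ones that appear in the thread's samples; "v2.10" is the version prefix.
module FirewallRuleString
  # IANA protocol numbers; the thread's samples use 6 (TCP) and 1 (ICMPv4).
  PROTOCOLS = { 'TCP' => 6, 'UDP' => 17, 'ICMP' => 1 }.freeze

  # "v2.10|Action=Allow|...|Name=SQL|" -> ["v2.10", { "Action" => "Allow", ... }]
  # A key that repeats (LPort=8080|LPort=443) is collected into an Array.
  def self.parse(str)
    parts = str.split('|') # the trailing "|" produces no empty element
    version = parts.shift
    fields = {}
    parts.each do |part|
      next if part.empty?
      key, value = part.split('=', 2)
      raise ArgumentError, "malformed field #{part.inspect}" if value.nil?
      if fields.key?(key)
        fields[key] = Array(fields[key]) << value
      else
        fields[key] = value
      end
    end
    [version, fields]
  end

  # Inverse of parse. Field order is the caller's (the thread's samples use
  # Action, Active, Dir, Protocol, ports, Name); Array values are emitted as
  # repeated key=value fields.
  def self.build(version, fields)
    out = [version]
    fields.each { |key, value| Array(value).each { |v| out << "#{key}=#{v}" } }
    out.join('|') + '|'
  end

  # Convenience builder for the common "allow inbound on these ports" rule.
  def self.allow_inbound(name, protocol, ports, active: true)
    build('v2.10',
          'Action'   => 'Allow',
          'Active'   => active ? 'TRUE' : 'FALSE',
          'Dir'      => 'In',
          'Protocol' => PROTOCOLS.fetch(protocol).to_s,
          'LPort'    => Array(ports).map(&:to_s),
          'Name'     => name)
  end

  # Same version and same set of fields, ignoring field order and the order of
  # repeated values. Treating order as insignificant is an assumption of this
  # example; use it as the "already present?" test before writing a value.
  def self.equivalent?(a, b)
    va, fa = parse(a)
    vb, fb = parse(b)
    va == vb && normalize(fa) == normalize(fb)
  end

  def self.normalize(fields)
    fields.transform_values { |v| Array(v).sort }
  end
end

# The two rule strings posted in the thread (Nan's SQL rule, Adam's PopstarEdge rule).
SQL_RULE  = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1433|Name=SQL|'.freeze
EDGE_RULE = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|'.freeze

if __FILE__ == $PROGRAM_NAME
  p FirewallRuleString.parse(EDGE_RULE)
  puts FirewallRuleString.allow_inbound('PopstarEdge', 'TCP', [8080, 443])
end
```

The parser deliberately raises on a field without "=" rather than skipping it, so a malformed value written by hand (or by a buggy template) is caught before it is compared against or written to the registry. Note that the example only handles the string format; it says nothing about the value-name problem Nan raised, and Nan's later report about Windows 2008r2 still applies to rules written this way.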

Nan Liu

Mar 7, 2013, 9:52:17 PM
to puppet...@googlegroups.com
The registry keys for enabling are helpful, but Windows 2008r2 is not happy with registry-added firewall rules (see attached). I'm guessing they function, but don't work correctly in the UI. I suppose netsh advfirewall is the way to go.

Thanks,

Nan 
[Attachments: Screen Shot 2013-03-07 at 6.46.43 PM.png, Screen Shot 2013-03-07 at 6.47.57 PM.png]

phundisk

Mar 12, 2013, 9:29:51 AM
to puppet...@googlegroups.com
Does anyone know of this provider?  If not I can start to make one with netsh, but it will probably take me a while.
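James's execs at the top of the thread and a netsh-based provider like the one phundisk is considering both hinge on the same two questions: does a rule with this name exist, and is it enabled? netsh only answers them through its text output, so the Ruby below, an added example that is not code from the thread, parses the output of `netsh advfirewall firewall show rule name=all` into one hash per rule and uses that to decide which command (if any) is still needed, which is what keeps a puppet run quiet once the rule is in the desired state. The sample output is constructed in the layout netsh prints on an English-locale system; the rule names and ports are made up, and the `plan` helper and its `port:`/`enabled:` parameters are this example's own.

```ruby
# Added example (not code from the thread). Parses the output of
#   netsh advfirewall firewall show rule name=all
# into one Hash per rule and answers the two questions an idempotent exec
# (or a netsh-backed Puppet provider) has to ask: does the rule exist, and is
# it enabled? The sample below is constructed in the layout netsh prints on an
# English-locale system; rule names and ports are made up for the example.
SAMPLE_NETSH_OUTPUT = <<~'OUT'

  Rule Name:                            Check_MK
  ----------------------------------------------------------------------
  Enabled:                              No
  Direction:                            In
  Profiles:                             Domain,Private,Public
  Grouping:
  LocalIP:                              Any
  RemoteIP:                             Any
  Protocol:                             TCP
  LocalPort:                            6556
  RemotePort:                           Any
  Edge traversal:                       No
  Action:                               Allow

  Rule Name:                            SQL
  ----------------------------------------------------------------------
  Enabled:                              Yes
  Direction:                            In
  Profiles:                             Domain
  Grouping:
  LocalIP:                              Any
  RemoteIP:                             Any
  Protocol:                             TCP
  LocalPort:                            1433
  RemotePort:                           Any
  Edge traversal:                       No
  Action:                               Allow
  Ok.
OUT

module NetshFirewall
  # What netsh prints (with a non-zero exit code) when a name filter matches
  # nothing; that exit code is what makes James's `unless` exec work.
  NO_MATCH = 'No rules match the specified criteria.'.freeze

  # One Hash per "Rule Name:" block, keyed by the field label as printed.
  # Separator lines, blank lines and the trailing "Ok." are skipped; a field
  # with no value (Grouping:) is kept as an empty string.
  def self.parse_rules(text)
    return [] if text.include?(NO_MATCH)
    rules = []
    current = nil
    text.each_line do |raw|
      line = raw.rstrip
      next if line.empty? || line.start_with?('-') || line == 'Ok.'
      key, value = line.split(':', 2) # split on the first colon only
      next if value.nil?
      key = key.strip
      value = value.strip
      if key == 'Rule Name'
        current = {}
        rules << current
      end
      current[key] = value unless current.nil?
    end
    rules
  end

  def self.find(text, name)
    parse_rules(text).find { |r| r['Rule Name'] == name }
  end

  def self.exists?(text, name)
    !find(text, name).nil?
  end

  def self.enabled?(text, name)
    rule = find(text, name)
    !rule.nil? && rule['Enabled'] == 'Yes'
  end

  # The single netsh command needed to reach the desired state, or nil when
  # the rule is already as wanted (so a Puppet run changes nothing).
  def self.plan(text, name, port:, enabled: true)
    flag = enabled ? 'yes' : 'no'
    rule = find(text, name)
    if rule.nil?
      return %(netsh advfirewall firewall add rule name="#{name}" dir=in action=allow protocol=TCP localport=#{port} enable=#{flag})
    end
    return nil if rule['Enabled'] == (enabled ? 'Yes' : 'No')
    %(netsh advfirewall firewall set rule name="#{name}" new enable=#{flag})
  end
end

if __FILE__ == $PROGRAM_NAME
  p NetshFirewall.plan(SAMPLE_NETSH_OUTPUT, 'Check_MK', port: 6556)
  p NetshFirewall.plan(SAMPLE_NETSH_OUTPUT, 'SQL', port: 1433)
end
```

Two caveats a provider built this way has to live with: netsh's labels and its Yes/No values are localized, so the parser above only works on systems whose netsh speaks English, and `show rule name=...` returns every rule with that name, since Windows does not require rule names to be unique. Both are reasons to prefer the firewall COM API that Paul recommends later in the thread.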

Paul Tötterman

Mar 12, 2013, 10:40:31 AM
to puppet...@googlegroups.com
> Does anyone know of this provider?  If not I can start to make one with netsh but it will probably take me a while

I really suggest you do it via the proper firewall COM API, e.g. with PowerShell: http://stackoverflow.com/questions/11956291/how-can-i-add-a-widows-firewall-rule-with-a-custom-group-name . netsh doesn't expose the whole firewall API.

Cheers,
Paul 

Alex Farhadi

Mar 12, 2013, 10:44:49 AM
to puppet...@googlegroups.com
Excellent, thank you for the link.
