Hey David
Below are some examples. Note these are used on embedded Windows 7 (6.1.7601) and I've never tested them on servers (we run mostly Linux servers). I also have examples for XP (5.1.2600) if you want; it's a lot different.
The first 6 are just for enabling the firewall and allowing exceptions. Obviously you may not want to enable the non-domain profiles.
# Enable firewall
# Note: In Windows 7, it seems the GUI doesn't reflect enabling/disabling the firewall in the registry until a reboot.
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

# Allow exceptions
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

Here's an example for opening a port:
# enable Edge
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
  ensure => present,
  type   => 'string',
  data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
}

Some other examples:
# enable public ping
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
  ensure => present,
  type   => 'string',
  data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
}

# disable Remote Assistance
# Note: when you set this in Advanced System Settings it also changes a bunch of firewall rules that we aren't doing yet
registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

hth,
Adam
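
Added example, not part of Adam's message: a small Python auditor for the pipe-delimited rule strings written under FirewallRules above, useful for reviewing what a manifest will actually open before it is applied. The function names and the ExampleScoped rule are constructed for illustration, and the findings assume that an omitted Profile, RA4/RA6 or LPort field places no restriction.

```python
# Added example: parse and audit FirewallRules registry strings.
from collections import defaultdict

def parse_rule(data):
    """Return (version, {key: [values]}); keys such as LPort may repeat."""
    tokens = [t for t in data.split('|') if t]
    if not tokens or not tokens[0].startswith('v'):
        raise ValueError('missing version token: %r' % data)
    fields = defaultdict(list)
    for token in tokens[1:]:
        key, sep, value = token.partition('=')
        if not sep or not key:
            raise ValueError('malformed field %r' % token)
        fields[key].append(value)
    return tokens[0], dict(fields)

def audit_rule(data):
    """Return findings for one rule string; an empty list means nothing flagged."""
    _, f = parse_rule(data)
    findings = ['missing %s' % k for k in ('Action', 'Dir', 'Name') if k not in f]
    active = f.get('Active', [''])[0].upper() == 'TRUE'
    if active and f.get('Action') == ['Allow'] and f.get('Dir') == ['In']:
        # Assumption: an omitted Profile, RA4/RA6 or LPort field means "any".
        if 'Profile' not in f:
            findings.append('no Profile: rule applies to every profile')
        if 'RA4' not in f and 'RA6' not in f:
            findings.append('no RA4/RA6: any remote address')
        if f.get('Protocol') in (['6'], ['17']) and 'LPort' not in f and 'App' not in f:
            findings.append('no LPort or App: every port for this protocol')
    return findings

# First two strings are the ones in the message above; the third is constructed.
RULES = {
    'PopstarEdge': 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
    'PopstarPing': 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
    'ExampleScoped': 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=443|RA4=LocalSubnet|Name=ExampleScoped|',
}

def audit_all(rules=RULES):
    """Audit every rule string and return {rule name: findings}."""
    return {name: audit_rule(data) for name, data in rules.items()}

if __name__ == '__main__':
    for name, findings in audit_all().items():
        print(name, findings or 'ok')
```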