Hey David

Below are some examples. Note these are used on embedded Windows 7 
(6.1.7601) and I've never tested them on servers (we run mostly Linux 
servers). I also have examples for XP (5.1.2600) if you want, it's a lot 
different.

The first 6 are just for enabling the firewall and allowing exceptions. 
Obviously you may not want to enable the non-domain profiles.

  # Enable firewall
  # Note: In Windows 7, it seems the GUI doesn't reflect enabling/disabling
  # the firewall in the registry until a reboot.
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  }

  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  }

  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
    ensure => present,
    type   => 'dword',
    data   => '1',
  }

  # Allow exceptions
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  }

  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  }

  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
    ensure => present,
    type   => 'dword',
    data   => '0',
  }

Here's an example for opening a port:

  # enable Edge
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
    ensure => present,
    type   => 'string',
    data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
  }

Some other examples

  # enable public ping
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
    ensure => present,
    type   => 'string',
    data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
  }

  # disable Remote Assistant
  # Note: when you set this in Advanced System Settings it also changes a
  # bunch of firewall rules that we aren't doing yet
  registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp':
    ensure => present,
    type   => 'dword',
    data   => '0',
  }

hth,

Adam

On Tuesday, March 5, 2013 8:36:15 AM UTC-6, david....@struq.com wrote:
>
> Hi Adam,
>  
> I would be interested in seeing an example of a firewall config managed by 
> the registry module. Is that possible?
>  
> Thanks,
> David.
>
> On Friday, February 15, 2013 5:13:04 AM UTC, ad wrote:
>
>> Hey Jim,
>>
>> As someone who generally hates using execs unless I absolutely have to, I 
>> would recommend using the Puppet Labs registry module. I can dig out some 
>> examples tomorrow if you like.
>>
>> Adam
>>
>> On Thursday, February 14, 2013 9:29:52 AM UTC-6, jim wrote:
>>>
>>> Hello all,
>>>
>>> I'm currently running 2.7.19 (Puppet Enterprise 2.7.0)
>>>
>>> I want to use puppet to add / amend or delete windows firewall rules, is 
>>> there a tidy way of doing this ????
>>>
>>> exec { "Check_MK_Firewall_Rule_create":
>>> command => 'C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Check_MK" dir=in action=allow protocol=TCP localport=6556',
>>> unless => 'C:\Windows\System32\netsh.exe advfirewall firewall show rule name="Check_MK"',
>>> }
>>>
>>> ## If I remove the unless statement, it will keep adding the same rule over
>>> ## and over again, which will make the firewall rule list un-manageable
>>>
>>>
>>> exec { "Check_MK_Firewall_Rule_enable":
>>> command => 'C:\Windows\System32\netsh.exe advfirewall firewall set rule name="Check_MK" new enable=Yes',
>>> }
>>>
>>> ## When I do a puppet run it keeps running this, is there a way to only
>>> ## run if disabled ???
>>>
>>> Hope this makes sense
>>>
>>> regards
>>>
>>> James
>>>
>>>
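
An added example, not part of the original messages or of the registry module: a small Python check that parses the `v2.10|Key=Value|...|` rule strings used in the FirewallRules values above and reports which inbound protocol/port pairs they open, so a manifest can be compared against an approved list before it is applied. The function names and the third sample rule are constructed here, and the code assumes that a rule with no Protocol or LPort field places no restriction on that field.

```python
from collections import defaultdict

PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA protocol numbers

# The first two strings are the rule data from the message above; the third
# is constructed here to show a rule with no protocol or port restriction.
SAMPLE_RULES = {
    "PopstarEdge": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
                   "LPort=8080|LPort=443|Name=PopstarEdge|",
    "PopstarPing": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|"
                   "ICMP4=8:*|Name=PopstarPing|",
    "ExampleWideOpen": "v2.10|Action=Allow|Active=TRUE|Dir=In|Name=ExampleWideOpen|",
}

def parse_rule(data):
    """Split 'vX.Y|Key=Value|...|' into (version, fields).

    Keys may repeat (LPort above), so every field maps to a list of values.
    """
    version, *tokens = data.split("|")
    if not version.startswith("v"):
        raise ValueError("missing version prefix: %r" % data)
    fields = defaultdict(list)
    for token in tokens:
        if not token:          # empty piece after the trailing '|'
            continue
        key, sep, value = token.partition("=")
        if not key or not sep:
            raise ValueError("malformed field: %r" % token)
        fields[key].append(value)
    return version, dict(fields)

def inbound_exposure(data):
    """Return the (protocol, port) pairs an active inbound allow rule opens.

    '*' marks a field the rule does not restrict (assumption: an absent field
    means "any"); for ICMP the type:code value stands in for the port.
    """
    _, f = parse_rule(data)
    first = lambda key: f.get(key, [""])[0].lower()
    if (first("Action"), first("Active"), first("Dir")) != ("allow", "true", "in"):
        return set()
    protos = [PROTOCOLS.get(p, p) for p in f.get("Protocol", ["*"])]
    ports = f.get("LPort") or f.get("ICMP4") or ["*"]
    return {(proto, port) for proto in protos for port in ports}

def unapproved(rules, approved):
    """Map each rule name to the exposures missing from the approved set."""
    report = {name: sorted(inbound_exposure(data) - approved)
              for name, data in rules.items()}
    return {name: extra for name, extra in report.items() if extra}
```

Calling `unapproved(SAMPLE_RULES, approved)` with the set of pairs you intend to expose returns only the rules that open something else.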
