On Thu, Mar 7, 2013 at 5:50 PM, ad <adam.denn...@gmail.com> wrote:

> Hey David
>
> Below are some examples. Note these are used on embedded Windows 7
> (6.1.7601) and I've never tested them on servers (we run mostly Linux
> servers). I also have examples for XP (5.1.2600) if you want, it's a lot
> different.
>
> The first 6 are just for enabling the firewall and allowing exceptions.
> Obviously you may not want to enable the non-domain profiles.
>
>   # Enable firewall
>   # Note: In Windows 7, it seems the GUI doesn't reflect enabling/disabling
>   # the firewall in the registry until a reboot.
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
>     ensure => present,
>     type   => 'dword',
>     data   => '1',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
>     ensure => present,
>     type   => 'dword',
>     data   => '1',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
>     ensure => present,
>     type   => 'dword',
>     data   => '1',
>   }
>
>   # Allow exceptions
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
>     ensure => present,
>     type   => 'dword',
>     data   => '0',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
>     ensure => present,
>     type   => 'dword',
>     data   => '0',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
>     ensure => present,
>     type   => 'dword',
>     data   => '0',
>   }
>
> Here's an example for opening a port:
>
>   # enable Edge
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
>     ensure => present,
>     type   => 'string',
>     data   =>
> 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
>   }
>
> Some other examples
>
>   # enable public ping
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
>     ensure => present,
>     type   => 'string',
>     data   =>
> 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
>   }
>
>   # disable Remote Assistant
>   # Note: when you set this in Advanced System Settings it also changes a
>   # bunch of firewall rules that we aren't doing yet
>   registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp':
>     ensure  => present,
>     type    => 'dword',
>     data    => '0',
>   }
>

The registry keys for enabling are helpful, but Windows 2008r2 is not happy
with registry-added firewall rules (see attached). I'm guessing they
function, but don't work correctly in the UI. I suppose netsh advfirewall
is the way to go.

Thanks,

Nan



<<attachment: Screen Shot 2013-03-07 at 6.46.43 PM.png>>

<<attachment: Screen Shot 2013-03-07 at 6.47.57 PM.png>>
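
Added example (not from the thread, and not Puppet or Microsoft code): the FirewallRules values quoted above pack a whole rule into one pipe-delimited string, so a typo is easy to miss when reviewing a manifest. This Python script decodes such strings into a one-line summary; the grammar (version prefix, Key=Value fields, trailing '|', repeatable LPort/ICMP4) and the list of required fields are assumptions inferred only from the two strings in the post.

```python
"""Decode firewall rule strings of the form shown in the thread (added example)."""

# IANA protocol numbers: 1 and 6 appear in the thread; 17 (UDP) is added here.
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}
# Keys allowed to repeat within one rule (LPort repeats in the post; assumption).
MULTI = {"LPort", "ICMP4"}
# Fields present in both posted rules, treated here as mandatory (assumption).
REQUIRED = ("Action", "Active", "Dir", "Name")


def parse_rule(data):
    """Split 'v2.10|Key=Value|...|' into (version, {key: value or [values]})."""
    parts = data.split("|")
    version, fields = parts[0], {}
    if not version.startswith("v"):
        raise ValueError("missing version prefix: %r" % version)
    if parts[-1] != "":
        raise ValueError("rule string must end with '|'")
    for token in parts[1:-1]:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed field: %r" % token)
        if key in MULTI:
            fields.setdefault(key, []).append(value)
        elif key in fields:
            raise ValueError("duplicate field: %s" % key)
        else:
            fields[key] = value
    return version, fields


def summarize(value_name, data):
    """Return a one-line description of a rule, or raise ValueError."""
    _, f = parse_rule(data)
    for required in REQUIRED:
        if required not in f:
            raise ValueError("%s: missing %s" % (value_name, required))
    proto = PROTOCOLS.get(f.get("Protocol"), f.get("Protocol", "any"))
    ports = ",".join(f.get("LPort", [])) or "-"
    state = "enabled" if f["Active"].upper() == "TRUE" else "disabled"
    return "%s: %s %s %s ports=%s (%s)" % (
        value_name, f["Action"].lower(), f["Dir"].lower(), proto, ports, state)


# The two rule strings from the post, keyed by registry value name.
RULES = {
    "PopstarEdge": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|",
    "PopstarPing": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|",
}

if __name__ == "__main__":
    for name, data in sorted(RULES.items()):
        print(summarize(name, data))
```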
