[18807] win_firewall_rule module uses HNetCfg.FwPolicy2 COM Object (#27381)

* #18807 win_firewall_rule uses HNetCfg.FwPolicy2 COM object

* Added missing tests

* Added support for InterfaceTypes property

* Added support for EdgeTraversalOptions property

* Added SecureFlags property

* Port ranges are not possible in W2K8

* Added windows version checks

* Fixed doc: removed 'force' option and all notes

* Fixed copirights and docs
This commit is contained in:
Artem Zinenko 2017-08-29 23:18:03 +03:00 committed by Jordan Borean
parent 38a5033b48
commit 06fadefbdc
3 changed files with 414 additions and 522 deletions

View file

@ -1,273 +1,164 @@
#!powershell #!powershell
# # Copyright (c) 2017 Artem Zinenko <zinenkoartem@gmail.com>
# (c) 2014, Timothy Vandenbrande <timothy.vandenbrande@gmail.com> # Copyright (c) 2014 Timothy Vandenbrande <timothy.vandenbrande@gmail.com>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
# WANT_JSON # WANT_JSON
# POWERSHELL_COMMON # POWERSHELL_COMMON
# TODO: Reimplement this using Powershell cmdlets function Parse-ProtocolType {
param($protocol)
$protocolNumber = $protocol -as [int]
if ($protocolNumber -is [int]) {
return $protocolNumber
}
switch -wildcard ($protocol) {
"tcp" { return [System.Net.Sockets.ProtocolType]::Tcp -as [int] }
"udp" { return [System.Net.Sockets.ProtocolType]::Udp -as [int] }
"icmpv4*" { return [System.Net.Sockets.ProtocolType]::Icmp -as [int] }
"icmpv6*" { return [System.Net.Sockets.ProtocolType]::IcmpV6 -as [int] }
default { throw "Unknown protocol '$protocol'." }
}
}
# See 'Direction' constants here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364724(v=vs.85).aspx
function Parse-Direction {
param($directionStr)
switch ($directionStr) {
"in" { return 1 }
"out" { return 2 }
default { throw "Unknown direction '$directionStr'." }
}
}
# See 'Action' constants here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364724(v=vs.85).aspx
function Parse-Action {
param($actionStr)
switch ($actionStr) {
"block" { return 0 }
"allow" { return 1 }
default { throw "Unknown action '$actionStr'." }
}
}
# Profile enum values: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366303(v=vs.85).aspx
function Parse-Profiles
{
param($profilesStr)
$profiles = ($profilesStr.Split(',') | Select -uniq | ForEach {
switch ($_) {
"domain" { return 1 }
"private" { return 2 }
"public" { return 4 }
default { throw "Unknown profile '$_'." }
}
} | Measure-Object -Sum).Sum
if ($profiles -eq 7) { return 0x7fffffff }
return $profiles
}
function Parse-InterfaceTypes
{
param($interfaceTypesStr)
return ($interfaceTypesStr.Split(',') | Select -uniq | ForEach {
switch ($_) {
"wireless" { return "Wireless" }
"lan" { return "Lan" }
"ras" { return "RemoteAccess" }
default { throw "Unknown interface type '$_'." }
}
}) -Join ","
}
function Parse-EdgeTraversalOptions
{
param($edgeTraversalOptionsStr)
switch ($edgeTraversalOptionsStr) {
"yes" { return 1 }
"deferapp" { return 2 }
"deferuser" { return 3 }
default { throw "Unknown edge traversal options '$edgeTraversalOptionsStr'." }
}
}
function Parse-SecureFlags
{
param($secureFlagsStr)
switch ($secureFlagsStr) {
"authnoencap" { return 1 }
"authenticate" { return 2 }
"authdynenc" { return 3 }
"authenc" { return 4 }
default { throw "Unknown secure flags '$secureFlagsStr'." }
}
}
function New-FWRule
{
param (
[string]$name,
[string]$description,
[string]$applicationName,
[string]$serviceName,
[string]$protocol,
[string]$localPorts,
[string]$remotePorts,
[string]$localAddresses,
[string]$remoteAddresses,
[string]$direction,
[string]$action,
[bool]$enabled,
[string]$profiles,
[string]$interfaceTypes,
[string]$edgeTraversalOptions,
[string]$secureFlags
)
# INetFwRule interface description: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365344(v=vs.85).aspx
$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name = $name
$rule.Enabled = $enabled
if ($description) { $rule.Description = $description }
if ($applicationName) { $rule.ApplicationName = $applicationName }
if ($serviceName) { $rule.ServiceName = $serviceName }
if ($protocol -and $protocol -ne "any") { $rule.Protocol = Parse-ProtocolType -protocol $protocol }
if ($localPorts -and $localPorts -ne "any") { $rule.LocalPorts = $localPorts }
if ($remotePorts -and $remotePorts -ne "any") { $rule.RemotePorts = $remotePorts }
if ($localAddresses -and $localAddresses -ne "any") { $rule.LocalAddresses = $localAddresses }
if ($remoteAddresses -and $remoteAddresses -ne "any") { $rule.RemoteAddresses = $remoteAddresses }
if ($direction) { $rule.Direction = Parse-Direction -directionStr $direction }
if ($action) { $rule.Action = Parse-Action -actionStr $action }
if ($profiles) { $rule.Profiles = Parse-Profiles -profilesStr $profiles }
if ($interfaceTypes -and $interfaceTypes -ne "any") { $rule.InterfaceTypes = Parse-InterfaceTypes -interfaceTypesStr $interfaceTypes }
if ($edgeTraversalOptions -and $edgeTraversalOptions -ne "no") {
# EdgeTraversalOptions property exists only from Windows 7/Windows Server 2008 R2: https://msdn.microsoft.com/en-us/library/windows/desktop/dd607256(v=vs.85).aspx
if ($rule | Get-Member -Name 'EdgeTraversalOptions') {
$rule.EdgeTraversalOptions = Parse-EdgeTraversalOptions -edgeTraversalOptionsStr $edgeTraversalOptions
}
}
if ($secureFlags -and $secureFlags -ne "notrequired") {
# SecureFlags property exists only from Windows 8/Windows Server 2012: https://msdn.microsoft.com/en-us/library/windows/desktop/hh447465(v=vs.85).aspx
if ($rule | Get-Member -Name 'SecureFlags') {
$rule.SecureFlags = Parse-SecureFlags -secureFlagsStr $secureFlags
}
}
return $rule
}
$ErrorActionPreference = "Stop" $ErrorActionPreference = "Stop"
function convertToNetmask($maskLength) {
[IPAddress] $ip = 0
$ip.Address = ([UInt32]::MaxValue) -shl (32 - $maskLength) -shr (32 - $maskLength)
return $ip.IPAddressToString
}
function ConvertTo-TitleCase($string) {
return (Get-Culture).TextInfo.ToTitleCase($string.ToLower())
}
function ConvertTo-SortedKV($object, $unsupported = @()) {
$output = ""
foreach($item in $object.GetEnumerator() | Sort -Property Name) {
if (($item.Name -notin $unsupported) -and ($item.Value -ne $null)) {
$output += "$($item.Name): $($item.Value)`n"
}
}
return $output
}
function preprocessAndCompare($key, $outputValue, $fwsettingValue) {
if ($key -eq 'RemoteIP') {
if ($outputValue -eq $fwsettingValue) {
return $true
}
if ($outputValue -eq $fwsettingValue+'-'+$fwsettingValue) {
return $true
}
if (($outputValue -eq $fwsettingValue+'/32') -or ($outputValue -eq $fwsettingValue+'/255.255.255.255')) {
return $true
}
if ($outputValue -match '^([\d\.]+)\/(\d+)$') {
$netmask = convertToNetmask($Matches[2])
if ($fwsettingValue -eq $Matches[1]+"/"+$netmask) {
return $true
}
}
if ($fwsettingValue -match '^([\d\.]+)\/(\d+)$') {
$netmask = convertToNetmask($Matches[2])
if ($outputValue -eq $Matches[1]+"/"+$netmask) {
return $true
}
}
}
return $false
}
function getFirewallRule ($fwsettings) {
$diff = $false
$result = @{ $result = @{
changed = $false changed = $false
identical = $false
exists = $false
failed = $false
msg = @()
multiple = $false
}
try {
$command = "netsh advfirewall firewall show rule name=`"$($fwsettings.'Rule Name')`" verbose"
#$output = Get-NetFirewallRule -name $($fwsettings.'Rule Name')
$result.output = Invoke-Expression $command | Where { $_ }
$rc = $LASTEXITCODE
if ($rc -eq 1) {
$result.msg += @("No rule '$name' could be found")
} elseif ($rc -eq 0) {
# Process command output
$result.output | Where {$_ -match '^([^:]+):\s*(\S.*)$'} | ForEach -Begin {
$FirstRun = $true
$HashProps = @{}
} -Process {
if (($Matches[1] -eq 'Rule Name') -and (-not $FirstRun)) {
$output = $HashProps
$HashProps = @{}
}
$HashProps.$($Matches[1]) = $Matches[2]
$FirstRun = $false
} -End {
$output = $HashProps
}
if ($($output|measure).count -gt 0) {
$diff = $false
$result.exists = $true
#$result.msg += @("The rule '$($fwsettings.'Rule Name')' exists.")
if ($($output|measure).count -gt 1) {
$result.multiple = $true
$result.msg += @("The rule '$($fwsettings.'Rule Name')' has multiple entries.")
$result.diff = @{}
$result.diff.after = ConvertTo-SortedKV $fwsettings
$result.diff.before = ConvertTo-SortedKV $rule $unsupported
if ($result.diff.after -ne $result.diff.before ) {
$diff = $true
}
} else {
if ($diff_support) {
$result.diff = @{}
$result.diff.after = ConvertTo-SortedKV $fwsettings
$result.diff.before = ConvertTo-SortedKV $output $unsupported
}
ForEach($fwsetting in $fwsettings.GetEnumerator()) {
if ($output.$($fwsetting.Key) -ne $fwsettings.$($fwsetting.Key)) {
if ((preprocessAndCompare -key $fwsetting.Key -outputValue $output.$($fwsetting.Key) -fwsettingValue $fwsettings.$($fwsetting.Key))) {
Continue
} elseif (($fwsetting.Key -eq 'DisplayName') -and ($output."Rule Name" -eq $fwsettings.$($fwsetting.Key))) {
Continue
} elseif (($fwsetting.Key -eq 'Program') -and ($output.$($fwsetting.Key) -eq (Expand-Environment($fwsettings.$($fwsetting.Key))))) {
# Ignore difference caused by expanded environment variables
Continue
} else {
$diff = $true
Break
}
}
}
}
if (-not $diff) {
$result.identical = $true
}
if ($result.identical) {
$result.msg += @("The rule '$name' exists and is identical")
} else {
$result.msg += @("The rule '$name' exists but has different values")
}
}
} else {
$result.failed = $true
}
} catch [Exception] {
$result.failed = $true
$result.error = $_.Exception.Message
}
return $result
}
function createFireWallRule ($fwsettings) {
$result = @{
changed = $false
failed = $false
msg = @()
}
$command = "netsh advfirewall firewall add rule"
ForEach ($fwsetting in $fwsettings.GetEnumerator()) {
if ($fwsetting.value -ne $null) {
switch($fwsetting.key) {
"Direction" { $option = "dir" }
"Rule Name" { $option = "name" }
"Enabled" { $option = "enable" }
"Profiles" { $option = "profile" }
"InterfaceTypes" { $option = "interfacetype" }
"Security" { $option = "security" }
"Edge traversal" { $option = "edge" }
default { $option = $($fwsetting.key).ToLower() }
}
$command += " $option='$($fwsetting.value)'"
}
}
try {
$rc = 0
if (-not $check_mode) {
$result.output = Invoke-Expression $command | Where { $_ }
$rc = $LASTEXITCODE
}
if ($rc -eq 0) {
if ($diff_support) {
$result.diff = @{}
$result.diff.after = ConvertTo-SortedKV $fwsettings
$result.diff.before= ""
}
$result.changed = $true
$result.msg += @("Created firewall rule '$name'")
} else {
$result.failed = $true
$result.msg += @("Create command '$command' failed with rc=$rc")
}
} catch [Exception]{
$result.error = $_.Exception.Message
$result.failed = $true
$result.msg = @("Failed to create the rule '$name'")
}
return $result
}
function removeFireWallRule ($fwsettings) {
$result = @{
changed = $false
failed = $false
msg = @()
}
$command = "netsh advfirewall firewall delete rule name='$($fwsettings.'Rule Name')'"
try {
$rc = 0
if (-not $check_mode) {
$result.output = Invoke-Expression $command | Where { $_ }
$rc = $LASTEXITCODE
$result.output | Where {$_ -match '^([^:]+):\s*(\S.*)$'} | Foreach -Begin {
$FirstRun = $true
$HashProps = @{}
} -Process {
if (($Matches[1] -eq 'Rule Name') -and (-not $FirstRun)) {
$result.output = $HashProps
$HashProps = @{}
}
$HashProps.$($Matches[1]) = $Matches[2]
$FirstRun = $false
} -End {
$result.output = $HashProps
}
}
if ($rc -eq 0 -or $rc -eq 1) {
if ($diff_support) {
$result.diff = @{}
$result.diff.after = ""
$result.diff.before = ConvertTo-SortedKV $fwsettings
}
$result.changed = $true
$result.msg += @("Removed the rule '$name'")
} else {
$result.failed = $true
$result.msg += @("Remove command '$command' failed with rc=$rc")
}
} catch [Exception]{
$result.error = $_.Exception.Message
$result.failed = $true
$result.msg += @("Failed to remove the rule '$name'")
}
return $result
}
# FIXME: Unsupported keys
#$unsupported = @("Grouping", "Rule source")
$unsupported = @("Rule source")
$result = @{
changed = $false
fwsettings = @{}
msg = @()
} }
$params = Parse-Args $args -supports_check_mode $true $params = Parse-Args $args -supports_check_mode $true
@ -287,167 +178,99 @@ $remoteip = Get-AnsibleParam -obj $params -name "remoteip" -type "str" -default
$localport = Get-AnsibleParam -obj $params -name "localport" -type "str" $localport = Get-AnsibleParam -obj $params -name "localport" -type "str"
$remoteport = Get-AnsibleParam -obj $params -name "remoteport" -type "str" $remoteport = Get-AnsibleParam -obj $params -name "remoteport" -type "str"
$protocol = Get-AnsibleParam -obj $params -name "protocol" -type "str" -default "any" $protocol = Get-AnsibleParam -obj $params -name "protocol" -type "str" -default "any"
$edge = Get-AnsibleParam -obj $params -name "edge" -type "str" -default "no" -validateset "no","yes","deferapp","deferuser"
$interfacetypes = Get-AnsibleParam -obj $params -name "interfacetypes" -type "str" -default "any" $interfacetypes = Get-AnsibleParam -obj $params -name "interfacetypes" -type "str" -default "any"
$security = Get-AnsibleParam -obj $params -name "security" -type "str" -default "notrequired" $edge = Get-AnsibleParam -obj $params -name "edge" -type "str" -default "no" -validateset "no","yes","deferapp","deferuser"
$security = Get-AnsibleParam -obj $params -name "security" -type "str" -default "notrequired" -validateset "notrequired","authnoencap","authenticate","authdynenc","authenc"
$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset "present","absent" $state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset "present","absent"
$force = Get-AnsibleParam -obj $params -name "force" -type "bool" -default $false $force = Get-AnsibleParam -obj $params -name "force" -type "bool" -default $false
# Check the arguments if ($diff_support) {
if ($enabled) { $result.diff = @{}
$result.fwsettings.Add("Enabled", "Yes") $result.diff.prepared = ""
}
try {
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$existingRule = $fw.Rules | Where { $_.Name -eq $name }
if ($existingRule -is [System.Array]) {
Fail-Json $result "Multiple firewall rules with name '$name' found."
}
$rule = New-FWRule -name $name `
-description $description `
-direction $direction `
-action $action `
-applicationName $program `
-serviceName $service `
-enabled $enabled `
-profiles $profiles `
-localAddresses $localip `
-remoteAddresses $remoteip `
-localPorts $localport `
-remotePorts $remoteport `
-protocol $protocol `
-interfaceTypes $interfacetypes `
-edgeTraversalOptions $edge `
-secureFlags $security
$fwPropertiesToCompare = @('Name','Description','Direction','Action','ApplicationName','ServiceName','Enabled','Profiles','LocalAddresses','RemoteAddresses','LocalPorts','RemotePorts','Protocol','InterfaceTypes', 'EdgeTraversalOptions', 'SecureFlags')
if ($state -eq "absent") {
if ($existingRule -eq $null) {
$result.msg = "Firewall rule '$name' does not exist."
} else { } else {
$result.fwsettings.Add("Enabled", "No") if ($diff_support) {
foreach ($prop in $fwPropertiesToCompare) {
$result.diff.prepared += "-[$($prop)='$($existingRule.$prop)']`n"
}
} }
$result.fwsettings.Add("Rule Name", $name) if (-not $check_mode) {
#$result.fwsettings.Add("displayname", $name) $fw.Rules.Remove($existingRule.Name)
if ($state -eq "present") {
$result.fwsettings.Add("Direction", $(ConvertTo-TitleCase($direction)))
$result.fwsettings.Add("Action", $(ConvertTo-TitleCase $action))
} }
if ($description -ne $null) {
$result.fwsettings.Add("Description", $description)
}
if ($program -ne $null) {
$result.fwsettings.Add("Program", $program)
}
$result.fwsettings.Add("LocalIP", $localip)
$result.fwsettings.Add("RemoteIP", $remoteip)
if ($localport -ne $null) {
$result.fwsettings.Add("LocalPort", $localport)
}
if ($remoteport -ne $null) {
$result.fwsettings.Add("RemotePort", $remoteport)
}
if ($service -ne $null) {
$result.fwsettings.Add("Service", $(ConvertTo-TitleCase($service)))
}
if ($protocol -eq "Any") {
$result.fwsettings.Add("Protocol", $protocol)
} else {
$result.fwsettings.Add("Protocol", $protocol.toupper())
}
if ($profiles -eq "Any") {
$result.fwsettings.Add("Profiles", "Domain,Private,Public")
} else {
$result.fwsettings.Add("Profiles", $(ConvertTo-TitleCase($profiles)))
}
$result.fwsettings.Add("Edge traversal", $(ConvertTo-TitleCase($edge)))
if ($interfacetypes -ne $null) {
$result.fwsettings.Add("InterfaceTypes", $(ConvertTo-TitleCase($interfacetypes)))
}
switch($security) {
"Authenticate" { $security = "Authenticate" }
"AuthDynEnc" { $security = "AuthDynEnc" }
"AuthEnc" { $security = "AuthEnc" }
"AuthNoEncap" { $security = "AuthNoEncap" }
"NotRequired" { $security = "NotRequired" }
}
$result.fwsettings.Add("Security", $security)
# FIXME: Define unsupported options
#$result.fwsettings.Add("Grouping", "")
#$result.fwsettings.Add("Rule source", "Local Setting")
$get = getFirewallRule($result.fwsettings)
$result.msg += $get.msg
if ($get.failed) {
$result.error = $get.error
$result.output = $get.output
Fail-Json $result $result.msg
}
$result.diff = $get.diff
if ($state -eq "present") {
if (-not $get.exists) {
$create = createFireWallRule($result.fwsettings)
$result.msg += $create.msg
$result.diff = $create.diff
if ($create.failed) {
$result.error = $create.error
$result.output = $create.output
Fail-Json $result $result.msg
}
$result.changed = $true $result.changed = $true
$result.msg = "Firewall rule '$name' removed."
} elseif (-not $get.identical) { }
# FIXME: This ought to use netsh advfirewall firewall set instead ! } elseif ($state -eq "present") {
if ($force) { if ($existingRule -eq $null) {
if ($diff_support) {
$remove = removeFirewallRule($result.fwsettings) foreach ($prop in $fwPropertiesToCompare) {
# NOTE: We retain the diff output from $get.diff here $result.diff.prepared += "+[$($prop)='$($existingRule.$prop)']`n"
$result.msg += $remove.msg }
if ($remove.failed) {
$result.error = $remove.error
$result.output = $remove.output
Fail-Json $result $result.msg
} }
$create = createFireWallRule($result.fwsettings) if (-not $check_mode) {
# NOTE: We retain the diff output from $get.diff here $fw.Rules.Add($rule)
$result.msg += $create.msg
if ($create.failed) {
$result.error = $create.error
$result.output = $create.output
Fail-Json $result $result.msg
} }
$result.changed = $true $result.changed = $true
$result.msg = "Firewall rule '$name' created."
} else { } else {
foreach ($prop in $fwPropertiesToCompare) {
$result.msg += @("There was already a rule '$name' with different values, use the 'force' parameter to overwrite it") if ($existingRule.$prop -ne $rule.$prop) {
Fail-Json $result $result.msg if ($diff_support) {
$result.diff.prepared += "-[$($prop)='$($existingRule.$prop)']`n"
} $result.diff.prepared += "+[$($prop)='$($rule.$prop)']`n"
} else {
$result.msg += @("Firewall rule '$name' was already created")
} }
} elseif ($state -eq "absent") { if (-not $check_mode) {
$existingRule.$prop = $rule.$prop
if ($get.exists) {
$remove = removeFirewallRule($result.fwsettings)
$result.diff = $remove.diff
$result.msg += $remove.msg
if ($remove.failed) {
$result.error = $remove.error
$result.output = $remove.output
Fail-Json $result $result.msg
} }
$result.changed = $true $result.changed = $true
} else {
$result.msg += @("Firewall rule '$name' did not exist")
} }
} }
if ($result.changed) {
$result.msg = "Firewall rule '$name' changed."
} else {
$result.msg = "Firewall rule '$name' already exists."
}
}
}
} catch [Exception] {
Fail-Json $result $_.Exception.Message
}
Exit-Json $result Exit-Json $result

View file

@ -1,21 +1,7 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2017 Artem Zinenko <zinenkoartem@gmail.com>
# (c) 2014, Timothy Vandenbrande <timothy.vandenbrande@gmail.com> # Copyright (c) 2014 Timothy Vandenbrande <timothy.vandenbrande@gmail.com>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {'metadata_version': '1.1', ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'], 'status': ['preview'],
@ -26,20 +12,22 @@ DOCUMENTATION = r'''
--- ---
module: win_firewall_rule module: win_firewall_rule
version_added: "2.0" version_added: "2.0"
author: Timothy Vandenbrande author:
- Artem Zinenko (@ar7z1)
- Timothy Vandenbrande (@TimothyVandenbrande)
short_description: Windows firewall automation short_description: Windows firewall automation
description: description:
- Allows you to create/remove/update firewall rules - Allows you to create/remove/update firewall rules.
options: options:
enabled: enabled:
description: description:
- Is this firewall rule enabled or disabled - Is this firewall rule enabled or disabled.
type: bool
default: 'yes' default: 'yes'
choices: [ 'no', 'yes' ]
aliases: [ 'enable' ] aliases: [ 'enable' ]
state: state:
description: description:
- Should this rule be added or removed - Should this rule be added or removed.
default: "present" default: "present"
choices: ['present', 'absent'] choices: ['present', 'absent']
name: name:
@ -48,58 +36,46 @@ options:
required: true required: true
direction: direction:
description: description:
- Is this rule for inbound or outbound traffic - Is this rule for inbound or outbound traffic.
required: true required: true
choices: ['in', 'out'] choices: ['in', 'out']
action: action:
description: description:
- What to do with the items this rule is for - What to do with the items this rule is for.
required: true required: true
choices: ['allow', 'block', 'bypass'] choices: ['allow', 'block', 'bypass']
description: description:
description: description:
- Description for the firewall rule - Description for the firewall rule.
localip: localip:
description: description:
- The local ip address this rule applies to - The local ip address this rule applies to.
default: 'any' default: 'any'
remoteip: remoteip:
description: description:
- The remote ip address/range this rule applies to - The remote ip address/range this rule applies to.
default: 'any' default: 'any'
localport: localport:
description: description:
- The local port this rule applies to - The local port this rule applies to.
remoteport: remoteport:
description: description:
- The remote port this rule applies to - The remote port this rule applies to.
program: program:
description: description:
- The program this rule applies to - The program this rule applies to.
service: service:
description: description:
- The service this rule applies to - The service this rule applies to.
protocol: protocol:
description: description:
- The protocol this rule applies to - The protocol this rule applies to.
default: 'any' default: 'any'
profiles: profiles:
description: description:
- The profile this rule applies to - The profile this rule applies to.
default: 'domain,private,public' default: 'domain,private,public'
aliases: [ 'profile' ] aliases: [ 'profile' ]
force:
description:
- Replace any existing rule by removing it first.
default: 'no'
choices: [ 'no', 'yes' ]
notes:
- The implementation uses C(netsh advfirewall) underneath, a pure-Powershell
reimplementation would be more powerful.
- Modifying existing firewall rules is not possible, the module does allow
replacing complete rules based on name, but that works by removing the
existing rule completely, and recreating it with provided information
(when using C(force)).
''' '''
EXAMPLES = r''' EXAMPLES = r'''

View file

@ -2,11 +2,8 @@
win_firewall_rule: win_firewall_rule:
name: http name: http
state: absent state: absent
action: "{{ item }}" action: allow
direction: in direction: in
with_items:
- allow
- block
- name: Add firewall rule - name: Add firewall rule
win_firewall_rule: win_firewall_rule:
@ -82,7 +79,7 @@
direction: in direction: in
protocol: tcp protocol: tcp
- name: Add different firewall rule - name: Change firewall rule
win_firewall_rule: win_firewall_rule:
name: http name: http
enabled: yes enabled: yes
@ -91,31 +88,12 @@
action: block action: block
direction: in direction: in
protocol: tcp protocol: tcp
ignore_errors: yes register: change_firewall_rule
register: add_different_firewall_rule_without_force
- name: Check that creating different firewall rule without enabling force setting fails - name: Check that changing firewall rule succeeds
assert: assert:
that: that:
- add_different_firewall_rule_without_force.failed == true - change_firewall_rule.changed == true
- add_different_firewall_rule_without_force.changed == false
- name: Add different firewall rule with force setting
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: block
direction: in
protocol: tcp
force: yes
register: add_different_firewall_rule_with_force
- name: Check that creating different firewall rule with enabling force setting succeeds
assert:
that:
- add_different_firewall_rule_with_force.changed == true
- name: Add firewall rule when remoteip is range - name: Add firewall rule when remoteip is range
win_firewall_rule: win_firewall_rule:
@ -127,7 +105,6 @@
action: allow action: allow
direction: in direction: in
protocol: tcp protocol: tcp
force: yes
- name: Add same firewall rule when remoteip is range (again) - name: Add same firewall rule when remoteip is range (again)
win_firewall_rule: win_firewall_rule:
@ -156,7 +133,6 @@
action: allow action: allow
direction: in direction: in
protocol: tcp protocol: tcp
force: yes
- name: Add same firewall rule when remoteip in CIDR notation (again) - name: Add same firewall rule when remoteip in CIDR notation (again)
win_firewall_rule: win_firewall_rule:
@ -181,11 +157,10 @@
enabled: yes enabled: yes
state: present state: present
localport: 80 localport: 80
remoteip: 192.168.0.0/255.255.255.0 remoteip: 192.168.1.0/255.255.255.0
action: allow action: allow
direction: in direction: in
protocol: tcp protocol: tcp
force: yes
- name: Add same firewall rule when remoteip contains a netmask (again) - name: Add same firewall rule when remoteip contains a netmask (again)
win_firewall_rule: win_firewall_rule:
@ -193,7 +168,7 @@
enabled: yes enabled: yes
state: present state: present
localport: 80 localport: 80
remoteip: 192.168.0.0/255.255.255.0 remoteip: 192.168.1.0/255.255.255.0
action: allow action: allow
direction: in direction: in
protocol: tcp protocol: tcp
@ -214,7 +189,6 @@
action: allow action: allow
direction: in direction: in
protocol: tcp protocol: tcp
force: yes
- name: Add same firewall rule when remoteip is IPv4 (again) - name: Add same firewall rule when remoteip is IPv4 (again)
win_firewall_rule: win_firewall_rule:
@ -232,3 +206,122 @@
assert: assert:
that: that:
- add_firewall_rule_with_ipv4_remoteip_again.changed == false - add_firewall_rule_with_ipv4_remoteip_again.changed == false
- name: Add firewall rule when remoteip contains a netmask
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.2.0/255.255.255.0
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip in CIDR notation
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.2.0/24
action: allow
direction: in
protocol: tcp
register: add_same_firewall_rule_with_cidr_remoteip
- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask or CIDR
assert:
that:
- add_same_firewall_rule_with_cidr_remoteip.changed == false
- name: Add firewall rule with multiple ports
win_firewall_rule:
name: http
enabled: yes
state: present
localport: '80,81'
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_with_multiple_ports
- name: Check that creating firewall rule with multiple ports succeeds with a change
assert:
that:
- add_firewall_rule_with_multiple_ports.changed == true
- name: Add firewall rule with interface types
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
interfacetypes: 'ras,lan,wireless'
register: add_firewall_rule_with_interface_types
- name: Check that creating firewall rule with interface types succeeds with a change
assert:
that:
- add_firewall_rule_with_interface_types.changed == true
- name: Add firewall rule with interface type 'any'
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
interfacetypes: any
register: add_firewall_rule_with_interface_type_any
- name: Check that creating firewall rule with interface type 'any' succeeds with a change
assert:
that:
- add_firewall_rule_with_interface_type_any.changed == true
- name: Add firewall rule with edge traversal option 'deferapp'
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
edge: deferapp
register: add_firewall_rule_with_edge_traversal
# Setup action creates ansible_distribution_version variable
- action: setup
- name: Check that creating firewall rule with enge traversal option 'deferapp' succeeds with a change
assert:
that:
- add_firewall_rule_with_edge_traversal.changed == true
# Works on windows >= Windows 7/Windows Server 2008 R2
when: ansible_distribution_version | version_compare('6.1', '>=')
- name: Add firewall rule with 'authenticate' secure flag
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
security: authenticate
register: add_firewall_rule_with_secure_flags
- name: Check that creating firewall rule with secure flag 'authenticate' succeeds with a change
assert:
that:
- add_firewall_rule_with_secure_flags.changed == true
# Works on windows >= Windows 8/Windows Server 2012
when: ansible_distribution_version | version_compare('6.2', '>=')