f6ac4361e7
* win_firewall_rule - support ICMP types and codes * Update main.yml * Add more examples and change type to list
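# Integration tasks for win_firewall_rule. Each scenario creates or alters the
# 'http' rule and asserts the change status the module reports.
- name: Remove potentially leftover firewall rule
  win_firewall_rule:
    name: http
    state: absent
    action: allow
    direction: in

- name: Add firewall rule
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule

- name: Check that creating new firewall rule succeeds with a change
  assert:
    that:
      - add_firewall_rule is changed
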
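- name: Add same firewall rule (again)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_again

# Idempotence: re-applying an identical rule must report no change
- name: Check that creating same firewall rule succeeds without a change
  assert:
    that:
      - add_firewall_rule_again is not changed
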
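- name: Remove firewall rule
  win_firewall_rule:
    name: http
    enabled: true
    state: absent
    localport: 80
    action: allow
    direction: in
    protocol: tcp
  register: remove_firewall_rule

- name: Check that removing existing firewall rule succeeds with a change
  assert:
    that:
      - remove_firewall_rule is changed
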
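- name: Remove absent firewall rule
  win_firewall_rule:
    name: http
    enabled: true
    state: absent
    localport: 80
    action: allow
    direction: in
    protocol: tcp
  register: remove_absent_firewall_rule

# Removing a rule that is already gone must be a no-op
- name: Check that removing non existing firewall rule succeeds without a change
  assert:
    that:
      - remove_absent_firewall_rule is not changed
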
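- name: Add firewall rule
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp

# Same rule name, action flipped from allow to block: must be reported as a change
- name: Change firewall rule
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: block
    direction: in
    protocol: tcp
  register: change_firewall_rule

- name: Check that changing firewall rule succeeds
  assert:
    that:
      - change_firewall_rule is changed
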
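# Disabling with only 'name' and 'enabled' set must leave the other rule
# attributes untouched; the values are read back through the HNetCfg COM API.
- name: Disable firewall rule
  win_firewall_rule:
    name: http
    enabled: false

- name: Get the actual values from the changed firewall rule
  win_shell: '(New-Object -ComObject HNetCfg.FwPolicy2).Rules | Where-Object { $_.Name -eq "http" } | Foreach-Object { $_.LocalPorts; $_.Enabled; $_.Action; $_.Direction; $_.Protocol }'
  register: firewall_rule_actual

- name: Ensure that disabling the rule did not change the previous values
  assert:
    that:
      - "firewall_rule_actual.stdout_lines[0] == '80'"  # LocalPorts = 80
      - "firewall_rule_actual.stdout_lines[1] == 'False'"  # Enabled = False
      - "firewall_rule_actual.stdout_lines[2] == '0'"  # Action = block
      - "firewall_rule_actual.stdout_lines[3] == '1'"  # Direction = in
      - "firewall_rule_actual.stdout_lines[4] == '6'"  # Protocol = tcp
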
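# remoteip given as an address range: the second, identical apply must be idempotent
- name: Add firewall rule when remoteip is range
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.1-192.168.0.5
    action: allow
    direction: in
    protocol: tcp

- name: Add same firewall rule when remoteip is range (again)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.1-192.168.0.5
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_with_range_remoteip_again

- name: Check that creating same firewall rule when remoteip is range succeeds without a change
  assert:
    that:
      - add_firewall_rule_with_range_remoteip_again is not changed
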
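# remoteip given in CIDR notation: the second, identical apply must be idempotent
- name: Add firewall rule when remoteip in CIDR notation
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.0/24
    action: allow
    direction: in
    protocol: tcp

- name: Add same firewall rule when remoteip in CIDR notation (again)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.0/24
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_with_cidr_remoteip_again

- name: Check that creating same firewall rule succeeds without a change when remoteip in CIDR notation
  assert:
    that:
      - add_firewall_rule_with_cidr_remoteip_again is not changed
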
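# remoteip given with a dotted netmask: the second, identical apply must be idempotent
- name: Add firewall rule when remoteip contains a netmask
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.1.0/255.255.255.0
    action: allow
    direction: in
    protocol: tcp

- name: Add same firewall rule when remoteip contains a netmask (again)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.1.0/255.255.255.0
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_remoteip_contains_netmask_again

- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask
  assert:
    that:
      - add_firewall_rule_remoteip_contains_netmask_again is not changed
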
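# remoteip given as a single IPv4 host: the second, identical apply must be idempotent
- name: Add firewall rule when remoteip is IPv4
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.1
    action: allow
    direction: in
    protocol: tcp

- name: Add same firewall rule when remoteip is IPv4 (again)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.0.1
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_with_ipv4_remoteip_again

- name: Check that creating same firewall rule when remoteip is IPv4 succeeds without a change
  assert:
    that:
      - add_firewall_rule_with_ipv4_remoteip_again is not changed
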
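# The same subnet written first with a dotted netmask and then in CIDR notation
# must compare as equal, so the second apply reports no change.
- name: Add firewall rule when remoteip contains a netmask (netmask vs CIDR comparison)
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.2.0/255.255.255.0
    action: allow
    direction: in
    protocol: tcp

- name: Add same firewall rule when remoteip in CIDR notation
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    remoteip: 192.168.2.0/24
    action: allow
    direction: in
    protocol: tcp
  register: add_same_firewall_rule_with_cidr_remoteip

- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask or CIDR
  assert:
    that:
      - add_same_firewall_rule_with_cidr_remoteip is not changed
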
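# Comma-separated port list; quoted so YAML keeps it a string
- name: Add firewall rule with multiple ports
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: '80,81'
    action: allow
    direction: in
    protocol: tcp
  register: add_firewall_rule_with_multiple_ports

- name: Check that creating firewall rule with multiple ports succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_multiple_ports is changed
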
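# interfacetypes accepted as a comma-separated string
- name: Add firewall rule with interface types in string format
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    interfacetypes: 'ras,lan,wireless'
  register: add_firewall_rule_with_string_interface_types

- name: Check that creating firewall rule with interface types in string format succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_string_interface_types is changed
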
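# interfacetypes accepted as a YAML list
- name: Add firewall rule with interface types in list format
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    interfacetypes: [ras, lan]
  register: add_firewall_rule_with_list_interface_types

- name: Check that creating firewall rule with interface types in list format succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_list_interface_types is changed
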
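# Resetting interfacetypes to 'any' after the restricted list above must be a change
- name: Add firewall rule with interface type 'any'
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    interfacetypes: any
  register: add_firewall_rule_with_interface_type_any

- name: Check that creating firewall rule with interface type 'any' succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_interface_type_any is changed
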
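# NOTE(review): this add task is not guarded by the version check used on the
# assert below, so on hosts older than 6.1 it may fail before the assert is
# skipped — confirm whether the add should carry the same 'when'.
- name: Add firewall rule with edge traversal option 'deferapp'
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    edge: deferapp
  register: add_firewall_rule_with_edge_traversal

# Setup action creates ansible_distribution_version variable
- name: Gather facts for the version-gated checks that follow
  action: setup

- name: Check that creating firewall rule with edge traversal option 'deferapp' succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_edge_traversal is changed
  # Works on windows >= Windows 7/Windows Server 2008 R2
  when: ansible_distribution_version is version('6.1', '>=')
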
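# 'security: authenticate' requires IPsec-authenticated peers for the rule;
# the assert is gated on the OS version that supports the option.
- name: Add firewall rule with 'authenticate' secure flag
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    security: authenticate
  register: add_firewall_rule_with_secure_flags

- name: Check that creating firewall rule with secure flag 'authenticate' succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_secure_flags is changed
  # Works on windows >= Windows 8/Windows Server 2012
  when: ansible_distribution_version is version('6.2', '>=')
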
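# profiles accepted as a comma-separated string
- name: Add firewall rule with profiles in string format
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    profiles: 'domain,public'
  register: add_firewall_rule_with_string_profiles

- name: Check that creating firewall rule with profiles in string format succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_string_profiles is changed
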
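# Restore all three profiles; registered under its own name rather than
# reusing the register from the string-format task above.
- name: Set firewall rule profile back to 'all'
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    profiles: [Domain, Public, Private]
  register: set_firewall_rule_profiles_all

- name: Check that setting firewall rule profile back to 'all' succeeds with a change
  assert:
    that:
      - set_firewall_rule_profiles_all is changed
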
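# profiles accepted as a YAML list
- name: Add firewall rule with profiles in list format
  win_firewall_rule:
    name: http
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    profiles: [Domain, Private]
  register: add_firewall_rule_with_list_profiles

- name: Check that creating firewall rule with profiles in list format succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_list_profiles is changed
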
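# Test for variable expansion in the path: the program path contains
# %SystemRoot%, and re-applying it must compare equal to the stored rule.
- name: Add rule with path that needs to be expanded
  win_firewall_rule:
    name: VarExpansionTest
    enabled: true
    state: present
    action: allow
    direction: in
    protocol: tcp
    program: '%SystemRoot%\system32\svchost.exe'

- name: Add same rule with path that needs to be expanded
  win_firewall_rule:
    name: VarExpansionTest
    enabled: true
    state: present
    action: allow
    direction: in
    protocol: tcp
    program: '%SystemRoot%\system32\svchost.exe'
  register: add_firewall_rule_with_var_expand_path

- name: Check that creating same firewall rule with expanded vars identified
  assert:
    that:
      - add_firewall_rule_with_var_expand_path is not changed
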
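# A separately named rule assigned to a rule group
- name: Add firewall rule for application group
  win_firewall_rule:
    name: Rule for application group
    enabled: true
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
    group: application
  register: add_firewall_rule_with_group

- name: Check that creating firewall rule for application group succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_group is changed
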
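# Test icmptypecode: ICMPv4 type 8 (echo request) with any code. The value is
# quoted because ':' and '*' are YAML indicators.
# NOTE(review): the 'icmptest', 'VarExpansionTest' and
# 'Rule for application group' rules are not removed in this file — confirm
# that cleanup happens elsewhere so allow rules do not persist on the host.
- name: Add rule with icmptypecode
  win_firewall_rule:
    name: icmptest
    enabled: true
    state: present
    action: allow
    direction: in
    protocol: icmpv4
    icmp_type_code: '8:*'
  register: add_firewall_rule_with_icmptypecode

- name: Check that creating firewall rule with icmptypecode succeeds with a change
  assert:
    that:
      - add_firewall_rule_with_icmptypecode is changed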