Hey David

Below are some examples. Note these are used on embedded Windows 7
(6.1.7601) and I've never tested them on servers (we run mostly Linux
servers). I also have examples for XP (5.1.2600) if you want, it's a lot
different.

The first 6 are just for enabling the firewall and allowing exceptions.
Obviously you may not want to enable the non-domain profiles.

# Enable firewall
# Note: In Windows 7, it seems the GUI doesn't reflect enabling/disabling
# the firewall in the registry until a reboot.
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
  ensure => present,
  type   => 'dword',
  data   => '1',
}

# Allow exceptions
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

Here's an example for opening a port:

# enable Edge
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
  ensure => present,
  type   => 'string',
  data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
}

Some other examples

# enable public ping
registry_value { 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
  ensure => present,
  type   => 'string',
  data   => 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
}

# disable Remote Assistance
# Note: when you set this in Advanced System Settings it also changes a
# bunch of firewall rules that we aren't doing yet
registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp':
  ensure => present,
  type   => 'dword',
  data   => '0',
}

hth,

Adam
On Tuesday, March 5, 2013 8:36:15 AM UTC-6, david....@struq.com wrote:

Hi Adam,

I would be interested in seeing an example of a firewall config managed by
the registry module. Is that possible?

Thanks,
David.
On Friday, February 15, 2013 5:13:04 AM UTC, ad wrote:

Hey Jim,

As someone who generally hates using execs unless I absolutely have to, I
would recommend using the Puppet Labs registry module. I can dig out some
examples tomorrow if you like.

Adam
On Thursday, February 14, 2013 9:29:52 AM UTC-6, jim wrote:

Hello all,

I'm currently running 2.7.19 (Puppet Enterprise 2.7.0)

I want to use puppet to add / amend or delete windows firewall rules, is
there a tidy way of doing this ????

exec { "Check_MK_Firewall_Rule_create":
  command => 'C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Check_MK" dir=in action=allow protocol=TCP localport=6556',
  unless  => 'C:\Windows\System32\netsh.exe advfirewall firewall show rule name="Check_MK"',
}

## If I remove the unless statement, it will keep adding the same rule over
## and over again, which will make the firewall rule list un-manageable


exec { "Check_MK_Firewall_Rule_enable":
  command => 'C:\Windows\System32\netsh.exe advfirewall firewall set rule name="Check_MK" new enable=Yes',
}

## When I do a puppet run it keeps running this, is there a way to only
## run if disabled ???

Hope this makes sense

regards

James
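
The FirewallRules values in the manifests above are pipe-delimited key=value strings, so they can be parsed and audited before being pushed to hosts. The following is an added example, not code from the thread or from the registry module: the function names are hypothetical, and RA4, RA6 and Profile are field names from the Windows rule-string format that do not appear in the thread.

```python
# Added example, not from the thread: parse and audit FirewallRules value data.
# Rule strings copied from the manifests in the thread.
PAGE_RULES = {
    "PopstarEdge": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
                   "LPort=8080|LPort=443|Name=PopstarEdge|",
    "PopstarPing": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|"
                   "ICMP4=8:*|Name=PopstarPing|",
}

def parse_rule(data):
    """Return (version, fields). Each field maps to a list of values,
    because a key such as LPort can appear more than once."""
    if not data.endswith("|"):
        raise ValueError("rule string must end with '|'")
    version, *tokens = data[:-1].split("|")
    if not version.startswith("v"):
        raise ValueError("missing version prefix: %r" % version)
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed token: %r" % token)
        fields.setdefault(key, []).append(value)
    return version, fields

def audit_rule(data):
    """List the ways an active inbound allow rule is left unscoped.
    Assumption: a missing RA4/RA6 or Profile field means 'any'."""
    _, fields = parse_rule(data)
    def first(key):
        return fields.get(key, [""])[0].lower()
    if (first("Action"), first("Active"), first("Dir")) != ("allow", "true", "in"):
        return []
    findings = []
    if "RA4" not in fields and "RA6" not in fields:
        findings.append("any remote address")
    if "Profile" not in fields:
        findings.append("all profiles")
    if first("Protocol") in ("6", "17") and "LPort" not in fields:
        findings.append("all local ports")
    return findings

if __name__ == "__main__":
    for name, data in PAGE_RULES.items():
        print(name, parse_rule(data)[1], audit_rule(data))
```

Both rules from the thread are reported as open to any remote address on all profiles, which matches the earlier remark that you may not want the non-domain profiles enabled.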
Discussion Overview
group: puppet-users
categories: puppet
posted: Feb 14, '13 at 3:29p
active: Mar 12, '13 at 2:44p
posts: 12
users: 7
website: puppetlabs.com
