windows: set up firewall

roles/windows/tasks/firewall.yml

@@ -0,0 +1,47 @@
+- name: Disable some builtin rules
+  win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
+  changed_when: false # no way to tell
+  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
+    - "AllJoyn Router"
+    - "File and Printer Sharing"
+    - "mDNS"
+    - "OpenSSH Server"
+    - "Secure World Wide Web Services (HTTPS)"
+    - "Secure World Wide Web Services (QUIC)"
+    - "Windows Remote Management"
+    - "World Wide Web Services (HTTP)"
+
+- name: Allow ICMP
+  win_firewall_rule:
+    name: Allow incoming ICMP
+    action: allow
+    enabled: true
+    direction: in
+    protocol: icmpv4
+    icmp_type_code:
+      - '0:*' # echo reply
+      - '3:*' # destination unreachable
+      - '8:*' # echo request
+      - '11:*' # time exceeded
+      - '12:*' # parameter problem
+
+- name: Allow ICMPv6
+  win_firewall_rule:
+    name: Allow incoming ICMPv6
+    action: allow
+    enabled: true
+    direction: in
+    protocol: icmpv6
+    icmp_type_code:
+      - '1:*' # destination unreachable
+      - '2:*' # packet too big
+      - '3:*' # time exceeded
+      - '4:*' # parameter problem
+      - '128:*' # echo request
+      - '129:*' # echo reply
+
+- include_tasks: firewall_rule.yml
+  loop: "{{ services }}"
+  loop_control:
+    label: "{{ service.name }}"
+    loop_var: service

roles/windows/tasks/firewall_rule.yml

@@ -0,0 +1,14 @@
+- name: Allow service
+  win_firewall_rule:
+    name: "Allow incoming {{ service.name }} for {{ remoteip }}"
+    group: "{{ service.name }}"
+    action: allow
+    enabled: true
+    direction: in
+    protocol: "{{ service.protocol.value }}"
+    localport: "{{ service.ports | join(',') }}"
+    remoteip: "{{ remoteip }}"
+  loop: "{{ service | allowed_prefixes | default(['any'], true) }}"
+  loop_control:
+    label: "{{ remoteip }}"
+    loop_var: remoteip

roles/windows/tasks/interface_address.yml

@@ -7,7 +7,8 @@
   changed_when: "not result.stderr or 'Instance MSFT_NetIPAddress already exists' not in result.stderr"
   failed_when: false
 
-- set_fact:
+- name: Get gateway for prefix
+  set_fact:
     prefix: "{{ prefixes | selectattr('prefix', '==', address.address|ipaddr('subnet')) | first }}"
 
 - name: Set gateway

roles/windows/tasks/main.yml

@@ -1,9 +1,13 @@
-- include_tasks: interface.yml
+- name: Set up interfaces
+  include_tasks: interface.yml
   loop: "{{ interfaces }}"
   loop_control:
     label: "{{ interface.name }}"
     loop_var: interface
 
+- name: Set up firewall
+  include_tasks: firewall.yml
+
 - name: Disable SSH password authentication
   win_lineinfile:
     path: c:\ProgramData\ssh\sshd_config