rc/servers
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

windows: set up firewall

Browse source
This commit is contained in:
Timotej Lazar 2025-05-11 12:54:26 +02:00
parent 91de26af57
commit 66298da9c7
4 changed files with 68 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
roles/windows/tasks/firewall.yml Normal file
View file

@ -0,0 +1,47 @@
- name: Disable some builtin rules
win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
changed_when: false # no way to tell
loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
- "AllJoyn Router"
- "File and Printer Sharing"
- "mDNS"
- "OpenSSH Server"
- "Secure World Wide Web Services (HTTPS)"
- "Secure World Wide Web Services (QUIC)"
- "Windows Remote Management"
- "World Wide Web Services (HTTP)"
- name: Allow ICMP
win_firewall_rule:
name: Allow incoming ICMP
action: allow
enabled: true
direction: in
protocol: icmpv4
icmp_type_code:
- '0:*' # echo reply
- '3:*' # destination unreachable
- '8:*' # echo request
- '11:*' # time exceeded
- '12:*' # parameter problem
- name: Allow ICMPv6
win_firewall_rule:
name: Allow incoming ICMPv6
action: allow
enabled: true
direction: in
protocol: icmpv6
icmp_type_code:
- '1:*' # destination unreachable
- '2:*' # packet too big
- '3:*' # time exceeded
- '4:*' # parameter problem
- '128:*' # echo request
- '129:*' # echo reply
- include_tasks: firewall_rule.yml
loop: "{{ services }}"
loop_control:
label: "{{ service.name }}"
loop_var: service

14
roles/windows/tasks/firewall_rule.yml Normal file
View file

@ -0,0 +1,14 @@
- name: Allow service
win_firewall_rule:
name: "Allow incoming {{ service.name }} for {{ remoteip }}"
group: "{{ service.name }}"
action: allow
enabled: true
direction: in
protocol: "{{ service.protocol.value }}"
localport: "{{ service.ports | join(',') }}"
remoteip: "{{ remoteip }}"
loop: "{{ service | allowed_prefixes | default(['any'], true) }}"
loop_control:
label: "{{ remoteip }}"
loop_var: remoteip

3
roles/windows/tasks/interface_address.yml
View file

@ -7,7 +7,8 @@
changed_when: "not result.stderr or 'Instance MSFT_NetIPAddress already exists' not in result.stderr" changed_when: "not result.stderr or 'Instance MSFT_NetIPAddress already exists' not in result.stderr"
failed_when: false failed_when: false
- set_fact: - name: Get gateway for prefix
set_fact:
prefix: "{{ prefixes | selectattr('prefix', '==', address.address|ipaddr('subnet')) | first }}" prefix: "{{ prefixes | selectattr('prefix', '==', address.address|ipaddr('subnet')) | first }}"
- name: Set gateway - name: Set gateway

6
roles/windows/tasks/main.yml
View file

@ -1,9 +1,13 @@
- include_tasks: interface.yml - name: Set up interfaces
include_tasks: interface.yml
loop: "{{ interfaces }}" loop: "{{ interfaces }}"
loop_control: loop_control:
label: "{{ interface.name }}" label: "{{ interface.name }}"
loop_var: interface loop_var: interface
- name: Set up firewall
include_tasks: firewall.yml
- name: Disable SSH password authentication - name: Disable SSH password authentication
win_lineinfile: win_lineinfile:
path: c:\ProgramData\ssh\sshd_config path: c:\ProgramData\ssh\sshd_config