From e6876ff2659ee0ab6319cfd58f16471bd2f066c5 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sun, 11 May 2025 14:34:38 +0200
Subject: [PATCH] =?UTF-8?q?windows:=20don=E2=80=99t=20disable=20builtin=20?=
 =?UTF-8?q?firewall=20rules=20before=20setting=20our=20own?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Oops.
---
 roles/windows/tasks/firewall.yml | 27 ++++++++++++++-------------
 roles/windows/tasks/firewall_rule.yml | 2 +-
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/roles/windows/tasks/firewall.yml b/roles/windows/tasks/firewall.yml
index aa0d2d7..e95f94c 100644
--- a/roles/windows/tasks/firewall.yml
+++ b/roles/windows/tasks/firewall.yml
@@ -1,16 +1,3 @@
-- name: Disable some builtin rules
- win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
- changed_when: false # no way to tell
- loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
- - "AllJoyn Router"
- - "File and Printer Sharing"
- - "mDNS"
- - "OpenSSH Server"
- - "Secure World Wide Web Services (HTTPS)"
- - "Secure World Wide Web Services (QUIC)"
- - "Windows Remote Management"
- - "World Wide Web Services (HTTP)"
-
 - name: Allow ICMP
 win_firewall_rule:
 name: Allow incoming ICMP
@@ -45,3 +32,17 @@
 loop_control:
 label: "{{ service.name }}"
 loop_var: service
+
+- name: Disable some builtin rules
+ win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
+ changed_when: false # no way to tell
+ failed_when: false # fails if the group doesn’t exist
+ loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
+ - "AllJoyn Router"
+ - "File and Printer Sharing"
+ - "mDNS"
+ - "OpenSSH Server"
+ - "Secure World Wide Web Services (HTTPS)"
+ - "Secure World Wide Web Services (QUIC)"
+ - "Windows Remote Management"
+ - "World Wide Web Services (HTTP)"
diff --git a/roles/windows/tasks/firewall_rule.yml b/roles/windows/tasks/firewall_rule.yml
index eedf9c9..49f6fca 100644
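Review bot: `failed_when: false` on the re-added "Disable some builtin rules" task silences every failure of Set-NetFirewallRule, not only the missing-group case the comment names, so an access-denied error or a typo in a group name leaves builtin rules such as "File and Printer Sharing" or "Windows Remote Management" enabled while the play reports success, and together with `changed_when: false` the task can neither fail nor report drift. Selecting the still-enabled rules with Get-NetFirewallRule first lets the missing-group error be suppressed on its own, gives a real changed signal, and keeps any other error in the registered result instead of discarding it. Whether a remaining non-terminating error from Set-NetFirewallRule fails the task depends on how win_shell maps PowerShell errors to `rc`, so inspect `builtin_rules.stderr` or start the script with `$ErrorActionPreference = 'Stop'` if it must. Since this task now runs after the service rules, confirm that the service loop above (outside this hunk) creates the replacement rule for whatever transport Ansible uses to reach the host — presumably WinRM, given that the "Windows Remote Management" group is disabled here — so the connection is not cut off mid-play.
```yaml
- name: Disable some builtin rules
  win_shell: "Get-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled True -ErrorAction SilentlyContinue | Set-NetFirewallRule -Enabled False -PassThru"
  register: builtin_rules
  changed_when: builtin_rules.stdout | trim != ''
  # … unchanged: loop over the display groups …
```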
--- a/roles/windows/tasks/firewall_rule.yml
+++ b/roles/windows/tasks/firewall_rule.yml
@@ -1,4 +1,4 @@
-- name: Allow service
+- name: "Allow service {{ service.name }}"
 win_firewall_rule:
 name: "Allow incoming {{ service.name }} for {{ remoteip }}"
 group: "{{ service.name }}"