- name: Allow ICMP
  # Inbound ICMPv4 for reachability checks and the error types needed for
  # path-MTU discovery / traceroute. No remoteip is given, so these types are
  # accepted from any source address; narrow with remoteip if the host should
  # not answer echo requests from untrusted networks.
  win_firewall_rule:
    name: Allow incoming ICMP
    direction: in
    protocol: icmpv4
    icmp_type_code:  # 'type:code', '*' = any code
      - '0:*'  # echo reply
      - '3:*'  # destination unreachable
      - '8:*'  # echo request
      - '11:*'  # time exceeded
      - '12:*'  # parameter problem
    action: allow
    enabled: true

- name: Allow ICMPv6
  # Inbound ICMPv6 error and echo types. Neighbor Discovery (types 133-137) is
  # deliberately not listed here; it is expected to stay allowed by the
  # builtin Core Networking rules, which the task below does not touch — confirm
  # on the target edition. As with the IPv4 rule, no remoteip scope is applied.
  win_firewall_rule:
    name: Allow incoming ICMPv6
    direction: in
    protocol: icmpv6
    icmp_type_code:  # 'type:code', '*' = any code
      - '1:*'  # destination unreachable
      - '2:*'  # packet too big
      - '3:*'  # time exceeded
      - '4:*'  # parameter problem
      - '128:*'  # echo request
      - '129:*'  # echo reply
    action: allow
    enabled: true

- name: Apply firewall_rule.yml for each entry in services
  # One include per element of `services`; firewall_rule.yml receives the
  # current element as `service` (loop_var), so that name must not change.
  include_tasks: firewall_rule.yml
  loop: "{{ services }}"
  loop_control:
    loop_var: service
    # assumes every element is a mapping with a `name` key — TODO confirm against
    # where `services` is defined
    label: "{{ service.name }}"

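- name: Disable some builtin rules
  # Each loop item is a firewall rule *group* (DisplayGroup). Only rules in the
  # group that are still enabled are touched, so the task is idempotent and can
  # report change honestly instead of hard-coding changed_when: false.
  # A group that does not exist on this Windows edition yields no rules
  # (-ErrorAction SilentlyContinue applies to the lookup only), so the blanket
  # failed_when: false is no longer needed and genuine script failures surface.
  # NOTE(review): if Ansible reaches this host over WinRM ("Windows Remote
  # Management") or SSH ("OpenSSH Server"), disabling that group removes the
  # builtin inbound allow for the management port — confirm the `services`
  # include above creates an explicit rule for it, or the next run cannot connect.
  win_shell: |
    $rules = Get-NetFirewallRule -DisplayGroup '{{ item }}' -ErrorAction SilentlyContinue |
      Where-Object -Property Enabled -eq True
    if ($rules) {
      $rules | Set-NetFirewallRule -Enabled False
      Write-Output 'changed'
    }
  register: builtin_group
  changed_when: "'changed' in builtin_group.stdout"
  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
    - "AllJoyn Router"
    - "File and Printer Sharing"
    - "mDNS"
    - "OpenSSH Server"
    - "Secure World Wide Web Services (HTTPS)"
    - "Secure World Wide Web Services (QUIC)"
    - "Windows Remote Management"
    - "World Wide Web Services (HTTP)"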