Comments (20)
From @octagonprogramming on Jul 30, 2019 23:53
!component =lib/ansible/modules/windows/win_firewall_rule.ps1
from community.windows.
From @ShachafGoldstein on Aug 03, 2019 14:05
Removing the state
parameter in your example give the expected result you mentioned
You can see in the docs that the state
param is only used for removal/addition
From @octagonprogramming on Aug 05, 2019 18:15
I removed this parameter and am still getting the same result. Specifically in the case of the rules for Cortana, it will just create a new rule.
From @ShachafGoldstein on Aug 06, 2019 20:51
Are you sure it adds a new rule without the state
parameter?
From @octagonprogramming on Aug 07, 2019 15:18
Yes I tested this when the suggestion was made. It only appears to be a problem with the rules that I specified in the sample code as well.
Also the state parameter is by default set to present.
From @ShachafGoldstein on Aug 07, 2019 16:04
You're right about the state.
On my machines I get the error when running
- name: Disable Microsofts Built in Rules
  win_firewall_rule:
    name: Cortana
    action: allow
    direction: in
    enabled: no
If you run the PowerShell lines with the user you use for Ansible, what is the output?
$name = "Cortana"
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$existingRule = $fw.Rules | Where-Object { $_.Name -eq $name }
if ($existingRule -is [System.Array]) {
    Fail-Json $result "Multiple firewall rules with name '$name' found."
}
From @octagonprogramming on Aug 09, 2019 23:12
My apologies for the delay; I had to set up a new testing environment, and this time the target system is a Windows 2016 LTSB, but I am still having the same issue with the firewall rule, as I ran the firewall module and got the same result.
Here is my output for the PowerShell lines:
changed: [<host>] => {
    "changed": true,
    "cmd": "$name = \"Cortana\"\n$fw = New-Object -ComObject HNetCfg.FwPolicy2\n\n$existingRule = $fw.Rules | Where-Object { $_.Name -eq $name }\n\nif ($existingRule -is [System.Array]) {\n Fail-Json $result \"Multiple firewall rules with name '$name' found.\"\n}",
    "delta": "0:00:01.078182",
    "end": "2019-08-09 10:42:56.757763",
    "rc": 0,
    "start": "2019-08-09 10:42:55.679581",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}
From @ShachafGoldstein on Aug 10, 2019 11:25
I meant running it yourself on the machine in a PowerShell window.
I can't replicate this issue on any machine I tried.
Maybe a permissions issue? Can you try running with a stronger user if not currently?
From @octagonprogramming on Aug 12, 2019 15:36
Ah, well in that case there is no output when run on the target machine.
Current user is Administrator, and I am running PowerShell as administrator.
From @ShachafGoldstein on Aug 12, 2019 17:03
Can you post the output of $fw = New-Object -ComObject HNetCfg.FwPolicy2; $fw.Rules.name
From @octagonprogramming on Aug 12, 2019 17:11
There is no output for this either.
From @octagonprogramming on Aug 12, 2019 17:15
When running this I get the name for all rules on the system:
$fw.Rules | Select-Object -Property Name
From @octagonprogramming on Aug 12, 2019 17:20
In the output of the above command, this is what is shown for the name of Cortana:
@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
From @octagonprogramming on Aug 12, 2019 17:26
Using the above hash I got the expected fail for the rule.
Code:
- name: Testing
  win_firewall_rule:
    name: '@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}'
    action: allow
    direction: in
    enabled: no
Result:
fatal: [<host>]: FAILED! => {
    "changed": false,
    "msg": "Multiple firewall rules with name '@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}' found."
}
From @octagonprogramming on Aug 12, 2019 17:59
On further review it was discovered that the COM object sees the rule differently from how PowerShell sees the rule.
For example, comparing how both view the rule Cortana:
PowerShell
Command
Get-NetFirewallRule -DisplayName 'Cortana'
Sample Output
Name : {961222A4-CB5D-4336-A5F2-60C3F3CF25C8}
DisplayName : Cortana
Description : Search the web and Windows
DisplayGroup : Cortana
Group : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Enabled : False
Profile : Domain, Private, Public
Platform : {6.2+}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner : S-1-5-21-2732372105-1916055189-1631554620-1002
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
Using COM object
Commands
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$fw.Rules | Where-Object { $_.Name -match 'cortana' }
Sample Output
Name : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Description : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}
ApplicationName :
serviceName :
Protocol : 256
LocalPorts :
RemotePorts :
LocalAddresses : *
RemoteAddresses : *
IcmpTypesAndCodes :
Direction : 1
Interfaces :
InterfaceTypes : All
Enabled : True
Grouping : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Profiles : 7
EdgeTraversal : True
Action : 1
EdgeTraversalOptions : 1
LocalAppPackageId : S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
LocalUserOwner : S-1-5-21-2732372105-1916055189-1631554620-1001
LocalUserAuthorizedList :
RemoteUserAuthorizedList :
RemoteMachineAuthorizedList :
SecureFlags : 0
From @octagonprogramming on Aug 12, 2019 18:02
As you can see above, the 'Group' from the PowerShell command output is what the COM object is getting for the name and description of the rule, which would explain why it is creating an entirely new rule, as the name does not match.
From @ShachafGoldstein on Aug 12, 2019 18:50
I see.
On my machine (insider) I have both simple Cortana rules and the type with the @{} name.
The only solution I see is using the full name as you did.
If we try to change the condition to be anything other than equal, we can cause a lot of issues.
From @frogstarr78 on Aug 12, 2019 22:41
Couldn't you use the built-in PowerShell modules for handling firewall rules?
From @jborean93 on Aug 12, 2019 23:02
Couldn't you use the built-in PowerShell modules for handling firewall rules?
I haven't read the actual conversation here, but no, not right now; these modules were only added in Server 2012 and newer, and the COM object is used so we can run this module on Server 2008 and 2008 R2.
So while this isn't a fix, I'm posting this here for future reference. To convert the resource id string that some of these rules use, we can use something like ConvertFrom-IndirectString. This would allow us to convert the raw string from the firewall rule and compare it to the human-readable value in the future.
Also, with #127, we can now edit multiple rules at the same time that match the name or group.
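The two findings in this thread, that the HNetCfg.FwPolicy2 COM object reports the raw `@{...?ms-resource://...}` resource id where Get-NetFirewallRule shows a friendly DisplayName, and that the module bails out when more than one rule carries the same name, can be checked on a host before a playbook runs. The script below is an added example and is not code from the community.windows module or from anyone in the thread. It uses the same COM object the module uses, groups rules by their raw Name so that duplicate names (the "Multiple firewall rules with name ... found." case) are visible, and resolves indirect resource strings with the Win32 API SHLoadIndirectString from shlwapi.dll. The wrapper name ConvertFrom-IndirectString is borrowed from the comment above; its implementation here, and the audit function Get-FirewallRuleNameAudit, are my own and assume a Windows host with the .NET P/Invoke support that Add-Type provides.

```powershell
# Added example (not the community.windows module's own code): audit firewall rules
# through the HNetCfg.FwPolicy2 COM object that win_firewall_rule uses, flag raw
# names that occur more than once, and try to resolve AppX resource-id names to
# their display text. Assumes shlwapi.dll is available (any supported Windows).

Add-Type -Namespace Win32 -Name Shlwapi -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(
    string pszSource,
    System.Text.StringBuilder pszOutBuf,
    int cchOutBuf,
    IntPtr ppvReserved);
'@

function ConvertFrom-IndirectString {
    # Hypothetical wrapper name; resolves "@{Package?ms-resource://...}" strings.
    param([Parameter(Mandatory)][string]$Source)

    # Only strings beginning with '@' are indirect resource references; anything
    # else (for example a plain "Cortana") is already the display text.
    if ($Source -notmatch '^@') { return $Source }

    $buf = New-Object System.Text.StringBuilder 1024
    $hr  = [Win32.Shlwapi]::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0 -and $buf.Length -gt 0) { return $buf.ToString() }

    # Resolution fails (non-zero HRESULT) when the package is not registered for
    # the current user; keep the raw value so the caller can still match on it.
    return $Source
}

function Get-FirewallRuleNameAudit {
    # Hypothetical audit helper: one row per distinct raw rule name.
    param([string]$Pattern = '.*')

    $fw    = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($fw.Rules | Where-Object { $_.Name -match $Pattern })

    $rules | Group-Object -Property Name | ForEach-Object {
        $group = $_
        [PSCustomObject]@{
            RawName         = $group.Name
            DisplayName     = ConvertFrom-IndirectString $group.Name
            Count           = $group.Count
            # Same condition the module trips on: Where-Object returns an array
            # (and the module fails) whenever more than one rule has this name.
            ModuleWouldFail = ($group.Count -gt 1)
            # NET_FW_RULE_DIRECTION: 1 = inbound, 2 = outbound.
            Directions      = ($group.Group | ForEach-Object {
                                  if ($_.Direction -eq 1) { 'In' } else { 'Out' }
                              }) -join ','
        }
    }
}

# Usage: list every raw name the module would refuse to edit, e.g. the two
# Cortana rules shown earlier in this thread, next to their resolved text.
Get-FirewallRuleNameAudit | Where-Object ModuleWouldFail | Format-Table -AutoSize
```

Run it as the same account Ansible connects with, since the thread shows that the rule set the COM object returns can differ between users. Rows with ModuleWouldFail set are the ones a playbook has to address either by targeting the full raw name, as octagonprogramming did above, or by the group-based editing that #127 added.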