ISISComputingGroup / IBEX

Top level repository for IBEX stories

Deploy: Firewall #4693

Open John-Holt-Tessella opened 5 years ago

John-Holt-Tessella commented 5 years ago

As a supporter, I want the firewall to be configured for all applications in IBEX when I install it using the upgrade/install script so that I don't have to remember to do it and it can be the same on all machines.

Acceptance Criteria

  1. All ports/programs are identified that accept incoming connections
  2. Firewall rules are written on install for these
  3. They are as specific as they can be without spending overly large amounts of time on it. E.g. if possible port, program, protocol and hostname of requesting machine (this may not be possible for all of epics)

ChrisM-S commented 5 years ago

The firewall has a slightly complicated deployment path. The most profitable is to ensure it is deployed as a local group policy to instrument machines (on build for W10). The firewall can be built automatically via a script on an existing base clone and then the complete profile saved in a policy.wfw file which can be imported in a single step by the group policy stage of the machine installation. This has the advantage that the .wfw file also can be applied manually and updated in one step remotely if necessary. For "instrument" machines in the domain, the policy can also be applied similarly although from the domain (just a single ps-remote command for the whole profile).

This is a useful reference to the steps in deploying via group policy: https://www.rootusers.com/configure-firewall-rules-for-multiple-profiles-using-group-policy/
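
The workflow discussed in this thread (scripted rules scoped by program, protocol, port and requesting machine, then the whole profile saved to a policy.wfw file) could look like the sketch below. It is an added example, not part of the comments above and not the IBEX install script. The group name, program path and subnet are constructed placeholders; 5064 is the EPICS Channel Access default port. Windows Firewall rules take IP addresses, ranges or subnets in `-RemoteAddress`, not hostnames, so the "hostname of requesting machine" criterion has to be expressed as addresses.

```powershell
#Requires -RunAsAdministrator
# Added example: every name, path and address below is a constructed placeholder.
$group       = 'IBEX (example)'                # hypothetical rule group name
$allowedFrom = '192.0.2.0/24'                  # placeholder subnet of requesting machines
$ioc         = 'C:\Path\To\example_ioc.exe'    # placeholder program path

# One entry per listening program/protocol/port identified for the install.
$rules = @(
    @{ Name = 'Example IOC CA (TCP)'; Program = $ioc; Protocol = 'TCP'; Port = 5064 },
    @{ Name = 'Example IOC CA (UDP)'; Program = $ioc; Protocol = 'UDP'; Port = 5064 }
)

# Idempotent: drop rules left by an earlier run so upgrades do not pile up duplicates.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    # Allow inbound only for this program, protocol, port and source range.
    New-NetFirewallRule -DisplayName $r.Name -Group $group `
        -Direction Inbound -Action Allow `
        -Program $r.Program -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $allowedFrom -Profile Domain, Private | Out-Null
}

# Review what was created before exporting it.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0}: {1}/{2} from {3}' -f $_.DisplayName, $port.Protocol, $port.LocalPort, ($addr.RemoteAddress -join ',')
}

# Save the complete local firewall policy (all rules, not only this group) to a .wfw file.
$wfw = Join-Path $env:TEMP 'policy.wfw'
if (Test-Path $wfw) { Remove-Item $wfw }       # start from a fresh file
netsh advfirewall export $wfw

# On a target machine, this replaces its current local firewall policy with the file:
#   netsh advfirewall import "policy.wfw"
```

Because the export and import operate on the whole policy, build the .wfw file on a clean base clone so that no unrelated local rules are carried onto other machines.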