search

sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0
97 stars 150 forks source link

Cant create ICMP firewall rules on windows #156

Open docwho76 opened 7 years ago

docwho76 commented 7 years ago

Cookbook version

2.5.3

Chef-client version

12.18.31

Platform Details

Win 2012 (contrary to what your README.md says your code has worked on this platform fine)

Scenario:

Add ICMP firewall rules to only allow specific IP blocks

Steps to Reproduce:

default['foobar']['icmp_hosts'] = ["X.X.X.X/32", "Y.Y.Y.Y/16", "Z.Z.Z.Z/8", "#{node['test']['server']['ip']}" ]

icmp_hosts = node['foobar']['icmp_hosts'].join(',')

node['foobar']['icmp_hosts'].each do |source|
  firewall_rule "ICMP v4 from #{source}" do
    protocol   :icmp
    direction  :in
    source     source
    command    :allow
    action     :create
  end
end

Expected Result:

Firewall rules added to only allow ICMP from the specified icmp_host list

Actual Result:

Rule add fails in multiple ways.

  1. You specify "icmp" where it should be "icmpv4" 

         +firewall add rule name="ICMP v4 from X.X.X.X/23" description="ICMP v4 from X.X.X.X/23" dir=in service=any protocol=icmp localip=any localport=any interfacetype=any remoteip=X.X.X.X/23 remoteport=any action=allow

   ================================================================================
   Error executing action `restart` on resource 'firewall[default]'
   ================================================================================

   Mixlib::ShellOut::ShellCommandFailed
   ------------------------------------
   Expected process to exit with [0], but received '1'
   ---- Begin output of netsh advfirewall firewall add rule name="ICMP v4 from X.X.X.X/32" description="ICMP v4 from X.X.X.X/32" dir=in service=any protocol=icmp localip=any localport=any interfacetype=any remoteip=X.X.X.X/32 remoteport=any action=allow ----
   STDOUT: A specified protocol value is not valid.

   Usage: add rule name=<string>
  dir=in|out
  action=allow|block|bypass
  [program=<program path>]
  [service=<service short name>|any]
  [description=<string>]
  [enable=yes|no (default=yes)]
  [profile=public|private|domain|any[,...]]
  [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
  [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
     <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
  [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
  [remoteport=0-65535|<port range>[,...]|any (default=any)]
  [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
     tcp|udp|any (default=any)]
  [interfacetype=wireless|lan|ras|any]
  [rmtcomputergrp=<SDDL string>]
  [rmtusrgrp=<SDDL string>]
  [edge=yes|deferapp|deferuser|no (default=no)]
  [security=authenticate|authenc|authdynenc|authnoencap|notrequired
     (default=notrequired)]

   Remarks:

  - Add a new inbound or outbound rule to the firewall policy.
  - Rule name should be unique and cannot be "all".
  - If a remote computer or user group is specified, security must be
    authenticate, authenc, authdynenc, or authnoencap.
  - Setting security to authdynenc allows systems to dynamically
    negotiate the use of encryption for traffic that matches
    a given Windows Firewall rule. Encryption is negotiated based on
    existing connection security rule properties. This option
    enables the ability of a machine to accept the first TCP
    or UDP packet of an inbound IPsec connection as long as
    it is secured, but not encrypted, using IPsec.
    Once the first packet is processed, the server will
    re-negotiate the connection and upgrade it so that
    all subsequent communications are fully encrypted.
  - If action=bypass, the remote computer group must be specified when dir=in.
  - If service=any, the rule applies only to services.
  - ICMP type or code can be "any".
  - Edge can only be specified for inbound rules.
  - AuthEnc and authnoencap cannot be used together.
  - Authdynenc is valid only when dir=in.
  - When authnoencap is set, the security=authenticate option becomes an
    optional parameter.

   Examples:

  Add an inbound rule with no encapsulation security for browser.exe:
  netsh advfirewall firewall add rule name="allow browser"
  dir=in program="c:\programfiles\browser\browser.exe"
  security=authnoencap action=allow

  Add an outbound rule for port 80:
  netsh advfirewall firewall add rule name="allow80"
  protocol=TCP dir=out localport=80 action=block

  Add an inbound rule requiring security and encryption
  for TCP port 80 traffic:
  netsh advfirewall firewall add rule
  name="Require Encryption for Inbound TCP/80"
  protocol=TCP dir=in localport=80 security=authdynenc
  action=allow

  Add an inbound rule for browser.exe and require security
  netsh advfirewall firewall add rule name="allow browser"
  dir=in program="c:\program files\browser\browser.exe"
  security=authenticate action=allow

  Add an authenticated firewall bypass rule for group
  acmedomain\scanners identified by a SDDL string:
  netsh advfirewall firewall add rule name="allow scanners"
  dir=in rmtcomputergrp=<SDDL string> action=bypass
  security=authenticate

  Add an outbound allow rule for local ports 5000-5010 for udp-
  Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
   STDERR:
   ---- End output of netsh advfirewall firewall add rule name="ICMP v4 from X.X.X.X/32" description="ICMP v4 from X.X.X.X/32" dir=in service=any protocol=icmp localip=any localport=any interfacetype=any remoteip=X.X.X.X/32 remoteport=any action=allow ----
   Ran netsh advfirewall firewall add rule name="ICMP v4 from X.X.X.X/32" description="ICMP v4 from X.X.X.X/32" dir=in service=any protocol=icmp localip=any localport=any interfacetype=any remoteip=X.X.X.X/32 remoteport=any action=allow returned 1

  2. You specify a "localport" and "remoteport" setting of "any", both of these are not needed at all and also causes the command to fail to add if you try to work around problem #1 by specifying protocol 1 instead of :icmp.

+firewall add rule name="ICMP v4 from Y.Y.Y.Y/23" description="ICMP v4 from Y.Y.Y.Y/23" dir=in service=any protocol=1 localip=any localport=any interfacetype=any remoteip=Y.Y.Y.Y/23 remoteport=any action=allow

       ================================================================================
       Error executing action `restart` on resource 'firewall[default]'
       ================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '1'
       ---- Begin output of netsh advfirewall firewall add rule name="ICMP v4 from Y.Y.Y.Y/23" description="ICMP v4 from Y.Y.Y.Y/23" dir=in service=any protocol=1 localip=any localport=any interfacetype=any remoteip=Y.Y.Y.Y/23 remoteport=any action=allow ----

       STDOUT: Ports can only be specified if the protocol is TCP or UDP.

       Usage: add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|notrequired
         (default=notrequired)]

       Remarks:

      - Add a new inbound or outbound rule to the firewall policy.
      - Rule name should be unique and cannot be "all".
      - If a remote computer or user group is specified, security must be
        authenticate, authenc, authdynenc, or authnoencap.
      - Setting security to authdynenc allows systems to dynamically
        negotiate the use of encryption for traffic that matches
        a given Windows Firewall rule. Encryption is negotiated based on
        existing connection security rule properties. This option
        enables the ability of a machine to accept the first TCP
        or UDP packet of an inbound IPsec connection as long as
        it is secured, but not encrypted, using IPsec.
        Once the first packet is processed, the server will
        re-negotiate the connection and upgrade it so that
        all subsequent communications are fully encrypted.
      - If action=bypass, the remote computer group must be specified when dir=in.
      - If service=any, the rule applies only to services.
      - ICMP type or code can be "any".
      - Edge can only be specified for inbound rules.
      - AuthEnc and authnoencap cannot be used together.
      - Authdynenc is valid only when dir=in.
      - When authnoencap is set, the security=authenticate option becomes an
        optional parameter.

       Examples:

      Add an inbound rule with no encapsulation security for browser.exe:
      netsh advfirewall firewall add rule name="allow browser"
      dir=in program="c:\programfiles\browser\browser.exe"
      security=authnoencap action=allow

      Add an outbound rule for port 80:
      netsh advfirewall firewall add rule name="allow80"
      protocol=TCP dir=out localport=80 action=block

      Add an inbound rule requiring security and encryption
      for TCP port 80 traffic:
      netsh advfirewall firewall add rule
      name="Require Encryption for Inbound TCP/80"
      protocol=TCP dir=in localport=80 security=authdynenc
      action=allow

      Add an inbound rule for browser.exe and require security
      netsh advfirewall firewall add rule name="allow browser"
      dir=in program="c:\program files\browser\browser.exe"
      security=authenticate action=allow

      Add an authenticated firewall bypass rule for group
      acmedomain\scanners identified by a SDDL string:
      netsh advfirewall firewall add rule name="allow scanners"
      dir=in rmtcomputergrp=<SDDL string> action=bypass
      security=authenticate

      Add an outbound allow rule for local ports 5000-5010 for udp-
      Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
       STDERR:
       ---- End output of netsh advfirewall firewall add rule name="ICMP v4 from Y.Y.Y.Y/23" description="ICMP v4 from Y.Y.Y.Y/23" dir=in service=any protocol=0 localip=any localport=any interfacetype=any remoteip=Y.Y.Y.Y/23 remoteport=any action=allow ----
       Ran netsh advfirewall firewall add rule name="ICMP v4 from Y.Y.Y.Y/23" description="ICMP v4 from Y.Y.Y.Y/23" dir=in service=any protocol=0 localip=any localport=any interfacetype=any remoteip=Y.Y.Y.Y/23 remoteport=any action=allow returned 1
martinb3 commented 7 years ago

I am unassigning myself here -- I could use someone more familiar with the Windows side of things in order to build out the build_rule and rule_up_to_date methods in the Windows helper.

alexandrezia commented 7 years ago

On windows you must specify protocol version like:

protocol :icmpv4 or protocol :icmpv6

However this will generate other error, icmp rules must not specify 'port', I've submitted a pull request to fix this port issue: https://github.com/chef-cookbooks/firewall/pull/174

tiago-cruz-movile commented 6 years ago

Thanks @alexandrezia,

This patch worked with charm, using windows 10.0.14393 (2016) :+1:

px4n commented 6 years ago

Thanks @alexandrezia , worked wonderfully using Windows 7.