thatrevguy / windows_firewall

Apache License 2.0

Issue applying a windows_firewall rule when a local_port or remote_port is defined with "IPHTTPS". #8

Closed vegetableZucchini closed 6 years ago

vegetableZucchini commented 6 years ago

JSON rules:

    "Core Networking - IPHTTPS (TCP-In)": {
      "description": "Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.",
      "application_name": "System",
      "protocol": 6,
      "local_ports": "IPHTTPS",
      "remote_ports": "*",
      "local_addresses": "*",
      "remote_addresses": "*",
      "direction": 1,
      "interface_types": "All",
      "enabled": true,
      "grouping": "@FirewallAPI.dll,-25000",
      "profiles": 2147483647,
      "action": 1
    },
    "Core Networking - IPHTTPS (TCP-Out)": {
      "description": "Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.",
      "application_name": "C:\\Windows\\system32\\svchost.exe",
      "service_name": "iphlpsvc",
      "protocol": 6,
      "local_ports": "*",
      "remote_ports": "IPHTTPS",
      "local_addresses": "*",
      "remote_addresses": "*",
      "direction": 2,
      "interface_types": "All",
      "enabled": true,
      "grouping": "@FirewallAPI.dll,-25000",
      "profiles": 2147483647,
      "action": 1
    },

Error output by Puppet:

Error: /Stage[main]/Windows_firewall/Windows_firewall[windows_firewall]/Firewall_rule[Core Networking - IPHTTPS (TCP-In)]: Could not evaluate: (in OLE method `localports': )
    OLE error code:8007000D in <Unknown>
      <No Description>
    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Windows_firewall/Windows_firewall[windows_firewall]/Firewall_rule[Core Networking - IPHTTPS (TCP-Out)]: Could not evaluate: (in OLE method `remoteports': )
    OLE error code:8007000D in <Unknown>
      <No Description>
    HRESULT error code:0x80020009
      Exception occurred.

thatrevguy commented 6 years ago

What version of puppet and windows did this error occur on?

Looking at the config I'd suspect 'IPHTTPS' is not a valid input value for the remote/local port attributes. You might be wanting to try 'IPHTTPSIn' and 'IPHTTPSOut' instead.

It appears this is a symptom of how HNetCfg.FwPolicy2 displays rule attribute values in the powershell script:

$SystemRules = (New-Object -ComObject HNetCfg.FwPolicy2).Rules
$Rule = $SystemRules | where {$_.name -eq "Active Directory Domain Controller (RPC-EPMAP)"}
$Rule.LocalPorts
> RPC-EPMap

versus

Get-NetFirewallRule -DisplayName "Active Directory Domain Controller (RPC-EPMAP)" | Get-NetFirewallPortFilter
> LocalPort     : RPCEPMap

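As an added diagnostic (not code from this module, and going beyond the single rule shown above), the following PowerShell lists every rule whose port values are spelled differently by HNetCfg.FwPolicy2 and by Get-NetFirewallPortFilter, and then probes which keywords the COM LocalPorts/RemotePorts property put accepts on a rule object that is never added to the policy, so nothing on the host changes. The keyword list is a constructed sample; the cmdlet half needs the NetSecurity module (Windows 8 / Server 2012 or later), so it does not run on a 2008 R2 node.

```powershell
# Added diagnostic, not part of the thatrevguy/windows_firewall module.
# Part 1: where do the COM API and the NetSecurity cmdlets spell port values differently?
# Part 2: which port keywords does the COM property put accept? (detached rule, no policy change)

function Compare-FwPortSpelling {
    # Index COM rules by name; keep TCP (6) / UDP (17) only, since other protocols carry no ports
    $comRules = @{}
    foreach ($r in (New-Object -ComObject HNetCfg.FwPolicy2).Rules) {
        if (($r.Protocol -eq 6 -or $r.Protocol -eq 17) -and -not $comRules.ContainsKey($r.Name)) {
            $comRules[$r.Name] = $r
        }
    }
    foreach ($rule in Get-NetFirewallRule) {
        # COM Name corresponds to the cmdlet DisplayName
        $com = $comRules[$rule.DisplayName]
        if ($null -eq $com) { continue }
        $pf  = $rule | Get-NetFirewallPortFilter
        $row = [pscustomobject]@{
            Rule      = $rule.DisplayName
            ComLocal  = $com.LocalPorts
            PsLocal   = ($pf.LocalPort  -join ',')
            ComRemote = $com.RemotePorts
            PsRemote  = ($pf.RemotePort -join ',')
        }
        # Report only rules where the two APIs disagree (e.g. RPC-EPMap vs RPCEPMap, * vs Any)
        if ($row.ComLocal -ne $row.PsLocal -or $row.ComRemote -ne $row.PsRemote) { $row }
    }
}

function Test-FwPortKeyword {
    # Constructed sample of keywords to probe; adjust as needed
    param([string[]]$Keywords = @('IPHTTPS', 'IPHTTPSIn', 'IPHTTPSOut', 'RPC-EPMap', 'RPCEPMap', 'Teredo'))
    foreach ($kw in $Keywords) {
        foreach ($prop in 'LocalPorts', 'RemotePorts') {
            # A fresh HNetCfg.FWRule is validated on property put (the OLE error in this issue
            # came from exactly that call) but is never attached to FwPolicy2
            $probe = New-Object -ComObject HNetCfg.FWRule
            $probe.Protocol = 6
            $accepted = $true
            try { $probe.$prop = $kw } catch { $accepted = $false }
            [pscustomobject]@{ Keyword = $kw; Property = $prop; Accepted = $accepted }
        }
    }
}

Compare-FwPortSpelling | Format-Table -AutoSize
Test-FwPortKeyword     | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected host; a keyword that shows Accepted = False for the property the rule uses will fail in the Puppet provider the same way.
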
vegetableZucchini commented 6 years ago

Puppet version is 2017.2.3 and the node is 2008R2.

IPHTTPS appears to be correct according to https://technet.microsoft.com/en-us/library/dd759069(v=ws.11).aspx

But I'll try your recommendation. Thank you.