webalexeu / puppet-windows_firewall

Manage the windows firewall with Puppet
Apache License 2.0

Rule delete doesn't appear to be working. #30

Open ekleditz opened 3 weeks ago

ekleditz commented 3 weeks ago

Add a rule called test

Ask it to be deleted via:

windows_firewall_rule { 'test':
  ensure => absent;
}

Expected that rule will be removed but it isn't being deleted.

Win 11

webalexeu commented 3 weeks ago

Hello,

Did you create the rule with Puppet or manually? If you created it manually, did you create it with the GUI or using PowerShell/Netsh?

Can you give the output of those commands?

puppet resource windows_firewall_rule 'test'
Get-NetFirewallRule -Name 'test'
Get-NetFirewallRule -DisplayName 'test'

Regards, Alex

ekleditz commented 3 weeks ago

Hi Alex,

Rule was created by hand to test this.

Interesting output from those commands

PS C:> puppet resource windows_firewall_rule 'test'
windows_firewall_rule { 'test':
  ensure => 'absent',
  provider => 'windows_firewall_rule',
}
PS C:> Get-NetFirewallRule -Name 'test'
Get-NetFirewallRule : No MSFT_NetFirewallRule objects found with property 'InstanceID' equal to 'test'. Verify the value of the property and retry.
At line:1 char:1

PS C:> Get-NetFirewallRule -DisplayName 'test'

Name : {c2ab7554-e6c9-49ed-92f5-2cd830f8236a}
DisplayName : test
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Domain, Private, Public
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :

webalexeu commented 3 weeks ago

The Puppet module is using the firewall rule name as the identifier because it's unique. By default, when you create a rule, it's the display name that is populated (you can have multiple rules with the same display name) and the name is auto-generated with an identifier.

But if you have created the rule using Puppet, it should have populated the name correctly (the module is using the resource title as the firewall name by default).

Can you please share the puppet code you use to create the firewall rule?

Could you please also try this to delete the test one?

windows_firewall_rule { '{c2ab7554-e6c9-49ed-92f5-2cd830f8236a}':
  ensure => absent;
}

ekleditz commented 3 weeks ago

Sorry... I had misread your response and edited my post a bit after. My rule was created by hand.

Using the InstanceID does get the test rule clobbered.

Doesn't look like this will work for my specific use case this time around (I'm trying to delete a rule created by an app) but it's good to know I can kill ones that I have previously created with this module easily enough.

Thanks!

Edit: on a side note, I now know why I was unable to edit that same stupid app-created rule to look like I wanted after it was created. Couldn't figure out what I was doing wrong but it's the same as with the delete.

webalexeu commented 2 weeks ago

Can you give more context on your use case?

Using the purge feature may be a solution, but it requires a new release that will accept some arguments to purge specific rules.

ekleditz commented 2 weeks ago

I have an app I'm deploying (via Puppet and choco) that creates its own firewall rules when it installs. The issue is that the app makes its rule incompletely, so I'm trying to have the module delete the rule the app makes on its own and replace it with one that's correct.

The second part works great but the first part doesn't. Not the end of the world and it's more of a cleanup and tidy thing for me.
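
Added example (not from the thread or from the module's code): a PowerShell helper for the use case above that resolves an app-created rule's display name to its unique Name before removing it, and refuses to act when the display name matches more rules than expected. The function name and its parameters are hypothetical; it assumes the rule lives in the PersistentStore, as in the output earlier in the thread.

```powershell
# Added example: hypothetical helper, not part of puppet-windows_firewall.
function Remove-FirewallRuleByDisplayName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        # Optional: keep only rules whose application filter has exactly this program path.
        [string]$Program,
        # Display names are not unique, so refuse to delete more than this many rules.
        [int]$MaxMatches = 1
    )

    # -DisplayName accepts wildcards, so filter again for an exact match.
    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -PolicyStore PersistentStore `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName })

    if ($Program) {
        $rules = @($rules | Where-Object {
            ($_ | Get-NetFirewallApplicationFilter).Program -eq $Program
        })
    }

    if ($rules.Count -eq 0) {
        Write-Verbose "No rule with display name '$DisplayName' found."
        return
    }
    if ($rules.Count -gt $MaxMatches) {
        throw "Found $($rules.Count) rules named '$DisplayName'; narrow with -Program or raise -MaxMatches."
    }

    foreach ($rule in $rules) {
        # Remove by Name (the unique key) so only the inspected rule is deleted.
        if ($PSCmdlet.ShouldProcess("$($rule.Name) ($($rule.DisplayName))", 'Remove firewall rule')) {
            Remove-NetFirewallRule -Name $rule.Name -PolicyStore PersistentStore
            Write-Output $rule.Name   # emit the removed rule's Name for logging
        }
    }
}

# Dry run against the rule from this thread: reports what would be removed.
Remove-FirewallRuleByDisplayName -DisplayName 'test' -WhatIf
```

Running it with -WhatIf first shows the auto-generated Name that a display name resolves to, which is also the value the module expects as the resource title.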