
Reference

Table of Contents

Resource types: windows_firewall_global, windows_firewall_group, windows_firewall_ipsec_rule, windows_firewall_profile, windows_firewall_rule

Resource types

windows_firewall_global

Manage Windows global firewall settings (machine-wide IPsec and rule-category settings that are not tied to a profile or a rule).

Properties

The following properties are available in the windows_firewall_global type.

authzcomputergrp

Configures the computers that are authorized to establish tunnel mode connections

authzcomputergrptransport

Configures the computers that are authorized to establish transport mode connections

authzusergrp

Configures the users that are authorized to establish tunnel mode connections

authzusergrptransport

Configures the users that are authorized to establish transport mode connections

boottimerulecategory

Boot time rule category

consecrulecategory

Connection security rule category

defaultexemptions

Valid values: none, neighbordiscovery, icmp, dhcp, notconfigured

Configures the default IPsec exemptions. The default is to exempt IPv6 neighbor discovery and DHCP from IPsec so that a host can still obtain an address and resolve its neighbors before any security association exists.

firewallrulecategory

Firewall rule category

forcedh

Valid values: yes, no

Configures whether a Diffie-Hellman exchange is required to derive main mode key material. Leave this at yes unless you must interoperate with a peer that cannot perform the exchange.

ipsecthroughnat

Valid values: never, serverbehindnat, serverandclientbehindnat, notconfigured

Configures when security associations can be established with a computer behind a network address translator

keylifetime

Sets the main mode (IKE) key lifetime in minutes and in number of sessions, in the netsh form minutes followed by sessions (for example 480min,0sess, where 0 sessions means no per-session limit)

saidletimemin

Configures the security association idle time in minutes

secmethods

Configures the main mode proposal list (DH group, encryption and integrity algorithms), offered to the peer in the order given

statefulftp

Valid values: enable, disable, notconfigured

Enables or disables stateful FTP inspection, the application-layer gateway that opens FTP data-channel ports dynamically

statefulpptp

Valid values: enable, disable, notconfigured

Enables or disables stateful PPTP inspection, the application-layer gateway that tracks GRE traffic for PPTP tunnels

stealthrulecategory

Stealth rule category

strongcrlcheck

Configures how strictly certificate revocation list (CRL) checking is enforced for certificate-based IPsec authentication

Parameters

The following parameters are available in the windows_firewall_global type.

name

namevar

Not used: the global settings are a per-host singleton, so the title only serves as a reference for other resources to depend on

provider

The specific backend to use for this windows_firewall_global resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
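The manifest below is an added example, not taken from the module's own documentation, showing how the global properties fit together to harden IPsec negotiation and switch off the stateful FTP and PPTP inspectors. The title is arbitrary because the type ignores it. The value formats for keylifetime, secmethods and defaultexemptions follow the netsh advfirewall "set global" syntax and are an assumption here; check them against `netsh advfirewall show global` on a target host before rolling out.

```puppet
# Added example: tighten machine-wide IPsec settings with windows_firewall_global.
# The resource title is not used by the type, so any string works.
windows_firewall_global { 'global':
  # Require a Diffie-Hellman exchange for main mode key material.
  forcedh           => 'yes',

  # Keep the stack bootable (neighbor discovery, DHCP) but do not exempt ICMP,
  # so ping and traceroute to this host also fall under the IPsec rules.
  # Array form is an assumption; netsh takes a comma-separated list.
  defaultexemptions => ['neighbordiscovery', 'dhcp'],

  # Only accept NAT traversal when the server side is behind the NAT;
  # 'serverandclientbehindnat' is the most permissive choice.
  ipsecthroughnat   => 'serverbehindnat',

  # Both ALGs open ports dynamically based on packet contents; disable them
  # unless the host actually serves FTP or terminates PPTP.
  statefulftp       => 'disable',
  statefulpptp      => 'disable',

  # Rekey main mode every 8 hours, no session-count limit (netsh format, assumed).
  keylifetime       => '480min,0sess',

  # Tear down idle security associations after 5 minutes.
  saidletimemin     => '5',

  # Proposal list in preference order: DH group 14 with AES-256/SHA-256 first,
  # then a weaker fallback for older peers (netsh format, assumed).
  secmethods        => 'dhgroup14:aes256-sha256,dhgroup14:aes128-sha1',
}
```

Because these settings are global, put the resource in a single profile class applied to every Windows node rather than alongside individual rules; two manifests disagreeing on secmethods would otherwise flap on every run.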

windows_firewall_group

Enable/Disable windows firewall group

Properties

The following properties are available in the windows_firewall_group type.

enabled

Valid values: true, false

Whether the rule group is enabled (true or false)

Default value: true

Parameters

The following parameters are available in the windows_firewall_group type.

name

namevar

Name of the rule group to enable/disable

provider

The specific backend to use for this windows_firewall_group resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

windows_firewall_ipsec_rule

Manage a Windows Firewall connection security (IPsec) rule

Properties

The following properties are available in the windows_firewall_ipsec_rule type.

description

Free-text description of the rule

Default value: ''

display_group

Group the rule belongs to, as reported by Windows (read-only)

display_name

Specifies the localized, user-facing name of the firewall rule being created

enabled

Valid values: true, false

Whether the rule is administratively enabled (true or false)

Default value: true

ensure

Valid values: present, absent

How to ensure this firewall rule (present or absent)

Default value: present

inbound_security

Valid values: none, require, request

Degree of IPsec enforcement on inbound traffic: none (no protection), request (protect if the peer can negotiate it, otherwise accept clear text) or require (drop packets that are not authenticated)

Default value: none

interface_type

Valid values: any, wired, wireless, remote_access

Specifies that only network connections made through the indicated interface types are subject to the requirements of this rule

Default value: any

local_address

Specifies that network packets with matching local IP addresses match this rule (hostnames are not allowed); use an array to pass more than one

Default value: any

local_port

Specifies that network packets with matching local port numbers match this rule; use an array to pass more than one

Default value: any

mode

Valid values: none, transport, tunnel

Specifies the type of IPsec mode connection that the IPsec rule defines (None, Transport, or Tunnel)

Default value: transport

outbound_security

Valid values: none, require, request

Degree of IPsec enforcement on outbound traffic: none (no protection), request (protect if the peer can negotiate it, otherwise send clear text) or require (do not send unless the connection is authenticated)

Default value: none

phase1auth_set

Valid values: none, default, computerkerberos, anonymous

Phase 1 (main mode) authentication set used by this rule: none, the default set, computer Kerberos, or anonymous

phase2auth_set

Valid values: none, default, userkerberos

Phase 2 (quick mode) authentication set used by this rule: none, the default set, or user Kerberos

profile

Valid values: domain, private, public, any

Specifies one or more profiles to which the rule is assigned; use an array to pass more than one

Default value: any

protocol

Valid values: tcp, udp, icmpv4, icmpv6, or a numeric IP protocol number from 0 to 255 (matched by %r{^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$})

This parameter specifies the protocol for an IPsec rule

remote_address

Specifies that network packets with matching remote IP addresses match this rule (hostnames are not allowed); use an array to pass more than one

Default value: any

remote_port

Remote port numbers that match this rule; use an array to pass more than one

Default value: any

Parameters

The following parameters are available in the windows_firewall_ipsec_rule type.

name

namevar

Name of this rule

provider

The specific backend to use for this windows_firewall_ipsec_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
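An added example, not from the module's documentation, of a connection security rule that forces IPsec on the administrative protocols of a server while letting ordinary traffic through untouched. The subnets, ports and display strings are illustrative assumptions.

```puppet
# Added example: require authenticated IPsec for inbound SMB and RDP from the
# management subnets. Everything not matched by this rule is unaffected, so the
# ordinary firewall rules still decide what is reachable.
windows_firewall_ipsec_rule { 'puppet - require ipsec for admin protocols':
  ensure            => present,
  display_name      => 'Require IPsec for admin protocols',
  description       => 'Managed by Puppet: inbound SMB and RDP must be authenticated',
  enabled           => true,
  profile           => ['domain', 'private'],
  mode              => 'transport',
  protocol          => 'tcp',
  local_port        => ['445', '3389'],          # SMB and RDP
  remote_address    => ['10.10.0.0/24', '10.10.1.0/24'],  # assumed admin subnets
  interface_type    => 'wired',

  # Inbound packets that are not authenticated are dropped.
  inbound_security  => 'require',
  # Replies are protected when the peer negotiates it but may fall back to
  # clear text; raise this to 'require' once every admin host can do IPsec.
  outbound_security => 'request',

  # Authenticate the machine in main mode and the user in quick mode, both via
  # Kerberos, so a stolen user credential on an unjoined box still fails phase 1.
  phase1auth_set    => 'computerkerberos',
  phase2auth_set    => 'userkerberos',
}
```

Pair this with a windows_firewall_rule for the same ports that sets authentication to required; the IPsec rule negotiates the security association, while the firewall rule is what decides whether the authenticated traffic is allowed at all.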

windows_firewall_profile

Enable/Disable windows firewall profile

Properties

The following properties are available in the windows_firewall_profile type.

filename

Name and location of the firewall log

firewallpolicy

Configures the default inbound and outbound behaviour for traffic no rule matches, in netsh form (for example blockinbound,allowoutbound)

inboundusernotification

Valid values: enable, disable, notconfigured

Notify user when a program listens for inbound connections

localconsecrules

Valid values: enable, disable, notconfigured

Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store

localfirewallrules

Valid values: enable, disable, notconfigured

Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store

logallowedconnections

Valid values: enable, disable, notconfigured

Log allowed connections

logdroppedconnections

Valid values: enable, disable, notconfigured

Log dropped connections

maxfilesize

Maximum size of the log file in KB

remotemanagement

Valid values: enable, disable, notconfigured

Allow remote management of Windows Firewall

state

Valid values: on, off, true, false

State of this firewall profile

unicastresponsetomulticast

Valid values: enable, disable, notconfigured

Controls whether unicast responses to multicast or broadcast traffic this host sent are allowed back in (stateful); disabling it closes a common way of eliciting replies from a host that otherwise blocks inbound traffic

Parameters

The following parameters are available in the windows_firewall_profile type.

name

namevar

Name of the profile to work on

provider

The specific backend to use for this windows_firewall_profile resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
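The manifest below is an added example, not from the module's own documentation, that puts all three profiles into a deny-inbound posture with drop logging and disables one of the built-in rule groups via windows_firewall_group. The group title is the Windows display-group name for file and printer sharing and is an assumption here, as are the log path and size; the firewallpolicy value follows the netsh syntax.

```puppet
# Added example: baseline profile settings for every Windows node.
windows_firewall_profile { ['domain', 'private', 'public']:
  state                      => 'on',
  # Default deny inbound, allow outbound (netsh format, assumed).
  firewallpolicy             => 'blockinbound,allowoutbound',
  # Users must not be able to self-approve a new listener from a pop-up.
  inboundusernotification    => 'disable',
  # Firewall configuration comes from Puppet, not from remote MMC sessions.
  remotemanagement           => 'disable',
  # Do not answer unicast replies to multicast/broadcast we sent.
  unicastresponsetomulticast => 'disable',
  # Drops are the signal worth shipping to the SIEM; allowed-connection logging
  # is noisy and mostly duplicates what the endpoint agent already sees.
  logdroppedconnections      => 'enable',
  logallowedconnections      => 'disable',
  filename                   => '%systemroot%\system32\LogFiles\Firewall\pfirewall.log',
  maxfilesize                => '16384',   # KB, i.e. 16 MB before the log wraps
}

# Added example: switch off an entire built-in rule group instead of chasing its
# individual rules. The group name is the Windows display-group string (assumed).
windows_firewall_group { 'File and Printer Sharing':
  enabled => false,
}
```

Disabling a group is the right tool when Windows ships several rules under one heading (SMB, NetBIOS, ICMP echo for sharing); setting enabled to false on the group leaves the rules in place for later auditing but stops them matching traffic.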

windows_firewall_rule

Manage a Windows Firewall rule

Properties

The following properties are available in the windows_firewall_rule type.

action

Valid values: block, allow

What to do when this rule matches (allow or block)

authentication

Valid values: notrequired, required, noencap

Whether IPsec authentication is required for traffic to match this rule: notrequired, required, or noencap (authentication required but the packets may use null encapsulation, so they are authenticated without being wrapped in IPsec)

Default value: notrequired

description

Description of this rule

Default value: ''

direction

Valid values: inbound, outbound

Direction the rule applies to (inbound/outbound)

display_group

group that the rule belongs to (read-only)

display_name

Display name for this rule

edge_traversal_policy

Valid values: block, allow, defer_to_user, defer_to_app

Controls whether unsolicited inbound traffic that arrives through an edge device such as a NAT or via a tunnelling transition technology (for example Teredo) is allowed to match this rule: block, allow, defer_to_user or defer_to_app. See: https://serverfault.com/questions/89824/windows-advanced-firewall-what-does-edge-traversal-mean#89846

Default value: block

enabled

Valid values: true, false

Whether the rule is enabled (true or false)

Default value: true

encryption

Valid values: notrequired, required, dynamic

Whether IPsec encryption is required in addition to authentication for traffic to match this rule: notrequired, required, or dynamic (the peers negotiate encryption per connection). Only meaningful when authentication is set to something other than notrequired

Default value: notrequired

ensure

Valid values: present, absent

How to ensure this firewall rule (present or absent)

Default value: present

icmp_type

ICMP type and optional code to match (only with protocol icmpv4 or icmpv6).

Values should be:

  • Just the type, e.g. 3: an ICMP type code from 0 through 255
  • A type:code pair, e.g. 3:4 (type 3, code 4)
  • any
interface_type

Valid values: any, wired, wireless, remote_access

Interface types this rule applies to

Default value: any

local_address

The local IP address(es) the rule targets (hostnames are not allowed); use an array to pass more than one

Default value: any

local_port

The local port(s) the rule targets; use an array to pass more than one

local_user

Restricts the rule to traffic of the indicated local user accounts

Default value: any

profile

Valid values: domain, private, public, any

Which profile(s) this rule belongs to; use an array to pass more than one

Default value: any

program

Path to program this rule applies to

Default value: any

protocol

Valid values: any, tcp, udp, icmpv4, icmpv6, %r{^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$}

The protocol the rule targets; a bare number is an IP protocol number

Default value: any

remote_address

The remote IP address(es) the rule targets (hostnames are not allowed); use an array to pass more than one

Default value: any

remote_machine

Restricts the rule to traffic from the indicated remote computer accounts. Only takes effect when authentication is set to required or noencap, since the remote computer identity is established by IPsec

Default value: any

remote_port

The remote port(s) the rule targets; use an array to pass more than one

Default value: any

remote_user

Restricts the rule to traffic from the indicated remote user accounts. Only takes effect when authentication is set to required or noencap, since the remote user identity is established by IPsec

Default value: any

service

Service name(s) this rule applies to

Default value: any

Parameters

The following parameters are available in the windows_firewall_rule type.

name

namevar

Name of this rule

provider

The specific backend to use for this windows_firewall_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
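Three rules as an added example, not from the module's documentation: RDP admitted only from a jump-host subnet and only over authenticated, encrypted IPsec from named computer accounts; ICMP echo requests from one monitoring host; and an explicit outbound block of a program on the public profile. The addresses, the program path, the group SID and the SDDL string are illustrative assumptions; the SDDL form is what netsh uses for remote computer groups and is assumed to pass through unchanged.

```puppet
# Added example: RDP reachable only from the jump hosts, and only once the peer
# has authenticated as a member of a specific computer group over IPsec.
windows_firewall_rule { 'puppet - rdp from jump hosts':
  ensure               => present,
  display_name         => 'RDP from jump hosts (authenticated)',
  description          => 'Managed by Puppet',
  direction            => 'inbound',
  action               => 'allow',
  protocol             => 'tcp',
  local_port           => '3389',
  remote_address       => '10.10.0.0/24',       # assumed jump-host subnet
  profile              => ['domain'],
  # Unauthenticated packets never match this rule, so a spoofed source address
  # from the jump-host range gains nothing.
  authentication       => 'required',
  encryption           => 'required',
  # SDDL granting the rule to one computer group (SID is illustrative).
  remote_machine       => 'O:LSD:(A;;CC;;;S-1-5-21-1234567890-1234567890-1234567890-1105)',
  edge_traversal_policy => 'block',            # never via NAT/Teredo
}

# Added example: allow only echo request (type 8) from the monitoring host,
# rather than icmp_type => 'any', which would also admit redirects and
# router advertisements.
windows_firewall_rule { 'puppet - icmp echo from monitoring':
  ensure         => present,
  direction      => 'inbound',
  action         => 'allow',
  protocol       => 'icmpv4',
  icmp_type      => '8',
  remote_address => '10.10.2.5',               # assumed monitoring host
  profile        => 'any',
}

# Added example: outbound is allowed by default, so a block rule is needed to
# stop a specific program talking out while on untrusted networks.
windows_firewall_rule { 'puppet - block outbound powershell on public':
  ensure    => present,
  direction => 'outbound',
  action    => 'block',
  protocol  => 'any',
  program   => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
  profile   => ['public'],
  enabled   => true,
}
```

After a run, confirm the rules landed as intended with `netsh advfirewall firewall show rule name="puppet - rdp from jump hosts" verbose`; the Security and RemoteComputerGroup fields show whether the authentication and computer-group restrictions were applied, which the plain (non-verbose) output omits.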