Update win_firewall_rule.py to include ICMP echo (ping) example #55013

Open
wants to merge 3 commits into
base: devel
from

@dlitster

commented Apr 8, 2019

Added example of enabling ICMP protocol, as ping is commonly used for troubleshooting in automation scenarios. Equivalent netsh command is:
netsh advfirewall firewall add rule name='ICMP Allow incoming V4 echo request' protocol=icmpv4:8,any dir=in action=allow

+label: docsite_pr

SUMMARY
ISSUE TYPE
  • Bugfix Pull Request
  • Docs Pull Request
  • Feature Pull Request
  • New Module Pull Request
COMPONENT NAME
ADDITIONAL INFORMATION

Update win_firewall_rule.py
Added example of enabling ICMP protocol, as ping is commonly used for troubleshooting in automation scenarios.  Equivalent netsh command is: 
netsh advfirewall firewall add rule name='ICMP Allow incoming V4 echo request' protocol=icmpv4:8,any dir=in action=allow

+label: docsite_pr
@dlitster

Author

commented Apr 8, 2019

It wasn't clear to me from the documentation how to enable alternate protocols whose Windows commands included strange protocol descriptors. This task worked for me, so I thought I'd add it.

@ansibot

Contributor

commented Apr 8, 2019

@ansibot

Contributor

commented Apr 8, 2019

The test ansible-test sanity --test pep8 [explain] failed with 2 errors:

lib/ansible/modules/windows/win_firewall_rule.py:125:1: W293 blank line contains whitespace
lib/ansible/modules/windows/win_firewall_rule.py:126:52: W291 trailing whitespace

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/modules/windows/win_firewall_rule.py:126:2: E311 EXAMPLES is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 1 error:

lib/ansible/modules/windows/win_firewall_rule.py:126:2: error EXAMPLES: syntax error: expected <block end>, but found '<block sequence start>'


Remove yaml-breaking space
Removed extraneous space that caused validation to fail.
@dlitster
Author

left a comment

Fixed whitespace that broke yaml validation.

@ansibot ansibot removed the ci_verified label Apr 9, 2019

@ansibot

Contributor

commented Apr 9, 2019

The test ansible-test sanity --test pep8 [explain] failed with 2 errors:

lib/ansible/modules/windows/win_firewall_rule.py:125:1: W293 blank line contains whitespace
lib/ansible/modules/windows/win_firewall_rule.py:126:51: W291 trailing whitespace


@ansibot ansibot added the ci_verified label Apr 9, 2019

@@ -122,4 +122,14 @@
profiles: private
state: present
enabled: yes

@jborean93

jborean93 Apr 9, 2019

Contributor

There's 4 spaces here that need to be removed.

@@ -122,4 +122,14 @@
profiles: private
state: present
enabled: yes
- name: Firewall rule to allow ICMP v4 echo (ping)

@jborean93

jborean93 Apr 9, 2019

Contributor

You have some whitespace at the end of this line that needs to be removed

- name: Firewall rule to allow ICMP v4 echo (ping)
win_firewall_rule:
name: ICMP Allow incoming V4 echo request

@jborean93

jborean93 Apr 9, 2019

Contributor

Is there not already a builtin rule that we can just enable?

profiles: private
action: allow
direction: in
protocol: "icmpv4:8,any"
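
Review bot: On the `protocol: "icmpv4:8,any"` line, the example relies on a netsh-style type/code suffix that the module documentation does not describe, so a reader cannot tell whether the resulting rule is restricted to echo request (type 8) or admits all ICMPv4. Nothing visible in this hunk shows the `:8,any` part being applied, so please confirm on a test host that the created rule is limited to type 8 and add a sentence to the example saying so. The task also sets `profiles: private`, while the netsh command given as its equivalent in the description carries no profile restriction; either state that difference or align the two.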

@jborean93

jborean93 Apr 9, 2019

Contributor

Is there any documentation around this protocol?

@dlitster

dlitster Apr 12, 2019

Author

> Is there not already a builtin rule that we can just enable?

I didn't find one, and none of the examples on the internet worked for me, e.g.

    - name: Allow ICMP
      win_firewall_rule:
        name: File and Printer Sharing (Echo Request - ICMPv4-In)
        action: allow
        direction: in
        enabled: yes

from #32478

Environment:
ansible 2.7.9 on OSX via homebrew
Windows 7 SP1, Windows 8.1, Windows 10 update 1809

> Is there any documentation around this protocol?

I didn't find any ansible documentation around this, but there are many examples on the internet of using the "netsh advfirewall" command to accomplish this:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
https://www.howtogeek.com/howto/windows-vista/allow-pings-icmp-echo-request-through-your-windows-vista-firewall/

I found this switch statement in ansible/lib/ansible/modules/windows/win_firewall_rule.ps1 that suggests this is possible, but I don't know how ansible is invoking that script...
    switch -wildcard ($protocol) {
        "tcp" { return [System.Net.Sockets.ProtocolType]::Tcp -as [int] }
        "udp" { return [System.Net.Sockets.ProtocolType]::Udp -as [int] }
        "icmpv4*" { return [System.Net.Sockets.ProtocolType]::Icmp -as [int] }
        "icmpv6*" { return [System.Net.Sockets.ProtocolType]::IcmpV6 -as [int] }
        default { throw "Unknown protocol '$protocol'." }
    }

Apologies for the delay in responding.
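
The switch quoted in the comment above returns only a protocol number, so a descriptor such as `icmpv4:8,any` and a bare `icmpv4` come out identical. The sketch below is an added example, not code from the PR or from the Ansible module: it mirrors that wildcard match in Python and sets it beside a strict parser for the netsh `type,code` form. The function names are hypothetical, and whether the module applies the suffix elsewhere is not shown on this page.

```python
import fnmatch

# IANA protocol numbers; System.Net.Sockets.ProtocolType uses the same values.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmpv4": 1, "icmpv6": 58}
# Patterns in the order of the switch quoted in the comment above.
SWITCH_PATTERNS = (("tcp", "tcp"), ("udp", "udp"),
                   ("icmpv4*", "icmpv4"), ("icmpv6*", "icmpv6"))


def wildcard_protocol(descriptor):
    """Mirror the quoted switch: wildcard match, protocol number only."""
    lowered = descriptor.lower()  # PowerShell's switch is case-insensitive
    for pattern, name in SWITCH_PATTERNS:
        if fnmatch.fnmatchcase(lowered, pattern):
            return PROTOCOL_NUMBERS[name]
    raise ValueError("Unknown protocol %r." % descriptor)


def _field(text):
    """Convert one type/code field; None stands for netsh's 'any'."""
    text = text.strip()
    if text == "any":
        return None
    value = int(text)  # ValueError on non-numeric input
    if not 0 <= value <= 255:
        raise ValueError("ICMP type/code out of range: %d" % value)
    return value


def parse_descriptor(descriptor):
    """Hypothetical strict parser: returns (protocol, icmp_type, icmp_code)."""
    name, sep, suffix = descriptor.lower().partition(":")
    if name not in PROTOCOL_NUMBERS:
        raise ValueError("Unknown protocol %r." % descriptor)
    if not sep:
        return PROTOCOL_NUMBERS[name], None, None
    parts = suffix.split(",")
    if not name.startswith("icmp") or len(parts) != 2:
        raise ValueError("Expected icmpv4|icmpv6:type,code, got %r" % descriptor)
    return PROTOCOL_NUMBERS[name], _field(parts[0]), _field(parts[1])


def restriction_dropped(descriptor):
    """True when the wildcard result cannot express the parsed type/code."""
    _, icmp_type, icmp_code = parse_descriptor(descriptor)
    wildcard_protocol(descriptor)  # raises if the switch would reject it
    return icmp_type is not None or icmp_code is not None
```

A wildcard match also accepts malformed suffixes that the strict parser rejects, which is why validating the descriptor before creating the rule is the safer check.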

@ansibot ansibot removed the needs_triage label Apr 9, 2019
