windows_firewall_rule has potentially dangerous defaults #8811

Happycoil opened this issue Aug 13, 2019 · 0 comments

The default behavior of windows_firewall_rule if the rule doesn't exist is to create an "any any any" rule which opens for all traffic on any port. If you intend to enable a default rule like so:

windows_firewall_rule "SomeDefaultRule With A Verbose Nam-AndPorts" do
  enabled true
end

It'll create a new rule without giving any feedback to the user that the name was misspelled and you just inadvertently opened up your firewall to anything. This problem is compounded by the fact that the resource relies on the Name attribute internally, but DisplayName is surfaced in the GUI. Multiple default rules with different Names and identical DisplayNames exist.

I'd suggest we change the defaults, perhaps defaulting firewall_action to :block. That would mean having to explicitly pass a firewall_action for all new rules, but it would be safer.

Chef Version


Platform Version
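
A pre-flight check for the failure mode reported above, as an added example that is not part of the original issue and is not Chef's code: it classifies what a `windows_firewall_rule` declaration would do against a rule inventory, and lists the internal Names behind a matching DisplayName. The `preflight` helper, the inventory rows, the scoping property names and the `:allow` default (taken from the issue's description of current behaviour) are assumptions.

```ruby
# Added example (hypothetical helper, not Chef's implementation).
# Inventory rows are constructed; on a real node they would be exported from
# Get-NetFirewallRule, which reports both Name and DisplayName.
INVENTORY = [
  { name: "Example-Svc-In-TCP",  display_name: "Example Service (In)" },
  { name: "Example-Svc-In-UDP",  display_name: "Example Service (In)" },
  { name: "Example-Mgmt-In-TCP", display_name: "Example Management (In)" },
].freeze

# Properties that narrow a rule. Names are assumed to mirror the resource's.
SCOPE_KEYS = %i[local_port remote_port local_address remote_address program service].freeze

# Classify a declaration before converging it.
#   :updates_existing        - a rule with this internal Name already exists
#   :creates_allow_any       - no such Name, and nothing restricts the new rule
#   :creates_scoped_or_block - no such Name, but the new rule is scoped or blocks
# :candidates holds Names whose DisplayName equals the string that was passed,
# i.e. the GUI label was used where the internal Name was required.
def preflight(rule_name, props, inventory)
  if inventory.any? { |r| r[:name] == rule_name }
    return { verdict: :updates_existing, candidates: [] }
  end

  candidates = inventory.select { |r| r[:display_name] == rule_name }
                        .map { |r| r[:name] }
  scoped = SCOPE_KEYS.any? { |k| !props[k].nil? }
  # Assumption from the issue text: an omitted firewall_action means allow.
  allows = props.fetch(:firewall_action, :allow) == :allow
  verdict = allows && !scoped ? :creates_allow_any : :creates_scoped_or_block
  { verdict: verdict, candidates: candidates }
end

# Constructed declarations: a GUI label, a misspelled Name, and a correct Name.
[
  ["Example Service (In)", { enabled: true }],
  ["Exmaple-Svc-In-TCP",   { enabled: true }],
  ["Example-Svc-In-TCP",   { enabled: true }],
].each do |name, props|
  result = preflight(name, props, INVENTORY)
  puts "#{name.inspect}: #{result[:verdict]} #{result[:candidates].inspect}"
end
```

Failing the converge or a CI lint step on `:creates_allow_any` gives the feedback the issue asks for without changing the resource's defaults.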

