windows_firewall_rule has potentially dangerous defaults #8811

Open
Happycoil opened this issue Aug 13, 2019 · 0 comments

Comments

@Happycoil
Contributor

commented Aug 13, 2019

Description

The default behavior of windows_firewall_rule if the rule doesn't exist is to create an "any any any" rule which opens for all traffic on any port. If you intend to enable a default rule like so:

windows_firewall_rule "SomeDefaultRule With A Verbose Nam-AndPorts" do
  enabled true
end

It'll create a new rule without giving any feedback to the user that the name was misspelled and you just inadvertently opened up your firewall to anything. This problem is compounded by the fact that the resource relies on the Name attribute internally, but DisplayName is surfaced in the GUI. Multiple default rules with different Names and identical DisplayNames exist.

I'd suggest we change the defaults, perhaps defaulting firewall_action to :block. That would mean having to explicitly pass a firewall_action for all new rules, but it would be safer.

Chef Version

14.7

Platform Version

Windows
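
A preflight check for the failure mode described in the issue, added here as an example; it is not part of the original post and is not Chef's code. It compares the rule names a recipe intends to enable against an exported inventory of existing rules, so a misspelled name or a DisplayName used in place of a Name is caught before converge. The inventory rows, rule names and the function names `classify_rule` and `preflight` are constructed for illustration.

```ruby
# Added example, not Chef's code. The inventory below is constructed sample
# data; on a real host it could be exported with
# `Get-NetFirewallRule | Select-Object Name, DisplayName`.
INVENTORY = [
  { name: 'Sample-Svc-In-TCP',         display_name: 'Sample Service (TCP-In)' },
  { name: 'Sample-Svc-In-TCP-NoScope', display_name: 'Sample Service (TCP-In)' },
  { name: 'Sample-Mgmt-In',            display_name: 'Sample Management (In)' }
].freeze

# Classify one rule name a recipe intends to enable.
#   :exists       - matches a rule's Name; the resource acts on that rule
#   :display_name - matches exactly one DisplayName; the recipe should use
#                   the returned Name instead
#   :ambiguous    - matches several DisplayNames; pick a Name by hand
#   :missing      - matches nothing; per the issue, the resource would
#                   create a new rule with its permissive defaults
def classify_rule(requested, inventory)
  # Exact string comparison; normalise case first if your export differs.
  return { status: :exists, names: [requested] } if inventory.any? { |r| r[:name] == requested }

  hits = inventory.select { |r| r[:display_name] == requested }.map { |r| r[:name] }
  status = case hits.size
           when 0 then :missing
           when 1 then :display_name
           else :ambiguous
           end
  { status: status, names: hits }
end

# Return only the requested names that should not be converged as written.
def preflight(requested_names, inventory)
  requested_names.each_with_object({}) do |name, problems|
    result = classify_rule(name, inventory)
    problems[name] = result unless result[:status] == :exists
  end
end

if __FILE__ == $PROGRAM_NAME
  wanted = ['Sample-Svc-In-TCP', 'Sample Service (TCP-In)',
            'Sample Management (In)', 'Sample-Mgmt-Inn']
  preflight(wanted, INVENTORY).each do |name, r|
    puts format('%-26s %-13s %s', name, r[:status], r[:names].join(', '))
  end
end
```

Until the defaults change, a recipe that creates a rule on purpose can also pass `firewall_action` and the port and address properties explicitly rather than relying on them.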
