W3cubDocs

/SaltStack

salt.modules.win_firewall

Module for configuring Windows Firewall using netsh

salt.modules.win_firewall.add_rule(name, localport, protocol='tcp', action='allow', dir='in', remoteip='any')

New in version 2015.5.0.

Add a new inbound or outbound rule to the firewall policy

Parameters:
  • name (str) -- The name of the rule. Must be unique and cannot be "all". Required.
  • localport (int) -- The port the rule applies to. Must be a number between 0 and 65535. Can be a range. Can specify multiple ports separated by commas. Required.
  • protocol (Optional[str]) --

    The protocol. Can be any of the following:

    • A number between 0 and 255
    • icmpv4
    • icmpv6
    • tcp
    • udp
    • any
  • action (Optional[str]) --

    The action the rule performs. Can be any of the following:

    • allow
    • block
    • bypass
  • dir (Optional[str]) -- The direction. Can be in or out.
  • remoteip (Optional [str]) --

    The remote IP. Can be any of the following:

    • any
    • localsubnet
    • dns
    • dhcp
    • wins
    • defaultgateway
    • Any valid IPv4 address (192.168.0.12)
    • Any valid IPv6 address (2002:9b3b:1a31:4:208:74ff:fe39:6c43)
    • Any valid subnet (192.168.1.0/24)
    • Any valid range of IP addresses (192.168.0.1-192.168.0.12)
    • A list of valid IP addresses

    Can be combinations of the above separated by commas.
Returns:

True if successful
Return type:

bool
Raises:

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.add_rule 'test' '8080' 'tcp'
salt '*' firewall.add_rule 'test' '1' 'icmpv4'
salt '*' firewall.add_rule 'test_remote_ip' '8000' 'tcp' 'allow' 'in' '192.168.0.1'

salt.modules.win_firewall.delete_rule(name=None, localport=None, protocol=None, dir=None, remoteip=None)

New in version 2015.8.0.

Delete an existing firewall rule identified by name and optionally by ports, protocols, direction, and remote IP.

Parameters:
  • name (str) -- The name of the rule to delete. If the name all is used you must specify additional parameters.
  • localport (Optional[str]) -- The port of the rule. If protocol is not specified, protocol will be set to tcp
  • protocol (Optional[str]) -- The protocol of the rule. Default is tcp when localport is specified
  • dir (Optional[str]) -- The direction of the rule.
  • remoteip (Optional[str]) -- The remote IP of the rule.
Returns:

True if successful
Return type:

bool
Raises:

CommandExecutionError -- If the command fails

CLI Example:

# Delete incoming tcp port 8080 in the rule named 'test'
salt '*' firewall.delete_rule 'test' '8080' 'tcp' 'in'

# Delete the incoming tcp port 8000 from 192.168.0.1 in the rule named
# 'test_remote_ip'
salt '*' firewall.delete_rule 'test_remote_ip' '8000' 'tcp' 'in' '192.168.0.1'

# Delete all rules for local port 80:
salt '*' firewall.delete_rule all 80 tcp

# Delete a rule called 'allow80':
salt '*' firewall.delete_rule allow80

salt.modules.win_firewall.disable(profile='allprofiles')

Disable firewall profile

Parameters: profile (Optional[str]) --

The name of the profile to disable. Default is allprofiles. Valid options are:

  • allprofiles
  • domainprofile
  • privateprofile
  • publicprofile
Returns: True if successful
Return type: bool
Raises: CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.disable

salt.modules.win_firewall.enable(profile='allprofiles')

New in version 2015.5.0.

Enable firewall profile

Parameters: profile (Optional[str]) --

The name of the profile to enable. Default is allprofiles. Valid options are:

  • allprofiles
  • domainprofile
  • privateprofile
  • publicprofile
Returns: True if successful
Return type: bool
Raises: CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.enable

salt.modules.win_firewall.get_all_profiles(store='local')

Gets all properties for all profiles in the specified store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters: store (str) --

The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

  • lgpo
  • local

Default is local
Returns: A dictionary containing the specified settings for each profile
Return type: dict

CLI Example:

# Get all firewall settings for all profiles
salt * firewall.get_all_settings

# Get all firewall settings for all profiles as defined by local group
# policy

salt * firewall.get_all_settings lgpo

salt.modules.win_firewall.get_all_settings(domain, store='local')

Gets all the properties for the specified profile in the specified store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain
    • public
    • private
  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

A dictionary containing the specified settings
Return type:

dict

CLI Example:

# Get all firewall settings for connections on the domain profile
salt * win_firewall.get_all_settings domain

# Get all firewall settings for connections on the domain profile as
# defined by local group policy
salt * win_firewall.get_all_settings domain lgpo

salt.modules.win_firewall.get_config()

Get the status of all the firewall profiles

Returns: A dictionary of all profiles on the system
Return type: dict
Raises: CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.get_config

salt.modules.win_firewall.get_rule(name='all')

New in version 2015.5.0.

Display all matching rules as specified by name

Parameters: name (Optional[str]) -- The full name of the rule. all will return all rules. Default is all
Returns: A dictionary of all rules or rules that match the name exactly
Return type: dict
Raises: CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.get_rule 'MyAppPort'

salt.modules.win_firewall.get_settings(profile, section, store='local')

Get the firewall property from the specified profile in the specified store as returned by netsh advfirewall.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain
    • public
    • private
  • section (str) --

    The property to query within the selected profile. Valid options are:

    • firewallpolicy : inbound/outbound behavior
    • logging : firewall logging settings
    • settings : firewall properties
    • state : firewalls state (on | off)
  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

A dictionary containing the properties for the specified profile
Return type:

dict
Raises:
  • CommandExecutionError -- If an error occurs
  • ValueError -- If the parameters are incorrect

CLI Example:

# Get the inbound/outbound firewall settings for connections on the
# local domain profile
salt * win_firewall.get_settings domain firewallpolicy

# Get the inbound/outbound firewall settings for connections on the
# domain profile as defined by local group policy
salt * win_firewall.get_settings domain firewallpolicy lgpo

salt.modules.win_firewall.rule_exists(name)

New in version 2016.11.6.

Checks if a firewall rule exists in the firewall policy

Parameters: name (str) -- The name of the rule
Returns: True if exists, otherwise False
Return type: bool

CLI Example:

# Is there a rule named RemoteDesktop
salt '*' firewall.rule_exists RemoteDesktop

salt.modules.win_firewall.set_firewall_settings(profile, inbound=None, outbound=None, store='local')

Set the firewall inbound/outbound settings for the specified profile and store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain
    • public
    • private
  • inbound (str) --

    The inbound setting. If None is passed, the setting will remain unchanged. Valid values are:

    • blockinbound
    • blockinboundalways
    • allowinbound
    • notconfigured

    Default is None

  • outbound (str) --

    The outbound setting. If None is passed, the setting will remain unchanged. Valid values are:

    • allowoutbound
    • blockoutbound
    • notconfigured

    Default is None

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

True if successful
Return type:

bool
Raises:
  • CommandExecutionError -- If an error occurs
  • ValueError -- If the parameters are incorrect

CLI Example:

# Set the inbound setting for the domain profile to block inbound
# connections
salt * firewall.set_firewall_settings domain='domain' inbound='blockinbound'

# Set the outbound setting for the domain profile to allow outbound
# connections
salt * firewall.set_firewall_settings domain='domain' outbound='allowoutbound'

# Set inbound/outbound settings for the domain profile in the group
# policy to block inbound and allow outbound
salt * firewall.set_firewall_settings domain='domain' inbound='blockinbound' outbound='allowoutbound' store='lgpo'

salt.modules.win_firewall.set_logging_settings(profile, setting, value, store='local')

Configure logging settings for the Windows firewall.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain
    • public
    • private
  • setting (str) --

    The logging setting to configure. Valid options are:

    • allowedconnections
    • droppedconnections
    • filename
    • maxfilesize
  • value (str) --

    The value to apply to the setting. Valid values are dependent upon the setting being configured. Valid options are:

    allowedconnections:

    • enable
    • disable
    • notconfigured

    droppedconnections:

    • enable
    • disable
    • notconfigured

    filename:

    • Full path and name of the firewall log file
    • notconfigured

    maxfilesize:

    • 1 - 32767
    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

True if successful
Return type:

bool
Raises:
  • CommandExecutionError -- If an error occurs
  • ValueError -- If the parameters are incorrect

CLI Example:

# Log allowed connections and set that in local group policy
salt * firewall.set_logging_settings domain allowedconnections enable lgpo

# Don't log dropped connections
salt * firewall.set_logging_settings profile=private setting=droppedconnections value=disable

# Set the location of the log file
salt * firewall.set_logging_settings domain filename C:\windows\logs\firewall.log

# You can also use environment variables
salt * firewall.set_logging_settings domain filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

# Set the max file size of the log to 2048 Kb
salt * firewall.set_logging_settings domain maxfilesize 2048

salt.modules.win_firewall.set_settings(profile, setting, value, store='local')

Configure firewall settings.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain
    • public
    • private
  • setting (str) --

    The firewall setting to configure. Valid options are:

    • localfirewallrules
    • localconsecrules
    • inboundusernotification
    • remotemanagement
    • unicastresponsetomulticast
  • value (str) --

    The value to apply to the setting. Valid options are

    • enable
    • disable
    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

True if successful
Return type:

bool
Raises:
  • CommandExecutionError -- If an error occurs
  • ValueError -- If the parameters are incorrect

CLI Example:

# Merge local rules with those distributed through group policy
salt * firewall.set_settings domain localfirewallrules enable

# Allow remote management of Windows Firewall
salt * firewall.set_settings domain remotemanagement enable

salt.modules.win_firewall.set_state(profile, state, store='local')

Configure the firewall state.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters:
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain
    • public
    • private
  • state (str) --

    The firewall state. Valid options are:

    • on
    • off
    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo
    • local

    Default is local
Returns:

True if successful
Return type:

bool
Raises:
  • CommandExecutionError -- If an error occurs
  • ValueError -- If the parameters are incorrect

CLI Example:

# Turn the firewall off when the domain profile is active
salt * firewall.set_state domain off

# Turn the firewall on when the public profile is active and set that in
# the local group policy
salt * firewall.set_state public on lgpo

© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_firewall.html