
Manage Windows 2003 and 2008 Firewall rules with Chef

posted Jun 6, 2012, 8:01 PM by Steve Craig
Introducing Cerberus - the Microsoft Windows 2003 / 2008 firewall manager for Chef

Smashrun runs primarily on a combination of Windows 2003 and Windows 2008 servers, with VMware as the primary virtualization platform. The infrastructure supporting Smashrun is thin, as the company operates on a lean shoe-string budget. As such, primary access control is done on the nodes themselves, rather than centrally on dedicated hardware firewall devices. Additionally, there is a certain amount of dynamism to the Smashrun environment (servers, workstations, and laptops change IP addresses not infrequently) that needed to be taken into account when thinking about providing network access.

This all meant that a solution for easily managing Windows firewall rules needed to be created. Since Chef manages other aspects of Smashrun's servers, why not the Windows firewall rules? Thus Cerberus was written, in order to simplify the process of managing Windows firewall rules.

The key thought behind Cerberus' modus operandi was simple: define the permitted ports and protocols in one data bag, and the permitted IP addresses and ranges in another. Any IP inside the ip_permit data bag has access to any of the declared ports.

Windows Firewall now comes in two flavors: "netsh firewall", which is version 1 for Windows XP and 2003; and "netsh advfirewall", which is version 2 for Vista, Windows 7, 2008 and beyond. The Cerberus cookbook takes two completely different approaches to implementing firewall rules - playing to the particular available strengths, in my humble opinion - for Windows 2003 and 2008, while maintaining only one unified location and format for declaring firewall rules (a la Chef data bags).

So, for Windows 2003, there are a number of ways to manage firewall rules:
- via Group Policy (the preferred method for AD sites)
- during server build (unattend.ini file)
- netsh via settings from the Netfw.inf file (found in the following location: %windir%\Inf\Netfw.inf)
- netsh via the command line for each individual rule

Each of these is not without merit; however, the clear winner for Windows 2003, fitting quite nicely with my general "hybrid approach" to utilizing Chef, is "netsh with settings provided by the netfw.inf file". My "hybrid approach" to utilizing Chef for configuration management is simply to have Chef utilize tools that a human operator could use themselves. I like the idea of generating batch files, VBScripts, PowerShell, or SQL (via erb templates) that Chef can maintain and that human beings can then use as well.

The other two nice things about the netfw.inf method are:
1. it lends itself nicely to version control
2. Chef's built-in template handling ensures that the netsh command is only run when the template (i.e. the firewall rules) actually changes

So that is how it goes with Windows 2003. A basic template contains the general rule framework, and is fleshed out with the contents of two data bags: one bag that contains the permitted IPs (either hosts or network ranges), and a second bag that contains the permitted ports and protocols.

When the Windows Firewall log file is enabled, Windows Firewall generates a plaintext security log file (Pfirewall.log), which is found at %Windir%\pfirewall.log. The security log has two sections: the header and the body.

For Windows 2008, Microsoft removed the netfw.inf functionality, and also began storing firewall rule references inside the registry. These two things complicated matters a bit; however, my cookbook "kronos", which manages Windows 2003 and 2008 Scheduled Tasks, needs to support similar requirements on Windows 2008, so I borrowed a bit from that.

The Windows 2008 version of Cerberus uses exactly the same data bags as 2003; however, all rule names are prefixed with "cerberus_", and those managed rules are destroyed and re-created on each run. In some ways, this is not quite as elegant as the templated method used for Windows 2003 (y u do extra work?), but it does have the advantage of supporting the coexistence of managed and non-managed firewall rules.
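As an added example (not the Cerberus cookbook's own code), the Ruby script below turns two data-bag-style hashes into the netsh advfirewall delete/add commands that the Windows 2008 approach described above would run: every managed rule carries the "cerberus_" prefix, is deleted and then re-created, and only the entries in ip_permit are allowed as remote addresses. The field names inside the bags (`rules`, `permit`, `name`, `protocol`, `port`) are assumptions; the page does not show the bag layout.

```ruby
# Added example, not the Cerberus cookbook's code. Bag field names are assumed.
require 'json'

PREFIX = 'cerberus_'

# Constructed sample contents standing in for the ports and ip_permit data bags.
PORTS_BAG = JSON.parse(<<~JSON)
  { "rules": [
      { "name": "https", "protocol": "TCP", "port": 443 },
      { "name": "rdp",   "protocol": "TCP", "port": 3389 },
      { "name": "dns",   "protocol": "UDP", "port": 53 } ] }
JSON

IP_PERMIT_BAG = JSON.parse(<<~JSON)
  { "permit": [ "10.0.0.0/24", "192.168.1.5", "172.16.5.0/255.255.255.0" ] }
JSON

# Accept only an IPv4 host, CIDR range, or address/mask range. A stray value such
# as "any" must fail loudly rather than become a rule open to every remote address.
def valid_remote?(entry)
  entry.match?(/\A\d{1,3}(\.\d{1,3}){3}(\/\d{1,2}|\/\d{1,3}(\.\d{1,3}){3})?\z/)
end

# netsh takes the remote scope as one comma-separated list.
def remote_list(ip_bag)
  ips = ip_bag.fetch('permit')
  bad = ips.reject { |ip| valid_remote?(ip) }
  raise ArgumentError, "bad ip_permit entries: #{bad.join(', ')}" unless bad.empty?
  ips.join(',')
end

# Delete every managed rule, then re-create one inbound allow rule per declared port.
# Only "cerberus_" rules are touched, so hand-made rules on the node survive.
# (The delete prints "No rules match" on a fresh node; that is harmless.)
def firewall_commands(ports_bag, ip_bag)
  remote = remote_list(ip_bag)
  rules  = ports_bag.fetch('rules')
  deletes = rules.map { |r| %(netsh advfirewall firewall delete rule name="#{PREFIX}#{r['name']}") }
  adds = rules.map do |r|
    %(netsh advfirewall firewall add rule name="#{PREFIX}#{r['name']}" dir=in action=allow ) +
      %(protocol=#{r['protocol']} localport=#{r['port']} remoteip=#{remote})
  end
  deletes + adds
end

puts firewall_commands(PORTS_BAG, IP_PERMIT_BAG) if $PROGRAM_NAME == __FILE__
```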

Thanks for taking the time to stop by!