Author: arkurth
Date: Fri Feb 12 18:58:22 2010
New Revision: 909558
URL: http://svn.apache.org/viewvc?rev=909558&view=rev
Log:
VCL-301
Added disable_hibernation() and disable_ceip() (customer experience improvement
program) subroutines to Windows.pm and added calls from pre_capture().
Modified Windows.pm::reg_add() to allow 0 to be passed as the registry data
argument.
Added DisableSR=1 registry key to Windows.pm::disable_system_restore(). It had
only been setting the DisableConfig key.
Updated the SSH firewall subroutines in Version_6.pm. A single SSH command is
executed which consists of multiple netsh.exe commands chained together. The
existing SSH rules need to be deleted and then the desired rule is added in the
same SSH command. It would occasionally hang because the SSH connection is
broken when the rules are deleted. I added the get_firewall_state() sub. When
the SSH firewall rules are modified, the firewall state is first checked -- on
or off. If it's on, it gets turned off, the SSH rules are modified, then
turned back on. This should prevent the SSH process from hanging. Also
updated other firewall subroutines for consistency.
Modified:
incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm
Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm Fri Feb 12
18:58:22 2010
@@ -258,6 +258,26 @@
=item *
+ Disable hibernation
+
+=cut
+
+ if (!$self->disable_hibernation()) {
+ notify($ERRORS{'WARNING'}, 0, "unable to disable hibernation");
+ }
+
+=item *
+
+ Disable Windows Customer Experience Improvement program
+
+=cut
+
+ if (!$self->disable_ceip()) {
+ notify($ERRORS{'WARNING'}, 0, "unable to disable Windows
Customer Experience Improvement program");
+ }
+
+=item *
+
Disable Internet Explorer configuration page
=cut
@@ -2280,7 +2300,7 @@
}
my $registry_data = shift;
- if (!defined($registry_data) || !$registry_data) {
+ if (!defined($registry_data)) {
notify($ERRORS{'WARNING'}, 0, "registry data was not passed
correctly as an argument");
return;
}
@@ -3315,7 +3335,7 @@
=head2 get_service_list
- Parameters : $service_name, $username, $password
+ Parameters :
Returns :
Description :
@@ -7573,6 +7593,7 @@
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]
"DisableConfig"=dword:00000001
+"DisableSR"=dword:00000001
EOF
# Import the string into the registry
@@ -8303,6 +8324,93 @@
#/////////////////////////////////////////////////////////////////////////////
+=head2 disable_hibernation
+
+ Parameters : None
+ Returns : If successful: true
+ If failed: false
+ Description : Disables hibernation mode.
+
+=cut
+
+sub disable_hibernation {
+ my $self = shift;
+ unless (ref($self) && $self->isa('VCL::Module')) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called
as a VCL::Module module object method");
+ return;
+ }
+
+ my $management_node_keys = $self->data->get_management_node_keys();
+ my $computer_node_name = $self->data->get_computer_node_name();
+
+ # Run powercfg.exe to disable hibernation
+ my $powercfg_command = 'powercfg.exe -HIBERNATE OFF';
+ my ($powercfg_exit_status, $powercfg_output) =
run_ssh_command($computer_node_name, $management_node_keys, $powercfg_command,
'', '', 1);
+ if (defined($powercfg_exit_status) && $powercfg_exit_status == 0) {
+ notify($ERRORS{'OK'}, 0, "disabled hibernation");
+ }
+ elsif ($powercfg_exit_status) {
+ notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation,
exit status: $powercfg_exit_status, output:\n" . join("\n", @$powercfg_output));
+ return;
+ }
+ else {
+ notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to
disable hibernation");
+ return;
+ }
+
+ # Delete hiberfil.sys
+ if (!$self->delete_file('$SYSTEMDRIVE/hiberfil.sys')) {
+ notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation,
hiberfil.sys could not be deleted");
+ return;
+ }
+
+ return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 disable_ceip
+
+ Parameters : None
+ Returns : If successful: true
+ If failed: false
+ Description : Disables the Windows Customer Experience Improvement Program
+ features.
+
+=cut
+
+sub disable_ceip {
+ my $self = shift;
+ if (ref($self) !~ /windows/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return;
+ }
+
+ # Attempt to set the CEIPEnable key
+ my $registry_key_software =
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows';
+ if ($self->reg_add($registry_key_software, 'CEIPEnable', 'REG_DWORD',
0)) {
+ notify($ERRORS{'OK'}, 0, "set the CEIPEnable software registry
key to 0");
+ }
+ else {
+ notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable
registry key to 0");
+ return;
+ }
+
+ # Attempt to set the CEIPEnable policy key
+ my $registry_key_policy =
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows';
+ if ($self->reg_add($registry_key_policy, 'CEIPEnable', 'REG_DWORD', 0))
{
+ notify($ERRORS{'OK'}, 0, "set the CEIPEnable policy registry
key to 0");
+ }
+ else {
+ notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable
policy registry key to 0");
+ return;
+ }
+
+ return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
1;
__END__
Modified:
incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
(original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
Fri Feb 12 18:58:22 2010
@@ -29,7 +29,8 @@
=head1 DESCRIPTION
This module provides VCL support for Windows version 6.x operating systems.
- Version 6.x Windows OS's include Windows Vista and Windows Server 2008.
+ Version 6.x Windows OS's include Windows Vista, Windows Server 2008, and
+ Windows 7.
=cut
@@ -181,7 +182,7 @@
return;
}
- notify($ERRORS{'DEBUG'}, 0, "beginning Windows version 6 (Vista, Server
2008) post-load tasks");
+ notify($ERRORS{'DEBUG'}, 0, "beginning Windows version 6 post-load
tasks");
=item 1
@@ -218,7 +219,7 @@
=cut
- notify($ERRORS{'DEBUG'}, 0, "Windows version 6 (Vista, Server 2008)
post-load tasks complete");
+ notify($ERRORS{'DEBUG'}, 0, "Windows version 6 post-load tasks
complete");
return 1;
}
@@ -847,8 +848,8 @@
$add_rule_command .= ' ;';
$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow ping from any address"';
- $add_rule_command .= ' description="Allows incoming ping (ICMP type 8)
messages from any address"';
+ $add_rule_command .= ' name="VCL: allow ping to/from any address"';
+ $add_rule_command .= ' description="Allows incoming ping (ICMP type 8)
messages to/from any address"';
$add_rule_command .= ' protocol=icmpv4:8,any';
$add_rule_command .= ' action=allow';
$add_rule_command .= ' enable=yes';
@@ -910,8 +911,8 @@
$add_rule_command .= ' ;';
$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow incoming ping to: ' .
$private_ip_address . '"';
- $add_rule_command .= ' description="Allows incoming ping (ICMP type 8)
messages to: ' . $private_ip_address . '"';
+ $add_rule_command .= ' name="VCL: allow ping to ' . $private_ip_address
. '"';
+ $add_rule_command .= ' description="Allows incoming ping (ICMP type 8)
messages to ' . $private_ip_address . '"';
$add_rule_command .= ' protocol=icmpv4:8,any';
$add_rule_command .= ' action=allow';
$add_rule_command .= ' enable=yes';
@@ -966,9 +967,12 @@
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) =
run_ssh_command($computer_node_name, $management_node_keys, $netsh_command);
- if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object
already exists)/i) {
+ if (defined($netsh_output) && @$netsh_output[-1] =~ /Ok/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to disallow
ping");
}
+ elsif (defined($netsh_output) && @$netsh_output[-1] =~ /No rules
match/i) {
+ notify($ERRORS{'OK'}, 0, "no firewall rules exist which enable
ping");
+ }
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to
disallow ping, exit status: $netsh_exit_status, output:\...@{$netsh_output}");
return;
@@ -985,9 +989,18 @@
=head2 firewall_enable_rdp
- Parameters :
+ Parameters : Remote IP address (optional) or 'private' (optional)
Returns : 1 if succeeded, 0 otherwise
- Description :
+ Description : Adds Windows firewall rules to allow RDP traffic. There are 3
+ modes:
+ 1. No argument is passed: RDP is allowed to/from any IP address
+
+ 2. IP address argument is passed: RDP is allowed from the remote
+ IP address specified and to the local private IP address. The
+ argument can be a single IP address or in CIDR format.
+
+ 3. The string 'private' is passed: RDP is allowed only to the
+ local private IP address.
=cut
@@ -998,20 +1011,49 @@
return;
}
- # Check if the remote IP was passed as an argument
- my $remote_ip = shift;
- if (!defined($remote_ip)) {
- $remote_ip = 'any';
+ my $management_node_keys = $self->data->get_management_node_keys();
+ my $computer_node_name = $self->data->get_computer_node_name();
+
+ my $remote_ip;
+ my $rule_name;
+ my $rule_description;
+
+ # Check if 'private' or IP address argument was passed
+ my $argument = shift;
+ if ($argument) {
+ # Check if argument is an IP address
+ if ($argument =~ /^[\d\.\/]+$/) {
+ $remote_ip = $argument;
+ notify($ERRORS{'DEBUG'}, 0, "opening RDP for remote IP
address: $remote_ip");
+ $rule_name = "VCL: allow RDP port 3389 from $remote_ip";
+ $rule_description = "Allows incoming TCP port 3389
traffic from $remote_ip";
+ }
+ elsif ($argument eq 'private') {
+ notify($ERRORS{'DEBUG'}, 0, "opening RDP for private IP
address only");
+ }
+ else {
+ notify($ERRORS{'WARNING'}, 0, "argument may only be
'private' or an IP address in the form xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/yy");
+ return;
+ }
}
- elsif ($remote_ip !~ /[\d\.\/]/) {
- notify($ERRORS{'WARNING'}, 0, "remote IP address argument is
not a valid IP address: $remote_ip");
+ else {
+ # No argument was passed, RDP will be opened to/from any address
+ notify($ERRORS{'DEBUG'}, 0, "opening RDP to/from any IP
address");
$remote_ip = 'any';
+ $rule_name = "VCL: allow RDP port 3389 to/from any address";
+ $rule_description = "Allows incoming TCP port 3389 traffic
to/from any address";
}
- my $management_node_keys = $self->data->get_management_node_keys();
- my $computer_node_name = $self->data->get_computer_node_name();
+ # Get the computer's private IP address
+ my $private_ip_address = $self->get_private_ip_address();
+ if (!$private_ip_address) {
+ notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP
address");
+ if ($argument && $argument eq 'private') {
+ notify($ERRORS{'WARNING'}, 0, "failed to add firewall
rule to enable RDP to private IP address");
+ return;
+ }
+ }
- # First delete any rules which allow ping and then add a new rule
my $add_rule_command;
# Set the key to allow remote connections whenever enabling RDP
@@ -1020,27 +1062,48 @@
# Set the key to allow connections from computers running any version
of Remote Desktop
$add_rule_command .= 'reg.exe ADD
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\WinStations\\RDP-Tcp" /t REG_DWORD /v UserAuthentication /d 0 /f ; ';
- $add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
- $add_rule_command .= ' name=all';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=3389';
- $add_rule_command .= ' ;';
+ # First delete any rules which allow ping and then add a new rule
+ $add_rule_command .= "netsh.exe advfirewall firewall delete rule";
+ $add_rule_command .= " name=all";
+ $add_rule_command .= " dir=in";
+ $add_rule_command .= " protocol=TCP";
+ $add_rule_command .= " localport=3389";
+ $add_rule_command .= " ;";
+
+ # Add the rule to open RDP for the private IP address if the private IP
address was found
+ # No need to add the rule if the remote IP is any because it will be
opened universally
+ if ($private_ip_address && (!$remote_ip || ($remote_ip && $remote_ip ne
'any'))) {
+ $add_rule_command .= " netsh.exe advfirewall firewall add rule";
+ $add_rule_command .= " name=\"VCL: allow RDP port 3389 to
$private_ip_address\"";
+ $add_rule_command .= " description=\"Allows incoming RDP (TCP
port 3389) traffic to $private_ip_address\"";
+ $add_rule_command .= " protocol=TCP";
+ $add_rule_command .= " localport=3389";
+ $add_rule_command .= " action=allow";
+ $add_rule_command .= " enable=yes";
+ $add_rule_command .= " dir=in";
+ $add_rule_command .= " localip=$private_ip_address";
+ $add_rule_command .= " ;";
+ }
+
+ # Add the rule to open RDP for the remote public IP address
+ if ($remote_ip) {
+ $add_rule_command .= " netsh.exe advfirewall firewall add rule";
+ $add_rule_command .= " name=\"$rule_name\"";
+ $add_rule_command .= " description=\"$rule_description\"";
+ $add_rule_command .= " protocol=TCP";
+ $add_rule_command .= " action=allow";
+ $add_rule_command .= " enable=yes";
+ $add_rule_command .= " dir=in";
+ $add_rule_command .= " localip=any";
+ $add_rule_command .= " localport=3389";
+ $add_rule_command .= " remoteip=" . $remote_ip;
+ }
- $add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow RDP from address: ' .
$remote_ip . '"';
- $add_rule_command .= ' description="Allows incoming TCP port 3389
traffic from address: ' . $remote_ip . '"';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' action=allow';
- $add_rule_command .= ' enable=yes';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' localip=any';
- $add_rule_command .= ' localport=3389';
- $add_rule_command .= ' remoteip=' . $remote_ip;
+ # Set $remote_ip for output messages if it isn't defined
+ $remote_ip = 'private only' if !$remote_ip;
# Add the firewall rule
my ($add_rule_exit_status, $add_rule_output) =
run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
-
if (defined($add_rule_output) && @$add_rule_output[-1] =~ /(Ok|The
object already exists)/i) {
notify($ERRORS{'OK'}, 0, "added firewall rule to enable RDP
from $remote_ip");
}
@@ -1073,58 +1136,7 @@
return;
}
- my $management_node_keys = $self->data->get_management_node_keys();
- my $computer_node_name = $self->data->get_computer_node_name();
-
- # Get the computer's private IP address
- my $private_ip_address = $self->get_private_ip_address();
- if (!$private_ip_address) {
- notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP
address");
- return;
- }
-
- # First delete any rules which allow RDP and then add a new rule
- my $add_rule_command;
-
- # Set the key to allow remote connections whenever enabling RDP
- $add_rule_command .= 'reg.exe ADD
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /t
REG_DWORD /v fDenyTSConnections /d 0 /f ; ';
-
- # Set the key to allow connections from computers running any version
of Remote Desktop
- $add_rule_command .= 'reg.exe ADD
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\WinStations\\RDP-Tcp" /t REG_DWORD /v UserAuthentication /d 0 /f ; ';
-
- $add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
- $add_rule_command .= ' name=all';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=3389';
- $add_rule_command .= ' ;';
-
- $add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow RDP port 3389 to: ' .
$private_ip_address . '"';
- $add_rule_command .= ' description="Allows incoming RDP (TCP port 3389)
traffic to: ' . $private_ip_address . '"';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=3389';
- $add_rule_command .= ' action=allow';
- $add_rule_command .= ' enable=yes';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' localip=' . $private_ip_address;
-
- # Add the firewall rule
- my ($add_rule_exit_status, $add_rule_output) =
run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
-
- if (defined($add_rule_output) && @$add_rule_output[-1] =~ /(Ok|The
object already exists)/i) {
- notify($ERRORS{'OK'}, 0, "added firewall rule to enable RDP to:
$private_ip_address");
- }
- elsif (defined($add_rule_exit_status)) {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable RDP to: $private_ip_address, exit status: $add_rule_exit_status,
output:\...@{$add_rule_output}");
- return;
- }
- else {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable RDP to: $private_ip_address");
- return;
- }
-
- return 1;
+ return $self->firewall_enable_rdp('private');
}
#/////////////////////////////////////////////////////////////////////////////
@@ -1193,45 +1205,99 @@
return;
}
+ # Check if 'private' argument was passed
+ my $enable_private = shift;
+ if ($enable_private && $enable_private !~ /private/i) {
+ notify($ERRORS{'WARNING'}, 0, "argument may only be the string
'private': $enable_private");
+ return;
+ }
+
+ my $rule_name;
+ my $rule_description;
+ my $rule_localip;
+ if ($enable_private) {
+ # Get the computer's private IP address
+ my $private_ip_address = $self->get_private_ip_address();
+ if (!$private_ip_address) {
+ notify($ERRORS{'WARNING'}, 0, "unable to retrieve
private IP address");
+ return;
+ }
+
+ $rule_name = "VCL: allow SSH port 22 to $private_ip_address";
+ $rule_description = "Allows incoming SSH (TCP port 22) traffic
to $private_ip_address";
+ $rule_localip = $private_ip_address;
+ }
+ else {
+ $rule_name = "VCL: allow SSH port 22 to/from any address";
+ $rule_description = "Allows incoming SSH (TCP port 22) traffic
to/from any address";
+ $rule_localip = "any";
+ }
+
my $management_node_keys = $self->data->get_management_node_keys();
my $computer_node_name = $self->data->get_computer_node_name();
- # First delete any rules which allow ping and then add a new rule
- my $add_rule_command = '/bin/cygstart.exe ';
-
- $add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
- $add_rule_command .= ' name=all';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=22';
- $add_rule_command .= ' ;';
+ # Assemble a chain of commands
+ my $add_rule_command;
- $add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow SSH port 22 from any address"';
- $add_rule_command .= ' description="Allows incoming SSH (TCP port 22)
traffic from any address"';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=22';
- $add_rule_command .= ' action=allow';
- $add_rule_command .= ' enable=yes';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' localip=any';
- $add_rule_command .= ' remoteip=any';
+ # Get the firewall state - "ON" or "OFF"
+ # Turn firewall off before altering SSH exceptions or command may hang
+ my $firewall_state = $self->get_firewall_state() || 'ON';
+ if ($firewall_state eq 'ON') {
+ notify($ERRORS{'DEBUG'}, 0, "firewall is on, it will be turned
off while SSH port exceptions are altered");
+ $add_rule_command .= 'netsh.exe advfirewall set currentprofile
state off ; sleep 1 ; ';
+ }
+
+ # The existing matching rules must be deleted first or they will remain
in effect
+ $add_rule_command .= "netsh.exe advfirewall firewall delete rule";
+ $add_rule_command .= " name=all";
+ $add_rule_command .= " dir=in";
+ $add_rule_command .= " protocol=TCP";
+ $add_rule_command .= " localport=22";
+ $add_rule_command .= " ;";
+
+ $add_rule_command .= " netsh.exe advfirewall firewall add rule";
+ $add_rule_command .= " name=\"$rule_name\"";
+ $add_rule_command .= " description=\"$rule_description\"";
+ $add_rule_command .= " protocol=TCP";
+ $add_rule_command .= " localport=22";
+ $add_rule_command .= " action=allow";
+ $add_rule_command .= " enable=yes";
+ $add_rule_command .= " dir=in";
+ $add_rule_command .= " localip=$rule_localip";
+ $add_rule_command .= " remoteip=any";
# Add the firewall rule
my ($add_rule_exit_status, $add_rule_output) =
run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
if (defined($add_rule_output) && @$add_rule_output[-1] =~ /(Ok|The
object already exists)/i) {
- notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH
from any address");
+ notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH to
address: $rule_localip");
}
elsif (defined($add_rule_exit_status)) {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH from any address, exit status: $add_rule_exit_status,
output:\...@{$add_rule_output}");
+ notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH to address: $rule_localip, exit status: $add_rule_exit_status,
output:\...@{$add_rule_output}");
return;
}
else {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH from any address");
+ notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH to address: $rule_localip");
return;
}
+ # Turn the firewall back on after SSH exceptions are set
+ if ($firewall_state eq 'ON') {
+ my $firewall_enable_command = 'netsh.exe advfirewall set
currentprofile state on';
+ my ($firewall_enable_exit_status, $firewall_enable_output) =
run_ssh_command($computer_node_name, $management_node_keys,
$firewall_enable_command);
+ if (defined($firewall_enable_output) &&
@$firewall_enable_output[-1] =~ /Ok/i) {
+ notify($ERRORS{'OK'}, 0, "turned on firewall after
turning it off to alter SSH port exceptions");
+ }
+ elsif (defined($firewall_enable_exit_status)) {
+ notify($ERRORS{'WARNING'}, 0, "failed to turn on
firewall after turning it off to alter SSH port exceptions, exit status:
$firewall_enable_exit_status, output:\...@{$firewall_enable_output}");
+ return;
+ }
+ else {
+ notify($ERRORS{'WARNING'}, 0, "failed to turn on
firewall after turning it off to alter SSH port exceptions");
+ return;
+ }
+ }
+
return 1;
}
@@ -1252,60 +1318,71 @@
return;
}
- my $management_node_keys = $self->data->get_management_node_keys();
- my $computer_node_name = $self->data->get_computer_node_name();
-
- # Get the computer's private IP address
- my $private_ip_address = $self->get_private_ip_address();
- if (!$private_ip_address) {
- notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP
address");
+ return $self->firewall_enable_ssh('private');
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_firewall_state
+
+ Parameters : None
+ Returns : If successful: string "ON" or "OFF"
+ Description : Determines if the Windows firewall is on or off. Returns "ON"
+ if either the Public or Private firewall profile is on. Returns
+ "OFF" only if all current firewall profiles are off.
+
+=cut
+
+sub get_firewall_state {
+ my $self = shift;
+ if (ref($self) !~ /windows/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
return;
}
- # First delete any rules which allow ping and then add a new rule
- my $add_rule_command = '/bin/cygstart.exe ';
-
- $add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
- $add_rule_command .= ' name=all';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=22';
- $add_rule_command .= ' ;';
-
- $add_rule_command .= ' netsh.exe advfirewall firewall add rule';
- $add_rule_command .= ' name="VCL: allow SSH port 22 to: ' .
$private_ip_address . '"';
- $add_rule_command .= ' description="Allows incoming SSH (TCP port 22)
traffic to: ' . $private_ip_address . '"';
- $add_rule_command .= ' protocol=TCP';
- $add_rule_command .= ' localport=22';
- $add_rule_command .= ' action=allow';
- $add_rule_command .= ' enable=yes';
- $add_rule_command .= ' dir=in';
- $add_rule_command .= ' localip=' . $private_ip_address;
-
- # Add the firewall rule
- my ($add_rule_exit_status, $add_rule_output) =
run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
+ my $management_node_keys = $self->data->get_management_node_keys();
+ my $computer_node_name = $self->data->get_computer_node_name();
- if (defined($add_rule_output) && @$add_rule_output[-1] =~ /(Ok|The
object already exists)/i) {
- notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH to:
$private_ip_address");
+ # Run netsh.exe to get the state of the current firewall profile
+ my $netsh_command = 'netsh.exe advfirewall show currentprofile state';
+ my ($netsh_exit_status, $netsh_output) =
run_ssh_command($computer_node_name, $management_node_keys, $netsh_command, '',
'', 0);
+ if (defined($netsh_output)) {
+ notify($ERRORS{'DEBUG'}, 0, "retrieved firewall state");
}
- elsif (defined($add_rule_exit_status)) {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH to: $private_ip_address, exit status: $add_rule_exit_status,
output:\...@{$add_rule_output}");
+ elsif (defined($netsh_exit_status)) {
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve firewall
state, exit status: $netsh_exit_status, output:\...@{$netsh_output}");
return;
}
else {
- notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to
enable SSH to: $private_ip_address");
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve firewall
state");
return;
}
- return 1;
+ # Get the lines containing 'State'
+ # There are multiple for the Private and Public profiles
+ my @state_lines = grep(/State/, @$netsh_output);
+ if (!...@state_lines) {
+ notify($ERRORS{'WARNING'}, 0, "unable to find 'State' line in
output:\n" . join("\n", @$netsh_output));
+ return;
+ }
+
+ # Loop through lines, if any contain "ON", return "ON"
+ for my $state_line (@state_lines) {
+ if ($state_line =~ /on/i) {
+ notify($ERRORS{'OK'}, 0, "returning firewall state:
ON");
+ return "ON";
+ }
+ elsif ($state_line !~ /off/i) {
+ notify($ERRORS{'WARNING'}, 0, "firewall state line does
not contain ON or OFF");
+ return;
+ }
+ }
+
+ # No state lines were found containing "ON", return "OFF"
+ notify($ERRORS{'OK'}, 0, "returning firewall state: OFF");
+ return "OFF";
}
-##############################################################################
-
-=head1 UTILITY FUNCTIONS
-
-=cut
-
#/////////////////////////////////////////////////////////////////////////////
=head2 run_sysprep
Modified:
incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm
(original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm
Fri Feb 12 18:58:22 2010
@@ -150,13 +150,11 @@
Disable the following services:
- * IP Helper (iphlpsvc) - Provides tunnel connectivity using IPv6 transition
technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS
* Function Discovery Resource Publication (FDResPub) - Publishes this
computer and resources attached to this computer so they can be discovered over
the network. If this service is stopped, network resources will no longer be
published and they will not be discovered by other computers on the network.
=cut
my @services = (
- 'iphlpsvc',
'FDResPub',
);
for my $service (@services) {
