Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Permit Windows Update

    Scheduled Pinned Locked Moved
    Firewalling
    7
    20
    5.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AdamTheManTyler @Gertjan
      last edited by

      @gertjan A company like Microsoft with an unlimited budget is capable of dealing with distributed denial of service attacks. The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense. It is only how this firewall works until the pfsense development team changes it. I work with other firewall devices that do this all day long.

      You seem very sure of yourself, wonder how many other folks think you're an a** hat like I do...

      Oh wait, make sure I put the winky face in here so you feel like I was just kidding. ;)

      GertjanG NogBadTheBadN 2 Replies Last reply Reply Quote 0
      • GertjanG
        Gertjan @AdamTheManTyler
        last edited by

        an unlimited budget

        That's why I threw in the "share holders" word : they have something to say - if not everything.
        Sure, they can publish these IPs. For some reason, they don't.
        The "DOS" phrase was just an example, as I don't work for them.

        The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense.

        At a firewall level, that is, right ? To be used in a firewall rule.
        All it has, is the somewhat limited Aliases.

        Be : I'm curious : what firewall can handle "*.domain.com" ? Not using some Squid or other proxy approach, but at a firewall level ?
        pfSense can't. Maybe it's a budget thing.

        You seem very sure of yourself

        I was actually citing the manual. I do not (want to) pretend knowing more then that.
        This is a user to user forum. Not a tech support chat.
        So, yes, until I know more, I'm pretty sure of what I know now. I'll keep on learning.
        What other people think wasn't an issue, and is actually a good thing : I want them to think.

        You seem very sure of yourself

        Then that makes us 2 (winky)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad @AdamTheManTyler
          last edited by NogBadTheBad

          @adamthemantyler said in Permit Windows Update:

          "The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense."

          You could use pfBlocker-NG and create an alias permit using the Microsoft ASN numbers.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          A 1 Reply Last reply Reply Quote 0
          • A
            AdamTheManTyler @NogBadTheBad
            last edited by AdamTheManTyler

            @nogbadthebad Hello! Crafting firewall policy around an organizations AS isn't something I've thought of before, clever. Based on M$s AS, I should be able to deduce what public networks they own. Couple of issues I can think of right away though.

            1. Would pfBlocker-NG automatically poll subnets related to a particular AS and update on the fly? Or would this be something that would have to be manually babysat?

            2. This is all for not if Microsoft is using a 3rd party CDN to redistribute updates. Those destinations would no longer be owned by Microsoft.

            Regards,
            Adam Tyler

            NogBadTheBadN 1 Reply Last reply Reply Quote 0
            • NogBadTheBadN
              NogBadTheBad @AdamTheManTyler
              last edited by NogBadTheBad

              @adamthemantyler

              1. You can configure pfBlocker-NG to pull the new list every hour up to Weekly automatically, the ASN contents wouldn't change too often.

              2. Yup correct, you may need to add Akamai, etc ... if stuff stops.

              Screenshot 2021-08-27 at 15.41.16.png

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              A 1 Reply Last reply Reply Quote 0
              • A
                AdamTheManTyler @NogBadTheBad
                last edited by

                @nogbadthebad Cool..

                Only pain point is adding a service like Akamai to this blanket whitelist rule. Doing that would allow much more access than intended. T completely unrelated IP blocks used by other entities for any purpose.. Hmm..

                Regards,
                Adam Tyler

                NogBadTheBadN KOMK 2 Replies Last reply Reply Quote 0
                • NogBadTheBadN
                  NogBadTheBad @AdamTheManTyler
                  last edited by NogBadTheBad

                  @adamthemantyler I'm a Mac guy, does the M$ update use non 80/433 ports, you could only allow the update ports through the alias / firewall rule.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  1 Reply Last reply Reply Quote 0
                  • KOMK
                    KOM @AdamTheManTyler
                    last edited by

                    @adamthemantyler You might want to revisit your policy of not using your WSUS server to update your clients. Seems like that would be the simplest solution for you.

                    R 1 Reply Last reply Reply Quote 2
                    • R
                      rmac1813 @KOM
                      last edited by

                      @KOM this is not a good solution as wsus needs to be allowed internet access as well

                      1 Reply Last reply Reply Quote 0
                      • R
                        rmac1813
                        last edited by rmac1813

                        here's a list that can be imported as an alias of supernets microsoft update uses/owns
                        used https://geo-lookup.ipify.org/ to look up blocked IP's and then correlate to a block/asn owned by m$

                        windowsupdate.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
download.windowsupdate.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
go.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
dl.delivery.mp.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
wustat.windows.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
download.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
67.24.0.0/13 Entry added Tue, 28 Nov 2023 00:22:34 -0800
8.240.0.0/12 Entry added Tue, 28 Nov 2023 00:23:48 -0800
51.10.0.0/15 MICROSOFT-CORP-MSN-AS-BLOCK
104.40.0.0/13  MICROSOFT-CORP-MSN-AS-BLOCK
52.160.0.0/11  MICROSOFT-CORP-MSN-AS-BLOCK
13.64.0.0/11 Entry added Thu, 25 Jan 2024 14:26:53 -0800
172.160.0.0/11 Entry added Thu, 25 Jan 2024 14:38:23 -0800
20.160.0.0/12 Entry added Thu, 25 Jan 2024 14:43:38 -0800
40.76.0.0/14 Entry added Thu, 25 Jan 2024 14:44:19 -0800
20.64.0.0/10 Entry added Thu, 25 Jan 2024 14:45:14 -0800
40.127.0.0/16 Entry added Thu, 25 Jan 2024 14:50:01 -0800
51.140.0.0/14 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.160.0.0/11 Entry added Mon, 21 Mar 2022 14:31:36 -0700
20.48.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.136.0.0/13 Entry added Mon, 21 Mar 2022 14:31:36 -0700
104.107.104.0/22 Entry added Mon, 21 Mar 2022 14:31:36 -0700
40.80.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.136.0.0/13 microsoft
20.48.0.0/12 Entry added Sat, 02 Apr 2022 18:27:56 -0700
52.160.0.0/11 Entry added Sat, 02 Apr 2022 18:27:56 -0700
51.140.0.0/14 microsoft
20.184.0.0/13 Entry added Fri, 08 Apr 2022 10:02:16 -0700
40.126.0.0/18 Entry added Fri, 08 Apr 2022 10:03:26 -0700
20.40.0.0/13 Entry added Fri, 08 Apr 2022 14:57:24 -0700
52.242.97.97/11 Entry added Fri, 08 Apr 2022 14:58:28 -0700
13.91.16.69/11 Entry added Fri, 08 Apr 2022 14:59:38 -0700
51.10.0.0/15 Entry added Fri, 27 May 2022 18:10:58 -0700
13.107.4.0/24 Entry added Fri, 27 May 2022 18:12:13 -0700
40.112.0.0/13 Entry added Fri, 27 May 2022 18:20:55 -0700
40.125.0.0/17 Entry added Fri, 27 May 2022 18:28:46 -0700
52.224.0.0/11 Entry added Fri, 27 May 2022 18:35:24 -0700
13.107.42.0/24 Entry added Fri, 27 May 2022 18:53:55 -0700
52.152.0.0/13 Entry added Fri, 27 May 2022 18:59:37 -0700
104.40.0.0/13 Entry added Fri, 27 May 2022 19:01:05 -0700
204.79.197.0/24 Entry added Fri, 27 May 2022 19:18:44 -0700
40.74.0.0/15 Entry added Fri, 27 May 2022 19:26:09 -0700
104.84.224.0/22 Entry added Fri, 27 May 2022 19:36:17 -0700
51.116.0.0/16 Entry added Fri, 27 May 2022 19:48:04 -0700
13.64.0.0/11 Entry added Fri, 27 May 2022 20:04:08 -0700
20.64.0.0/10 Entry added Fri, 27 May 2022 20:06:22 -0700
96.7.232.0/22 Entry added Fri, 27 May 2022 20:08:21 -0700
184.30.160.0/19 Entry added Fri, 27 May 2022 20:14:38 -0700
40.127.0.0/16 Entry added Sat, 28 May 2022 10:02:46 -0700
8.240.0.0/12 Entry added Sun, 21 Aug 2022 16:44:27 -0700
54.192.80.0/22 Entry added Sun, 21 Aug 2022 16:45:10 -0700
                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post