Block internet access except Windows Update??
-
I have pfSense and Untangle on my network, and yet I cannot figure out an easy way to let a small subnet only see Windows Update and logmein.com. Any ideas?
I have some VLAN'd subnets, 10.0.0.0/24 - 10.0.4.0/24, and I want to grab a small group of computers on 10.0.3.32/27 and pretty much stop all internet, except for updates and LogMeIn.
I am using Untangle free edition, so I can't add a 2nd policy for this without subscribing to a monthly fee. On pfSense, I tried to get squid+squidguard to work, but it seems I am doing things in reverse of what it was intended for (block all and only allow xyz), and I am having trouble figuring out an easy way to do this in squid. No caching needed, just filter out the entire internet except update.microsoft.com.
-
On pfSense add three firewall rules for the interface on 10.0.3.32/27, in this order:
1. Allow everything to the IP address of update.microsoft.com
2. Allow everything to the IP address of logmein.com
3. Block everything.
The firewall rules are processed top down; the first match terminates rule processing.
You haven't said anything that would suggest squid is needed for this particular issue.
You haven't given full details of your configuration, so you might need to tweak this a bit to work in your specific configuration.
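The three-rule ordering from the answer above, written out in pf syntax as an added example (constructed for this page, not output from the poster's or the pfSense project's configuration). The interface name `vlan3` is an assumption, and the hostname tables only contain the two names the thread mentions; Windows Update in practice pulls from more hostnames than update.microsoft.com, so expect to extend `<winupdate>` after reading the block log. In plain pf a hostname in a table is resolved once when the ruleset loads; pfSense host aliases are instead re-resolved periodically by its filterdns daemon, which is what copes with load-balanced addresses that change. A DNS rule is included because the final block rule would otherwise stop the restricted hosts from resolving anything, assuming the firewall's own interface address is their resolver.

```pf
# Constructed example for the 10.0.3.32/27 VLAN. Not from the original thread.
vlan3_if   = "vlan3"            # assumption: interface carrying 10.0.3.32/27
restricted = "10.0.3.32/27"

# Hostname tables. pfSense aliases holding hostnames are refreshed by
# filterdns; raw pf resolves these once at ruleset load.
table <winupdate> { update.microsoft.com }
table <logmein>   { logmein.com }

# Rules are evaluated top down and "quick" stops at the first match,
# which is how pfSense emits every GUI rule.

# 0. Let the restricted hosts resolve names via the firewall's own address
#    (assumption: pfSense is their DNS server).
pass in quick on $vlan3_if inet proto { tcp udp } from $restricted to ($vlan3_if) port 53 keep state

# 1. Allow everything from the restricted hosts to the update servers.
pass in quick on $vlan3_if inet from $restricted to <winupdate> keep state

# 2. Allow everything from the restricted hosts to LogMeIn.
pass in quick on $vlan3_if inet from $restricted to <logmein> keep state

# 3. Block everything else, logged so misses (extra update hostnames) show up.
block in log quick on $vlan3_if inet from $restricted to any
```

Check the ordering with `pfctl -sr` after loading, and watch `pflog0` for hits on rule 3; every logged destination is a hostname the first two tables still need. Adding a whole CIDR block to `<winupdate>` would reintroduce the problem the original poster hit with live.com and Hotmail, so keep the tables to hostnames.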
-
That would be nice, except that the IP changes regularly due to load balancing.
I have already done similar by allowing the LogMeIn and MS CIDR blocks, but this also allows things like live.com, Hotmail, etc. Not wanted.
-
Depends.
Easiest way: create rules based on an alias; change the LAN net to a single IP or an alias.
Create an alias with the IPs you wish to have access to the internet, or use a network and only allow it that way (x.x.x.x/24). I usually create a couple of rules:
one that allows ports 1-79 (TCP/UDP) and one that allows 81-1000 (TCP/UDP). That way, if people have email clients they work behind the system, but web surfing is dead. (You can create a third rule if you want to omit the HTTPS port 443.)
In your case you would probably add in a rule for the ports for LogMeIn too (whatever they are). I believe Microsoft updates use a specific port, 443. Then create an alias firewall rule that allows port 80 to certain IPs or a range that you wish to have access to the internet. That way client email will work and so should Windows updates, but web surfing is limited to those who are found within the alias IP range.
If you keep the maximum port at 1000 then there are very few, if any, proxy servers that use anything under this port range. So it could be, but surfing via a proxy port usually sucks anyway.
Oops, misread your first post. I thought you wanted updates on all computers and web surfing for only a select few. But the rules still apply: just block port 80 and anything over 1000, or only allow port 443 and whatever the LogMeIn ports are.
It still works, though you might have access to other 443 sites; then you just allow the Microsoft 443 ports and whatever other 443 websites you might want. It's pretty hard to surf without port 80 for most people. If you are still having problems with Windows Update because of the lack of port 80, the simple fix is to schedule port 80 in during down times and have your computers do their updates during that time period.
As an added footnote: if they have the Hotmail login page bookmarked, that will still show up, but once they log in it switches from HTTPS to HTTP and the page will fail to load, as do almost all web-based emails for the most part. Just pointing this out so you do not get perturbed when you first try and then complain it does not work.