Netgate Discussion Forum

    Block the entire LAN from doing "windows update" and only allow the WSUS servers

    Category: General pfSense Questions. 4 Posts, 4 Posters, 2.5k Views
    cfabre:

      Hi there,

      I would like to block the entire LAN from doing "windows update" and only allow the WSUS servers to do this.

      Is it possible to do this only with Aliases and Rules? I do not use Proxy!

      Example:
      Aliases Name: WSUS_Aliases
      *.windowsupdate.microsoft.com
      *.update.microsoft.com
      *.windowsupdate.com
      *.download.windowsupdate.com
      download.microsoft.com
      wustat.windows.com
      ntservicepack.microsoft.com

      PS: Does pfSense understand what an asterisk is?

      Rules:
      Protocol: TCP Source: WSUSServers AND Destination: WSUS_Aliases AND Destination Port 80, 443 PERMIT
      Protocol: TCP Source: LAN_Subnet AND Destination: WSUS_Aliases AND Destination Port 80, 443 BLOCK

      Thanks,
      César

    stephenw10 (Netgate Administrator):

        Not with only aliases and rules. Those destinations are going to resolve to many, many IPs and if you create an alias using them each will only have a single IP. And, no, you can't use an asterisk like that.

        The only way I could imagine doing that is blocking them using DNS with pfBlocker. Allow the WSUS servers to use a different DNS server so it can resolve them.

        I can imagine blocking download.microsoft.com might cause other issues though.

        Steve

    bmeeks:

          You should use GPO (Group Policy Objects) to accomplish this on the Windows clients themselves. Here is a Microsoft article to get you started. There are many other tutorials to be found with a Google search.

          Managing WSUS Client computers

          In my personal opinion, attempting to accomplish this with DNS blocking or firewall rules is a recipe for extreme frustration. You will wind up breaking a lot of other needed services with IP lists that are too broad.

    Derelict (LAYER 8 Netgate):

            Yup. And if you find anyone bypassing your GPO somehow, grab a wrench and go pay them a visit.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

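The replies above recommend binding the clients to WSUS with Group Policy rather than trying to fence off Windows Update at the firewall. The script below is an added example, not code from the thread or from Netgate: run on a domain-joined client, it reads the registry values that the "Specify intranet Microsoft update service location" policy writes (WUServer, WUStatusServer and AU\UseWUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) and reports whether the machine is actually pointed at your WSUS server, which is the check you would want before deciding a client has "bypassed" the GPO. The WSUS URL http://wsus.example.internal:8530 is a placeholder assumption; pass your own with -ExpectedWsusUrl.

```powershell
# Added example (not from the forum thread): audit a Windows client's WSUS binding.
# The registry paths below are the ones Group Policy populates for the
# "Specify intranet Microsoft update service location" setting.
# Placeholder WSUS URL; replace with your server (assumption, not from the thread).
param(
    [string]$ExpectedWsusUrl = 'http://wsus.example.internal:8530'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-WsusClientPolicy {
    # Missing keys simply yield $null properties, which the test below treats as "not configured".
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $wu.WUServer        # where the client downloads approvals/updates from
        WUStatusServer = $wu.WUStatusServer  # where the client reports status
        UseWUServer    = $au.UseWUServer     # 1 = honour WUServer, otherwise Microsoft Update is used
    }
}

function Test-WsusClientPolicy {
    param([pscustomobject]$Policy, [string]$Expected)
    $problems = @()
    if ($Policy.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1: the client will talk to Microsoft Update directly'
    }
    if (-not $Policy.WUServer) {
        $problems += 'WUServer is not set'
    }
    elseif ($Policy.WUServer.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
        $problems += "WUServer is '$($Policy.WUServer)', expected '$Expected'"
    }
    if (-not $Policy.WUStatusServer) {
        $problems += 'WUStatusServer is not set: status reporting will not reach WSUS'
    }
    return $problems
}

$policy = Get-WsusClientPolicy
$issues = Test-WsusClientPolicy -Policy $policy -Expected $ExpectedWsusUrl
$policy | Format-List

if ($issues.Count -eq 0) {
    Write-Output "OK: $($policy.ComputerName) is bound to $ExpectedWsusUrl"
    exit 0
}
$issues | ForEach-Object { Write-Output "PROBLEM: $_" }
exit 1
```

The non-zero exit code makes it easy to run from a scheduled task or an RMM tool and collect the clients that are not on WSUS; it only reads HKLM policy values and changes nothing on the machine.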