Netgate Discussion Forum

    Trying to block all but Windows Updates for Servers

    Category: Firewalling. 14 posts, 4 posters, 1.3k views.
      PhilJans:

      What about it?

        DaddyGo:

        Just an idea.

        There are complete Microsoft domain and antivirus developer lists for pfBlockerNG + GeoIP IPv4/IPv6 blocking.
        What if you use them the other way around?

        Microsoft is full of other telemetry; if you also block that along with the internet, you may not get updates the way you want.

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

          PhilJans (replying to DaddyGo):

          @DaddyGo Interesting.
          Right now it does not work; I need to fix the plugin, but once it's done, I'll look into this.
          Thanks for the info.

            DaddyGo:

            I am even thinking here, for example, of the Akamai CDN, the biggest supplier of Windows update stuff.

            Attachments: Windows_telemetry_bl.txt, Windows_telemetry_bl_2.txt, Windows_telemetry_bl_3.txt

              louis2:

              I try to do the same kind of thing, because the risk / unwanted things are often not coming from the internet, but are starting at your own computer / TV, etc.

              However, it is almost a disaster, because:

              • you do not really know which FQDN Microsoft is using for what
              • it is changing
              • it is not a single server, but a cloud service
              • if you are using IPv6 it is an even bigger issue, since you cannot filter on source IP, because you do not know the (changing) IPv6 source IP.

              What I sometimes do is a combination of IPv4 source IP with an alias of FQDNs.
              And/or I override the domain in my DNS, sending the IP to just "NoWhere".

              But I agree with @DaddyGo that pfBlockerNG is perhaps in this case the easiest option.

              Louis

                DaddyGo (replying to louis2):

                @louis2

                Privacy comes first and this is not respected by many manufacturers (such is the world today).
                Therefore we must act.

                BTW:
                "Thanks for your comment, but not relevant; they are just extracts of the lists and they are constantly updated.

                Attachments: Windows_telemetry_bl.txt, Windows_telemetry_bl_2.txt, Windows_telemetry_bl_3.txt

                Like:
                https://raw.githubusercontent.com/wlqY8gkVb9w1Ck5MVD4lBre9nWJez8/W10TelemetryBlocklist/master/W10TelemetryBlocklist

                https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist

                (but I don’t want to give tips, let everyone work out for knowledge)

                Not to mention that the OP's original issue wasn't that, and you can see my name next to the 👍

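The hosts-format blocklists linked above and louis2's approach of overriding telemetry domains in DNS can be combined. The following Python script is an added example, not from this thread and not part of pfSense or pfBlockerNG: it parses a hosts-style list (a constructed sample, not the contents of the real lists), skips an allowlist of update-delivery suffixes (constructed names) so Windows Update stays reachable, and emits Unbound local-zone lines of the kind that go into the DNS Resolver custom options.

```python
"""Turn a hosts-format telemetry blocklist into Unbound local-zone sinkholes,
keeping an allowlist of update-delivery domains reachable."""
import re

# "0.0.0.0 host" or "127.0.0.1 host", with an optional trailing comment.
HOST_LINE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9.-]+)\s*(?:#.*)?$")

# Constructed sample in hosts-file format (not the contents of the real lists).
SAMPLE_LIST = """\
# comment line
0.0.0.0 vortex.data.example.com
127.0.0.1 settings-win.data.example.com   # telemetry endpoint
0.0.0.0 update.example.com
0.0.0.0 dl.delivery.mp.example.com
0.0.0.0 localhost
garbage line without an address
"""

# Constructed allowlist: suffixes that must never be sinkholed so updates still flow.
UPDATE_ALLOWLIST = ("update.example.com", "delivery.mp.example.com")


def is_allowed(name, allowlist=UPDATE_ALLOWLIST):
    """True if name equals an allowlisted suffix or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in allowlist)


def parse_hosts_list(text):
    """Unique hostnames from a hosts-format blocklist, lowercased, in file order."""
    names = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comments, blank lines and malformed entries are skipped
        name = m.group(1).lower().rstrip(".")
        if name in ("localhost", "localhost.localdomain") or name in names:
            continue
        names.append(name)
    return names


def to_unbound_local_zones(text, allowlist=UPDATE_ALLOWLIST):
    """Unbound 'local-zone' lines answering NXDOMAIN for every blocked name."""
    return [f'local-zone: "{name}." always_nxdomain'
            for name in parse_hosts_list(text) if not is_allowed(name, allowlist)]


if __name__ == "__main__":
    print("\n".join(to_unbound_local_zones(SAMPLE_LIST)))
```

Because allowlisting is by suffix, a single entry such as a vendor's update domain keeps all of its subdomains reachable while the rest of the list is still sinkholed.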
                  Rod-It:

                  You may simply not have been paying attention when you created these, but those aliases are for IPs, yet you've added URLs; you therefore need to change the type from network to URL and re-add them.

                  Each type does give you a description below in the hint field.

                  FYI, if you add microsoft.com you don't also need to add its subdomains, so update.microsoft.com will also be allowed based on microsoft.com being allowed at the lower level.
                  The first 3 in your URLs cover all the others below.

                  You may be better off with Squid or pfBlockerNG, though, as noted above, and block specific domains, even if you only use pfBlockerNG for custom domains on a whitelist.

                    DaddyGo (replying to Rod-It):

                    @Rod-It

                    Then once again, for the sake of those who don't pay attention (DNSBL!!!) 😌
                    I didn't make the lists; these are ready-made lists.

                    Everyone uses or does not use them to their own taste.

                      louis2:

                      More problems nearby...

                      Encrypted DNS, very necessary to protect against governments like "China" (and a lot of others), is coming. But of course with one big disadvantage: DNS-based blocking options will be gone.

                      So let's enjoy the moment.

                      Louis

                        DaddyGo (replying to louis2):

                        @louis2

                        exactly....

                        The biggest bullshit in the world is the DoH, and many more experts will have a say.

                        The current best solution, option:
                        Unbound + pfBlockerNG + DoT + DNSSEC + CF DNS

                        This should not be a matter of debate at this time.
                        And don't forget we raised it high (China), because we're stupid and we manufactured everything with them, hahaha, "know-how", "privacy", etc.
                        https://en.wikipedia.org/wiki/Know-how

                        BTW:

                        [image attachment: b34299c7-10bf-474e-be13-11fdf3126367-image.png]

                        +++edit:
                        And now we are crying that China is approaching; we are like that and ready.

                          Rod-It (replying to DaddyGo):

                          @DaddyGo

                          Sorry, I am fully aware of DNSBL and suggested this as an option as well as Squid, but I also answered the OP's question directly: their rules won't work with URLs in an IP field.

                          This does not need to be an argument or a push in the direction you would prefer the OP to go, so I therefore answered their specific question.

                          I'm not saying there aren't better ways to do what they want, but their question was why their rules don't work, and it's because they have URLs in an IP field.

                            DaddyGo (replying to Rod-It):

                            @Rod-It

                            Nothing happened 🖐
                            What I suggested seems to work for the OP, as he thanked me afterwards.

                            You wrote for the OP, I wrote for @louis2, and here we slipped 😁

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.