Netgate Discussion Forum

    Permit Windows Update

Firewalling (20 Posts, 7 Posters, 7.1k Views)

AdamTheManTyler

Can anyone tell me how to create an address object that would cover all Windows Update internet resources on a pfSense firewall? We have a restricted network and I need to create a firewall rule to permit Windows Update. The current solution of using the firewall Alias definition isn't working. M$ gives this list of destinations; not sure you can add a wildcard to a pfSense firewall?

      *.download.windowsupdate.com
      *.windowsupdate.com
      *.windowsupdate.microsoft.com
      definitionupdates.microsoft.com
      download.microsoft.com
      download.windowsupdate.com
      ds.download.windowsupdate.com
      go.microsoft.com
      ntservicepack.microsoft.com
      windowsupdate.com
      windowsupdate.microsoft.com
      wustat.windows.com
      www.microsoft.com
      www.update.microsoft.com

      http://definitionupdates.microsoft.com/
      http://www.microsoft.com/security/
      http://go.microsoft.com/
      http://ds.download.windowsupdate.com/
      http://www.update.microsoft.com/
      http://download.microsoft.com/
      http://download.windowsupdate.com/

KOM @AdamTheManTyler

        @adamthemantyler You can't use wildcards in an alias.

        One solution would be to set up squid and squidguard and then point your clients to it. Add those domains to a squidguard whitelist and deny everything else. It's kind of a kludgy solution but it should work.

AdamTheManTyler @KOM

@kom Squid is an extension package for pfSense? Does this replace the firewall mechanism or just extend it? Have any links you can forward along for config examples?

          Regards,
          Adam Tyler

KOM @AdamTheManTyler

@adamthemantyler Squid is a web proxy and SquidGuard is a URL filter. Both are packages for pfSense. Full deployment and configuration is a large topic. Start with the docs:

            A Brief Introduction to Web Proxies and Reporting: Squid, SquidGuard, and Lightsquid

            Squid, SquidGuard, and Lightsquid on pfSense 2.4

AdamTheManTyler @KOM

              @kom Thanks.

Dang. Seems like a lot of effort when all we need is a simple wildcard allow rule. Strange that it isn't a native feature of the pfSense device.

              Regards,
              Adam Tyler

SteveITS @AdamTheManTyler

                @adamthemantyler Aliases using hostnames are updated periodically by pfSense. A wildcard *.windowsupdate.com doesn't necessarily mean that a.windowsupdate.com has the same IP as b.windowsupdate.com, as I think MS means to allow anyname.windowsupdate.com (it would be entered in IE using the *, for example).

                Brainstorming, could you accomplish this by using domain overrides in DNS to allow DNS lookups only for those hostnames?

AdamTheManTyler @SteveITS

@steveits Yeah, I get it. For a traditional FQDN alias, the firewall is basically just resolving the URL periodically and adding the IPs proactively.

The wildcard alias could be anything and can't work the same way. The firewall would have to watch for DNS queries and on the fly add resolved IPs that were returned for any query matching *.windowsupdate.com, for example. This gets further complicated if your client is using the DoH protocol and DNS queries are encrypted, making them invisible to the firewall. Thank you, Firefox and Chrome.

                  It's crazy to me that Microsoft can't provide a static list of IP addresses associated with their update service. The further introduction of CDNs makes it even more impossible.

                  Regards,
                  Adam Tyler
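
The mechanism sketched in the two posts above (a hostname alias resolves a fixed FQDN list periodically; a wildcard alias would instead have to watch DNS answers and add the returned IPs on the fly), as an added example that is not code from this thread, from pfSense or from Microsoft. It simulates such a DNS-driven allowlist offline: every A/AAAA answer for a name matching a pattern like *.windowsupdate.com is admitted with a TTL-bound lifetime, CNAME targets reached from an allowed name are followed so a CDN-hosted answer is admitted through the allowed name rather than by whitelisting the whole CDN, and the changes are emitted as pfctl table commands. The answer feed, the .example hostnames and the RFC 5737 addresses are constructed sample data; the pf table name "WindowsUpdate" and the 60-second grace period are assumptions. As the post notes, this only sees queries that go through the firewall's resolver; DoH to a third-party resolver bypasses it.

```python
"""DNS-driven dynamic allowlist for wildcard destinations (added example)."""
import ipaddress

# Patterns in the syntax of the list in the first post: "*.x" matches any name
# below x (at least one extra label); a bare name matches only itself.
WILDCARD_PATTERNS = [
    "*.download.windowsupdate.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.com",
    "go.microsoft.com",
]

# Kept after the answer's TTL so a client still using a cached answer is not
# cut off mid-download. The value is an assumption, not a pfSense setting.
GRACE_SECONDS = 60


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()


def name_matches(name, patterns):
    """True if name matches any pattern in the *.suffix / exact-name syntax."""
    name = normalize(name)
    for pattern in patterns:
        pattern = normalize(pattern)
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.windowsupdate.com" -> ".windowsupdate.com"
            if name.endswith(suffix) and len(name) > len(suffix):
                return True
        elif name == pattern:
            return True
    return False


class DynamicAllowlist:
    """Tracks currently allowed addresses and emits pfctl table updates."""

    def __init__(self, patterns, table="WindowsUpdate"):
        self.patterns = patterns
        self.table = table          # pf table behind the alias (assumed name)
        self.cname_until = {}       # CNAME target reached via an allowed name -> expiry
        self.ip_until = {}          # allowed address -> expiry

    def _owner_allowed(self, name, now):
        return name_matches(name, self.patterns) or self.cname_until.get(name, 0) > now

    def observe(self, now, owner, rtype, rdata, ttl):
        """Process one answer record; returns the pfctl commands it triggers."""
        owner = normalize(owner)
        if not self._owner_allowed(owner, now):
            return []                                   # unrelated name: ignore
        if rtype == "CNAME":
            target = normalize(rdata)                   # follow the chain, wait for A/AAAA
            self.cname_until[target] = max(self.cname_until.get(target, 0), now + ttl)
            return []
        if rtype not in ("A", "AAAA"):
            return []
        ip = str(ipaddress.ip_address(rdata))           # validates the address
        is_new = ip not in self.ip_until
        self.ip_until[ip] = max(self.ip_until.get(ip, 0), now + ttl + GRACE_SECONDS)
        return [f"pfctl -t {self.table} -T add {ip}"] if is_new else []

    def expire(self, now):
        """Drop entries whose TTL plus grace has passed; returns pfctl deletes."""
        gone = sorted(ip for ip, until in self.ip_until.items() if until <= now)
        for ip in gone:
            del self.ip_until[ip]
        self.cname_until = {n: t for n, t in self.cname_until.items() if t > now}
        return [f"pfctl -t {self.table} -T delete {ip}" for ip in gone]

    def allowed_ips(self):
        return sorted(self.ip_until)


# Constructed sample feed of answer records: (time, owner, type, rdata, ttl).
SAMPLE_FEED = [
    (0,   "a.download.windowsupdate.com", "A",     "192.0.2.10",           300),
    (0,   "download.windowsupdate.com",   "CNAME", "wu.cdn.example",       3600),
    (0,   "wu.cdn.example",               "CNAME", "e42.edge.cdn.example", 60),
    (1,   "e42.edge.cdn.example",         "A",     "198.51.100.7",         20),
    (1,   "other.edge.cdn.example",       "A",     "198.51.100.8",         300),  # same CDN, not chained
    (2,   "updates.notmicrosoft.example", "A",     "203.0.113.9",          300),  # unrelated name
    (100, "windowsupdate.com",            "A",     "192.0.2.11",           300),  # exact-name pattern
]


def replay(feed, patterns=WILDCARD_PATTERNS):
    """Replay answer records in time order; returns (allowlist, pfctl commands)."""
    allowlist = DynamicAllowlist(patterns)
    commands = []
    for now, owner, rtype, rdata, ttl in feed:
        commands += allowlist.expire(now)
        commands += allowlist.observe(now, owner, rtype, rdata, ttl)
    return allowlist, commands


if __name__ == "__main__":
    allowlist, commands = replay(SAMPLE_FEED)
    print("\n".join(commands))
    print("currently allowed:", allowlist.allowed_ips())
```

On the sample feed the CDN address is admitted only because it was reached from download.windowsupdate.com through the CNAME chain, the neighbouring CDN host and the unrelated name never enter the table, and the CDN address is deleted again once its short TTL plus grace has run out. To use this shape for real, feed it answer records from whatever resolver log or passive DNS tap you have, run the emitted commands against the alias's table, and keep a rule that blocks direct DNS and DoH to outside resolvers so clients cannot sidestep the resolver being watched.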

AndyRH

                    Have you considered setting up an internal update site for Windows?

AdamTheManTyler @AndyRH

@andyrh WSUS? We actually run it already, but all clients are directed to the public internet for the downloads. We only leverage WSUS for policy, i.e. update approvals. Our environment is laid out in such a way that going to the internet makes more sense compared with hosting the update repository ourselves.

Gertjan @AdamTheManTyler

                        @adamthemantyler said in Permit Windows Update:

                        It's crazy to me that Microsoft can't provide a static list of IP addresses associated with their update service

Really?
The day they, Microsoft, publish such a list, you'll witness the beginning of the end of Microsoft.
Stockholders and half of planet Earth (the Windows users) will get very angry.
These IPs will get DDoSed by some 'anti' (MS) group, so they are inaccessible, so PCs don't get updated any more. Do you see where this goes?

So, not crazy.
You're just missing a bit of info that explains the (a possible) situation ;)
And yes, of course, I also would love to see a firewall rule that permits something like "*.whatever.tld" as a literal, but you already mentioned that this is not gonna happen soon.
This is not a "pfSense" issue, it's how firewalls work.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

AdamTheManTyler @Gertjan

                          @gertjan A company like Microsoft with an unlimited budget is capable of dealing with distributed denial of service attacks. The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense. It is only how this firewall works until the pfsense development team changes it. I work with other firewall devices that do this all day long.

                          You seem very sure of yourself, wonder how many other folks think you're an a** hat like I do...

                          Oh wait, make sure I put the winky face in here so you feel like I was just kidding. ;)

Gertjan @AdamTheManTyler

                            an unlimited budget

                            That's why I threw in the "share holders" word : they have something to say - if not everything.
                            Sure, they can publish these IPs. For some reason, they don't.
                            The "DOS" phrase was just an example, as I don't work for them.

                            The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense.

                            At a firewall level, that is, right ? To be used in a firewall rule.
                            All it has, is the somewhat limited Aliases.

                            Be : I'm curious : what firewall can handle "*.domain.com" ? Not using some Squid or other proxy approach, but at a firewall level ?
                            pfSense can't. Maybe it's a budget thing.

                            You seem very sure of yourself

I was actually citing the manual. I do not (want to) pretend to know more than that.
                            This is a user to user forum. Not a tech support chat.
                            So, yes, until I know more, I'm pretty sure of what I know now. I'll keep on learning.
                            What other people think wasn't an issue, and is actually a good thing : I want them to think.

                            You seem very sure of yourself

Then that makes us two (winky)

NogBadTheBad @AdamTheManTyler

                              @adamthemantyler said in Permit Windows Update:

                              "The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense."

                              You could use pfBlocker-NG and create an alias permit using the Microsoft ASN numbers.

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

AdamTheManTyler @NogBadTheBad

@nogbadthebad Hello! Crafting firewall policy around an organization's AS isn't something I've thought of before; clever. Based on M$'s AS, I should be able to deduce what public networks they own. A couple of issues I can think of right away though.

                                1. Would pfBlocker-NG automatically poll subnets related to a particular AS and update on the fly? Or would this be something that would have to be manually babysat?

2. This is all for naught if Microsoft is using a 3rd-party CDN to redistribute updates. Those destinations would no longer be owned by Microsoft.

                                Regards,
                                Adam Tyler

NogBadTheBad @AdamTheManTyler

                                  @adamthemantyler

1. You can configure pfBlocker-NG to pull the new list automatically, from every hour up to weekly. The ASN contents wouldn't change too often.

2. Yup, correct; you may need to add Akamai, etc., if stuff stops.

(screenshot attached: Screenshot 2021-08-27 at 15.41.16.png)

AdamTheManTyler @NogBadTheBad

                                    @nogbadthebad Cool..

Only pain point is adding a service like Akamai to this blanket whitelist rule. Doing that would allow much more access than intended, to completely unrelated IP blocks used by other entities for any purpose.. Hmm..

                                    Regards,
                                    Adam Tyler

NogBadTheBad @AdamTheManTyler

@adamthemantyler I'm a Mac guy; does the M$ update use non-80/443 ports? You could only allow the update ports through the alias / firewall rule.

KOM @AdamTheManTyler

                                        @adamthemantyler You might want to revisit your policy of not using your WSUS server to update your clients. Seems like that would be the simplest solution for you.

rmac1813 @KOM

@KOM This is not a good solution, as WSUS needs to be allowed internet access as well.

rmac1813

Here's a list that can be imported as an alias of supernets Microsoft Update uses/owns.
Used https://geo-lookup.ipify.org/ to look up blocked IPs and then correlate them to a block/ASN owned by M$.

                                            windowsupdate.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            download.windowsupdate.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            go.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            dl.delivery.mp.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            wustat.windows.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            download.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
                                            67.24.0.0/13 Entry added Tue, 28 Nov 2023 00:22:34 -0800
                                            8.240.0.0/12 Entry added Tue, 28 Nov 2023 00:23:48 -0800
                                            51.10.0.0/15 MICROSOFT-CORP-MSN-AS-BLOCK
                                            104.40.0.0/13  MICROSOFT-CORP-MSN-AS-BLOCK
                                            52.160.0.0/11  MICROSOFT-CORP-MSN-AS-BLOCK
                                            13.64.0.0/11 Entry added Thu, 25 Jan 2024 14:26:53 -0800
                                            172.160.0.0/11 Entry added Thu, 25 Jan 2024 14:38:23 -0800
                                            20.160.0.0/12 Entry added Thu, 25 Jan 2024 14:43:38 -0800
                                            40.76.0.0/14 Entry added Thu, 25 Jan 2024 14:44:19 -0800
                                            20.64.0.0/10 Entry added Thu, 25 Jan 2024 14:45:14 -0800
                                            40.127.0.0/16 Entry added Thu, 25 Jan 2024 14:50:01 -0800
                                            51.140.0.0/14 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            52.160.0.0/11 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            20.48.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            52.136.0.0/13 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            104.107.104.0/22 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            40.80.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
                                            52.136.0.0/13 microsoft
                                            20.48.0.0/12 Entry added Sat, 02 Apr 2022 18:27:56 -0700
                                            52.160.0.0/11 Entry added Sat, 02 Apr 2022 18:27:56 -0700
                                            51.140.0.0/14 microsoft
                                            20.184.0.0/13 Entry added Fri, 08 Apr 2022 10:02:16 -0700
                                            40.126.0.0/18 Entry added Fri, 08 Apr 2022 10:03:26 -0700
                                            20.40.0.0/13 Entry added Fri, 08 Apr 2022 14:57:24 -0700
                                            52.242.97.97/11 Entry added Fri, 08 Apr 2022 14:58:28 -0700
                                            13.91.16.69/11 Entry added Fri, 08 Apr 2022 14:59:38 -0700
                                            51.10.0.0/15 Entry added Fri, 27 May 2022 18:10:58 -0700
                                            13.107.4.0/24 Entry added Fri, 27 May 2022 18:12:13 -0700
                                            40.112.0.0/13 Entry added Fri, 27 May 2022 18:20:55 -0700
                                            40.125.0.0/17 Entry added Fri, 27 May 2022 18:28:46 -0700
                                            52.224.0.0/11 Entry added Fri, 27 May 2022 18:35:24 -0700
                                            13.107.42.0/24 Entry added Fri, 27 May 2022 18:53:55 -0700
                                            52.152.0.0/13 Entry added Fri, 27 May 2022 18:59:37 -0700
                                            104.40.0.0/13 Entry added Fri, 27 May 2022 19:01:05 -0700
                                            204.79.197.0/24 Entry added Fri, 27 May 2022 19:18:44 -0700
                                            40.74.0.0/15 Entry added Fri, 27 May 2022 19:26:09 -0700
                                            104.84.224.0/22 Entry added Fri, 27 May 2022 19:36:17 -0700
                                            51.116.0.0/16 Entry added Fri, 27 May 2022 19:48:04 -0700
                                            13.64.0.0/11 Entry added Fri, 27 May 2022 20:04:08 -0700
                                            20.64.0.0/10 Entry added Fri, 27 May 2022 20:06:22 -0700
                                            96.7.232.0/22 Entry added Fri, 27 May 2022 20:08:21 -0700
                                            184.30.160.0/19 Entry added Fri, 27 May 2022 20:14:38 -0700
                                            40.127.0.0/16 Entry added Sat, 28 May 2022 10:02:46 -0700
                                            8.240.0.0/12 Entry added Sun, 21 Aug 2022 16:44:27 -0700
                                            54.192.80.0/22 Entry added Sun, 21 Aug 2022 16:45:10 -0700
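
An audit of the alias list posted above before importing it, as an added example that is not code from this thread, from pfSense or from pfBlocker-NG. The same checks apply to any prefix list fed to an alias, including one derived from an ASN with pfBlocker-NG as NogBadTheBad suggests earlier in the thread: it separates hostname entries (which pfSense resolves periodically) from networks, flags CIDRs with host bits set and the canonical network they actually denote, counts duplicates, collapses the networks into a minimal set, and lists the very wide prefixes that admit far more than Windows Update. The entries are taken verbatim from the post above with the alias descriptions dropped; ownership of the prefixes is not verified here (no network access), and the /12 threshold for calling a prefix "wide" is an assumption.

```python
"""Audit of a pfSense alias import list (added example)."""
import ipaddress
from collections import Counter

# Entries from rmac1813's post above, in the order posted, descriptions dropped.
POSTED_ENTRIES = """
windowsupdate.microsoft.com download.windowsupdate.com go.microsoft.com
dl.delivery.mp.microsoft.com wustat.windows.com download.microsoft.com
67.24.0.0/13 8.240.0.0/12 51.10.0.0/15 104.40.0.0/13 52.160.0.0/11
13.64.0.0/11 172.160.0.0/11 20.160.0.0/12 40.76.0.0/14 20.64.0.0/10
40.127.0.0/16 51.140.0.0/14 52.160.0.0/11 20.48.0.0/12 52.136.0.0/13
104.107.104.0/22 40.80.0.0/12 52.136.0.0/13 20.48.0.0/12 52.160.0.0/11
51.140.0.0/14 20.184.0.0/13 40.126.0.0/18 20.40.0.0/13 52.242.97.97/11
13.91.16.69/11 51.10.0.0/15 13.107.4.0/24 40.112.0.0/13 40.125.0.0/17
52.224.0.0/11 13.107.42.0/24 52.152.0.0/13 104.40.0.0/13 204.79.197.0/24
40.74.0.0/15 104.84.224.0/22 51.116.0.0/16 13.64.0.0/11 20.64.0.0/10
96.7.232.0/22 184.30.160.0/19 40.127.0.0/16 8.240.0.0/12 54.192.80.0/22
"""


def classify(entry):
    """('host', None) for a hostname, ('net', network) for an address or CIDR."""
    try:
        net = ipaddress.ip_network(entry, strict=False)   # strict=False keeps host bits
    except ValueError:
        return "host", None
    return "net", net


def audit(text, wide_prefixlen=12):
    """Whitespace-separated alias entries -> report dict (see keys below)."""
    hostnames, networks, nonaligned = [], [], []
    for entry in text.split():
        kind, net = classify(entry)
        if kind == "host":
            hostnames.append(entry)
            continue
        # What the entry really denotes once the host bits are masked off.
        canonical = str(net) if "/" in entry else str(net.network_address)
        if entry != canonical:
            nonaligned.append((entry, str(net)))
        networks.append(net)
    counts = Counter(str(n) for n in networks)
    collapsed = []
    for version in (4, 6):                  # collapse_addresses needs one IP version
        same = [n for n in networks if n.version == version]
        collapsed += sorted(ipaddress.collapse_addresses(same))
    return {
        "hostnames": hostnames,
        "nonaligned": nonaligned,           # (as posted, canonical network)
        "duplicates": {n: c for n, c in counts.items() if c > 1},
        "collapsed": [str(n) for n in collapsed],
        "wide": [str(n) for n in collapsed if n.prefixlen <= wide_prefixlen],
        "total_addresses": sum(n.num_addresses for n in collapsed),
    }


if __name__ == "__main__":
    report = audit(POSTED_ENTRIES)
    print(f"{len(report['hostnames'])} hostnames, "
          f"{len(report['collapsed'])} distinct networks, "
          f"{report['total_addresses']:,} addresses allowed")
    for posted, canonical in report["nonaligned"]:
        print(f"host bits set: {posted} is really {canonical}")
    for net, count in report["duplicates"].items():
        print(f"duplicate x{count}: {net}")
    print("wide prefixes:", ", ".join(report["wide"]))
```

Two entries in the posted list, 52.242.97.97/11 and 13.91.16.69/11, carry host bits and are really 52.224.0.0/11 and 13.64.0.0/11, both of which already appear elsewhere in the list; several networks are listed two or three times. The wide prefixes (/10 to /12) are cloud supernets, so a rule built on this alias permits traffic to anything hosted in those ranges, not just Windows Update, which is the trade-off the thread discusses for the ASN approach.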
                                            
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.