Block the entire LAN from doing "windows update" and only allow the WSUS servers



  • Hi there,

    I would like to block the entire LAN from doing "windows update" and only allow the WSUS servers to do this.

    Is it possible to do this only with Aliases and Rules? I do not use Proxy!

    Example:
    Aliases Name: WSUS_Aliases
    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.windowsupdate.com
    *.download.windowsupdate.com
    download.microsoft.com
    wustat.windows.com
    ntservicepack.microsoft.com

    PS: Does pfsense understand what an asterisk is?

    Rules:
    Protocol: TCP Source: WSUSSevers AND Destination: WSUS_Aliases AND Destination Port 80, 443 PERMIT
    Protocol: TCP Source: LAN_Subnet AND Destination: WSUS_Aliases AND Destination Port 80, 443 BLOCK

    Thanks,
    César


  • Netgate Administrator

    Not with only aliases and rules. Those destinations are going to resolve to many, many IPs and if you create an alias using them each will only have a single IP. And, no, you can't use an asterisk like that.

    The only way I could imagine doing that is blocking them using DNS with pfBlocker. Allow the WSUS servers to use a different DNS server so it can resolve them.

    I can imagine blocking download.microsoft.com might cause other issues though.

    Steve



  • You should use GPO (Group Policy Objects) to accomplish this on the Windows clients themselves. Here is a Microsoft article to get you started. There are many other tutorials to be found with a Google search.

    Managing WSUS Client computers

    In my personal opinion, attempting to accomplish this with DNS blocking or firewall rules is a recipe for extreme frustration. You will wind up breaking a lot of other needed services with IP lists that are too broad.


  • LAYER 8 Netgate

    Yup. And if you find anyone bypassing your GPO somehow, grab a wrench and go pay them a visit.


Log in to reply