Permit Windows Update

AdamTheManTyler

Can anyone tell me how to create an address object that would cover all Windows update internet resources on a pfsense firewall? We have a restricted network and I need to create a firewall rule to permit Windows update. The current solution of using the firewall Alias definition isn't working. M$ gives this list of destinations, not sure you can add a wildcard to a pfsense firewall?

*.download.windowsupdate.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
definitionupdates.microsoft.com
download.microsoft.com
download.windowsupdate.com
ds.download.windowsupdate.com
go.microsoft.com
ntservicepack.microsoft.com
windowsupdate.com
windowsupdate.microsoft.com
wustat.windows.com
www.microsoft.com
www.update.microsoft.com

http://definitionupdates.microsoft.com/
http://www.microsoft.com/security/
http://go.microsoft.com/
http://ds.download.windowsupdate.com/
http://www.update.microsoft.com/
http://download.microsoft.com/
http://download.windowsupdate.com/

KOM

@adamthemantyler You can't use wildcards in an alias.

One solution would be to set up squid and squidguard and then point your clients to it. Add those domains to a squidguard whitelist and deny everything else. It's kind of a kludgy solution but it should work.

AdamTheManTyler

@kom squid is an extension package to pfsense? This replaces the firewall mechanism or just extends it? Have any links you can forward along for config examples?

Regards,
Adam Tyler

KOM

@adamthemantyler Squid is a web proxy and squidguard is an URL filter. Both are packages for pfSense. Full deployment and configuration is a large topic. Start with the docs:

A Brief Introduction to Web Proxies and Reporting: Squid, SquidGuard, and Lightsquid

Squid, SquidGuard, and Lightsquid on pfSense 2.4

AdamTheManTyler

@kom Thanks.

Dang. Seems like a lot of effort when all we need is a simple wildcard allow rule. Strange that isn't a native feature of the pfsense device.

Regards,
Adam Tyler

SteveITS

@adamthemantyler Aliases using hostnames are updated periodically by pfSense. A wildcard *.windowsupdate.com doesn't necessarily mean that a.windowsupdate.com has the same IP as b.windowsupdate.com, as I think MS means to allow anyname.windowsupdate.com (it would be entered in IE using the *, for example).

Brainstorming, could you accomplish this by using domain overrides in DNS to allow DNS lookups only for those hostnames?

AdamTheManTyler

@steveits Yea, I get it. for a traditional fqdn alias, the firewall is basically just resolving the url periodically and adding the IPs proactively.

The wildcard alias could be anything and can't work the same way. The firewall would have to watch for DNS queries and on the fly add resolved IPs that were returned for any query matching *.windowsupdate.com for example. This gets further complicated if your client is using the DoH protocol and DNS queries are encrypted making them invisible to the firewall. Thank you Firefox and Chrome.

It's crazy to me that Microsoft can't provide a static list of IP addresses associated with their update service. The further introduction of CDNs makes it even more impossible.

Regards,
Adam Tyler

AndyRH

Have you considered setting up an internal update site for Windows?

AdamTheManTyler

@andyrh WSUS? We actually run it already, but all clients are directed to the public internet for the downloads. We only leverage WSUS for policy. Ie.. update approvals. Our environment is laid out in such a way that going to the internet makes more sense compared with hosting the update repository ourselves.

Gertjan

@adamthemantyler said in Permit Windows Update:

It's crazy to me that Microsoft can't provide a static list of IP addresses associated with their update service

Really ?
The day they, Microsoft, publish such a list, you'll assist at the beginning of the end of Microsoft.
Stockholders and half planet earth (the Windows users) will get very angry.
These IP's will get DOOSsed by some 'anti' (MS) group, so they are inaccessible, so PC's don't get updated any more. Do you see where this goes ?

So, not crazy.
You're just missing bit of info that explains the (a possible) situation ;)
And yes, of course, I also would love to see a firewall rule that permits something like "*.whatever.tld" as a literal, but you already mentioned that this is not gona happen soon.
This is not a "pfSense" issue, it's how firewall work.

AdamTheManTyler

@gertjan A company like Microsoft with an unlimited budget is capable of dealing with distributed denial of service attacks. The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense. It is only how this firewall works until the pfsense development team changes it. I work with other firewall devices that do this all day long.

You seem very sure of yourself, wonder how many other folks think you're an a** hat like I do...

Oh wait, make sure I put the winky face in here so you feel like I was just kidding. ;)

Gertjan

an unlimited budget

That's why I threw in the "share holders" word : they have something to say - if not everything.
Sure, they can publish these IPs. For some reason, they don't.
The "DOS" phrase was just an example, as I don't work for them.

The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense.

At a firewall level, that is, right ? To be used in a firewall rule.
All it has, is the somewhat limited Aliases.

Be : I'm curious : what firewall can handle "*.domain.com" ? Not using some Squid or other proxy approach, but at a firewall level ?
pfSense can't. Maybe it's a budget thing.

You seem very sure of yourself

I was actually citing the manual. I do not (want to) pretend knowing more then that.
This is a user to user forum. Not a tech support chat.
So, yes, until I know more, I'm pretty sure of what I know now. I'll keep on learning.
What other people think wasn't an issue, and is actually a good thing : I want them to think.

You seem very sure of yourself

Then that makes us 2 (winky)

NogBadTheBad

@adamthemantyler said in Permit Windows Update:

"The fact that *.domain.com isn't available on the pfsense platform is specific to pfsense."

You could use pfBlocker-NG and create an alias permit using the Microsoft ASN numbers.

AdamTheManTyler

@nogbadthebad Hello! Crafting firewall policy around an organizations AS isn't something I've thought of before, clever. Based on M$s AS, I should be able to deduce what public networks they own. Couple of issues I can think of right away though.

Would pfBlocker-NG automatically poll subnets related to a particular AS and update on the fly? Or would this be something that would have to be manually babysat?
This is all for not if Microsoft is using a 3rd party CDN to redistribute updates. Those destinations would no longer be owned by Microsoft.

Regards,
Adam Tyler

NogBadTheBad

@adamthemantyler

You can configure pfBlocker-NG to pull the new list every hour up to Weekly automatically, the ASN contents wouldn't change too often.
Yup correct, you may need to add Akamai, etc ... if stuff stops.

Screenshot 2021-08-27 at 15.41.16.png

AdamTheManTyler

@nogbadthebad Cool..

Only pain point is adding a service like Akamai to this blanket whitelist rule. Doing that would allow much more access than intended. T completely unrelated IP blocks used by other entities for any purpose.. Hmm..

Regards,
Adam Tyler

NogBadTheBad

@adamthemantyler I'm a Mac guy, does the M$ update use non 80/433 ports, you could only allow the update ports through the alias / firewall rule.

KOM

@adamthemantyler You might want to revisit your policy of not using your WSUS server to update your clients. Seems like that would be the simplest solution for you.

rmac1813

@KOM this is not a good solution as wsus needs to be allowed internet access as well

rmac1813

here's a list that can be imported as an alias of supernets microsoft update uses/owns
used https://geo-lookup.ipify.org/ to look up blocked IP's and then correlate to a block/asn owned by m$

windowsupdate.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
download.windowsupdate.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
go.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
dl.delivery.mp.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
wustat.windows.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
download.microsoft.com Entry added Mon, 21 Mar 2022 14:36:24 -0700
67.24.0.0/13 Entry added Tue, 28 Nov 2023 00:22:34 -0800
8.240.0.0/12 Entry added Tue, 28 Nov 2023 00:23:48 -0800
51.10.0.0/15 MICROSOFT-CORP-MSN-AS-BLOCK
104.40.0.0/13  MICROSOFT-CORP-MSN-AS-BLOCK
52.160.0.0/11  MICROSOFT-CORP-MSN-AS-BLOCK
13.64.0.0/11 Entry added Thu, 25 Jan 2024 14:26:53 -0800
172.160.0.0/11 Entry added Thu, 25 Jan 2024 14:38:23 -0800
20.160.0.0/12 Entry added Thu, 25 Jan 2024 14:43:38 -0800
40.76.0.0/14 Entry added Thu, 25 Jan 2024 14:44:19 -0800
20.64.0.0/10 Entry added Thu, 25 Jan 2024 14:45:14 -0800
40.127.0.0/16 Entry added Thu, 25 Jan 2024 14:50:01 -0800
51.140.0.0/14 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.160.0.0/11 Entry added Mon, 21 Mar 2022 14:31:36 -0700
20.48.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.136.0.0/13 Entry added Mon, 21 Mar 2022 14:31:36 -0700
104.107.104.0/22 Entry added Mon, 21 Mar 2022 14:31:36 -0700
40.80.0.0/12 Entry added Mon, 21 Mar 2022 14:31:36 -0700
52.136.0.0/13 microsoft
20.48.0.0/12 Entry added Sat, 02 Apr 2022 18:27:56 -0700
52.160.0.0/11 Entry added Sat, 02 Apr 2022 18:27:56 -0700
51.140.0.0/14 microsoft
20.184.0.0/13 Entry added Fri, 08 Apr 2022 10:02:16 -0700
40.126.0.0/18 Entry added Fri, 08 Apr 2022 10:03:26 -0700
20.40.0.0/13 Entry added Fri, 08 Apr 2022 14:57:24 -0700
52.242.97.97/11 Entry added Fri, 08 Apr 2022 14:58:28 -0700
13.91.16.69/11 Entry added Fri, 08 Apr 2022 14:59:38 -0700
51.10.0.0/15 Entry added Fri, 27 May 2022 18:10:58 -0700
13.107.4.0/24 Entry added Fri, 27 May 2022 18:12:13 -0700
40.112.0.0/13 Entry added Fri, 27 May 2022 18:20:55 -0700
40.125.0.0/17 Entry added Fri, 27 May 2022 18:28:46 -0700
52.224.0.0/11 Entry added Fri, 27 May 2022 18:35:24 -0700
13.107.42.0/24 Entry added Fri, 27 May 2022 18:53:55 -0700
52.152.0.0/13 Entry added Fri, 27 May 2022 18:59:37 -0700
104.40.0.0/13 Entry added Fri, 27 May 2022 19:01:05 -0700
204.79.197.0/24 Entry added Fri, 27 May 2022 19:18:44 -0700
40.74.0.0/15 Entry added Fri, 27 May 2022 19:26:09 -0700
104.84.224.0/22 Entry added Fri, 27 May 2022 19:36:17 -0700
51.116.0.0/16 Entry added Fri, 27 May 2022 19:48:04 -0700
13.64.0.0/11 Entry added Fri, 27 May 2022 20:04:08 -0700
20.64.0.0/10 Entry added Fri, 27 May 2022 20:06:22 -0700
96.7.232.0/22 Entry added Fri, 27 May 2022 20:08:21 -0700
184.30.160.0/19 Entry added Fri, 27 May 2022 20:14:38 -0700
40.127.0.0/16 Entry added Sat, 28 May 2022 10:02:46 -0700
8.240.0.0/12 Entry added Sun, 21 Aug 2022 16:44:27 -0700
54.192.80.0/22 Entry added Sun, 21 Aug 2022 16:45:10 -0700