DMZ rule/out, allow windows update servers only
Is there a way to make sure that servers in the DMZ are only able to communicate with Windows Update servers on 80+443?
(So no other sites on 80/443 should be reachable.)
I've made aliases:
But it seems the "wildcard FQDNs" are needed as well to get it to function.
Server = pfSense 2.0 RC3 on a Dell PE T110
With a proxy it would be doable.
If you have AD, then it can be set up to use only WSUS servers, but that is a different story and a different forum.
It seems to work like this... forget the wildcards in the FQDNs in the aliases...
(The only proof is that I did one successful update with DMZ/2k8R2: 3 updates from yesterday.)
Add the alias "WinUpdate":
Add a DMZ firewall rule:
Proto  Source     Port  Destination  Port  Gateway  Queue
-      DMZserver  *     WinUpdate    *     *        none
Before, I had the protocol and ports specified; that seems to have been too narrow. It seems to work now, but I don't actually know why (compared with the previous rule setup). Maybe some ICMP/ping is needed for startup of the updater?!?
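As an added example (not from the original post and not pfSense's own generated ruleset), here is what the alias-plus-rule approach looks like as a hand-written pf ruleset, with the 80/443 port restriction the original question asked for and an explicit final block rule so that no other site on 80/443 is reachable. The interface name, the DMZ host address, the DNS server address and the hostnames in the table are assumptions; the authoritative hostname list must be taken from Microsoft's documentation for the Windows Update endpoints.

```pf
# Added example: stand-alone pf ruleset equivalent to the pfSense alias + rule.
# Assumptions (not from the thread): the DMZ is on em1, the server being
# updated is 10.10.10.20, and its resolver is 10.10.10.1.
dmz_if     = "em1"
dmz_host   = "10.10.10.20"
dns_server = "10.10.10.1"

# Hostnames in a table are resolved once, when the ruleset is loaded
# (pfctl -f), so this snapshot goes stale as the CDN addresses behind the
# names change; pfSense re-resolves FQDN aliases periodically for exactly
# that reason. Wildcards are not valid here: each name is resolved literally.
# The entries below are illustrative; take the real list from Microsoft.
table <winupdate> {
    windowsupdate.microsoft.com
    update.microsoft.com
    download.windowsupdate.com
    download.microsoft.com
}

# First match wins because of "quick".
# The host must be able to resolve the update hostnames itself, so DNS to
# the assumed resolver is allowed explicitly; the alias rule does not cover it.
pass in quick on $dmz_if inet proto { tcp udp } from $dmz_host to $dns_server port 53 keep state

# Only TCP 80/443, and only to addresses currently in the table.
pass in quick on $dmz_if inet proto tcp from $dmz_host to <winupdate> port { 80 443 } flags S/SA keep state

# Everything else from the DMZ host is dropped and logged, so a failing
# update shows up in pflog as a blocked destination rather than a silent hang.
block in quick log on $dmz_if from $dmz_host to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after loading use `pfctl -t winupdate -T show` to list the addresses the hostnames actually resolved to: if the updater fails, comparing that list against the blocked destinations in pflog is the quickest way to tell whether a needed host is simply missing from the table (the likeliest reason a "narrow" rule fails while a wide one works) rather than a protocol or port problem.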