Block internet access except Windows Update??



  • I have pfSense and Untangle on my network, and yet I cannot figure out an easy way to let a small subnet only see Windows Update and logmein.com. Any ideas?

    I have some VLAN'd subnets, 10.0.0.0/24 - 10.0.4.0/24, and I want to grab a small group of computers on 10.0.3.32/27 and pretty much stop all internet, except for updates and LogMeIn.

    I am using Untangle free edition, so I can't add a 2nd policy for this without subscribing to a monthly fee. On pfSense, I tried to get squid+squidguard to work, but it seems I am doing things in reverse of what it was intended for (block all and only allow xyz), and I am having trouble figuring out an easy way to do this in squid. No caching needed, just filter out the entire internet except update.microsoft.com.



  • On pfSense add three firewall rules for the interface on 10.0.3.32/27 in this order:

    1. Allow everything to the IP address of update.microsoft.com
    2. Allow everything to the IP address of logmein.com
    3. Block everything.

    The firewall rules are processed top down, first match terminates rule processing.

    You haven't said anything that would suggest squid is needed for this particular issue.

    You haven't given full details of your configuration so you might need to tweak this a bit to work in your specific configuration.



  • That would be nice, except that the IP changes regularly due to load balancing.

    I have already done something similar by allowing the LogMeIn and MS CIDR blocks, but this also allows things like live.com, hotmail, etc., which is not wanted.



  • Depends.

    Easiest way: create rules based on an alias. Change the LAN net to a single host or alias.
    Create an alias with the IPs you wish to have access to the internet, or use a network and only allow it that way (x.x.x.x/24).

    I usually create a couple of rules:
    one that allows ports 1-79 (TCP/UDP) and one that allows 81-1000 (TCP/UDP). That way, if people have email clients they work behind the system, but web surfing is dead. (You can create a third rule if you want to omit the HTTPS port 443.)
    In your case I would probably add in a rule for the LogMeIn ports too (whatever they are). I believe Microsoft updates use a specific port, 443.

    Then create an alias firewall rule that allows port 80 to certain IPs or a range that you wish to have access to the internet. That way client email will work, and so should Windows updates, but web surfing is limited to those who are found within the alias IP range.

    If you keep the maximum port at 1000, there are very few, if any, proxy servers that use anything under this port range. Surfing via a proxy port usually sucks anyway.


    Oops, I misread your first post. I thought you wanted updates on all computers and web surfing only for a select few. But the rules still apply: just block port 80 and anything over 1000, or only allow port 443 and whatever the LogMeIn ports are.
    It still works, though you might have access to other 443 sites; then you just allow the Microsoft 443 ports and whatever other 443 websites you might want. It is pretty hard to surf without port 80 for most people. If you are still having problems with Windows Update because of the lack of port 80, a simple fix is to schedule port 80 in during down times and have your computers do their updates during that time period.

    As an added footnote: if they have the Hotmail login page bookmarked, that will still show up, but once they log in it switches from HTTPS to HTTP and the page will fail to load, as do almost all web-based emails for the most part. Just pointing this out so you do not get perturbed when you first try it and then complain that it does not work.
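Added example (not part of the thread): a small first-match rule evaluator that mimics pfSense walking an interface's rules top-down and stopping at the first hit, used to try the two rule sets proposed above against sample flows. It covers the host-IP rules from the second post (including what happens when the resolved address rotates, as the third post objects, and when the block rule is put first), the CIDR-block variant the third post says lets unrelated sites through, and the port-carving scheme from the fourth post. Every address, host name, alias name and DNS answer is constructed for the illustration; the "Microsoft" and "LogMeIn" prefixes are RFC 5737 documentation ranges, not real allocations, and the implicit default deny is an assumption stated in the code.

```python
"""Added example (not code from this thread): a first-match rule evaluator
that mimics pfSense walking an interface's rules top-down and stopping at
the first hit. All addresses, names and aliases are constructed; the
"Microsoft"/"LogMeIn" prefixes are RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "pass" or "block"
    src: Net                 # source network the rule applies to
    dst: Tuple[Net, ...]     # destination alias: one or more networks
    ports: Optional[range]   # destination TCP/UDP ports; None = any port

def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)

def alias(*cidrs: str) -> Tuple[Net, ...]:
    """A pfSense-style alias: a group of networks and/or /32 hosts."""
    return tuple(net(c) for c in cidrs)

ANY = alias("0.0.0.0/0")
SUBNET = net("10.0.3.32/27")   # the restricted group from the question
CLIENT = "10.0.3.40"           # a host inside that /27

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """Return "action:rule" for the first rule matching the flow.
    Assumption: no match means drop (pfSense's implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and any(d in n for n in r.dst)
                and (r.ports is None or dport in r.ports)):
            return f"{r.action}:{r.name}"
    return "block:implicit"

# Constructed DNS answers: the update host is load balanced across two
# addresses, and an unrelated mail site lives in the same /24.
DNS = {
    "update.microsoft.com": ["203.0.113.10", "203.0.113.11"],
    "logmein.com": ["198.51.100.20"],
    "mail.example": ["203.0.113.50"],
}

def host_rules():
    """Second post: allow each host's IP, then block all. The alias holds
    the single answer returned when the rules were loaded."""
    return [
        Rule("ms-update", "pass", SUBNET, alias(DNS["update.microsoft.com"][0] + "/32"), None),
        Rule("logmein", "pass", SUBNET, alias(DNS["logmein.com"][0] + "/32"), None),
        Rule("deny-all", "block", SUBNET, ANY, None),
    ]

def scenario_host_alias():
    rules = host_rules()
    block_first = rules[-1:] + rules[:-1]   # same rules, block on top
    return {
        "update_first_ip": evaluate(rules, CLIENT, "203.0.113.10", 443),
        "update_rotated_ip": evaluate(rules, CLIENT, "203.0.113.11", 443),
        "logmein": evaluate(rules, CLIENT, "198.51.100.20", 443),
        "other_site": evaluate(rules, CLIENT, "192.0.2.7", 443),
        "block_first": evaluate(block_first, CLIENT, "203.0.113.10", 443),
    }

def scenario_cidr_alias():
    """Third post: the whole /24 covers the rotated IP, and everything else
    in that block too."""
    rules = [
        Rule("ms-block", "pass", SUBNET, alias("203.0.113.0/24"), None),
        Rule("logmein-block", "pass", SUBNET, alias("198.51.100.0/24"), None),
        Rule("deny-all", "block", SUBNET, ANY, None),
    ]
    return {
        "update_rotated_ip": evaluate(rules, CLIENT, "203.0.113.11", 443),
        "mail_site": evaluate(rules, CLIENT, "203.0.113.50", 443),
    }

def scenario_port_carving():
    """Fourth post: pass 1-79 and 81-1000 anywhere, port 80 only to an alias."""
    web_allowed = alias("203.0.113.0/24")
    rules = [
        Rule("low-ports", "pass", SUBNET, ANY, range(1, 80)),
        Rule("mid-ports", "pass", SUBNET, ANY, range(81, 1001)),
        Rule("web-alias", "pass", SUBNET, web_allowed, range(80, 81)),
        Rule("deny-all", "block", SUBNET, ANY, None),
    ]
    return {
        "smtp_anywhere": evaluate(rules, CLIENT, "192.0.2.25", 25),
        "http_anywhere": evaluate(rules, CLIENT, "192.0.2.80", 80),
        "http_allowed": evaluate(rules, CLIENT, "203.0.113.10", 80),
        "https_anywhere": evaluate(rules, CLIENT, "192.0.2.80", 443),
        "high_port": evaluate(rules, CLIENT, "192.0.2.80", 8080),
        "outside_subnet": evaluate(rules, "10.0.3.5", "192.0.2.25", 25),
    }
```

Running the three scenarios shows the trade-offs the posts are arguing about: the per-host alias passes only the address that was current when the rules loaded and drops the rotated one, the /24 alias catches the rotated address but also the unrelated mail site in the same block, and the port-carving set leaves 443 open to any destination while killing plain port 80 outside the alias. Moving the block rule to the top blocks everything, which is the first-match behaviour the second post describes. On a real pfSense box the same checks are done by reading the rule list and the firewall log rather than a simulator, but the ordering and alias logic is the same.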

