Rules for blocking automatic Windows Update

    Firewalling

Adam2 wrote:

      Hi

Can anyone point me in the right direction regarding blocking automatic Windows updates and Symantec Antivirus updates? Those two are using up a lot of bandwidth. I already have a plan to manually distribute all updates through one machine only, as opposed to having everyone connected to the net for that purpose.

      Thanks

hoba wrote:

The easiest way would probably be to resolve the hostnames that are used for the updates to some wrong IP. You could do that by using the DNS forwarder, or your local DNS server in case you are not using pfSense for DNS.

cmb wrote:

          That will be difficult to reliably block without using something like squid. If this is a corporate environment, you should use group policy to force your machines to update via WSUS, then you don't have to worry about blocking it. For Symantec, you should be using the central update features in their corporate version and again won't have to worry about blocking it.

Adam2 wrote:

            Hi hoba, cmb

I've tried the DNS forwarder, but that didn't help, because I'm seeing the same things in my log this morning.

@cmb I'm not in a corporate environment, so I can't use Group Policy. I do, however, have the Squid package installed; how can I achieve what I want with it?

            Many thanks

Cry Havok wrote:

              Since Adam2 decided the best route was to PM me asking for help, I'll post my comments here:

              If you have a question, ask it in the forum.  If I have something to add to a thread I will, if I don't then I won't.  PMing me asking me to look at a particular thread (unless you're one of the pfSense team, or a mod, in which case I'm assuming you're prompting me for a good reason) will just annoy me.

              We will now return you to your previously scheduled insanity…

Adam2 wrote:

My apologies, Cry Havok. I did not mean to annoy anyone in any way; I was simply trying to ask you to look into the thread "when you had time", and also you are one of the experienced users who was online at that time. Besides, I hadn't seen the tagline "If you're planning on PMing me to ask me to look at a thread, or for individual support, don't."

                I hope you understand my situation

                Thanks

Cry Havok wrote:

                  It wasn't there before, your PM was the straw that "broke the camel's back" as it were.

                  Keep in mind that everybody here (with the possible exception of the core team, but I suspect it also applies to them) is giving up their time to help folks like yourself.  Acting as if you assume that you're entitled to help, regardless of your intentions, is always going to annoy people.  You're only entitled to help if you're paying people for that help.

                  Back to your question, take a look at the Access Control tab in the proxy configuration.  There's a field for blacklisting URLs etc.  "All" you have to do is put the appropriate entries in there.  You could probably start with something like:

(^|\.)update\.microsoft\.com$
(^|\.)windowsupdate\.microsoft\.com$

If the Symantec updates use a dedicated host then you can do something similar; if you force Symantec through Squid, the logs will tell you whether it uses a dedicated update server. You'll probably have to add your download server to the Unrestricted box, or allow it to bypass Squid. You'll also want to ensure that you block direct outbound access to 80/TCP and 443/TCP in the firewall rules tab for the LAN port.

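As an added example that is not part of the original post or of the pfSense Squid package, the check below tests two forms of the blacklist entries above against a constructed list of hostnames before they go into the Access Control tab: one with the dots escaped so they only match literal dots, and one with the backslashes missing, as happens when a forum or a copy-paste strips them. It assumes the package loads that blacklist into a Squid dstdom_regex ACL (POSIX extended regex, matched case-insensitively) and that PowerShell's -match is close enough to that engine for patterns built from these few metacharacters. download.windowsupdate.com is included as a Windows Update download host the post does not list.

```powershell
# Added example, not code from the thread or from the pfSense Squid package.
# Assumption: the Access Control blacklist ends up in a Squid dstdom_regex ACL (POSIX extended
# regex, case-insensitive in the pfSense package); the patterns below use only syntax that .NET
# regex and POSIX ERE share, so PowerShell's -match is a fair stand-in for checking them offline.

function Test-BlacklistPatterns {
    param(
        [Parameter(Mandatory)][string[]]$Patterns,
        [Parameter(Mandatory)][string[]]$Hosts
    )
    foreach ($h in $Hosts) {
        $hits = @($Patterns | Where-Object { $h -match $_ })
        [pscustomobject]@{
            Host      = $h
            Blocked   = ($hits.Count -gt 0)
            MatchedBy = ($hits -join ' ; ')
        }
    }
}

# The entries with their backslashes lost: every '.' now matches any single character
$unescaped = @(
    '(^|.)update.microsoft.com$',
    '(^|.)windowsupdate.microsoft.com$'
)

# Same intent with the metacharacters escaped. download.windowsupdate.com is a Windows Update
# download host that neither of the two entries can ever match; it is added here, not in the post.
$escaped = @(
    '(^|\.)update\.microsoft\.com$',
    '(^|\.)windowsupdate\.microsoft\.com$',
    '(^|\.)download\.windowsupdate\.com$'
)

# Constructed host list: the hosts the entries are meant to catch, a download host they miss,
# a look-alike that only the unescaped form catches, and a host that must stay reachable.
$sample = @(
    'update.microsoft.com',
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'au.download.windowsupdate.com',
    'updateXmicrosoftYcom',
    'www.microsoft.com'
)

'--- backslashes lost ---'
Test-BlacklistPatterns -Patterns $unescaped -Hosts $sample | Format-Table -AutoSize
'--- escaped ---'
Test-BlacklistPatterns -Patterns $escaped   -Hosts $sample | Format-Table -AutoSize
```

Two things show up in the output. With the backslashes lost, the first entry alone already catches windowsupdate.microsoft.com (the unescaped `.` before `update` matches the `s`) and also catches the look-alike updateXmicrosoftYcom, so a clean copy of the entries needs both lines and escaped dots. In either form, download.windowsupdate.com and au.download.windowsupdate.com pass straight through, which is why the post says to watch the Squid logs for the hosts actually being fetched rather than trust the starting list, and why direct 80/443 from the LAN still has to be blocked in the firewall rules so nothing can sidestep the proxy.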
Kris.J wrote:

The best-practice way to do this, as mentioned above:

1.  Set up a WSUS 3.0 server.  Download WSUS free here:  http://technet.microsoft.com/en-us/wsus/default.aspx

2.  Adjust your pfSense firewall rules accordingly to let your fresh WSUS 3.0 server get updates.

3.  Set up Group Policy (or deploy a quick registry hack) that configures the Automatic Updates service on all workstations to talk to your WSUS 3.0 server.

                    I'm seeing a lot of what I call "right tool for the job" sort of stuff here – people asking how to make pfSense do things that are better done another way.

                    Like trying to turn a 10mm bolt with an adjustable wrench - a 10mm wrench or socket is what you need.

pfSense is not an adjustable wrench, nor is it a 10mm wrench or socket.  It's a much more specialized tool, for very specific applications.

                    Coming from a Cisco background, I always compare to what I'd do with a PIX.  I wouldn't try to do application level filtering in a PIX - so I wouldn't try to do it in pfSense either.  That's not what a firewall is for IMO.

                    I did it for the lulz.

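To make step 3 concrete for a network without a domain, here is an added example that is not from the thread and not a Microsoft script. It writes the same policy values a WSUS Group Policy object would set, then forces the client to check in. The server name wsus.example.internal and the port are assumptions (8530 is what WSUS uses when installed on its own IIS website; it is 80 when installed on the default website); the registry paths and value names are the documented Windows Update policy keys.

```powershell
# Added example, not code from the thread or from Microsoft. It writes the policy values that a
# WSUS Group Policy object would set, so it can stand in for step 3 on machines without a domain.
# Assumption: the WSUS server is reachable as wsus.example.internal on 8530 (the port WSUS uses on
# its own IIS website; use 80 if it was installed on the default website). Run as Administrator.

$WsusUrl = 'http://wsus.example.internal:8530'

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

foreach ($key in @($wuPolicy, $auPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the client downloads from and where it reports status; normally the same server
Set-ItemProperty -Path $wuPolicy -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuPolicy -Name WUStatusServer -Value $WsusUrl -Type String

# 1 = use the intranet server above instead of Microsoft Update
Set-ItemProperty -Path $auPolicy -Name UseWUServer -Value 1 -Type DWord
# 2 = notify before download, 3 = download and notify, 4 = download and install on schedule
Set-ItemProperty -Path $auPolicy -Name AUOptions   -Value 4 -Type DWord

# Make the Automatic Updates service reread the policy, then ask it to talk to WSUS right away
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow

# Show what the client will use from now on
Get-ItemProperty -Path $wuPolicy | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auPolicy | Select-Object UseWUServer, AUOptions
```

Running this on each workstation is the "registry hack" route; in a domain, the Windows Update policies under Computer Configuration > Administrative Templates > Windows Components > Windows Update set exactly these values. Once only the WSUS host needs to reach Microsoft, the firewall change in step 2 reduces to one pass rule for that host and a block for the rest of the LAN, and there is nothing left to blacklist in the proxy.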
Adam2 wrote:

Thanks a lot for your understanding; I will be careful with my future posting.

I'm going to do as both of you said and keep you posted on how it goes.

                      Thanks again

kapara wrote:

                        You can also edit the registry to disable Windows Update on a per user basis:

                        Start regedit.exe on the machine where you want to disable Windows Update.
                        Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
                        From the Edit menu, select New, DWORD value.
                        Enter a name of NoWindowsUpdate, and press Enter.
                        Double-click NoWindowsUpdate, and set it to 1.
                        Close regedit.

                        You don't need to reboot. If the user tries to start Windows Update, the system will display the following error message:

                        Windows Update was disabled by your system Administrator.

Skype ID: Marinhd

Adam2 wrote:

Okay, I think the block has taken effect, because there is no traffic to the restricted address.

@kapara Nice tip, I will do that (maybe create a .bat file for that registry tweak) or just disable automatic updates from the GUI.
