How to block in Windows10 Telemetry with pfsense

robi

@n3by:

yes it looks ok.

It's not ok as per your description, because it's a pass rule, not a block rule.

robi

@KOM:

yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

Huh?  Windows Update domains shouldn't be included in your telemetry alias.

Which are the Windows Update domains, btw?

I found these:

windowsupdate.microsoft.com	 
update.microsoft.com	 
windowsupdate.com	 
download.windowsupdate.com	 
wustat.windows.com	 
ntservicepack.microsoft.com	 

Are there any others?

Sea Monkey

@robi:

@n3by:

yes it looks ok.

It's not ok as per your description, because it's a pass rule, not a block rule.

It's two rules.

Harvy66

Setup a WSUS server, whitelist that to talk to Microsoft, and block all clients?

I'm torn between Linux and FreeBSD. Linux has better Steam support, but a lot of stuff is being done in FreeBSD to increase comparability. ZFS and Jails are very attractive, even on a desktop.

2chemlud

Whenever I have the choice, M$-shyt has been replaced by opensuse or PC-BSD (the later has a steeper learning curve and is not so well supported, but is free of systemd). Big plus: you can both run with KDE desktop, which made it much easier to switch between these two, and btw the handling is not sooo far away from Windows xp/7…

2chemlud

PS: Here

http://techne.alaya.net/?p=12499

you can find a long list of IPs and host names to block for Windows telemetry.

2chemlud

…just for the record:

I uninstalled on Win 7 pro 64/32 (various computers) the following KBs:

97 1033
290 2907
295 2664
299 0214
302 1917
302 2345
303 5583
304 4374
305 0265
306 2345
306 5987
306 8708
307 5249
307 5851
308 0149
308 3325

and in addition I set up a block rule with loggin for an alias containing all the IPs and host names listed here

http://techne.alaya.net/?p=12499

As you might expect, the firewall log is full of blocked "MS telemetry" this morning.

2chemlud

…just to add:

Had my PC-BSD 10 PC up today for updating. Really amazing, I found in the firewall logs repeated access of this computer to an IP blocked for MS Telemetry.

WHAT has PC-BSD with MS-Telemetry in common? Or is it more correctly NSA telemetry featured by Microshyte?

I'm surprised!


KOM

That IP address is a-msedge.net and it takes you to Bing.

2chemlud

So basically you think it's Firefox? But I have no Bing (removed it from search options in Firefox), I use no Bing, I've never been there in my whole live… Firefox was running in PRIVATE mode all the time btw...

So: why does my OS/Browser try to contact OVER AND OVER AGAIN something I've never asked to contact? Things are not really getting better at this point...

KOM

No idea.

2chemlud

…sometimes I really think about starting a 24/7 wireshark session on all networks... storage space is so cheap nowadays. How about an integration into pfSense?

KOM

How about an integration into pfSense?

pfSense already has a Capture Packet function.  You want Wireshark??

2chemlud

But is 24/7 feasible on an embedded nano? Not really, I guess. Maybe I set up a Linux machine and start copying the whole internet traffic…

But overall: This story really frustrates me...

cmb

Wireshark is just a GUI to pcap data, you wouldn't run that on the firewall given it has no X and will never have X. You can feed Wireshark over SSH, or run tcpdump on the firewall dumping to disk if you have plenty of disk space.

It's extremely unlikely PCBSD is communicating with anything to do with Microsoft. Whatever telemetry blocking list you have is way over-blocking I expect. It also seems to block critical portions of Windows update, which is likely the bulk of the attempts you're seeing.

doktornotor

@cmb:

Whatever telemetry blocking list you have is way over-blocking I expect. It also seems to block critical portions of Windows update, which is likely the bulk of the attempts you're seeing.

Yes. Things like HPHosts that block this without thinking break Windows updates.

2chemlud

Nope, Windows update just works fine on the Win-machines in the network, no problem at all.

But please, it's the local IP of my PC-BSD 10 running on an old Dell Precision 670, no question about that. No Windows involved. No software other than Firefox was running a the time of the blockings in the firewall log. And the log is FULL of these blocks.

I REALLY have no idea what is going on here…

KOM

And you're sure that this PC-BSD box isn't running a browser that is trying to talk to Bing, for whatever reason?  Otherwise, I really can't see a *BSD distro needing to talk to Microsoft for anything.

2chemlud

What could make Firefox with No-script in private mode make talk to Bing, except using Bing, is this the question? Honestly, I don't know!

KOM

Perhaps it's a beacon or something on some page you were on that it talking to Bing?  Some other plugin you're running?  I have no idea either, just wild guesses.