Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    How to block in Windows10 Telemetry with pfsense

    Firewalling
    19
    80
    38044
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      n3by last edited by

      have a look here:

      https://github.com/WindowsLies/BlockWindows

      http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

      1 Reply Last reply Reply Quote 0
      • KOM
        KOM last edited by

        Do not use that, you cannot go back without using a "  restore point".

        ShutUp10 will prompt you to let it create one before it applies its changes.  I didn't bother as I can't see any scenario where I would need to undo that stuff.

        1 Reply Last reply Reply Quote 0
        • S
          Sea Monkey last edited by

          Please forgive me.  I'm a bit of a noob.  Do these look right?

          ![allow update.PNG](/public/imported_attachments/1/allow update.PNG)
          ![allow update.PNG_thumb](/public/imported_attachments/1/allow update.PNG_thumb)
          ![block telemetry.PNG](/public/imported_attachments/1/block telemetry.PNG)
          ![block telemetry.PNG_thumb](/public/imported_attachments/1/block telemetry.PNG_thumb)

          1 Reply Last reply Reply Quote 0
          • N
            n3by last edited by

            yes it looks ok.

            1 Reply Last reply Reply Quote 0
            • KOM
              KOM last edited by

              Your pass rule isn't required unless you've really locked down your LAN.  By default, LAN has full access out to everywhere.

              1 Reply Last reply Reply Quote 0
              • N
                n3by last edited by

                yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                1 Reply Last reply Reply Quote 0
                • KOM
                  KOM last edited by

                  yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                  Huh?  Windows Update domains shouldn't be included in your telemetry alias.

                  1 Reply Last reply Reply Quote 0
                  • N
                    n3by last edited by

                    some people want to block everyhing because MS can deliver an "security update" that will install telemetry and also use update hosts to get data from computer so this way is better, at least for me to have updates (allow only updates-block everything).

                    1 Reply Last reply Reply Quote 0
                    • KOM
                      KOM last edited by

                      I still don't see how this is a good solution.  Are you literally whitelisting every destination address you want access to and blocking everything else on the Internet?  Because MS can spin up a zillion new domains on a whim.

                      1 Reply Last reply Reply Quote 0
                      • N
                        n3by last edited by

                        MS can do whatever they want, but they must be able to make your computer to talk with any new domains ( and they can do this only with an allowed to install update ).
                        If now you block the telemetry C&C servers, there is no other way your computer will know to talk with new domains until you will install that update.

                        This is what we have for now, if we have another better way please elaborate ( except unplug the cable, stop using MS OS… ).

                        1 Reply Last reply Reply Quote 0
                        • R
                          robi last edited by

                          @n3by:

                          yes it looks ok.

                          It's not ok as per your description, because it's a pass rule, not a block rule.

                          1 Reply Last reply Reply Quote 0
                          • R
                            robi last edited by

                            @KOM:

                            yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                            Huh?  Windows Update domains shouldn't be included in your telemetry alias.

                            Which are the Windows Update domains, btw?

                            I found these:

                            windowsupdate.microsoft.com	 
                            update.microsoft.com	 
                            windowsupdate.com	 
                            download.windowsupdate.com	 
                            wustat.windows.com	 
                            ntservicepack.microsoft.com	 
                            

                            Are there any others?

                            1 Reply Last reply Reply Quote 0
                            • S
                              Sea Monkey last edited by

                              @robi:

                              @n3by:

                              yes it looks ok.

                              It's not ok as per your description, because it's a pass rule, not a block rule.

                              It's two rules.

                              1 Reply Last reply Reply Quote 0
                              • H
                                Harvy66 last edited by

                                Setup a WSUS server, whitelist that to talk to Microsoft, and block all clients?

                                I'm torn between Linux and FreeBSD. Linux has better Steam support, but a lot of stuff is being done in FreeBSD to increase comparability. ZFS and Jails are very attractive, even on a desktop.

                                1 Reply Last reply Reply Quote 0
                                • 2
                                  2chemlud Banned last edited by

                                  Whenever I have the choice, M$-shyt has been replaced by opensuse or PC-BSD (the later has a steeper learning curve and is not so well supported, but is free of systemd). Big plus: you can both run with KDE desktop, which made it much easier to switch between these two, and btw the handling is not sooo far away from Windows xp/7…

                                  1 Reply Last reply Reply Quote 0
                                  • 2
                                    2chemlud Banned last edited by

                                    PS: Here

                                    http://techne.alaya.net/?p=12499

                                    you can find a long list of IPs and host names to block for Windows telemetry.

                                    1 Reply Last reply Reply Quote 0
                                    • 2
                                      2chemlud Banned last edited by

                                      …just for the record:

                                      I uninstalled on Win 7 pro 64/32 (various computers) the following KBs:

                                      97 1033
                                      290 2907
                                      295 2664
                                      299 0214
                                      302 1917
                                      302 2345
                                      303 5583
                                      304 4374
                                      305 0265
                                      306 2345
                                      306 5987
                                      306 8708
                                      307 5249
                                      307 5851
                                      308 0149
                                      308 3325

                                      and in addition I set up a block rule with loggin for an alias containing all the IPs and host names listed here

                                      http://techne.alaya.net/?p=12499

                                      As you might expect, the firewall log is full of blocked "MS telemetry" this morning.

                                      1 Reply Last reply Reply Quote 0
                                      • 2
                                        2chemlud Banned last edited by

                                        …just to add:

                                        Had my PC-BSD 10 PC up today for updating. Really amazing, I found in the firewall logs repeated access of this computer to an IP blocked for MS Telemetry.

                                        WHAT has PC-BSD with MS-Telemetry in common? Or is it more correctly NSA telemetry featured by Microshyte?

                                        I'm surprised!

                                        ![BSD to MS 07.12.2015.JPG](/public/imported_attachments/1/BSD to MS 07.12.2015.JPG)
                                        ![BSD to MS 07.12.2015.JPG_thumb](/public/imported_attachments/1/BSD to MS 07.12.2015.JPG_thumb)

                                        1 Reply Last reply Reply Quote 0
                                        • KOM
                                          KOM last edited by

                                          That IP address is a-msedge.net and it takes you to Bing.

                                          1 Reply Last reply Reply Quote 0
                                          • 2
                                            2chemlud Banned last edited by

                                            So basically you think it's Firefox? But I have no Bing (removed it from search options in Firefox), I use no Bing, I've never been there in my whole live… Firefox was running in PRIVATE mode all the time btw...

                                            So: why does my OS/Browser try to contact OVER AND OVER AGAIN something I've never asked to contact? Things are not really getting better at this point...

                                            1 Reply Last reply Reply Quote 0
                                            • KOM
                                              KOM last edited by

                                              No idea.

                                              1 Reply Last reply Reply Quote 0
                                              • 2
                                                2chemlud Banned last edited by

                                                …sometimes I really think about starting a 24/7 wireshark session on all networks... storage space is so cheap nowadays. How about an integration into pfSense?

                                                1 Reply Last reply Reply Quote 0
                                                • KOM
                                                  KOM last edited by

                                                  How about an integration into pfSense?

                                                  pfSense already has a Capture Packet function.  You want Wireshark??

                                                  1 Reply Last reply Reply Quote 0
                                                  • 2
                                                    2chemlud Banned last edited by

                                                    But is 24/7 feasible on an embedded nano? Not really, I guess. Maybe I set up a Linux machine and start copying the whole internet traffic…

                                                    But overall: This story really frustrates me...

                                                    1 Reply Last reply Reply Quote 0
                                                    • C
                                                      cmb last edited by

                                                      Wireshark is just a GUI to pcap data, you wouldn't run that on the firewall given it has no X and will never have X. You can feed Wireshark over SSH, or run tcpdump on the firewall dumping to disk if you have plenty of disk space.

                                                      It's extremely unlikely PCBSD is communicating with anything to do with Microsoft. Whatever telemetry blocking list you have is way over-blocking I expect. It also seems to block critical portions of Windows update, which is likely the bulk of the attempts you're seeing.

                                                      1 Reply Last reply Reply Quote 0
                                                      • D
                                                        doktornotor Banned last edited by

                                                        @cmb:

                                                        Whatever telemetry blocking list you have is way over-blocking I expect. It also seems to block critical portions of Windows update, which is likely the bulk of the attempts you're seeing.

                                                        Yes. Things like HPHosts that block this without thinking break Windows updates.

                                                        1 Reply Last reply Reply Quote 0
                                                        • 2
                                                          2chemlud Banned last edited by

                                                          Nope, Windows update just works fine on the Win-machines in the network, no problem at all.

                                                          But please, it's the local IP of my PC-BSD 10 running on an old Dell Precision 670, no question about that. No Windows involved. No software other than Firefox was running a the time of the blockings in the firewall log. And the log is FULL of these blocks.

                                                          I REALLY have no idea what is going on here…

                                                          1 Reply Last reply Reply Quote 0
                                                          • KOM
                                                            KOM last edited by

                                                            And you're sure that this PC-BSD box isn't running a browser that is trying to talk to Bing, for whatever reason?  Otherwise, I really can't see a *BSD distro needing to talk to Microsoft for anything.

                                                            1 Reply Last reply Reply Quote 0
                                                            • 2
                                                              2chemlud Banned last edited by

                                                              What could make Firefox with No-script in private mode make talk to Bing, except using Bing, is this the question? Honestly, I don't know!

                                                              1 Reply Last reply Reply Quote 0
                                                              • KOM
                                                                KOM last edited by

                                                                Perhaps it's a beacon or something on some page you were on that it talking to Bing?  Some other plugin you're running?  I have no idea either, just wild guesses.

                                                                1 Reply Last reply Reply Quote 0
                                                                • 2
                                                                  2chemlud Banned last edited by

                                                                  … no further plugins, except Cipherfox... ;-)

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • 2
                                                                    2chemlud Banned last edited by

                                                                    …btw, I did it in the past, with 2 bridged network adapters catch whole internet traffic with wireshark. Is it better to do it on the WAN or on the LAN interface of the pfSense?

                                                                    On the WAN side the local IP the traffic is comming from should gone, right?

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • C
                                                                      cmb last edited by

                                                                      Full of blocks to where? What IP(s)? PCBSD runs from a CDN, which might also host any number of other completely unrelated things. Doubt if Microsoft is among those as I believe they use akamai, but knowing list maintainers' penchant for over-blocking, it wouldn't be surprising if they blocked an entire CDN.

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • 2
                                                                        2chemlud Banned last edited by

                                                                        The specific IP in the post above, same IP again and again.

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • S
                                                                          sodasam last edited by

                                                                          :-\Hi,

                                                                          I tried to follow these instructions but pfsense is not allowing me to save these hosts as an alias or under any other type. Here is a snapshot of what I am doing https://imgur.com/XpW9uI8

                                                                          I would also like to block incoming tor exit nodes and I dont see any easy way to add the hundreds of IP's, does anyone know how that can be done on the command line?

                                                                          Can you kindly tell me the correct way to do this or how I can do it on the command line?

                                                                          Thanks!

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • KOM
                                                                            KOM last edited by

                                                                            The name of the alias may only consist of the characters "a-z, A-Z, 0-9 and _"

                                                                            You can embed images directly here.  No need to link to Imgur.

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • S
                                                                              sodasam last edited by

                                                                              @KOM:

                                                                              The name of the alias may only consist of the characters "a-z, A-Z, 0-9 and _"

                                                                              Ok fine but how do I add all these urls?

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • KOM
                                                                                KOM last edited by

                                                                                Make an URL alias.

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • S
                                                                                  sodasam last edited by

                                                                                  @KOM:

                                                                                  Make an URL alias.

                                                                                  That provides the same error and this:

                                                                                  The following input errors were detected:

                                                                                  The alias name must be less than 32 characters long, may not consist of only numbers, and may only contain the following characters a-z, A-Z, 0-9, _.
                                                                                  You must provide a valid URL. Could not fetch usable data from 'vortex.data.microsoft.com'.

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • KOM
                                                                                    KOM last edited by

                                                                                    Well, considering I have no idea what you've done, all I can say is that it works fine for me and others.  Perhaps if you posted some actual useful information about your configuration, we might be able to help you.

                                                                                    An URL Alias is just an URL that points to a file on a web server, and pfSense will load that alias with the content of the text file.

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post

                                                                                    Products

                                                                                    • Platform Overview
                                                                                    • TNSR
                                                                                    • pfSense Plus
                                                                                    • Appliances

                                                                                    Services

                                                                                    • Training
                                                                                    • Professional Services

                                                                                    Support

                                                                                    • Subscription Plans
                                                                                    • Contact Support
                                                                                    • Product Lifecycle
                                                                                    • Documentation

                                                                                    News

                                                                                    • Media Coverage
                                                                                    • Press
                                                                                    • Events

                                                                                    Resources

                                                                                    • Blog
                                                                                    • FAQ
                                                                                    • Find a Partner
                                                                                    • Resource Library
                                                                                    • Security Information

                                                                                    Company

                                                                                    • About Us
                                                                                    • Careers
                                                                                    • Partners
                                                                                    • Contact Us
                                                                                    • Legal
                                                                                    Our Mission

                                                                                    We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                                                    Subscribe to our Newsletter

                                                                                    Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                                                    © 2021 Rubicon Communications, LLC | Privacy Policy