OPNsense Forum

English Forums => General Discussion => Topic started by: jerrac on August 26, 2015, 09:42:20 pm

Title: Can OPNsense block OS level monitoring?
Post by: jerrac on August 26, 2015, 09:42:20 pm
With all the kerfuffle Windows 10's invasive monitoring has caused, I've started wondering how I could both block known monitoring destinations, and monitor traffic for new destinations.

I don't trust anything that runs on the same OS that is doing the monitoring. So using a firewall on Windows 10, or some kind of app on Android, isn't what I'm looking for.

Which led me to a hardware firewall.

I'd put the firewall between my modem and my router, then I'd configure it to block any outgoing data to a list of URLs/IP addresses that are known to be destinations for OS spying. I'd also configure it to monitor for suspicious destinations. Then I'd make sure my mobile devices only communicated over the net via my VPN. The end result should be that I keep my privacy, even if Microsoft or Google don't respect the privacy settings I select.

So, has anyone configured their firewall to do what I just described?

Can OPNsense block destination URLs as well as IP addresses? Like what you can get when you Google "list of windows telemetry urls".

Can OPNsense monitor traffic in a manner that would help figure out when updates change where the data is being sent?
Title: Re: Can OPNsense block OS level monitoring?
Post by: loden_richard on September 04, 2015, 08:52:18 am
Hi,

I found your request very interesting and so far I am reading about the telemetry service from Microsoft. Some information about the DNS endpoint can be found here -> https://support.microsoft.com/en-us/kb/3022345

So my first step would be to keep an eye out for these DNS requests. But I need more time for a rule set.

Greetings

Loden_Richard

btw. more about ms telemetry data -> http://www.securityweek.com/microsoft-boosts-remote-data-collection-windows-7-and-8?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29

P.P.S.: I am trying to collect all the necessary data for monitoring that specific topic -> https://www.dslreports.com/forum/r30222844-Stop-Windows-10-From-Spying-On-You-36-DNS-Addresses-to-host-file~start=60 -> good information about multiple DNS entries
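The "keep an eye out for these DNS requests" step can be automated on the firewall itself: OPNsense's resolver (Unbound) can log every query, and a small script can split those queries into three buckets: names under a known telemetry suffix, names already seen before the last OS update (a baseline), and genuinely new destinations worth a look. The example below is an added illustration and not code from this thread or from OPNsense; the log lines are constructed to resemble Unbound's query log (the exact line prefix is an assumption, only the "info: <client> <name>. <type> IN" tail is parsed), and the baseline and the "new" host name are made up.

```python
import re

# Telemetry host names quoted later in this thread; matching is by DNS suffix,
# so any subdomain of these is caught as well.
KNOWN_TELEMETRY = [
    "telemetry.microsoft.com",
    "vortex.data.microsoft.com",
    "vortex-win.data.microsoft.com",
    "watson.microsoft.com",
    "sqm.telemetry.microsoft.com.nsatc.net",
    "telemetry.appex.bing.net",
]

# Constructed baseline: names this network was already seen querying during a
# quiet period, recorded before the next OS update was installed.
BASELINE = {"www.example.org", "ntp.example.org"}

# Constructed log lines modelled on Unbound's query log (`log-queries: yes`).
SAMPLE_LOG = """\
[1441356738] unbound[1234:0] info: start of service (unbound 1.5.4).
[1441356740] unbound[1234:0] info: 192.168.1.10 vortex-win.data.microsoft.com. A IN
[1441356741] unbound[1234:0] info: 192.168.1.10 www.example.org. A IN
[1441356742] unbound[1234:0] info: 192.168.1.10 stats.example.net. A IN
[1441356743] unbound[1234:0] info: 192.168.1.11 sqm.telemetry.microsoft.com.nsatc.net. AAAA IN
""".splitlines()

# Query lines end with "<client> <qname>. <qtype> IN"; other log lines do not.
_QUERY_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN\s*$")


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def is_known_telemetry(qname: str, known=KNOWN_TELEMETRY) -> bool:
    """True if qname equals one of the known names or is a subdomain of one."""
    q = normalize(qname)
    return any(q == normalize(k) or q.endswith("." + normalize(k)) for k in known)


def parse_query_line(line: str):
    """Return (client, qname) for a query log line, or None for anything else."""
    m = _QUERY_RE.search(line)
    if m is None:
        return None
    return m.group(1), normalize(m.group(2))


def audit(lines, known=KNOWN_TELEMETRY, baseline=BASELINE) -> dict:
    """Bucket queried names into known telemetry hits and never-seen destinations.

    Names in the baseline that are not telemetry are ignored; each name is
    reported once even if queried repeatedly.
    """
    report = {"known": [], "new": []}
    seen = set()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        _client, qname = parsed
        if qname in seen:
            continue
        seen.add(qname)
        if is_known_telemetry(qname, known):
            report["known"].append(qname)
        elif qname not in baseline:
            report["new"].append(qname)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("known telemetry queried:", result["known"])
    print("new destinations to review:", result["new"])
```

Feeding the firewall's real resolver log through `audit()` after an update, and adding anything legitimate from the "new" bucket to the baseline, gives a simple way to notice when an OS starts talking to endpoints that are not yet on the block list.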
Title: Re: Can OPNsense block OS level monitoring?
Post by: jerrac on September 10, 2015, 12:08:21 am
So, I found this http://someonewhocares.org/hosts/ just now. It's a hosts file, but I thought it might be a good place to start compiling a list of sites most people would want to block. It has Windows 10 stuff at the bottom.

Are OPNsense rules easy to import and export? As in, could I add a rule for each of those DNS entries in that hosts file, then share the rules as a text file for others to use?
Title: Re: Can OPNsense block OS level monitoring?
Post by: franco on September 10, 2015, 03:57:55 pm
Nice list, thanks for sharing!

It's not so simple to push this into the host file, as it is being rewritten by the services running on the box pretty often. Modifying the code would work, or transforming this file into IP address lists that can be easily used with external URL aliases in firewall rules.
Title: Re: Can OPNsense block OS level monitoring?
Post by: jerrac on September 10, 2015, 07:54:11 pm
Quote from: franco
... or transforming this file into IP address lists that can be easily used with external URL aliases in firewall rules.

Something like that is what I was thinking of. Take all the URLs in that file, tell OPNsense to block them, then export those rules in a form others can use.

So, from your comment about using IP addresses, can't we make rules about URLs? Since the IP addresses that those URLs point to are likely to change over time.
Title: Re: Can OPNsense block OS level monitoring?
Post by: franco on September 10, 2015, 08:10:09 pm
Yes, no, and maybe.

Yes: You can use squid proxy server to block URLs, but that will only work on HTTP(S).

No: pf(4) is a packet filter, and packets have no direct notion of domain names, only IP addresses.

Maybe: URLs could be resolved into a pool of their IP addresses (note that one domain name may have many IPs) before they are being fed into pf(4) via URL aliases.

Long term, the last option is what is most reliable and works on all services equally. If you are only worried about HTTP, however, that would be too much trouble.

Hope that helps. :)
Title: Re: Can OPNsense block OS level monitoring?
Post by: loden_richard on March 23, 2016, 11:10:29 am
Hi there,

I found a nice summary on how to disable (including removal of the Windows 7 and 8 patches) Microsoft's telemetry services: https://superuser.com/questions/972501/how-to-stop-microsoft-from-gathering-telemetry-data-from-windows-7-8-and-8-1.

Additionally, rules for blocking the following hosts have to be created:
Code:
134.170.30.202
137.116.81.24
204.79.197.200
23.218.212.69
65.39.117.230
65.55.108.23
a-0001.a-msedge.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.appex.bing.net:443
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex.data.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
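franco's "maybe" option (resolve the names into a pool of IP addresses and feed those to pf(4) through a URL alias) and the mixed list above (bare IPs, bare host names, and one "host:port" entry, which pf cannot use as-is) both come down to one conversion step. The script below is an added example, not part of this thread or of OPNsense: it accepts hosts-file lines in the someonewhocares.org form, bare host names, bare IPs, and "name:port", resolves the names, and emits one address per line, which is the format an OPNsense URL Table alias fetches. The resolver is injectable so the sample run uses constructed answers (RFC 5737 documentation addresses) and works offline; the real run uses the system resolver.

```python
import ipaddress
import socket
import sys
from typing import Callable, Iterable, List, Tuple

# Constructed input mixing the formats that appear in this thread.
SAMPLE_INPUT = """\
127.0.0.1 vortex.data.microsoft.com                 # hosts-file style
0.0.0.0 watson.telemetry.microsoft.com watson.microsoft.com
134.170.30.202                                      # bare IP from the list
telemetry.microsoft.com                             # bare host name
telemetry.appex.bing.net:443                        # host:port, port dropped
telemetry.microsoft.com                             # duplicate, collapsed
""".splitlines()

# Constructed DNS answers for the offline run; watson.microsoft.com is left
# out on purpose so the "unresolved" path is exercised.
FAKE_DNS = {
    "vortex.data.microsoft.com": ["192.0.2.10"],
    "watson.telemetry.microsoft.com": ["192.0.2.20", "192.0.2.21"],
    "telemetry.microsoft.com": ["198.51.100.5"],
    "telemetry.appex.bing.net": ["203.0.113.7"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's resolver; empty list when the name has no answer."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_targets(lines: Iterable[str]) -> Iterable[str]:
    """Yield host names and IP literals from the supported line formats."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and _is_ip(fields[0]):
            # hosts-file form: "<sinkhole address> name [name ...]"; skip the
            # localhost/broadcasthost entries every hosts file starts with.
            for name in fields[1:]:
                if "." in name and not name.endswith(".localdomain"):
                    yield name
            continue
        target = fields[0]
        if ":" in target and not _is_ip(target):
            target = target.rsplit(":", 1)[0]  # "name:443" -> "name"
        yield target


def build_alias(lines: Iterable[str],
                resolve: Callable[[str], List[str]] = system_resolver
                ) -> Tuple[List[str], List[str]]:
    """Return (sorted unique addresses, names that did not resolve)."""
    addresses = set()
    unresolved = []
    for target in extract_targets(lines):
        if _is_ip(target):
            addresses.add(target)
            continue
        answers = resolve(target.lower())
        if not answers:
            unresolved.append(target)
        addresses.update(answers)
    ordered = sorted(addresses, key=lambda a: (ipaddress.ip_address(a).version,
                                               ipaddress.ip_address(a)))
    return ordered, unresolved


if __name__ == "__main__":
    # Usage: python alias.py < list.txt  (no argument: run on the sample input)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_INPUT
    resolver = system_resolver if source is sys.stdin else fake_resolver
    addrs, missing = build_alias(source, resolver)
    print("\n".join(addrs))
    for name in missing:
        print("# unresolved:", name)
```

Because the addresses behind these names change (jerrac's concern earlier in the thread), the output is only a snapshot: serve it from a web server the firewall can reach, point a URL Table alias at it, and regenerate it on a schedule so the alias refresh picks up new addresses. Unresolved names are emitted as comments so they are not silently lost.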
Title: Re: Can OPNsense block OS level monitoring?
Post by: jerrac on March 23, 2016, 02:40:31 pm
The reason I want firewall level blocking is that Microsoft can just undo all of the steps mentioned in that answer the next time you really do need to install updates. Especially since they are not telling you what the updates are anymore... At least on W10 and in the Windows Update program.