OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: dietzelmann on October 21, 2019, 08:55:46 pm

Title: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: dietzelmann on October 21, 2019, 08:55:46 pm
Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising
Quote
HIGH-END SECURITY MADE EASY
I'd never have thought that easy-peasy tasks on Sophos UTM would need expert knowledge on OPNsense.

I've read a few threads where people struggled with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I've been trying for a few days now to make Windows Updates and AnyDesk work.

Todo -> allow these Domains:
  • *.net.anydesk.com [TCP] 80,443,6568
  • *.update.microsoft.com [TCP] 80,443
  • download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are preconfigured as a service.

All other * wildcards can be handled with a regex like this:
Code:
^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
Has somebody ever made Windows Updates and AnyDesk work with OPNsense?

sources:
  • https://support.anydesk.com/Firewall
  • https://answers.microsoft.com/en-us/windows/forum/all/how-to-add-outbound-rule-in-windows-firewall-to/7f9c04c1-5216-47d9-9de3-64cc19eb796d
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: mimugmail on October 22, 2019, 05:37:00 am
Aren't whitelists in the proxy capable of doing regex?
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: dietzelmann on October 22, 2019, 08:40:26 am
Quote from: mimugmail on October 22, 2019, 05:37:00 am
Aren't whitelists in the proxy capable of doing regex?

Maybe, but I haven't found a working solution on any site (Stack Overflow or here). At least my regex, which works fine on Sophos UTM, isn't working with OPNsense.
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: mimugmail on October 22, 2019, 09:18:40 am
Screenshot please
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: hbc on October 22, 2019, 11:22:32 am
Quote from: dietzelmann on October 22, 2019, 08:40:26 am
Quote from: mimugmail on October 22, 2019, 05:37:00 am
Aren't whitelists in the proxy capable of doing regex?

Maybe, but I haven't found a working solution on any site (Stack Overflow or here). At least my regex, which works fine on Sophos UTM, isn't working with OPNsense.

You have to take care with regexes, since OPNsense itself escapes some(?) - at least one - important regex expression. Maybe good for users with less demanding requirements and simple regexes, but bad for power users.

E.g. the important expressions (.*) or (.+) are escaped to (\.*) and (\.+).

So I guess your regex
Code:
^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
is transcoded to:
Code:
^https?://([A-Za-z0-9\.-]*\.)?windowsupdate\.com/
The dot is auto-escaped by OPNsense. I would recommend the devs not to change and escape regexes in the proxy configuration when saving the config, because it may change the match.

Since I'm running a patch over my processed squid.conf anyway, I fix these regexes in this step.
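As an added check that is not part of the thread (my code, not OPNsense's or hbc's): the script below models the dot-escaping hbc describes as "replace every unescaped `.` with `\.`" (an assumption reconstructed from his post, not from OPNsense's source) and runs three candidate Squid-style URL regexes against a few constructed sample URLs, before and after that escaping. It shows that dietzelmann's pattern survives because its only bare dot sits inside a character class, that a `.*` host pattern silently stops matching once it becomes `\.*` (and was too loose to begin with, since `.*` runs across `/` into the path), and that a rewrite using `[^/]*` with no bare dots is unaffected. `SAFE_PATTERN` is my suggestion, not something from the thread.

```python
import re

# Constructed sample URLs for the check (not taken from the thread).
SAMPLE_URLS = [
    "http://download.windowsupdate.com/d/msdownload/update/x.cab",
    "https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx",
    "https://relay-1.net.anydesk.com:6568/",
    # Hostile URL: the whitelisted host name appears only in the query string.
    "https://evil.example.com/?next=.windowsupdate.com/",
]


def simulate_autoescape(pattern: str) -> str:
    """Assumed model of the escaping hbc describes: every '.' that is not
    already preceded by a backslash becomes '\\.'.  Reconstructed from the
    thread, not from OPNsense's code."""
    return re.sub(r"(?<!\\)\.", r"\\.", pattern)


def matches(pattern: str, url: str) -> bool:
    """Anchored match, like Squid's url_regex applied to the full URL."""
    return re.match(pattern, url) is not None


def compare(pattern: str, urls=SAMPLE_URLS) -> dict:
    """Map each URL to (matches as written, matches after auto-escaping)."""
    escaped = simulate_autoescape(pattern)
    return {u: (matches(pattern, u), matches(escaped, u)) for u in urls}


# 1. The pattern from the thread.  Its only bare dot is inside a character
#    class, where '.' and '\.' mean the same thing, so the escaping is
#    harmless for this particular regex.
OP_PATTERN = r"^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/"

# 2. A pattern using '.*' for the host part.  Escaped to '\.*' it matches
#    only a run of literal dots and therefore stops matching every real URL.
#    As written it is also too loose: '.*' runs across the '/' into the path,
#    so the hostile sample URL is whitelisted.
DOTSTAR_PATTERN = r"^https?://.*\.windowsupdate\.com/"

# 3. Escape-safe rewrite (my suggestion): no bare '.' anywhere outside a
#    class, and '[^/]*' instead of '.*' so the host part cannot spill into
#    the path.  The auto-escaping leaves it byte-for-byte unchanged.
SAFE_PATTERN = r"^https?://([^/]*\.)?windowsupdate\.com/"


if __name__ == "__main__":
    for name, pat in [("OP", OP_PATTERN), ("DOTSTAR", DOTSTAR_PATTERN), ("SAFE", SAFE_PATTERN)]:
        print(f"{name}: {pat!r} -> {simulate_autoescape(pat)!r}")
        for url, (before, after) in compare(pat).items():
            print(f"  as written={str(before):5} escaped={str(after):5}  {url}")
```

Run it directly to print the before/after table. One caveat on the simulation: Python's `re` treats `\.` inside a character class as an escaped dot, whereas Squid compiles `url_regex` with POSIX `regcomp`, where a backslash inside a bracket expression is a literal character; the auto-escaped class `[A-Za-z0-9\.-]` therefore additionally admits a literal backslash in Squid. That is harmless for host names, but it is one more reason to write patterns with no bare dots in the first place.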
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: chemlud on October 22, 2019, 04:08:36 pm
May I ask: how does it work with Sophos? Are the IPs of your wildcard domains resolved and access allowed based on this list of IPs? What happens if MS telemetry or whatever is in the same IP range?

Or does the Sophos block DNS requests for anything other than your whitelisted domains?
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: mimugmail on October 22, 2019, 06:34:48 pm
Via Sophos with Proxy
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: dietzelmann on October 24, 2019, 08:56:39 pm
I made it work by allowing all Microsoft IPs based on this csv: https://www.microsoft.com/en-us/download/details.aspx?id=53602

One problem solved - new problem created by activating web proxy / filter.

I have exactly the same problem now as is written here: https://forum.opnsense.org/index.php?topic=6648.0 but since May 2018 there has been no solution.
Title: Re: Allow Wildcard Firewall Rules - Windows Updates + Anydesk
Post by: opnsenseuser on October 25, 2019, 09:31:46 am
Quote from: dietzelmann on October 21, 2019, 08:55:46 pm
Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising
Quote
HIGH-END SECURITY MADE EASY
I'd never have thought that easy-peasy tasks on Sophos UTM would need expert knowledge on OPNsense.

I've read a few threads where people struggled with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I've been trying for a few days now to make Windows Updates and AnyDesk work.

Todo -> allow these Domains:
  • *.net.anydesk.com [TCP] 80,443,6568
  • *.update.microsoft.com [TCP] 80,443
  • download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are preconfigured as a service.

All other * wildcards can be handled with a regex like this:
Code:
^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
Has somebody ever made Windows Updates and AnyDesk work with OPNsense?




sources:
  • https://support.anydesk.com/Firewall
  • https://answers.microsoft.com/en-us/windows/forum/all/how-to-add-outbound-rule-in-windows-firewall-to/7f9c04c1-5216-47d9-9de3-64cc19eb796d

With pfSense there is a solution (German board):
https://forum.netgate.com/topic/119256/squid-ssl-filtering-liefert-windows-10-update-fehler-0x801901f7

With OPNsense there is no 100% solution:
https://forum.opnsense.org/index.php?topic=6648.0