Allow Wildcard Firewall Rules - Windows Updates + Anydesk

[dietzelmann]

Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising

HIGH-END SECURITY MADE EASY

I'd have never thought that easy peasy tasks on Sophos UTM need expert knowledge on OPNsense.

I've read a few threads where people struggeld with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I'm already trying it since a few days to make Windows Updates and AnyDesk work.

Todo -> allow these Domains::

• *.net.anydesk.com [TCP] 80,443,6568
• *.update.microsoft.com [TCP] 80,443
• *.update.microsoft.com [TCP] 80,443
• download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are proconfigured as a service.

All other * wildcards can be handled with a regex like this:

Code: [Select]

^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
Has somebody  ever made Windows Updates and Anydesk work with OPNsense?



sources:

• https://support.anydesk.com/Firewall
• https://answers.microsoft.com/en-us/windows/forum/all/how-to-add-outbound-rule-in-windows-firewall-to/7f9c04c1-5216-47d9-9de3-64cc19eb796d

[mimugmail]

Arent whitelists in proxy capable doing regex?

[dietzelmann]

Arent whitelists in proxy capable doing regex?

Maybe but I haven't found a working solution in any site (stackoverflow or here). At least my regex which works fine on Sophos UTM isn't working with OPNsense.

[mimugmail]

Screenshot please

[hbc]

Arent whitelists in proxy capable doing regex?

Maybe but I haven't found a working solution in any site (stackoverflow or here). At least my regex which works fine on Sophos UTM isn't working with OPNsense.

You have to take care with regex, since OPNsense escapes some(?) - at least one - important regex expression itself. Maybe good for users with less requirements and simple regex, but bad for powerusers.

E.g. the important impressions (.*) or (.+) are escaped to (\.*) and (\.+).

So I guess your regex

Code: [Select]

^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/is transcoded to:

Code: [Select]

^https?://([A-Za-z0-9\.-]*\.)?windowsupdate\.com/
The dot is autoescaped by OPNsense. I would recommend the devs not to change and escape regex in proxy configuration when saving config, because it may change the match.

Since running anyway a patch over my processed squid.conf, I fix these regex in this step.

[chemlud]

May I ask: How does it work with sophos? Are the IP's to your wildcard domains resolved and access is allowed based on this list of IPs? What happens if MS telemetry or what ever is in the same IP range?

Or does the sophos block DNS requests for anything other than your whitelisted domains?

[mimugmail]

Via Sophos with Proxy

[dietzelmann]

I made it work by allowing all Microsoft IPs based on this csv: https://www.microsoft.com/en-us/download/details.aspx?id=53602

One problem solved - new problem created by activating web proxy / filter.

I have exact the same problem now as it is written here: https://forum.opnsense.org/index.php?topic=6648.0 but since May 2018 no solution.

[opnsenseuser]

Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising

HIGH-END SECURITY MADE EASY

I'd have never thought that easy peasy tasks on Sophos UTM need expert knowledge on OPNsense.

I've read a few threads where people struggeld with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I'm already trying it since a few days to make Windows Updates and AnyDesk work.

Todo -> allow these Domains::

• *.net.anydesk.com [TCP] 80,443,6568
• *.update.microsoft.com [TCP] 80,443
• *.update.microsoft.com [TCP] 80,443
• download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are proconfigured as a service.

All other * wildcards can be handled with a regex like this:

Code: [Select]

^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
Has somebody  ever made Windows Updates and Anydesk work with OPNsense?



sources:

• https://support.anydesk.com/Firewall
• https://answers.microsoft.com/en-us/windows/forum/all/how-to-add-outbound-rule-in-windows-firewall-to/7f9c04c1-5216-47d9-9de3-64cc19eb796d

with pfsense there is a solution. (german board)
https://forum.netgate.com/topic/119256/squid-ssl-filtering-liefert-windows-10-update-fehler-0x801901f7

with opnsense no 100% solution
https://forum.opnsense.org/index.php?topic=6648.0