Allow Wildcard Firewall Rules - Windows Updates + Anydesk

Started by dietzelmann, October 21, 2019, 08:55:46 PM

October 21, 2019, 08:55:46 PM Last Edit: October 21, 2019, 08:57:19 PM by dietzelmann
Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising
Quote: HIGH-END SECURITY MADE EASY
I'd have never thought that easy peasy tasks on Sophos UTM need expert knowledge on OPNsense.

I've read a few threads where people struggled with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I've already been trying for a few days to make Windows Updates and AnyDesk work.

Todo -> allow these domains:

  • *.net.anydesk.com [TCP] 80,443,6568
  • *.update.microsoft.com [TCP] 80,443
  • *.update.microsoft.com [TCP] 80,443
  • download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are preconfigured as a service.

All other * wildcards can be handled with a regex like this: ^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/

Has somebody ever made Windows Updates and Anydesk work with OPNsense?

sources:


Quote from: mimugmail on October 22, 2019, 05:37:00 AM
Aren't whitelists in the proxy capable of doing regex?

Maybe, but I haven't found a working solution on any site (stackoverflow or here). At least my regex, which works fine on Sophos UTM, isn't working with OPNsense.


Quote from: dietzelmann on October 22, 2019, 08:40:26 AM
Quote from: mimugmail on October 22, 2019, 05:37:00 AM
Aren't whitelists in the proxy capable of doing regex?

Maybe, but I haven't found a working solution on any site (stackoverflow or here). At least my regex, which works fine on Sophos UTM, isn't working with OPNsense.

You have to take care with regex, since OPNsense escapes some(?) - at least one - important regex expression itself. Maybe good for users with fewer requirements and simple regex, but bad for power users.

E.g. the important expressions (.*) or (.+) are escaped to (\.*) and (\.+).

So I guess your regex
^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
is transcoded to:
^https?://([A-Za-z0-9\.-]*\.)?windowsupdate\.com/

The dot is autoescaped by OPNsense. I would recommend the devs not to change and escape regex in proxy configuration when saving config, because it may change the match.

Since I'm running a patch over my processed squid.conf anyway, I fix these regexes in that step.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
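To make the escaping problem described above concrete, here is an added example in Python (not code from the thread or from OPNsense). It models the reported behaviour as "every unescaped dot becomes \." (an assumption about what the proxy config does, not a reading of OPNsense's source), runs the thread's regex and a (.*)-based variant against a constructed URL before and after that transformation, and also shows a safe way to turn the *.example.com entries from the first post into anchored host regexes, assuming "*." means one or more DNS labels.

```python
import re

# Constructed sample of the allow-list from the thread, in wildcard form.
ALLOWED_WILDCARDS = [
    "*.net.anydesk.com",
    "*.update.microsoft.com",
    "download.windowsupdate.com",
]


def wildcard_to_host_regex(pattern: str) -> str:
    """Turn a '*.example.com' entry into an anchored host regex.

    Assumed semantics: '*.' stands for one or more DNS labels, and a bare
    host name matches only itself.  re.escape() is what makes the literal
    dots safe, so no further escaping of the result is needed.
    """
    if pattern.startswith("*."):
        return r"^([A-Za-z0-9-]+\.)+" + re.escape(pattern[2:]) + "$"
    return "^" + re.escape(pattern) + "$"


def host_allowed(host: str, wildcards=ALLOWED_WILDCARDS) -> bool:
    """True if the host name is covered by one of the wildcard entries."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    return any(re.match(wildcard_to_host_regex(w), host) for w in wildcards)


def simulate_dot_escaping(pattern: str) -> str:
    """Model of the behaviour the post describes (assumption, not OPNsense code):
    every '.' that is not already preceded by a backslash becomes '\\.'.
    Simplification: a '.' right after an escaped backslash is also skipped."""
    return re.sub(r"(?<!\\)\.", lambda m: r"\.", pattern)


def url_matches(pattern: str, url: str) -> bool:
    return re.search(pattern, url) is not None


def escaping_changes_match(pattern: str, url: str) -> bool:
    """True when auto-escaping the dots flips the match result for this URL."""
    return url_matches(pattern, url) != url_matches(simulate_dot_escaping(pattern), url)


# Regex from the thread: the dot sits inside a character class, so escaping
# it is harmless and the rule keeps matching.
P_CLASS = r"^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/"
# A regex using '(.*)' as in the follow-up post: escaping turns '.*' (anything)
# into '\.*' (only literal dots), so the rule silently stops matching.
P_ANY = r"^https?://(.*)\.windowsupdate\.com/"
SAMPLE_URL = "http://download.windowsupdate.com/d/msdownload/update.cab"  # constructed


if __name__ == "__main__":
    for p in (P_CLASS, P_ANY):
        print(p)
        print("  escaped form :", simulate_dot_escaping(p))
        print("  match before :", url_matches(p, SAMPLE_URL))
        print("  match after  :", url_matches(simulate_dot_escaping(p), SAMPLE_URL))
    for h in ("relay-1.net.anydesk.com", "net.anydesk.com",
              "update.microsoft.com.example", "download.windowsupdate.com"):
        print(f"{h:32} allowed={host_allowed(h)}")
```

The practical check this gives a defender is escaping_changes_match(): run it over every regex in a whitelist before and after saving it through the GUI, and any entry for which it returns True is one whose effective behaviour differs from what was written. The host-regex helper keeps the literal dots escaped and the pattern anchored at both ends, so a wildcard for update.microsoft.com does not also accept update.microsoft.com.example or xupdate.microsoft.com.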

May I ask: How does it work with Sophos? Are the IPs of your wildcard domains resolved and access is allowed based on this list of IPs? What happens if MS telemetry or whatever is in the same IP range?

Or does the sophos block DNS requests for anything other than your whitelisted domains?


kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....


I made it work by allowing all Microsoft IPs based on this csv: https://www.microsoft.com/en-us/download/details.aspx?id=53602

One problem solved - new problem created by activating web proxy / filter.

I have exactly the same problem now as is written here: https://forum.opnsense.org/index.php?topic=6648.0 but there has been no solution since May 2018.

Quote from: dietzelmann on October 21, 2019, 08:55:46 PM
Hey guys,

I'm currently using Sophos UTM and I want to migrate my firewalls to OPNsense. Since OPNsense is advertising
Quote: HIGH-END SECURITY MADE EASY
I'd have never thought that easy peasy tasks on Sophos UTM need expert knowledge on OPNsense.

I've read a few threads where people struggled with allowing wildcard domains in OPNsense. And I can confirm it's definitely a pain in the ass. I've already been trying for a few days to make Windows Updates and AnyDesk work.

Todo -> allow these domains:

  • *.net.anydesk.com [TCP] 80,443,6568
  • *.update.microsoft.com [TCP] 80,443
  • *.update.microsoft.com [TCP] 80,443
  • download.windowsupdate.com [TCP] 80,443

With Sophos UTM this is an easy job since Windows Updates are preconfigured as a service.

All other * wildcards can be handled with a regex like this: ^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/

Has somebody ever made Windows Updates and Anydesk work with OPNsense?

sources:

With pfSense there is a solution (German board):
https://forum.netgate.com/topic/119256/squid-ssl-filtering-liefert-windows-10-update-fehler-0x801901f7

With OPNsense there is no 100% solution:
https://forum.opnsense.org/index.php?topic=6648.0

Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)