LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 04-24-2008, 08:51 AM   #1
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Rep: Reputation: 30
What firewall ip addresses do I open to allow Microsoft updates?


Arrrrghhhh!

I HATE MICROSOFT! Why can't they be like linux, and have ONE ip address for their update servers?

We have publicly accessible windows pc's behind a proxy firewall (debian+shorewall+squid+dansguardian). Users MUST get a proxy account to access the Internet.

We use Mozilla Firefox as default browser for many reasons, works great with proxy, safer, etc. Microsoft Exploder works poorly with proxy's (gee what a suprise). The only way to get these Windoze pc's updated is directly through the firewall.

I've been watching my logs (tail -F /var/log/messages) to see what ip addresses a windoze machine needs to get updates. The list is LONG! So far, I've practically opened up half the damn Internet, and STILL can't get it working.

So far, I've opened up this:
(in my shorewall /etc/shorewall/rules)

Code:
# allow access to microsoft for windows updates
HTTP/ACCEPT	loc	net:207.46.0.0/16
HTTPS/ACCEPT	loc	net:207.46.0.0/16
HTTP/ACCEPT	loc	net:65.55.184.0/24
HTTPS/ACCEPT	loc	net:65.55.184.0/24
HTTP/ACCEPT	loc	net:207.68.160.0/24
This is taking forever. I've googled, and haven't found anyone who has a list of IP's to open. Has anyone done this? I need updates for both Windows 2000 and Windows XP (no Vista here yet).

Thanks for reading
 
Old 04-24-2008, 08:58 AM   #2
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
Perhaps a similar but clearer (???) way of determining the necessary IPs and ports would be to run Wireshark on the firewall box if possible, and note what ports/IPs/ protocols are being used by the Windoze update software.
Atleast you may get a better idea of exactly what is going on?
I suspect the output would be similar to what you get from var/log/messages, but probably with less 'extra junk' mixed in..

I hear you re: why can't they use a lot less IPs to do the job-- it is a a hassle. I thankfully no longer use Windoze, but I do sympathize

Good luck!

Last edited by GrapefruiTgirl; 04-24-2008 at 11:57 AM. Reason: typo
 
Old 04-24-2008, 09:43 AM   #3
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Haven't tried wireshark. I am using psad (port scan attack detector). It does a great job at sending me email alerts on attacks, does reverse dns lookup for me, etc. Very useful.

I'm still working on the list, it's up to 21 IP networks so far!!!! Microsoft, YOU SUCK!!!
 
Old 04-24-2008, 09:50 AM   #4
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
I suggest you to setup a windows 2003 wsus server which have full permission to direct access internet.
All your windows client point to wsus server for update. It save back your bandwith and you no need to headache the security setting.
 
Old 04-24-2008, 10:08 AM   #5
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
We don't own win2003 and never will. I'm trying to replace all windows with linux. I do have a 2000 server, and it looks like wsus will run on it. However, I would still have the same problem. I refuse to give the 2000 server unrestricted access to the Internet. Even though it's a hands-off machine, if it did get infected, it would have free run.

OK, I think I've got it!!!

I just updated an XP machine, and a 2000 machine. I had to open up ALL OF THIS on my firewall:

Code:
# allow access to microsoft for windows updates
HTTP/ACCEPT     loc     net:207.46.0.0/16
HTTPS/ACCEPT    loc     net:207.46.0.0/16
HTTP/ACCEPT     loc     net:65.55.184.0/24
HTTPS/ACCEPT    loc     net:65.55.184.0/24
HTTP/ACCEPT     loc     net:207.68.160.0/24
HTTP/ACCEPT     loc     net:69.147.114.0/24
HTTP/ACCEPT     loc     net:65.55.200.0/24
HTTPS/ACCEPT    loc     net:65.55.200.0/24
HTTP/ACCEPT     loc     net:68.142.118.0/24
HTTP/ACCEPT     loc     net:192.221.99.0/24
HTTP/ACCEPT     loc     net:209.73.188.0/24
HTTP/ACCEPT     loc     net:216.109.127.0/24
HTTP/ACCEPT     loc     net:4.23.40.0/24
HTTP/ACCEPT     loc     net:206.33.52.0/24
HTTP/ACCEPT     loc     net:204.160.126.0/24
HTTP/ACCEPT     loc     net:198.78.220.0/24
HTTP/ACCEPT     loc     net:209.18.38.0/24
HTTPS/ACCEPT    loc     net:65.55.192.0/24
HTTP/ACCEPT     loc     net:198.78.200.0/24
HTTP/ACCEPT     loc     net:131.107.115.0/24
HTTP/ACCEPT     loc     net:64.4.52.0/24
21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

I hope this thread helps some people
 
Old 04-24-2008, 10:42 AM   #6
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Bitdefender:

If anyone is interested, here is what you need to use Bitdefender, the free online virus scan/clean (requires explorer, will not work with firefox).

Code:
# allow access to bitdefender.com for free online virus scan
HTTP/ACCEPT     loc     net:66.223.50.0/24
HTTP/ACCEPT     loc     net:193.164.155.0/24
HTTP/ACCEPT     loc     net:66.40.145.0/24
HTTP/ACCEPT     loc     net:216.207.68.0/24
HTTP/ACCEPT     loc     net:168.215.74.0/24
HTTP/ACCEPT     loc     net:209.170.75.0/24
HTTP/ACCEPT     loc     net:209.51.185.0/24
HTTP/ACCEPT     loc     net:8.17.64.0/24
HTTP/ACCEPT     loc     net:199.7.51.0/24
HTTP/ACCEPT     loc     net:199.7.54.0/24
I always make an icon on the (windows) desktop that points to:

http://www.bitdefender.com/scan8/ie.html
 
Old 12-02-2009, 09:55 AM   #7
JiLoa
LQ Newbie
 
Registered: Dec 2009
Posts: 0

Rep: Reputation: 0
Quote:
Originally Posted by drokmed View Post
We don't own win2003 and never will. I'm trying to replace all windows with linux. I do have a 2000 server, and it looks like wsus will run on it. However, I would still have the same problem. I refuse to give the 2000 server unrestricted access to the Internet. Even though it's a hands-off machine, if it did get infected, it would have free run.

OK, I think I've got it!!!

{snip}

21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

Are you serious? You'd rather expose all of your internal systems to all those ranges rather than a single (controlled) WSUS server to all HTTP/HTTPS (that it, WSUS, initiates across a stateful FW)? Dude, you've got some serious bias getting in the way of good judgement. I pity your user base.
 
Old 12-02-2009, 10:23 AM   #8
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Looks like it's port 80:

Configure the Firewall Between the WSUS Server and the Internet
http://technet.microsoft.com/en-us/l...05(WS.10).aspx

If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.

To configure your firewall
 
Old 12-02-2009, 10:32 AM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by drokmed View Post
21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

21 update servers has nothing to do with windows vs linux. If you are deploying update server for millions of hosts then you certainly want DR and HA. The same thing is achived in linux by having multiple mirrors. If you have ever run gentoo when you set it up you pick the mirrors you want from a list of hundreds of mirrors.


server 2003 or 2008 running as a WSUS not only improves the client network security but also saves exponential amounts of bandwidth.


We all understand that this is a linux forums website but we need to try stay away from posting just to bash windows. The information is useful but it seems like there was alot of extra information put in just to bash windows.


here is the list of sites from microsofts website.

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
http://*.download.windowsupdate.com
https://*.download.windowsupdate.com
http://*.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
 
Old 12-02-2009, 10:44 AM   #10
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by Jim Bengtson View Post
Looks like it's port 80:

Configure the Firewall Between the WSUS Server and the Internet
http://technet.microsoft.com/en-us/l...05(WS.10).aspx

If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.

To configure your firewall
Looks like we found the same info at the same time. LOL
 
Old 12-02-2009, 11:07 AM   #11
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Looks like we found the same info at the same time. LOL
Great minds...

Would it make sense from a security perspective for the OP to close port 80 for this machine except for the times he's going for an update? Port 80 seems to be the superhighway for all kinds of attacks, and Windows 2000 isn't even patched anymore, so it makes sense to only open that door when you need to.
 
Old 12-02-2009, 03:23 PM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Normally I shut the cemetery gates on zombie threads, but you guys seem to be having a good time here and I don't wanna get in the way. I will, however, move this to General (given that the topic isn't really GNU/Linux security).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Laptop Firewall Considerations - MAC Addresses Meson Linux - Security 17 10-28-2007 11:04 AM
Lan subnet and mac addresses firewall Ungluun Linux - Networking 1 12-20-2006 10:18 AM
LXer: Xensource CEO Addresses Microsoft, Red Hat-Novell Dispute LXer Syndicated Linux News 0 08-19-2006 08:54 PM
Suse 9.0 Pro Firewall not allowing multiple IP addresses youcanlaugh Linux - Networking 1 06-29-2004 05:11 PM
2 INet IP addresses Handled by 1 Firewall scardog Linux - Networking 3 02-15-2004 11:31 AM


All times are GMT -5. The time now is 03:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration