I am running a LEAF Bering firewall with a DMZ at one of my client's
sites.
The client has a Windows IIS server set up in the DMZ. The DMZ rules block 
all outgoing connections on all ports. 
The client wants to be able to run Windows Update on the server, which uses 
ports 80 and 443. However, opening all port 80 and 443 connections from the 
server to the net zone is not an option, since we want to protect the server 
from malicious "call home" trojans and viruses. What we would like to do is 
to open port 80 and 443 connections to specific Microsoft Windows Update 
web sites. However, I understand that Windows Update uses a round-robin 
load balancing technique for its Windows Update servers, so there are 
multiple IP addresses/host names which could be called during different 
Windows Update cycles. 
I realize that I could use squid and its whitelists to deal with this, but 
installing squid is not an option. Also, temporarily opening ports 80 and 443 
to the full net zone while Windows Update runs is not an option.
Has anybody found an elegant way to solve this problem? I am sure that I am 
not the only one who has run into this.
I am not subscribed to the list, so I would appreciate being copied on your 
responses to the list.
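One way to approach the round-robin problem described in the post, as an added example that is not part of the original message nor of LEAF/Shorewall: resolve each allowed update hostname several times to harvest the rotating address pool, deduplicate it, and emit default-deny egress rules for the single DMZ host that permit only tcp/80 and tcp/443 to those addresses. The hostnames, the DMZ address, the chain name and the `resolver` function below are placeholders/assumptions, not values from the post; the chain still has to be jumped to from the firewall's existing DMZ-to-net forwarding rules.

```shell
#!/bin/sh
# Added example (not from the list post, not LEAF's own code).
# Harvest the round-robin address pool of a fixed set of update hostnames and
# print iptables rules that allow only tcp/80 and tcp/443 from one DMZ host to
# that pool, logging and dropping everything else from that host.

DMZ_HOST="192.0.2.10"                     # constructed: the IIS server in the DMZ
CHAIN="WU_EGRESS"                         # hypothetical chain name, assumed
ALLOWED_HOSTS="update.example.invalid download.example.invalid"   # placeholders
ROUNDS=5                                  # repeat each query to see rotating answers

# resolver NAME: print one IPv4 address per line for NAME.
# Uses getent by default; can be overridden (e.g. with canned answers) for testing.
resolver() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}'
}

# collect_pool: resolve every allowed name ROUNDS times, keep only dotted-quad
# answers, and print each distinct address once.
collect_pool() {
    for name in $ALLOWED_HOSTS; do
        i=0
        while [ "$i" -lt "$ROUNDS" ]; do
            resolver "$name"
            i=$((i + 1))
        done
    done | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# emit_rules: print the iptables commands for the harvested pool.
# Refuses to print anything if nothing resolved, so a DNS outage never
# replaces a working rule set with an empty one.
emit_rules() {
    pool=$(collect_pool)
    if [ -z "$pool" ]; then
        echo "no addresses resolved; leaving existing rules untouched" >&2
        return 1
    fi
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    for ip in $pool; do
        for port in 80 443; do
            echo "iptables -A $CHAIN -s $DMZ_HOST -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Log first so an unexpected "call home" attempt from the server shows up in syslog.
    echo "iptables -A $CHAIN -s $DMZ_HOST -j LOG --log-prefix 'dmz-egress-denied: '"
    echo "iptables -A $CHAIN -s $DMZ_HOST -j DROP"
}

# Usage: sh wu-egress.sh show   (print rules)   |   sh wu-egress.sh apply   (pipe them to sh)
case "${1:-}" in
    show)  emit_rules ;;
    apply) emit_rules | sh ;;
esac
```

The harvested pool is only what the resolver happened to see, so this is best run from cron shortly before the scheduled update window and re-run afterwards; any address the pool missed shows up as a `dmz-egress-denied` log line rather than an open hole, which is also exactly the detection signal wanted for a compromised server trying to phone home. Address-based allowlisting of a load-balanced service stays brittle over time, which is why the script never flushes the chain when resolution returns nothing.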