This message was incorrectly discarded by Mailman -- I'm still looking for the cause.

-Tom

|On Mon, 08 Nov 2004 14:17:17 -0800
|> "Muiz Motani" <muiz@i-dist.com> wrote:
|> |
|>> > Has anybody found an elegant way to solve this problem? I am sure that I
|>> > am not the only one who has run into this.
|
|>
|> I would imagine that the addresses used for Windows update would be
|> resolved by DNS, so a dig/nslookup/host/dnsip query should reveal a list
|> of addresses. You may need some trial and error but, together with logging
|> on the firewall, it shouldn't be too hard.
|>

In fact I have already done that. However, one can never be guaranteed that a) I will always have all the possible IP addresses that Windows Update uses and b) that the IP addresses will never change. Remember that windows update is always triggered by a call to windowsupdate.microsoft.com, which presumably will always be true. However, the IP address for windowsupdate.microsoft.com may change at a certain point and the addresses of the subsidiary servers to which calls are triggered by scripts/cgi/java etc. may (in fact very likely will, depending on changing load balancing requirements and conditions over time) also change.

|>> > I am not subscribed to the list, so I would appreciate being copied on
|>> > your responses to the list.
|
|>
|> Tough. You ask here, you hear here.

Thank you for your suggestion on netiquette, but I quote from the mailing list home page at http://lists.shorewall.net:

" To post to the list, post to shorewall-users@lists.shorewall.net. IMPORTANT: If you are not subscribed to the list, please say so -- otherwise, you will not be included in any replies."

Now, does anybody else have any other suggestions for solving this problem without recourse to stomping on netiquette?

Tom Eastep
2004-Nov-08 23:43 UTC
Re: Forward of discarded message Re: Windows Update and DMZ
Tom Eastep wrote:
| This message was incorrectly discarded by Mailman -- I'm still looking
| for the cause.

Ok -- I found it. I must have selected the wrong radio button when I approved the OP's first post.

|
| In fact I have already done that. However, one can never be guaranteed that
| a) I will always have all the possible IP addresses that Windows Update uses
| and b) that the IP addresses will never change. Remember that windows
| update is always triggered by a call to windowsupdate.microsoft.com, which
| presumably will always be true. However, the IP address for
| windowsupdate.microsoft.com may change at a certain point and the
| addresses of the subsidiary servers to which calls are triggered by
| scripts/cgi/java etc. may (in fact very likely will, depending on
| changing load balancing requirements and conditions over time) also change.
|

So in other words, you want to filter by address but you can't install any software that is capable of filtering by address. It seems to me that your only recourse is to do what you are doing but restart Shorewall periodically to refresh the Name->IP mapping.

|
| |>> > I am not subscribed to the list, so I would appreciate being copied on
| |>> > your responses to the list.
| |
| |>
| |> Tough. You ask here, you hear here.
|
|
| Thank you for your suggestion on netiquette, but I quote from the
| mailing list home page at http://lists.shorewall.net:
|
| " To post to the list, post to shorewall-users@lists.shorewall.net.
| IMPORTANT: If you are not subscribed to the list, please say so --
| otherwise, you will not be included in any replies."
|

Yes -- that is the policy of this list and all subscribers are encouraged to follow it. I note that while Keith appeared to get up on the wrong side of the rug this morning, he did in fact copy the OP on his reply.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
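
The approach suggested in the reply above (keep the DNS name in the rules and restart Shorewall periodically to refresh the Name->IP mapping), sketched as an added example that is not part of the thread: a script for cron that restarts only when the resolved address set has actually changed. The state file path, the function names and the `--run` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): restart Shorewall only when the
# addresses behind a DNS name used in the rules have changed.
# Hypothetical: STATE path, function names, --run switch; run as root from cron.

HOST="windowsupdate.microsoft.com"                    # name given in the thread
STATE="${STATE:-/var/lib/shorewall-dns/$HOST.addrs}"  # hypothetical location

# Keep only IPv4 literals from stdin ("dig +short" also prints CNAME targets
# and error text), sorted and de-duplicated so round-robin order is ignored.
normalize_addrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Read a fresh address list on stdin and compare it with the file named in $1.
# Returns 0 (and rewrites the file) if the set changed, 1 if it is unchanged,
# 2 if the lookup yielded no addresses (old state is kept untouched).
mapping_changed() {
    state_file=$1
    new=$(normalize_addrs)
    [ -n "$new" ] || return 2
    if [ -f "$state_file" ] && [ "$new" = "$(cat "$state_file")" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state_file"
    return 0
}

# Cron entry point: resolve, compare, restart only on a real change.
refresh() {
    mkdir -p "$(dirname "$STATE")"
    if dig +short A "$HOST" | mapping_changed "$STATE"; then
        logger -t shorewall-dns "$HOST address set changed; restarting Shorewall"
        shorewall restart
    fi
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then refresh; fi
```

A failed lookup leaves both the state file and the running rules alone, so a DNS outage does not trigger a restart. Between runs the rules still hold the previously resolved addresses, which is the limitation the original poster describes.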