I am currently restricting access to the 'net for an office using rules. Basically, I only allow the approved sites through, all else is blocked. This way employees can only get to approved sites.

My quandary... I've got Windows Defender loaded on the machines and unless I allow full access to the 'net, it can't update. Here is my rule to allow it out:

ACCEPT loc net:download.windowsupdate.com tcp 80

Here are the entries in the windowsupdate.log showing the failure:

2007-09-16 13:10:57:431 1100 ff0 Agent *************
2007-09-16 13:10:57:431 1100 ff0 Agent ** START ** Agent: Finding updates [CallerId = Windows Defender]
2007-09-16 13:10:57:431 1100 ff0 Agent *********
2007-09-16 13:10:57:431 1100 ff0 Agent * Online = Yes; Ignore download priority = No
2007-09-16 13:10:57:431 1100 ff0 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '0a487050-8b0f-4f81-b401-be4ceacd61cd') or (IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '8c3fcc84-7410-4a95-8b89-a166a0190486')"
2007-09-16 13:10:57:431 1100 ff0 Agent * ServiceID = {00000000-0000-0000-0000-000000000000}
2007-09-16 13:10:57:431 2060 e74 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Windows Defender]
2007-09-16 13:10:58:697 1100 ff0 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab:
2007-09-16 13:10:58:712 1100 ff0 Misc Microsoft signed: Yes
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: Send failed with hr = 80072efd.
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v7/windowsupdate/redir/wuredir.cab>. error 0x80072efd
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efd
2007-09-16 13:11:00:978 1100 ff0 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efd
2007-09-16 13:11:03:259 1100 ff0 Misc WARNING: Send failed with hr = 80072efd.

Any ideas?

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Sun, Sep 16, 2007 at 02:06:04PM -0400, Rob Ogle wrote:
> I am currently restricting access to the 'net for an office using rules.
> Basically, I only allow the approved sites through, all else is blocked.
> This way employees can only get to approved sites.
>
> <SNIP>
>
> Any ideas?
>

This comes up periodically. Here are some suggestions:

- Don't treat employees like children (usually not good for morale)
- Enact policy (the problem you are trying to solve is not technical in nature) and then deal with violations in an administrative fashion
- Switch to anything other than Windows

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Rob Ogle wrote:
> I've got windows defender loaded on the machines and unless I allow full
> access to the 'net, it can't update.

Nonsense.

a) Look at your log to see what traffic is getting blocked.
b) Use Shorewall FAQ 17 to determine what rule(s) you need to add.

Or:

Switch to using a more appropriate tool for exercising your big-brother tactics. Most people of similar mind use a proxy like Squid and forbid direct loc->net access for port 80.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
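The proxy arrangement Tom describes, written out as an added example (not code from the thread or from the Shorewall project): Squid does the allow-listing by destination hostname, so the policy no longer depends on whatever address download.windowsupdate.com happens to resolve to when Shorewall starts, and Shorewall refuses direct loc->net web traffic so the proxy cannot be bypassed. The LAN range, the proxy port and the second allowed domain are assumptions.

```conf
# --- /etc/squid/squid.conf (excerpt): allow-list by destination domain ---
# Assumed LAN range and proxy port; adjust to the site.
http_port 3128
acl localnet src 192.168.1.0/24
# A leading dot matches the host and all of its subdomains, whatever
# addresses they currently resolve to. Add the other hostnames that
# windowsupdate.log shows being contacted as they turn up.
acl wu_sites dstdomain .windowsupdate.com
acl approved dstdomain .approved-vendor.example   # placeholder domain
# Both ACLs on a line must match: LAN client AND allowed destination.
http_access allow localnet wu_sites
http_access allow localnet approved
http_access deny all

# --- /etc/shorewall/rules (excerpt): no direct web access from loc ---
#ACTION      SOURCE  DEST   PROTO  DEST PORT(S)
# Clients may reach the proxy running on the firewall itself ...
ACCEPT       loc     $FW    tcp    3128
# ... the proxy fetches from the net on their behalf ...
ACCEPT       $FW     net    tcp    80,443
# ... and direct loc->net web traffic is refused and logged, so the
# Shorewall log shows exactly which hosts still try to go around it.
REJECT:info  loc     net    tcp    80,443
```

The "Proxy List used: <(null)>" line in the log above shows the update agent talking through WinHTTP with no proxy configured, and WinHTTP does not pick up Internet Explorer's proxy settings on its own. Either set a WinHTTP proxy on the clients or use Shorewall's REDIRECT action to send loc port-80 traffic to Squid transparently.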
Thanks Tom,

I did check the log and saw the ip address, but MS is notorious for using rotating ip's for their sites (at least in my experience).

I'm running this on a LEAF UcLibc box. Is a leaf box capable of running squid? I don't care about doing caching, just traffic control.

Rob

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, September 16, 2007 7:23 PM
To: rogle@css1.cc; Shorewall Users
Subject: Re: [Shorewall-users] Rules problem

<SNIP>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Rob Ogle wrote:
> Thanks Tom,
> I did check the log and saw the ip address, but MS is notorious for using
> rotating ip's for their sites (at least in my experience).

Which reinforces my belief that you are using the wrong tool to enforce your draconian policies.

>
> I'm running this on a LEAF UcLibc box. Is a leaf box capable of
> running squid? I don't care about doing caching, just traffic control.

I think you mean "...just *access* control". I don't know -- you should be asking that question on the LEAF list.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key