SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Karel Lang AFD <[log in to unmask]>
Reply To:
Karel Lang AFD <[log in to unmask]>
Date:
Sat, 5 Mar 2016 13:47:27 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (155 lines)
Hmm good idea.
At least I've got some more things to study .. ok gonna start with a 
'man man' :-))

I'll have to find some guy with a deeper Windows networking understanding 
to get a really clear picture of how this whole communication works, because 
I need to understand the principle of the thing.

Thanks again guys for all ideas.

On 03/05/2016 01:28 PM, David Sommerseth wrote:
> On 05/03/16 13:23, David Sommerseth wrote:
>> On 05/03/16 11:36, jdow wrote:
>>> If squid can find usefully unique patterns in encrypted traffic I suppose that
>>> might work. But that's one heck of a big "if".
>>
>> A quick google search on "transparent https proxy" gave me these:
>>
>> <http://docs.mitmproxy.org/en/stable/howmitmproxy.html>
>> <http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https>
>>
>> I probably have more "faith" in the mitmproxy approach, as that seems
>> generally more designed with https in mind.
>
> Just another idea came to mind.  You only need a transparent proxy to be used
> when connecting to IP ranges belonging to Microsoft.  So instead of an
> iptables REDIRECT for all http/https connection, you add separate rules with
> --destination to the different Microsoft subnets.
>
>
> --
> kind regards,
>
> David Sommerseth
>
>
>>> On 2016-03-05 02:15, Karel Lang AFD wrote:
>>>> Hmm ... yes, yes.
>>>> Thanks for bringing this up.
>>>> I force all http traffic through the squid proxy on our SL 6 gateway, this
>>>> could
>>>> be also helpful..
>>>>
>>>>
>>>>
>>>> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>>>>> The only way I can think of is to force all internet access through a proxy
>>>>> and filter it out in the proxy.
>>>>> Then you don't give the machines any internet access just access to the proxy.
>>>>> Unfortunately I do not have details for you on how to filter the snoop
>>>>> messages because I haven't looked at them but it should be fairly easy
>>>>> using squid and an external Perl regex filter script or other filter
>>>>> application, but you will take a latency hit because you will have to inspect
>>>>> every transaction.
>>>>>
>>>>>     Original Message
>>>>> From: jdow
>>>>> Sent: Friday, March 4, 2016 23:35
>>>>> To: [log in to unmask]
>>>>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>>>>
>>>>> That windows update server is a relay for the "snoop" messages. About the only
>>>>> way to totally stop the snoop messages is to totally isolate the network
>>>>> containing Windows machines from the network. Any windows machine can serve
>>>>> as a
>>>>> relay point for any others.
>>>>>
>>>>> {o.o}
>>>>>
>>>>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> firstly, sorry Todd, I don't know how it happened that I got attached to your
>>>>>> thread.
>>>>>>
>>>>>> secondly, thank you all for your thoughtful posts.
>>>>>>
>>>>>> I know it is not easy to block the selected traffic from Windows 10 and
>>>>>> you are
>>>>>> right, it is being backported to Windows 7 as well. Horrible and disgusting.
>>>>>>
>>>>>> I already have a Windows server in the LAN dedicated as an update server (work of my
>>>>>> Windows colleagues), so the PCs don't have to access Windows update servers
>>>>>> outside the LAN - this should simplify things.
>>>>>>
>>>>>> Also the PCs must have internet access to email, http, https, ftp, sftp -
>>>>>> simply
>>>>>> the 'usual' stuff.
>>>>>> I think, still, there should be a way. I'll try to consult Mikrotik experts
>>>>>> (the
>>>>>> router brand we use) and guys from our ISP.
>>>>>> If I have something, I'll let you know :-)
>>>>>>
>>>>>> thank you, bb
>>>>>>
>>>>>> Karel
>>>>>>
>>>>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> guys, I think everyone has heard already about how badly Windows 10 treats
>>>>>>>> its users' privacy.
>>>>>>>
>>>>>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>>>>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>>>>>> can't stop it.
>>>>>>>
>>>>>>>> I'm now thinking about a way to stop Windows 10 sending these data
>>>>>>>> mining results to Microsoft telemetry servers and filter it on our SL
>>>>>>>> 6 Linux gateway.
>>>>>>>
>>>>>>> Nope. There are no specific servers in use - just general - so whatever
>>>>>>> you block will end up killing other services.
>>>>>>>
>>>>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>>>>> similarly filter torrent streams on our gateway - I patched the standard SL
>>>>>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>>>>>> extremely well.
>>>>>>>
>>>>>>> I would be interested to see if you could identify telemetry packets in
>>>>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>>>>> sure you let the world know though!
>>>>>>>
>>>>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>>>>> even 'hardwired' via some .dll library, which makes it even harder.
>>>>>>>
>>>>>>> Correct.
>>>>>>>
>>>>>>>> I'm no Windows expert, but I'm a Unix administrator concerned about
>>>>>>>> the privacy of Windows desktop/laptop users sitting inside my LAN.
>>>>>>>>
>>>>>>>> What I'd like to come up with is some more general iptables rules, rather than
>>>>>>>> blocking specific IP addresses or names, because, apparently, they may
>>>>>>>> change in any incoming Windows update ...
>>>>>>>>
>>>>>>>> Has anyone given this thought already? Is anyone else concerned the way I am?
>>>>>>>
>>>>>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>>>>> a few things that I like - so Fedora is a happy medium for me - as I
>>>>>>> still have the fedora-updates-testing repo enabled. My work laptop as
>>>>>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>>>>>> (KDE Spin if you hate Gnome 3 - like me).
>>>>>>>
>>>>>>
>>>>>
>>>>
>

-- 
*Karel Lang*
*Unix/Linux Administration*
[log in to unmask] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
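The narrower REDIRECT David suggests above (proxying only connections bound for chosen destination subnets, rather than all http/https), as an added example that is not from anyone in this thread. The interface name, proxy port and the two subnets are constructed placeholders, not Microsoft's real ranges; the script prints the rules rather than applying them, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): build nat-table REDIRECT rules that send
# only traffic bound for the listed destination subnets to a local transparent
# proxy, leaving all other HTTP/HTTPS traffic untouched.
# The values below are assumptions / constructed placeholders: replace the
# subnets with ranges you have verified yourself before using this.
LAN_IF="eth1"                                   # assumed LAN-facing interface
PROXY_PORT="3128"                               # assumed transparent squid port
PROXY_SUBNETS="192.0.2.0/24 198.51.100.0/24"    # constructed placeholder ranges

# Print one iptables command per (subnet, port) pair instead of executing it,
# so the script is a dry run; pipe its output to sh to apply the rules.
gen_redirect_rules() {
    for net in $PROXY_SUBNETS; do
        for port in 80 443; do
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --destination %s --dport %s -j REDIRECT --to-ports %s\n' \
                "$LAN_IF" "$net" "$port" "$PROXY_PORT"
        done
    done
}

# Number of rules that would be installed: two ports per listed subnet.
count_redirect_rules() {
    gen_redirect_rules | wc -l | tr -d ' '
}

gen_redirect_rules
```

Redirecting port 443 only helps if the proxy is set up to intercept TLS (squid's ssl-bump or the mitmproxy approach linked above); the iptables side alone does not inspect anything.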
