Hi guys,

firstly, sorry Todd, I don't know how it happened I got attached to your thread.

secondly, thank you all for your thoughtful posts.

I know it is not easy to block the selected traffic from Windows 10 and you are right, it is being backported to Windows 7 as well. Horrible and disgusting.

I already have a Windows server in the LAN dedicated as an update server (work of my Windows colleagues), so the PCs don't have to access Windows update servers outside the LAN - this should simplify things. Also the PCs must have internet access to email, http, https, ftp, sftp - simply the 'usual' stuff.

I think, yet, there should be a way. I'll try to consult Mikrotik experts (the router brand we use) and guys from our ISP.

If I have something, I'll let you know :-)

thank you,
bb
Karel

On 03/05/2016 12:40 AM, Steven Haigh wrote:
> On 05/03/16 07:24, Karel Lang AFD wrote:
>> Hi all,
>>
>> guys, I think everyone heard already about how Windows 10 badly treats
>> its users' privacy.
>
> My solution to this was to finally rid Windows 7 off my desktop PC - as
> most of the telemetry has also been 'back ported' to Windows 7 also. You
> can't stop it.
>
>> I'm now thinking about a way how to stop Windows 10 sending these data
>> mining results to Microsoft telemetry servers and filter it on our SL
>> 6 Linux gateway.
>
> Nope. There are no specific servers in use - just general - so whatever
> you block will end up killing other services.
>
>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>> similarly filter torrent streams on our gateway - I patched the standard SL
>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>> extremely well.
>
> I would be interested to see if you could identify telemetry packets in
> the flow - but I'm not predicting much success. If you do get it, make
> sure you let the world know though!
>
>> I read (not sure if true) that some DNS resolutions to M$ servers are
>> even 'hardwired' via some .dll library, so it makes it even harder.
>
> Correct.
>
>> I'm no Windows expert, but I'm a unix administrator concerned about
>> the privacy of Windows desktop/laptop users sitting inside my LAN.
>>
>> What I'd like to come up with is some more general iptables rules, rather than
>> blocking specific IP addresses or names, because, apparently they may
>> change in any incoming Windows update ...
>>
>> Anyone gave this thought already? Anyone else concerned the way I am?
>
> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
> a few things that I like - so Fedora is a happy medium for me - as I
> still have the fedora-updates-testing repo enabled. My work laptop as
> well as my personal laptop - and now my home desktop all run Fedora 23
> (KDE Spin if you hate Gnome 3 - like me).
>
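The egress policy Karel sketches (updates only from the internal update server, the 'usual' services allowed, everything else dropped) written out as an iptables-restore ruleset for an SL 6 style gateway. This is an added example, not code from the thread or from either poster; the Windows subnet, update server, resolver, LAN interface and the WSUS ports 8530/8531 are assumed placeholders. As Steven points out, telemetry that travels over port 443 still passes such a policy; the LOG rule exists so the destinations that do get dropped can be reviewed rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values; override via environment:
#   WIN_NET   Windows client subnet       WSUS      internal update server
#   RESOLVER  gateway DNS resolver        LAN_IF    interface facing the clients
# Usage: sh win-egress.sh --print | iptables-restore -n   (review output first)
WIN_NET="${WIN_NET:-192.168.10.0/24}"
WSUS="${WSUS:-192.168.1.10}"
RESOLVER="${RESOLVER:-192.168.1.1}"
LAN_IF="${LAN_IF:-eth1}"
# TCP ports for the "usual stuff" named in the thread: email, http, https, ftp, sftp
ALLOW_TCP="25 587 465 143 993 110 995 80 443 21 22"

# Print one rule line in iptables-restore syntax.
rule() { printf '%s\n' "$*"; }

# Emit the whole ruleset for the filter table.
gen_rules() {
  printf '*filter\n:WIN-EGRESS - [0:0]\n'
  # Everything leaving the Windows segment goes through the WIN-EGRESS chain.
  rule -A FORWARD -i "$LAN_IF" -s "$WIN_NET" -j WIN-EGRESS
  # Return traffic of flows that were already accepted.
  rule -A WIN-EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Update traffic only to the internal update server (assumed WSUS ports).
  rule -A WIN-EGRESS -d "$WSUS" -p tcp -m multiport --dports 8530,8531 -j ACCEPT
  # DNS only through the gateway resolver, so no client can resolve elsewhere.
  rule -A WIN-EGRESS -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
  rule -A WIN-EGRESS -p udp --dport 53 -j DROP
  for p in $ALLOW_TCP; do
    rule -A WIN-EGRESS -p tcp --dport "$p" -j ACCEPT
  done
  # Rate-limited log of whatever is left, then drop it.
  rule -A WIN-EGRESS -m limit --limit 10/min -j LOG --log-prefix '"WIN-EGRESS-DROP "'
  rule -A WIN-EGRESS -j DROP
  printf 'COMMIT\n'
}

# Number of rules placed in the WIN-EGRESS chain (useful as a sanity check).
rule_count() { gen_rules | grep -c '^-A WIN-EGRESS'; }

if [ "${1:-}" = "--print" ]; then gen_rules; fi
```

Dropped connections show up in the kernel log with the WIN-EGRESS-DROP prefix, which is the place to look when checking what a client tried to reach besides the whitelisted services.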