Hmm ... yes, yes. Thanks for bringing this up. I force all http traffic through the squid proxy on our SL 6 gateway, this could be also helpful..

On 03/05/2016 11:00 AM, [log in to unmask] wrote:
> The only way I can think of is to force all internet access through a proxy and filter it out in the proxy.
> Then you don't give the machines any internet access, just access to the proxy.
> Unfortunately I do not have details for you on how to filter the snoop messages because I haven't looked at them, but it should be fairly easy using squid and an external Perl regex filter script or other filter application, but you will take a latency hit because you will have to inspect every transaction.
>
> Original Message
> From: jdow
> Sent: Friday, March 4, 2016 23:35
> To: [log in to unmask]
> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>
> That windows update server is a relay for the "snoop" messages. About the only
> way to totally stop the snoop messages is to totally isolate the network
> containing Windows machines from the network. Any windows machine can serve as a
> relay point for any others.
>
> {o.o}
>
> On 2016-03-04 20:16, Karel Lang AFD wrote:
>> Hi guys,
>>
>> firstly, sorry Todd, I don't know how it happened that I got attached to your thread.
>>
>> secondly, thank you all for your thoughtful posts.
>>
>> I know it is not easy to block the selected traffic from windows 10 and you are
>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>
>> I already have a windows server in the LAN dedicated as an update server (work of my
>> windows colleagues), so the PCs don't have to access windows update servers
>> outside the LAN - this should simplify things.
>>
>> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
>> the 'usual' stuff.
>> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
>> router brand we use) and guys from our ISP.
>> If I have something, I'll let you know :-)
>>
>> thank you, bb
>>
>> Karel
>>
>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>> Hi all,
>>>>
>>>> guys, I think everyone has heard already about how windows 10 badly treats
>>>> its users' privacy.
>>>
>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>> can't stop it.
>>>
>>>> I'm now thinking about a way how to stop a windows 10 sending these data
>>>> mining results to the microsoft telemetry servers and filter it on our SL
>>>> 6 linux gateway.
>>>
>>> Nope. There are no specific servers in use - just general - so whatever
>>> you block will end up killing other services.
>>>
>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>> similarly filter torrent streams on our gateway - I patched the standard SL
>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>> extremely well.
>>>
>>> I would be interested to see if you could identify telemetry packets in
>>> the flow - but I'm not predicting much success. If you do get it, make
>>> sure you let the world know though!
>>>
>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>
>>> Correct.
>>>
>>>> I'm no windows expert, but I'm a unix administrator concerned about
>>>> the privacy of windows desktop/laptop users sitting inside my LAN.
>>>>
>>>> What I'd like to come up with is some more general iptables rules, rather than
>>>> blocking specific IP addresses or names, because, apparently, they may
>>>> change in any incoming windows update ...
>>>>
>>>> Has anyone given this thought already? Anyone else concerned the way I am?
>>>
>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>> a few things that I like - so Fedora is a happy medium for me - as I
>>> still have the fedora-updates-testing repo enabled). My work laptop as
>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>> (KDE Spin if you hate Gnome 3 - like me).
>>>
>>
>

--
*Karel Lang*
*Unix/Linux Administration*
[log in to unmask] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
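The proxy approach suggested in the thread (force all web traffic through squid and decide per request with an external filter script), as an added example that is not part of anyone's post: a minimal squid external ACL helper written in Python rather than Perl, with the matching squid.conf lines in comments. The host patterns are constructed placeholders, since the thread names no real telemetry hosts; the helper assumes squid's external_acl_type protocol with %URI as the only (URL-escaped) field and, for CONNECT requests, a bare host:port value.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: reply OK when the request host matches a block pattern.

Assumed squid.conf wiring (place the deny before your 'http_access allow localnet'):
    external_acl_type telemetry_check ttl=60 negative_ttl=60 children-max=4 %URI /usr/local/bin/telemetry_acl.py
    acl telemetry external telemetry_check
    http_access deny telemetry
"""
import re
import sys
from urllib.parse import unquote, urlsplit

# Constructed placeholder host patterns (not real telemetry hosts). In production,
# load these from a file so the list can change without editing the helper.
BLOCK_PATTERNS = [
    re.compile(r"(^|\.)telemetry\.example\.test$"),
    re.compile(r"(^|\.)watson\.example\.test$"),
]


def host_of(uri):
    """Return the lower-cased host of a request URI; CONNECT requests arrive as host:port."""
    if "://" not in uri:
        return uri.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(uri).hostname or "").lower()


def decide(line):
    """Map one helper input line to the reply squid expects ('OK' = ACL matches, 'ERR' = no match)."""
    parts = line.strip().split()
    if not parts:
        return "BH message=empty-request"       # BH = helper could not decide
    channel = ""
    if len(parts) > 1 and parts[0].isdigit():  # with concurrency=N squid prefixes a channel id
        channel, parts = parts[0] + " ", parts[1:]
    host = host_of(unquote(parts[0]))          # squid URL-escapes format values by default
    matched = any(p.search(host) for p in BLOCK_PATTERNS)
    return channel + ("OK" if matched else "ERR")


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                     # squid blocks until each reply arrives


if __name__ == "__main__":
    main()
```

For HTTPS the proxy only sees the CONNECT host, so matching stays host-based and costs far less latency than inspecting bodies; matching on hostnames still inherits the weakness raised in the thread that the hosts can change with any update.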