Hmm good idea. At least I've got some more things to study .. ok gonna start with a 'man man' :-)) I'll have to find some guy with deeper windows networking understanding to get really clear picture, how this whole communication works, because I need to understand principle of thing. Thanks again guys for all ideas.

On 03/05/2016 01:28 PM, David Sommerseth wrote:
> On 05/03/16 13:23, David Sommerseth wrote:
>> On 05/03/16 11:36, jdow wrote:
>>> If squid can find usefully unique patterns in encrypted traffic I suppose that
>>> might work. But that's one heck of a big "if".
>>
>> A quick google search on "transparent https proxy" gave me these:
>>
>> <http://docs.mitmproxy.org/en/stable/howmitmproxy.html>
>> <http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https>
>>
>> I probably have more "faith" in the mitmproxy approach, as that seems
>> generally more designed with https in mind.
>
> Just another idea came to mind. You only need a transparent proxy to be used
> when connecting to IP ranges belonging to Microsoft. So instead of an
> iptables REDIRECT for all http/https connections, you add separate rules with
> --destination to the different Microsoft subnets.
>
>
> --
> kind regards,
>
> David Sommerseth
>
>
>>> On 2016-03-05 02:15, Karel Lang AFD wrote:
>>>> Hmm ... yes, yes.
>>>> Thanks for bringing this up.
>>>> I force all http traffic through the squid proxy on our SL 6 gateway, this could
>>>> be also helpful..
>>>>
>>>>
>>>>
>>>> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>>>>> The only way I can think of is to force all internet access through a proxy
>>>>> and filter it out in the proxy.
>>>>> Then you don't give the machines any internet access, just access to the proxy.
>>>>> Unfortunately I do not have details for you on how to filter the snoop
>>>>> messages because I haven't looked at them, but it should be fairly easy
>>>>> using squid and an external Perl regex filter script or other filter
>>>>> application, but you will take a latency hit because you will have to inspect
>>>>> every transaction.
>>>>>
>>>>> Original Message
>>>>> From: jdow
>>>>> Sent: Friday, March 4, 2016 23:35
>>>>> To: [log in to unmask]
>>>>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>>>>
>>>>> That windows update server is a relay for the "snoop" messages. About the only
>>>>> way to totally stop the snoop messages is to totally isolate the network
>>>>> containing Windows machines from the network. Any windows machine can serve as a
>>>>> relay point for any others.
>>>>>
>>>>> {o.o}
>>>>>
>>>>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> firstly, sorry Todd, I don't know how it happened I got attached to your
>>>>>> thread.
>>>>>>
>>>>>> secondly, thank you all for your thoughtful posts.
>>>>>>
>>>>>> I know it is not easy to block the selected traffic from windows 10 and you are
>>>>>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>>>>>
>>>>>> I already have a windows server in LAN dedicated as an update server (work of my
>>>>>> windows colleagues), so the PCs don't have to access windows update servers
>>>>>> outside LAN - this should simplify things.
>>>>>>
>>>>>> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
>>>>>> the 'usual' stuff.
>>>>>> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
>>>>>> router brand we use) and guys from our ISP.
>>>>>> If I have something, I'll let you know :-)
>>>>>>
>>>>>> thank you, bb
>>>>>>
>>>>>> Karel
>>>>>>
>>>>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> guys, I think everyone heard already about how windows 10 badly treats
>>>>>>>> its users' privacy.
>>>>>>>
>>>>>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>>>>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>>>>>> can't stop it.
>>>>>>>
>>>>>>>> I'm now thinking about a way how to stop a windows 10 sending these data
>>>>>>>> mining results to a microsoft telemetry servers and filter it on our SL
>>>>>>>> 6 linux gateway.
>>>>>>>
>>>>>>> Nope. There are no specific servers in use - just general - so whatever
>>>>>>> you block will end up killing other services.
>>>>>>>
>>>>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>>>>> similarly filter torrent streams on our gateway - I patched standard SL
>>>>>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>>>>>> extremely well.
>>>>>>>
>>>>>>> I would be interested to see if you could identify telemetry packets in
>>>>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>>>>> sure you let the world know though!
>>>>>>>
>>>>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>>>>>
>>>>>>> Correct.
>>>>>>>
>>>>>>>> I'm no windows expert, but I'm a unix administrator concerned about
>>>>>>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>>>>>>
>>>>>>>> What I'd like to come up with is some more general iptables rules, than
>>>>>>>> blocking specific IP addresses or names, because, apparently they may
>>>>>>>> change in any incoming windows update ...
>>>>>>>>
>>>>>>>> Anyone gave this thought already? Anyone else concerned the way I am?
>>>>>>>
>>>>>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>>>>> a few things that I like - so Fedora is a happy medium for me - as I
>>>>>>> still have the fedora-updates-testing repo enabled. My work laptop as
>>>>>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>>>>>> (KDE Spin if you hate Gnome 3 - like me).
>>>>>>>
>>>>>>
>>>>>
>>>>
>

--
*Karel Lang*
*Unix/Linux Administration*
[log in to unmask] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
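The rule layout David suggests (REDIRECT only the HTTP/HTTPS connections bound for particular destination subnets to the local proxy, instead of every web connection) as an added example; this is not code from the thread or from any of the posters. It assumes, as in Karel's setup, that squid (or mitmproxy) runs on the SL 6 gateway itself, because the REDIRECT target always points at the local host. The interface name, proxy ports and chain name are placeholders, and the subnets passed in are RFC 5737 documentation ranges, not real Microsoft addresses. The script prints the iptables commands rather than applying them, so the rule set can be reviewed before it is piped into a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables nat rules that divert
# only HTTP/HTTPS connections bound for the listed destination subnets to a
# transparent proxy on this gateway; all other traffic is left untouched.
# Assumptions: the proxy listens on this host (REDIRECT only targets the
# local machine); interface, ports and chain name below are placeholders.

LAN_IF=${LAN_IF:-eth1}                      # interface the Windows clients sit behind
PROXY_HTTP_PORT=${PROXY_HTTP_PORT:-3128}    # squid http_port ... intercept
PROXY_HTTPS_PORT=${PROXY_HTTPS_PORT:-3129}  # squid https_port ... intercept ssl-bump
CHAIN=${CHAIN:-TELEMETRY_PROXY}

# gen_redirect_rules SUBNET...  prints the rules instead of applying them,
# so they can be reviewed first; "... | sh" as root applies them.
gen_redirect_rules() {
  [ $# -gt 0 ] || { echo "usage: gen_redirect_rules SUBNET..." >&2; return 1; }
  echo "iptables -t nat -N $CHAIN"
  # Only web ports arriving from the LAN side enter the dedicated chain.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports 80,443 -j $CHAIN"
  for net in "$@"; do
    echo "iptables -t nat -A $CHAIN -d $net -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_HTTP_PORT"
    echo "iptables -t nat -A $CHAIN -d $net -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_HTTPS_PORT"
  done
  # Anything not matching a listed subnet falls through the chain untouched.
  echo "iptables -t nat -A $CHAIN -j RETURN"
}

# Sanity-check helper: number of REDIRECT rules produced (two per subnet).
count_redirects() {
  gen_redirect_rules "$@" | grep -c -- '-j REDIRECT'
}

# Example run with RFC 5737 documentation ranges standing in for the real
# subnets (constructed placeholders, not Microsoft addresses).
gen_redirect_rules 203.0.113.0/24 198.51.100.0/24
```

Two caveats before applying it: the squid port that receives the redirected packets must be configured in `intercept` mode, otherwise squid rejects the transparently diverted requests; and the port-443 rule only does anything useful if the proxy terminates TLS with a CA certificate the Windows clients trust, which is jdow's "big if" above. Without that, the clients just get certificate errors, and the most the gateway can do for those destinations is log or drop the connections rather than inspect them.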