morteza87
just joined
Topic Author
Posts: 5
Joined: Sun Feb 16, 2020 8:07 am

dropping windows update not work when accept "established","related" connections at first

Wed May 12, 2021 9:37 am

Hi everyone,
I had a problem with the MikroTik firewall.
I want to drop Windows Update using ip - firewall - filter. The problem is that if I accept established and related connections at the top of the firewall rules, the "Drop windows update" rules do not work, but if I put them at the top they work nicely!
This is my configuration. Anything I missed?

# model = 2011UiAS-2HnD
/ip firewall filter

add action=accept chain=forward comment=established connection-state=established,related
add action=accept chain=input comment=established connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid disabled=yes
add action=drop chain=input comment=invalid connection-state=invalid

add action=drop chain=forward comment="windown update" content=update.microsoft.com
add action=drop chain=forward comment="windown update" content=download.microsoft.com
add action=drop chain=forward comment="windown update" content=ntservicepack.microsoft.com
add action=drop chain=forward comment="windown update" content=stats.microsoft.com
add action=drop chain=forward comment="windown update" content=windowsupdate.microsoft.com
add action=drop chain=forward comment="windown update" content=download.windowsupdate.com
add action=drop chain=forward comment="windown update" content=windowsupdate.com
add action=drop chain=forward comment="windown update" content=wustat.windows.com


Also, when "add action=drop chain=forward comment=invalid connection-state=invalid" is active, my branch office couldn't connect to and ping my LAN!? (Our office: 192.168.40.0/24 & branch office: 192.168.41.0/24)

Thank you all.
 
 
morteza87
just joined
Topic Author
Posts: 5
Joined: Sun Feb 16, 2020 8:07 am

Re: dropping windows update not work when accept "established","related" connections at first

Wed May 12, 2021 2:19 pm

I didn't get the point; shouldn't I use content?
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: dropping windows update not work when accept "established","related" connections at first

Wed May 12, 2021 2:48 pm

Yes, because the router can't see content inside HTTPS.
 
morteza87
just joined
Topic Author
Posts: 5
Joined: Sun Feb 16, 2020 8:07 am

Re: dropping windows update not work when accept "established","related" connections at first

Wed May 12, 2021 3:00 pm

"Yes, because the router can't see content inside HTTPS."
OK, so what?
If the router can't see content inside HTTPS, how does it block Windows Update when these rules have higher priority than the "Accept Established" rule?
How should I set the rules to get the correct result?
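
Added example, not part of any post in this thread: a simplified Python model of first-match rule evaluation, showing why the posted content rules never fire once an earlier rule has accepted established packets, and why a payload that does not carry the hostname in clear text is not matched in either order. The packet dictionaries, flows and function names are constructed for illustration, and the connection-state handling is a simplifying assumption, not RouterOS code.

```python
# Simplified model of first-match filter evaluation (illustrative assumption,
# not RouterOS code): a rule matches when every matcher it sets agrees with
# the packet, and the first matching rule decides the packet's fate.
ACCEPT_EST = {"action": "accept", "connection-state": {"established", "related"}}
DROP_WU = {"action": "drop", "content": b"windowsupdate.com"}  # one rule from the post

def matches(rule, pkt):
    states = rule.get("connection-state")
    if states is not None and pkt["state"] not in states:
        return False
    needle = rule.get("content")
    if needle is not None and needle not in pkt["payload"]:
        return False
    return True

def evaluate(rules, pkt):
    """Return the action of the first matching rule; default is accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def run_flow(rules, packets):
    """Evaluate each packet of a flow in order and collect the verdicts."""
    return [evaluate(rules, p) for p in packets]

# Constructed sample flows (client-to-server packets in the forward chain).
PLAIN_FLOW = [
    {"state": "new", "payload": b""},  # TCP SYN carries no payload
    {"state": "established",           # request arrives after the handshake
     "payload": b"GET / HTTP/1.1\r\nHost: download.windowsupdate.com\r\n\r\n"},
]
OPAQUE_FLOW = [
    {"state": "new", "payload": b""},
    {"state": "established",           # constructed encrypted record, no hostname
     "payload": bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"\x8f" * 16},
]

ESTABLISHED_FIRST = [ACCEPT_EST, DROP_WU]  # order in the posted configuration
CONTENT_FIRST = [DROP_WU, ACCEPT_EST]      # order the poster reports as working

if __name__ == "__main__":
    for name, rules in (("established first", ESTABLISHED_FIRST),
                        ("content first", CONTENT_FIRST)):
        print(name, run_flow(rules, PLAIN_FLOW), run_flow(rules, OPAQUE_FLOW))
```
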
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: dropping windows update not work when accept "established","related" connections at first

Wed May 12, 2021 3:19 pm

STOP WRITING HERE

CONTINUE HERE PLEASE:
viewtopic.php?f=2&t=165893&p=815604#p857104
