How do I tell BorderManager 3.8 to let Windows Update sail through?

The "destination address type" choice of using a netmask does not perform
the way I expect, and indeed does not work at all.

I have set two rules which are as ridiculously relaxed and open as I can get
without simply disabling the firewall completely:

Rule #1: Let anyone talk to Microsoft's 65,000 servers:
- from interface ANY to interface ANY
- ports: ALL
- protocol: IP
- stateful: No
- from source address ANY
- to network range, mask

Rule #2: Let Microsoft's 65,000 servers talk to anyone:
- from interface ANY to interface ANY
- ports: ALL
- protocol: IP
- stateful: No
- from network range, mask
- to destination address ANY

And yet, when I try to run Windows Update directly through the firewall, the
filter debugger (console command: IPFLT_DEBUG_ON) tells me "there is no
matching rule" and it discards the packets.

This makes no sense at all. There is no way I can possibly make this
free-for-all bypass any looser than it already is.

This mask is correct, because ARIN says so:

NetRange: -

Though indeed, this "mask" in the packet forwarding filters doesn't need to
even act like a real netmask, since all I'm looking for is opening up 65536
consecutive IP addresses.

(It'd be nice if I could just enter the addresses to block in the simple
format of " to" anyway, and eliminate the mask
calculations. Perhaps I do not want to block an entire domain, but just a
range of 37 addresses in the middle of it.)

Anyone know how to make the filter behave, without me having to manually
create 65536 individual filters for each host in Microsoft's net-range?
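
The range-to-mask calculation the post asks about, as an added example that is not part of the original post and is not BorderManager code: it splits an inclusive address range into the fewest network/mask pairs and applies the usual (address AND mask) comparison. The addresses are constructed placeholders and the function names are hypothetical; how BorderManager itself evaluates the mask field is not shown on this page.

```python
import ipaddress

def range_to_filters(first, last):
    """Split the inclusive range first..last into the fewest (network, netmask) pairs."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    filters = []
    while lo <= hi:
        # A block must start on a multiple of its own size, so the lowest
        # set bit of lo is the largest block that can begin at lo.
        size = lo & -lo if lo else 1 << 32
        # It also must not run past the end of the requested range.
        while size > hi - lo + 1:
            size >>= 1
        mask = 0xFFFFFFFF ^ (size - 1)
        filters.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(mask))))
        lo += size
    return filters

def matches(addr, network, netmask):
    """Conventional netmask test: compare only the bits the mask selects."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(netmask))
    return (a & m) == (n & m)

if __name__ == "__main__":
    # Constructed sample ranges: 65536 aligned addresses, then 37 in the middle.
    for first, last in [("10.20.0.0", "10.20.255.255"),
                        ("10.20.30.100", "10.20.30.136")]:
        print(f"{first} to {last}")
        for network, netmask in range_to_filters(first, last):
            print(f"  network {network}  mask {netmask}")
```

An aligned block of 65536 addresses collapses to a single entry with mask 255.255.0.0, while the unaligned 37-address range needs five entries.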