Feature #1901

closed

Maintain IP range tables for popular Internet sites

Added by Dim Hatz almost 10 years ago. Updated about 8 years ago.

Status: Needs Patch
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 09/25/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

The current version of pfSense includes the filterdns daemon, which periodically resolves any FQDN in aliases into an IP. But this won't work for websites that return a different set of IPs on each DNS request, so the current solution seems to be doing URL filtering via a proxy like Squid+squidGuard. However, this is of little help when a company has moved its email to Google, needs to access its servers via IMAP, and wants to whitelist all of Google's IPs. This scenario will come up more often as companies migrate to SaaS and the cloud.

A solution would be for pfSense to automatically keep track of certain sites' IP ranges (e.g. GoogleApps). This info can be obtained via whois or DNS.

E.g. Google's ASN is 15169 (https://www.dan.me.uk/bgplookup?asn=15169), or via DNS lookup of the SPF record, as Google suggests in the "Google IP address ranges" page: http://www.google.com/support/a/bin/answer.py?answer=60764

$ host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
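
The SPF-based lookup proposed above, as an added example (not part of the original issue or of pfSense's code): it parses the TXT answer quoted in the description, validates every ip4/ip6 range before it could reach an allow list, and emits one CIDR per line. The function names and the MIN_PREFIX guard are assumptions of this example.

```python
import ipaddress
import re

# Sample input: the `host -t txt _spf.google.com` output quoted in the issue.
SAMPLE = ('_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 '
          'ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 '
          'ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 '
          'ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"')

MIN_PREFIX = 8  # assumption: never allow-list anything broader than a /8

def parse_spf(text):
    """Return (networks, includes, rejected) from one SPF TXT answer."""
    # A TXT record may arrive as several quoted strings; SPF joins them as-is.
    quoted = re.findall(r'"([^"]*)"', text)
    terms = ("".join(quoted) if quoted else text).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, includes, rejected = [], [], []
    for term in terms[1:]:
        term = term.lstrip("+-~?")            # drop the SPF qualifier
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # DNS answers are untrusted input: malformed ranges are rejected.
            try:
                net = ipaddress.ip_network(value, strict=True)
            except ValueError:
                rejected.append(term)
                continue
            if net.version != int(name[2]) or net.prefixlen < MIN_PREFIX:
                rejected.append(term)
            else:
                networks.append(net)
        elif name == "include" and value:
            includes.append(value)            # caller must resolve these too
    return networks, includes, rejected

def alias_lines(networks):
    """Collapse overlapping ranges per address family; one CIDR per line."""
    out = []
    for version in (4, 6):
        family = [n for n in networks if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return out

if __name__ == "__main__":
    nets, incs, bad = parse_spf(SAMPLE)
    print("\n".join(alias_lines(nets)))
```

Entries returned in `rejected` are worth logging rather than silently dropping, since a sudden change in a provider's published ranges is exactly what should be reviewed before the firewall table is replaced.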
