OPNsense – create pftable for google networks

  • by

I tried in several way to enable firewall rules to google addresses like smtp, apis, captcha and so on. In OPNsense you can add an host alias inserting the FQDN instead of the IP address. Then you can schedule a reload of the alias every 5 minutes or so. Most of the times it works but I often get issues since google change IP addresses very often, and TTL is short, 5 minutes sometimes. This results in unwanted drops.

Still I don’t want to open to “any”, even if connections are outbound, so I told myself to accept a compromise, enable rules directed to any google host, idea sounded good to me, I googled a bit and found the list of networks used by google. So far so good.
Well, not really, google networks change in the time, the list is not always the same. I don’t know how and why, but I noticed this.

Now I have 2 issues:
– how to dinamically retrieve list of google networks
– are all those addresses really used by google, or do they use it also for customers hosts, like google cloud or so?

For the time being I solved the first issue, here is how, taking advantage of the Sender Policy Framework DNS entries, which google wisely use:

[root@myfw ~]# dig @8.8.8.8 +noall +answer +short +dnssec +tcp _spf.google.com txt
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

For each block we can get the subnets, in the same way:

[root@myfw ~]# dig @8.8.8.8 +noall +answer +short +dnssec +tcp _netblocks.google.com txt
"v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

Then we can easily script it to get a well formatted list of networks:

[root@myfw ~]# dig @8.8.8.8 +noall +answer +short +dnssec +tcp _spf.google.com txt | tr ' ' '\n' | awk -F: '$1=="include" {print $2}' | while read blocks
> do
>   dig @8.8.8.8 +noall +answer +short +dnssec +tcp "$blocks" txt | tr ' ' '\n' | awk -F: '$1=="ip4" {print $2}'
> done
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.253.56.0/21
172.253.112.0/20
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22

Cool as fuck! But now we still need to be able to create a pf table to be used by OPNsense firewall rules. It’s easier to do it than to explain it:

[root@myfw ~]# dig @8.8.8.8 +noall +answer +short +dnssec +tcp _spf.google.com txt | tr ' ' '\n' | awk -F: '$1=="include" {print $2}' | while read blocks
> do
>   dig @8.8.8.8 +noall +answer +short +dnssec +tcp "$blocks" txt | tr ' ' '\n' | awk -F: '$1=="ip4" {print $2}'
> done | xargs pfctl -t google_networks -T replace
21 addresses added.

[root@myfw ~]# pfctl -t google_networks -T show
   35.190.247.0/24
   35.191.0.0/16
   64.233.160.0/19
   66.102.0.0/20
   66.249.80.0/20
   72.14.192.0/18
   74.125.0.0/16
   108.177.8.0/21
   108.177.96.0/19
   130.211.0.0/22
   172.217.0.0/19
   172.217.32.0/20
   172.217.128.0/19
   172.217.160.0/20
   172.217.192.0/19
   172.253.56.0/21
   172.253.112.0/20
   173.194.0.0/16
   209.85.128.0/17
   216.58.192.0/19
   216.239.32.0/19

Now we create an alias in this way:

You can now use that alias in your firewall rules.
In order to keep it updated, you can place the script somewhere and schedule it

[root@myfw ~]# cat google-nets
#!/bin/sh
dig @8.8.8.8 +noall +answer +short +dnssec +tcp _spf.google.com txt | tr ' ' '\n' | awk -F: '$1=="include" {print $2}' | while read blocks
do
  dig @8.8.8.8 +noall +answer +short +dnssec +tcp "$blocks" txt | tr ' ' '\n' | awk -F: '$1=="ip4" {print $2}'
done | xargs pfctl -t google_networks -T replace

[root@myfw ~]# cat /usr/local/etc/cron.d/custom-pf-tables.cron
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    who     command
40      4       *       *       *       root    /root/google-nets

Leave a Reply

Your email address will not be published.