Google Play and App Store. IP and port ranges.
-
I have a network with no access to the Internet for my users, with a pfSense FW, but now I need to open all the IPs and ports that are necessary to install apps from Google Play or the App Store. Does somebody know these IPs and ports?
-
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> play.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59806
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;play.google.com. IN A
;; ANSWER SECTION:
play.google.com. 300 IN CNAME www3.l.google.com.
www3.l.google.com. 300 IN A 74.125.225.72
www3.l.google.com. 300 IN A 74.125.225.73
www3.l.google.com. 300 IN A 74.125.225.78
www3.l.google.com. 300 IN A 74.125.225.64
www3.l.google.com. 300 IN A 74.125.225.65
www3.l.google.com. 300 IN A 74.125.225.66
www3.l.google.com. 300 IN A 74.125.225.67
www3.l.google.com. 300 IN A 74.125.225.68
www3.l.google.com. 300 IN A 74.125.225.69
www3.l.google.com. 300 IN A 74.125.225.70
www3.l.google.com. 300 IN A 74.125.225.71

For ports I would guess TCP 443 (HTTPS). You could make a rule to allow IP any and set it to log, then browse and install an app and go to Status->System Logs, Firewall tab. Select the "Pass" checkbox, type LAN in interface, and click filter to verify.
-
also port 5228 tcp/udp
https://support.google.com/googleplay/answer/2651367?hl
-
Thanks verigoth, but Google IPs are changing or are not the same in all zones. This is the result of "dig play.google.com" now in Spain:
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> play.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45611
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;play.google.com. IN A
;; ANSWER SECTION:
play.google.com. 92 IN CNAME www3.l.google.com.
www3.l.google.com. 102 IN A 173.194.45.7
www3.l.google.com. 102 IN A 173.194.45.1
www3.l.google.com. 102 IN A 173.194.45.9
www3.l.google.com. 102 IN A 173.194.45.14
www3.l.google.com. 102 IN A 173.194.45.5
www3.l.google.com. 102 IN A 173.194.45.8
www3.l.google.com. 102 IN A 173.194.45.0
www3.l.google.com. 102 IN A 173.194.45.3
www3.l.google.com. 102 IN A 173.194.45.2
www3.l.google.com. 102 IN A 173.194.45.6
www3.l.google.com. 102 IN A 173.194.45.4
;; Query time: 276 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Apr 23 21:16:53 CEST 2014
;; MSG SIZE rcvd: 241

Finally, I will permit all Google IPs (obtained with this method http://snurps.blogspot.com.es/2013/10/how-many-ip-addresses-does-google-have.html) but I don't like to permit YouTube, www.google.com,… and now, with this solution, I can't.
And AppStore? Any ideas?
-
A little research says Apple uses itunes.apple.com. You can make an alias with play.google.com and itunes.apple.com as hosts and use the alias as a destination in your firewall rule.
-
Yes, these two subdomains are used, but not only those. I have tested, and there are more IPs logged on my FW that I need to add to my "pass" rule if I want to permit Google Play and AppStore.
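
Added example, not part of any post in this thread: a short Python check of the point raised above, that the A records behind play.google.com differ between the two dig outputs, so a rule built from one answer does not cover the other. The embedded text is a three-record excerpt of each answer section quoted in the thread; the function names are illustrative.

```python
import ipaddress

# Excerpts of the two answer sections quoted in this thread (three A records each).
DIG_FIRST = """\
;; ANSWER SECTION:
play.google.com. 300 IN CNAME www3.l.google.com.
www3.l.google.com. 300 IN A 74.125.225.72
www3.l.google.com. 300 IN A 74.125.225.73
www3.l.google.com. 300 IN A 74.125.225.78
"""
DIG_SPAIN = """\
;; ANSWER SECTION:
play.google.com. 92 IN CNAME www3.l.google.com.
www3.l.google.com. 102 IN A 173.194.45.7
www3.l.google.com. 102 IN A 173.194.45.1
www3.l.google.com. 102 IN A 173.194.45.9
;; Query time: 276 msec
"""

def parse_answer(dig_text, qname):
    """Follow CNAMEs from qname; return (set of A addresses, lowest TTL seen)."""
    cname, a_records, ttls = {}, {}, []
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5 or fields[2] != "IN":
            continue  # dig comments, section headers, blank lines
        name, ttl, _, rtype, data = fields
        name = name.rstrip(".").lower()
        if rtype == "CNAME":
            cname[name] = (data.rstrip(".").lower(), int(ttl))
        elif rtype == "A":
            a_records.setdefault(name, []).append((ipaddress.ip_address(data), int(ttl)))
    name, seen = qname.rstrip(".").lower(), set()
    while name in cname and name not in seen:  # guard against CNAME loops
        seen.add(name)
        name, ttl = cname[name]
        ttls.append(ttl)
    ttls += [ttl for _, ttl in a_records.get(name, [])]
    return {ip for ip, _ in a_records.get(name, [])}, (min(ttls) if ttls else None)

def compare(first, second, qname):
    """Diff the address sets two resolvers returned for the same name."""
    a, ttl_a = parse_answer(first, qname)
    b, ttl_b = parse_answer(second, qname)
    known = [t for t in (ttl_a, ttl_b) if t is not None]
    return {"shared": sorted(a & b), "only_first": sorted(a - b),
            "only_second": sorted(b - a), "min_ttl": min(known) if known else None}

if __name__ == "__main__":
    print(compare(DIG_FIRST, DIG_SPAIN, "play.google.com"))
```

An empty `shared` list means neither answer can be used as a static allow list for clients resolving through the other path, and `min_ttl` bounds how long any single answer can be trusted.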