Friday, May 3, 2024
Asked Sat, May 7, 2022, 12:23:30 (1 answer, 45077 hits)

I am currently using the following rule:

ufw allow out from my_local_ip to any port 587

This is a little too lax for my liking. I would like to tighten it up and restrict it to only Gmail's SMTP server IP addresses, but they are always changing. I used to just wait until an outgoing email didn't make it to its destination, then check syslog for the IP address that was blocked, then add that to the ufw configure script. However, now I have a need for much more reliability.

Is there any way to use smtp.gmail.com in ufw? I don't think so, but thought I would ask. Any other ideas? Thanks.

Update

Taking izx's suggestion, I obtained the following (abbreviated) info from whois:

$ whois 74.125.53.108
...
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
...

Using this info I created the following command in my ufw configuration script (I realize there are other ranges to open, this is just an example):

ufw allow out from 192.168.2.5 to 74.125.0/24.0/24 port 587

but ufw does not like that. So I changed it to:

ufw allow out from 192.168.2.5 to 74.125.0.0/24 port 587

This ufw accepted, but obviously this will only block any address in this range with 0 as the third octet. So how do I get from 0-255 for the third octet as well?



 Answers
3

You'd need a script that periodically resolves the domain and updates firewall rules with the latest IP. Instead, try this method:

Domains like these often have multiple IPs associated with them. Use host domain.tld to get a list:

$ host smtp.gmail.com
smtp.gmail.com is an alias for gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com has address 74.125.127.108
gmail-smtp-msa.l.google.com has address 74.125.127.109

But these two also probably keep changing, based on your question. So it's best to whitelist the entire netblock -- use whois with the IP:

$ whois 74.125.127.108

NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-03-13
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1
...

The NetRange/CIDR tells you what to whitelist -- 74.125.0.0/16. Google could assign any IP in this range to smtp.gmail.com.


[#37891] Sunday, May 8, 2022

amacal
Location: Thailand
Member since Thu, Apr 22, 2021
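As an added illustration of the answer's method (not code from the question or the answer), the script below parses the `host` and `whois` output quoted above, checks that every resolved address actually falls inside the whois netblock, and emits the matching `ufw allow out` commands instead of running them. The sample outputs are embedded as constructed copies of the lines shown in the answer, and the local address 192.168.2.5 and port 587 are taken from the question; the `plan()` helper is assumed for this example only.

```python
"""Turn a resolved mail host plus its whois netblock into ufw egress rules."""
import ipaddress
import re

# Constructed sample: the `host smtp.gmail.com` output quoted in the answer.
HOST_OUTPUT = """\
smtp.gmail.com is an alias for gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com has address 74.125.127.108
gmail-smtp-msa.l.google.com has address 74.125.127.109
"""

# Constructed sample: the relevant lines of `whois 74.125.127.108` from the answer.
WHOIS_OUTPUT = """\
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
NetName: GOOGLE
"""


def parse_host_addresses(text):
    """Collect every 'has address A.B.C.D' line from `host` output."""
    return [ipaddress.ip_address(m) for m in re.findall(r"has address (\S+)", text)]


def parse_whois_cidrs(text):
    """Collect the CIDR: line(s) from whois output (ARIN may list several, comma separated)."""
    nets = []
    for line in text.splitlines():
        if line.startswith("CIDR:"):
            nets += [ipaddress.ip_network(c.strip()) for c in line.split(":", 1)[1].split(",")]
    return nets


def uncovered(addresses, networks):
    """Addresses no candidate network contains; a non-empty list means the rules are too narrow
    (the /24 from the question misses 74.125.127.x, the /16 from whois does not)."""
    return [str(a) for a in addresses if not any(a in n for n in networks)]


def ufw_rules(local_ip, networks, port=587):
    """Emit one 'ufw allow out' command per netblock; nothing is executed here."""
    return [f"ufw allow out from {local_ip} to {n} port {port}" for n in networks]


def plan(local_ip="192.168.2.5"):
    """Resolve -> whois -> check coverage -> rules, refusing to emit rules that would block mail."""
    addrs = parse_host_addresses(HOST_OUTPUT)
    nets = parse_whois_cidrs(WHOIS_OUTPUT)
    missing = uncovered(addrs, nets)
    if missing:
        raise ValueError(f"netblocks do not cover {missing}; refresh whois before writing rules")
    return ufw_rules(local_ip, nets)


if __name__ == "__main__":
    print("\n".join(plan()))
```

Run periodically with live `host` and `whois` output in place of the embedded samples, the coverage check is what tells you a netblock has changed before an outgoing message is silently dropped.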