Netgate SG-1000 microFirewall

Author Topic: Allow access to Apple IPs?  (Read 239 times)

0 Members and 1 Guest are viewing this topic.

Offline V3lcr0

  • Full Member
  • ***
  • Posts: 209
  • Karma: +8/-0
    • View Profile
Allow access to Apple IPs?
« on: December 12, 2017, 09:04:05 pm »
IOS seems to want to talk alot out...I am cool with Apple. :-*

I am trying to allow a rule to all Apple IPs...I read somewhere I think on the pfSense forum that Apple owns the entire 17.x.x.x range.

How would I capture this in a rule/alias?

17.0.0.0/24?
17.0.0.0/36?

Is this logic sound for a rule?

Thanks in advance...

Offline Grimson

  • Full Member
  • ***
  • Posts: 265
  • Karma: +37/-3
    • View Profile

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1093
  • Karma: +43/-9
    • View Profile
Re: Allow access to Apple IPs?
« Reply #2 on: December 13, 2017, 05:50:22 am »
You want to allow unrestricted access to Apple?  Ever hear of address spoofing?  Why do you need to even allow them access?  Are they going to be logging into your systems to do what?

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14842
  • Karma: +1377/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Allow access to Apple IPs?
« Reply #3 on: December 13, 2017, 06:47:14 am »
Apple owns the whole 17/8

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:          ()
NetType:        Direct Assignment
OriginAS:       
Organization:   Apple Inc. (APPLEC-1-Z)

Are you blocking outbound access currently?  Out of the box the lan rule is any any.. Where did you come up with /36 that is not a valid IPv4 mask...   /32 is the smallest mask and would be all 32 bits of the address.. Ie host specific..

But sure you can put your netblocks in an alias and then use that to either block or pass traffic to all networks in the alias.

You do understand if your device is talking to apple, the return traffic would be allowed by the state.  Why would apple create unsolicited traffic to you that you would want to allow?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline V3lcr0

  • Full Member
  • ***
  • Posts: 209
  • Karma: +8/-0
    • View Profile
Re: Allow access to Apple IPs?
« Reply #4 on: December 13, 2017, 11:48:23 am »
Thanks.../32 being the smallest is clear.

Grimson - thanks for the link....I have better understanding. Good info but need to read it a few more times to get my head around it! Really appreciate the resource!

JKnott - I think the address spoofing concern is making me rethink my rule. I am still cool with Apple but not that cool as to trust all their IPs(My thoughts were a broader whitelist approach with out typing individual IP's), especially with the "spoofing" risk. No I don't plan to have them log into my system, nor want them to log into my system (except for auto updates of my software).

Johnpoz - I am allowing access out on my LAN on port 80 and 443(I tightened the any/any default rule). I get a lot of noise on my log from 17.x.x.x traffic however it appears to be mostly port 123. I found a lot of these 17.x.x.x addresses were in Asia, but changed my "Timeservers" in System -> General to my local pool...following a link you had shared prior(http://www.pool.ntp.org/en/).

Still not sure why I need to allow port 123 or ICMP on my network today to anyone....everything is working fine. Why allow when I don't need to?


Where I was going with this is originally was other ports going to 17.x.x.x IP's:

I found this traffic to 17.x.x.x that I am unclear off.

When I "google" something from my Safari on an iPad, access is allowed to:
17.253.25.205:443(Destination)      TCP:SEC - This was allowed

and denied to:
17.249.72.246:5224(Destination)      TCP:S   -This was blocked

When I "Bing" something:
All 17.x.x.x:443 or 5224(Destination)                    Nothing is allowed? In fact I don't see logs for these ports.

I do see logs for these ports, when "Bing"ing
17.173.254.223:16386(Destination)      UDP -This was blocked
17.173.254.222:16385(Destination)           UDP -This was blocked

My original thought was to create a rule with a "Destination" that allows 17.0.0.0/8(I think that is how I would have written it?) but I am now thinking this is not needed. Why share with Apple? Everything still works...

But why does Apple get traffic with my searches with Google(on port 443) and Bing(on any port) doesn't?

Any thoughts appreciated,
V

(FYI with Duckduckgo I get similar blocks as I do with "Bing" on 17.x.x.x. IPs....)

Offline NogBadTheBad

  • Sr. Member
  • ****
  • Posts: 436
  • Karma: +40/-0
    • View Profile
Re: Allow access to Apple IPs?
« Reply #5 on: December 13, 2017, 11:51:53 am »
IMO itís pointless trying to do this as Apple will use CDN servers that donít use Apple IP address space.

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1093
  • Karma: +43/-9
    • View Profile
Re: Allow access to Apple IPs?
« Reply #6 on: December 13, 2017, 11:56:02 am »
Quote
My original thought was to create a rule with a "Destination" that allows 17.0.0.0/8(I think that is how I would have written it?) but I am now thinking this is not needed. Why share with Apple? Everything still works...

Normal firewall operation allows all outgoing connections, so you'll be able to reach Apple without allowing 17.0.0.0 /8 in.

Offline bingo600

  • Full Member
  • ***
  • Posts: 155
  • Karma: +12/-0
    • View Profile
Re: Allow access to Apple IPs?
« Reply #7 on: December 13, 2017, 12:44:35 pm »
IMO itís pointless trying to do this as Apple will use CDN servers that donít use Apple IP address space.

+1

It's a "moving target"

/Bingo
pfSense 2.4.2-p1

QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U
Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211
Disk  : 240G Toshiba Sata SSD

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14842
  • Karma: +1377/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Allow access to Apple IPs?
« Reply #8 on: December 13, 2017, 12:54:56 pm »
Port 5224 is Plesk license updates (outgoing connections only).. Do you run that on your network?  Also listed as HP vm console port, etc.

udp 123 would be anything setting time.. A lot of apple devices will point to apple for time hard coded.. Many things could have ntp coded... My freaking smart lightbulds like to got to uk.pool.ntp.org etc.. Even when I hand out local ntp server via dhcp.. They don't care they are hard coded - and Im in the US.. So I juts redirect that fqdn to my local ntp server IP via host override.   As to icmp - again many things might ping something out on the net to see if they have internet access..

In your home network seems pointless to not allow outbound for devices you trust to run on your network.  If your curious or paranoid then log it and look into what the traffic is..  I log all my iot devices outbound access.. They normally do dns queries to hard coded 8.8.8.8 for example, they phone home to amazon CDN on https, etc.  If I saw them sending traffic to china might be a bit perplexed and look into that for sure. 

Your 16385-6 is Apple FaceTime, Apple Game Center (RTP/RTCP)

Trying to block ports is going to turn into a wack a mole game.. Oh shit this doesn't work, open that.. Oh shit that doesn't work open this.. Oh why do my iot devices not work on the schedule I set - well shit I was blocking them from setting time, etc. etc.
« Last Edit: December 13, 2017, 12:59:36 pm by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)