Hi,
we can use the SPF entry in DNS. It is used by mail servers to know who is allowed to send mail for a particular domain. Usually, companies put their full range of IPs in it. Ok, you may find one exception; in that case forget this tip :-)
The request in general is:
dig txt logmein.com
; <<>> DiG 9.7.3 <<>> txt logmein.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;logmein.com. IN TXT
;; ANSWER SECTION:
logmein.com. 3600 IN TXT "v=spf1 " "mx:3amlabs.com ip4:82.150.61.82 ip4:63.251.133.64/27 ip4:77.242.192.1 ip4:69.25.20.1 ip4:74.201.74.1 ip4:173.48.77.106 ip4:195.56.119.18 ip4:67.20.183.208/28 " "ip4:216.52.233.0/24 ip4:64.94.18.0/24 ip4:64.94.46.1 ip4:74.112.65.204 ip4:74.112.65.210 ip4:72.22.169.96/27 ip4:207.106.191.64/26 ip4:67.208.179.240/28 include:salesforce.com -all"
;; Query time: 116 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:04:16 2013
;; MSG SIZE rcvd: 389
For google in particular, it is:
dig TXT _netblocks.google.com
; <<>> DiG 9.7.3 <<>> TXT _netblocks.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65120
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_netblocks.google.com. IN TXT
;; ANSWER SECTION:
_netblocks.google.com. 3583 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
;; Query time: 20 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 15:59:19 2013
;; MSG SIZE rcvd: 254
Found using:
dig txt google.com
; <<>> DiG 9.7.3 <<>> txt google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21752
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN TXT
;; ANSWER SECTION:
google.com. 2465 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
;; Query time: 1 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:08:26 2013
;; MSG SIZE rcvd: 116
Then:
dig txt _spf.google.com
; <<>> DiG 9.7.3 <<>> txt _spf.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42788
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_spf.google.com. IN TXT
;; ANSWER SECTION:
_spf.google.com. 183 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all"
;; Query time: 0 msec
;; SERVER: 172.16.165.248#53(172.16.165.248)
;; WHEN: Tue Feb 26 16:08:58 2013
;; MSG SIZE rcvd: 149
So, you'll find the _netblocks.google.com record.
And then you can put all the netblocks in a group, and then use that group in a firewall policy to allow/disallow/do what you want with the packets from/to those networks.
That's all folks!
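Added example (not part of the post above): a small Python walker that does by hand what the chain of dig commands does, following include: and redirect= from the top record down to the ip4:/ip6: netblocks, so the result can be fed to an address group. It uses the TXT records copied from the dig output above as an offline stand-in for DNS (the _netblocks2/_netblocks3 records are not in the post, so they are deliberately left missing to show how the walker reports gaps). It also enforces the RFC 7208 limit of 10 DNS-lookup terms, refuses include loops, and keeps terms that need a live lookup (a, mx, ptr, exists) or a non-pass qualifier out of the allow list, since a firewall group built from them would be wrong. The record dictionary, the function names and the MAX_DNS_LOOKUPS constant are this example's own assumptions.

```python
import ipaddress

# Constructed offline stand-in for DNS. Values are the TXT records shown in the
# dig output above, joined into one string (dig prints long records as several
# quoted fragments that a resolver concatenates).
TXT_RECORDS = {
    "google.com": "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ?all",
    "_netblocks.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
                             "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
                             "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all",
    # _netblocks2.google.com / _netblocks3.google.com: not shown in the post, left missing on purpose.
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: more than 10 include/a/mx/ptr/exists/redirect terms is a permerror


class SpfError(Exception):
    """Raised for records a receiving MTA would treat as permerror (loop, lookup limit, bad syntax)."""


def parse_spf_terms(record):
    """Split a v=spf1 record into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise SpfError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:            # modifier, e.g. redirect=example.net
            name, arg = term.split("=", 1)
        elif ":" in term:          # mechanism with argument, e.g. ip4:10.0.0.0/8
            name, arg = term.split(":", 1)
        else:                      # bare mechanism, e.g. all, a, mx
            name, arg = term, ""
        terms.append((qualifier, name.lower(), arg))
    return terms


def _walk(domain, records, networks, unresolved, state, max_lookups):
    """Recursive part of collect_spf_networks; returns the qualifier of the 'all' term reached."""
    domain = domain.lower()
    if domain in state["seen"]:
        raise SpfError("include/redirect loop at %s" % domain)
    state["seen"].add(domain)
    record = records.get(domain)
    if record is None:
        unresolved.append("missing:" + domain)   # would need a real DNS query (or the record is absent)
        return None
    final, redirect_to = None, None
    for qualifier, name, arg in parse_spf_terms(record):
        if name in ("ip4", "ip6"):
            if qualifier == "+":
                networks.add(ipaddress.ip_network(arg, strict=False))
            else:                                  # -ip4/~ip4/?ip4 does not grant pass; not an allow entry
                unresolved.append(qualifier + name + ":" + arg)
        elif name in ("include", "redirect", "a", "mx", "ptr", "exists"):
            state["lookups"] += 1
            if state["lookups"] > max_lookups:
                raise SpfError("more than %d DNS lookups needed; receivers would permerror" % max_lookups)
            if name == "include":
                _walk(arg, records, networks, unresolved, state, max_lookups)  # include's own 'all' is ignored
            elif name == "redirect":
                redirect_to = arg
            else:                                  # a/mx/ptr/exists need live lookups; report, do not guess
                unresolved.append(qualifier + name + (":" + arg if arg else ""))
        elif name == "all":
            final = qualifier
            break                                  # nothing after 'all' is ever evaluated
    if final is None and redirect_to:              # redirect= only applies when no 'all' was reached
        final = _walk(redirect_to, records, networks, unresolved, state, max_lookups)
    return final


def collect_spf_networks(domain, records, max_lookups=MAX_DNS_LOOKUPS):
    """Return (sorted networks granting pass, unresolved terms, qualifier of the top-level 'all')."""
    networks, unresolved = set(), []
    state = {"lookups": 0, "seen": set()}
    final = _walk(domain, records, networks, unresolved, state, max_lookups)
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, unresolved, final


def as_address_group(networks):
    """Collapse adjacent/contained IPv4 prefixes into the minimal list for a firewall address group."""
    v4 = [n for n in networks if n.version == 4]
    return [str(n) for n in ipaddress.collapse_addresses(v4)]


if __name__ == "__main__":
    nets, todo, final = collect_spf_networks("google.com", TXT_RECORDS)
    print("final qualifier for 'all':", final)
    print("address group:", as_address_group(nets))
    print("needs attention:", todo)
```

The "needs attention" list is the part worth reading before trusting the group: a missing include or an mx: term (like the mx:3amlabs.com in the logmein.com record above) means the real sender set is larger than what the ip4: terms show, and a ~all or ?all at the top means the domain owner is not asserting the list is complete anyway.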