
firebase – Android FCM – What are the IPs and Ports for firewall?

Posted by: admin June 15, 2020

Question:

Our server in a confined environment needs to push notifications out to devices installed with our apps. We tried our push client on an open environment and it worked. However, when moved to our server, there are network errors due to firewall blockage.

Based on google documents:

If your organization has a firewall that restricts the traffic to or
from the Internet, you need to configure it to allow connectivity with
FCM in order for your Firebase Cloud Messaging client apps to receive
messages. The ports to open are: 5228, 5229, and 5230. FCM typically
only uses 5228, but it sometimes uses 5229 and 5230. FCM doesn’t
provide specific IPs, so you should allow your firewall to accept
outgoing connections to all IP addresses contained in the IP blocks
listed in Google’s ASN of 15169.

However, we are actually pushing using the HTTP protocol with the following URL:

https://fcm.googleapis.com/fcm/send

Does that mean the port to open is now 443 instead of 5228?

Also, we will need to configure the host as well, because the security team does not allow us to connect to the domain. From the paragraph above, all IP addresses are in the ASN 15169, and I had only managed to find a list here.

Can anyone with experience with this give a pointer? Thank you.

Answers:

Does that mean the port to open is now 443 instead of 5228?

To receive messages

You should open 5228, 5229 and 5230 as per the documentation.

To send messages

FCM doesn’t provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date impacting your users’ experience.
Ideally, you will whitelist ports 5228-5230 with no IP restrictions.

However, if you must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google’s ASN of 15169. This is a large list and you should plan to update your rules monthly.

Answer:

In addition to Darish’s answer, Google does not recommend whitelisting IPs nor URLs:

For outgoing connections, FCM doesn’t provide specific IPs because our
IP range changes too frequently and your firewall rules could get out
of date impacting your users’ experience. Ideally, you will whitelist
ports 5228-5230 with no IP restrictions. However, if you must have an
IP restriction, you should whitelist all of the IP addresses in the
IPv4 and IPv6 blocks listed in Google’s ASN of 15169. This is a large
list and you should plan to update your rules monthly. Problems caused
by firewall IP restrictions are often intermittent and difficult to
diagnose.

You can find information about Google’s IP addresses here (Google help page) or here (ipinfo.io).

You can also try these commands (from first link above, translated from netstat to dig):

dig @8.8.8.8 _spf.google.com TXT
dig @8.8.8.8 _netblocks.google.com TXT
dig @8.8.8.8 _netblocks2.google.com TXT
dig @8.8.8.8 _netblocks3.google.com TXT

The first command gets you the SPF record for Google mail servers (which is all the IPs they own). That leads you to the _netblockN.google.com TXT records which give you all the IP ranges. My queries just now yielded these results:

_netblocks.google.com.  3599    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
_netblocks2.google.com. 3599    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
_netblocks3.google.com. 3599    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

You could parse those TXT records and use the resulting IP ranges for your firewall rules. However, Google does recommend updating your rules monthly.
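As an added example (not code from any answer on this page), the following Python script does what the last paragraph describes: it walks the SPF include chain, collects the ip4/ip6 blocks, checks whether a given address falls inside them, and renders outbound allow rules for the ports discussed above. DNS is replaced by an embedded table so it runs offline: the three _netblocks records are the ones quoted in the answer, while the content of the _spf.google.com record is an assumed include chain, not data from the page.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The three _netblocks records are the
# ones quoted in the answer; the _spf.google.com record is an assumed include chain.
TXT_RECORDS = {
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": (
        "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 "
        "ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"),
    "_netblocks2.google.com": (
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 "
        "ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"),
    "_netblocks3.google.com": (
        "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 "
        "ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 "
        "ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"),
}


def collect_spf_networks(domain, lookup=TXT_RECORDS.get, seen=None):
    """Walk an SPF record, following include: terms, and return its ip4/ip6 networks."""
    seen = set() if seen is None else seen
    if domain in seen:  # an include loop would otherwise recurse forever
        return []
    seen.add(domain)
    record = lookup(domain) or ""
    if not record.startswith("v=spf1"):  # missing or non-SPF TXT record
        return []
    nets = []
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(collect_spf_networks(term[8:], lookup, seen))
    return nets


def is_allowed(ip, nets):
    """True if ip falls inside one of the collected networks (address family aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, dports="443,5228:5230"):
    """One outbound allow rule per network, in iptables/ip6tables multiport syntax."""
    return [f"{'ip6tables' if n.version == 6 else 'iptables'} -A OUTPUT -p tcp "
            f"-d {n} -m multiport --dports {dports} -j ACCEPT" for n in nets]
```

SPF publishes the ranges Google sends mail from, so treat the result as a subset of ASN 15169 and regenerate the rules on the monthly schedule the answers mention.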