IP address for debian.org and debian.net

2

We are enforcing a strict firewall policy at my firm and are whitelisting addresses on the internet.

My issue is this: I need to get a list of IPs (or at least a subnet) for standard Debian update packages (cdn.debian.net and security.debian.org), since my firewall won't enable DNS-based rules.

Since debian.net and debian.org are high traffic websites, their IPs change from one request to another and I can't find a way to narrow the range.

When this is settled, I will need to determine which ports are used for apt-get. I would assume that HTTP on port 80 is used; if that is wrong, please tell me and, if able, point me to a resource about it.

Thanks in advance.

/etc/apt/sources.list:

deb http://cdn.debian.net/debian/ wheezy main
deb-src http://cdn.debian.net/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
deb http://cdn.debian.net/debian/ wheezy-updates main
deb-src http://cdn.debian.net/debian/ wheezy-updates main

I then opened my Ruby console:

require 'socket'

# Resolve the name 100 times; each call returns a single address,
# so repeated calls are needed to see the rotating answers.
100.times do
  p IPSocket.getaddress('debian.net')
end

getting 3 different results:

200.17.202.197
128.31.0.62
140.211.15.34

Same for debian.org, also getting three results:

140.211.15.34
5.153.231.4
200.17.202.197

This makes me create at least 4 output rules on my firewall if I want my apt-get to be happy. This raises the question of which IP range I need to open: could it be that my test did not spot an IP that is in use? Is there any way to be sure of it? Do these IPs change at any given time?

floum

Posted 2015-04-02T09:05:41.587

Reputation: 121
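One way to turn the sources.list above into the host/port pairs apt actually connects to and then gather every rotating A record for each host, as an added Ruby example that is not part of the original post. It assumes the default ports follow the URI scheme (80 for http, 443 for https), uses Resolv::DNS instead of IPSocket.getaddress because Resolv returns all records of one answer at once, and takes the resolver as a parameter so the logic can be exercised offline with a stub; the sources.list content is copied from the question.

```ruby
require 'resolv'
require 'set'
require 'uri'

# sources.list content copied from the question (constructed input for this example).
SOURCES_LIST = <<~EOS
  deb http://cdn.debian.net/debian/ wheezy main
  deb-src http://cdn.debian.net/debian/ wheezy main
  deb http://security.debian.org/ wheezy/updates main
  deb-src http://security.debian.org/ wheezy/updates main
  deb http://cdn.debian.net/debian/ wheezy-updates main
  deb-src http://cdn.debian.net/debian/ wheezy-updates main
EOS

# Unique [host, port] pairs apt will connect to. The port comes from the URI,
# falling back to the scheme default (80 for http, 443 for https).
def apt_endpoints(sources)
  sources.each_line.with_object(Set.new) do |line, acc|
    fields = line.strip.split
    next unless %w[deb deb-src].include?(fields[0])
    uri = URI.parse(fields[1])
    next unless %w[http https].include?(uri.scheme)
    acc << [uri.host, uri.port]
  end
end

# All A records seen for a host. Unlike IPSocket.getaddress, Resolv returns every
# record in one answer; the lookup is still repeated because a CDN may hand out
# a different subset per query. The resolver is injectable (assumed stub-able) for offline use.
def collect_addresses(host, rounds: 10, resolver: Resolv::DNS.new)
  rounds.times.with_object(Set.new) do |_, acc|
    resolver.getaddresses(host).each { |addr| acc << addr.to_s }
  end
end

# One "ip tcp/port" line per destination, the granularity a firewall rule needs.
def egress_entries(sources, resolver: Resolv::DNS.new)
  apt_endpoints(sources).flat_map do |host, port|
    collect_addresses(host, resolver: resolver).sort.map { |ip| "#{ip} tcp/#{port}" }
  end.uniq
end
```

The merged set is still only a snapshot: CDN records change over time, so the list has to be regenerated and diffed periodically, which is the maintenance burden the proxy-with-hostname-ACL suggestion in the comments avoids.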

Hi @floum, welcome to SU. We are much more likely to help you out if you can tell us what you've tried, do you have any ideas? – CallumDA – 2015-04-02T10:57:50.660

The original post was edited. I hope that clears things up. – floum – 2015-04-02T12:20:50.593

A better way of approaching this is to force all HTTP/HTTPS traffic to use a Squid proxy. You can then use domain names / hostnames in Squid ACLs to lock down access to the outside world. Otherwise you'll forever be editing IP addresses in your firewall config, trust me. – wurtel – 2015-04-02T13:00:41.240

No answers