Allowing only required CloudFlare IP addresses instead of while CIDR ranges

paul.cheon · September 3, 2019, 4:57pm

Hi, CloudFlare community

We’d like to configure our Firewall to allow traffics hitting our production servers only coming from CloudFlare

From here, https://www.cloudflare.com/ips/

I need to whitelist very big CIDR ranges. My manager has concern whether we should really allow these big ranges?

Currently, we are using CloudFlare DNS, WAF, SSL services

Can we narrow down the CloudFlare IP address ranges further?

Do we absolutely need to allow the entire CIDR ranges from the list? Or we can allow only 6~10 IP addresses only?

Thanks

sandro · September 3, 2019, 5:01pm

It might be possible to narrow it down (though, support should be your point of contact in this case) but you will also run the risk of having to “constantly” update the list when addresses change and I guess they can change at any time within the mentioned ranges.

sdayman · September 3, 2019, 5:38pm

I believe that Cloudflare owns those blocks. So if you whitelist those, only Cloudflare will get in. Any more restrictive and you risk visitors not being able to reach your sites.

As @sandro said, Support can probably give you a better answer, but I doubt they’ll recommend anything more restrictive than what’s listed.

paul.cheon · September 3, 2019, 5:56pm

Thanks, all
I will contact CloudFlare support then

Judge · September 4, 2019, 5:25am

Another alternative you can look into is

This method is based on verification of the TLS Client Certificate CF presents when making a HTTPS connection with your site, your web server can be set up to deny all requests that don’t present this specific certificate.

system · October 4, 2019, 5:38am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.