Sorry if this is a dupe thread.

I have a script that automatically adds published Cloudflare IP addresses from Here to a ufw ALLOW rule.
This works well and doesn’t appear to be causing any issues with traffic to my website, but checking the ufw logs, I can see some Cloudflare IP addresses being blocked, as they’re not on the published IP range list. For example, and get blocked by UFW, but don’t appear to be on the published IP address list.

Am I being really thick here? Is there something I’m missing? Should I be allowing these IP address ranges?

Any pointers would be appreciated!


These addresses are in the list.

Thanks for that. Is there something wrong with my script for adding the IP addresses?


#!/usr/bin/env bash
# Fetch the published IPv4 and IPv6 range lists (the two list URLs were
# lost from the post as quoted here; substitute them for the placeholders)
ranges="$(curl -s "<IPV4_LIST_URL>")"
ranges+=$'\n'   # command substitution strips the trailing newline, so put one back before appending the IPv6 list
ranges+="$(curl -s "<IPV6_LIST_URL>")"
sudo -v

for ip in $ranges; do
  printf "Adding %s to whitelist...\n" "$ip"
  sudo ufw allow proto tcp from "$ip" to any port 443 > /dev/null
done
sudo ufw status numbered


You seem to add the addresses as actual addresses when you should use them as ranges instead.

ufw seems to have added them properly though.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW
443/tcp                    ALLOW       2400:cb00::/32
443/tcp                    ALLOW       2606:4700::/32
443/tcp                    ALLOW       2803:f800::/32
443/tcp                    ALLOW       2405:b500::/32
443/tcp                    ALLOW       2405:8100::/32
443/tcp                    ALLOW       2a06:98c0::/29
443/tcp                    ALLOW       2c0f:f248::/32

And for example is covered here

You might need to check your network configuration as to why it is blocked, but the addresses are correct and the script seems to work too.

Thanks for that. Where do you suggest I start checking?
Is there anything that stands out in the ufw log?

Feb  4 21:27:46 hostname kernel: [ 3433.831104] [UFW BLOCK] IN=eth0 OUT= MAC=Redacted SRC= DST=Redacted LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=33096 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
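One way to start checking, added here as an example and not code from this thread: a small Python script (Python rather than the poster's shell) that parses [UFW BLOCK] lines like the one above and tests the SRC address against the published range list. The range list and the two log lines are constructed: the IPv6 prefixes are the ones from the ufw status output earlier in the thread, the IPv4 entries are RFC 5737 documentation addresses, and the SRC= fields are filled in because the post redacts them. It also shows the check a script that feeds a downloaded list into sudo ufw should do before its loop: only lines that parse as a network prefix go through, so a truncated or unexpected response never becomes a firewall rule. Besides the address test it reports the TCP flags, since a bare RST like the one in the log line above is not a new-connection request (no SYN), which is worth knowing before suspecting the ALLOW rules.

```python
import ipaddress
import re

# Constructed sample of a fetched range list. The IPv6 prefixes are the ones
# shown in the ufw status output in this thread; the IPv4 prefix is an RFC 5737
# documentation range standing in for the real list. The last two lines are
# deliberately bad input to show what the filter drops.
SAMPLE_RANGE_LIST = """2400:cb00::/32
2606:4700::/32
2a06:98c0::/29
198.51.100.0/24
not-an-address
198.51.100.0/24; rm -rf /
"""

# Constructed log lines in the format of the one quoted in the thread, with
# the redacted SRC= field filled in (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Feb  4 21:27:46 hostname kernel: [ 3433.831104] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=Redacted SRC=2400:cb00::1 DST=Redacted LEN=40 TOS=0x00 PREC=0x00 TTL=55 "
    "ID=0 DF PROTO=TCP SPT=33096 DPT=443 WINDOW=0 RES=0x00 RST URGP=0",
    "Feb  4 21:28:01 hostname kernel: [ 3448.120000] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=Redacted SRC=203.0.113.7 DST=Redacted LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=12345 DF PROTO=TCP SPT=44112 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]

UFW_BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_ranges(text):
    """Return only the lines that parse as proper network prefixes.

    Everything else is dropped, so nothing but a valid CIDR can reach a
    'sudo ufw allow ... from <prefix>' command built from the list.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True also rejects prefixes with host bits set (e.g. 10.0.0.1/8)
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            continue
    return nets


def parse_ufw_block(line):
    """Split a '[UFW BLOCK]' kernel log line into its KEY=VALUE fields.

    Bare TCP flag tokens (SYN, RST, ...) are collected under 'FLAGS'.
    Returns None when the line is not a UFW BLOCK line.
    """
    m = UFW_BLOCK_RE.search(line)
    if not m:
        return None
    fields = {"FLAGS": set()}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            fields["FLAGS"].add(token)
    return fields


def classify_block(line, ranges):
    """Report whether a blocked packet came from a published range and
    whether it was a new-connection attempt (SYN without ACK) at all."""
    f = parse_ufw_block(line)
    if f is None or not f.get("SRC"):
        return {"parsed": False}
    src = ipaddress.ip_address(f["SRC"])
    # An address of one IP version is never 'in' a network of the other,
    # so mixing v4 and v6 prefixes in one list is fine here.
    in_range = any(src in net for net in ranges)
    flags = f["FLAGS"]
    return {
        "parsed": True,
        "src": str(src),
        "dpt": f.get("DPT"),
        "in_published_range": in_range,
        "is_new_connection": "SYN" in flags and "ACK" not in flags,
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGE_LIST)
    print(f"{len(nets)} usable prefixes out of "
          f"{len(SAMPLE_RANGE_LIST.splitlines())} lines")
    for entry in SAMPLE_LOG:
        print(classify_block(entry, nets))
```

Run against the real log, feed the output of the list download to parse_ranges and the lines of /var/log/ufw.log to classify_block; a blocked packet that is inside a published range but carries no SYN is a different question from one that is a SYN from an address the list does not cover.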

Maybe your order is wrong, but server administration is beyond the scope of the forum I am afraid. StackExchange might help here.

What do you mean by order?

Order of IP addresses in your configuration. You essentially need to find out what exactly blocks it, but that’s really off-topic for here as that is a server issue and not Cloudflare related :slight_smile:

Alright, thanks for the help. What actually happens when these IP addresses are blocked? As far as I know, my users don’t get affected by it. Does the traffic get rerouted?

Visitors coming via datacentres using that IP address will get an error message. One of the famous 500s.

That’s because the Cloudflare proxies won’t be able to connect.
