Cloudflare IPv4 Ranges - How to add them with a hard firewall rule limit

Hi
Apologies for the confusing title, I’ll explain my question better below.
I host on a provider that has a firewall control panel on their network so you can control the traffic coming to your network before it actually reaches your hardware.

Unfortunately, they only support a maximum of 10 firewall rules. I’ve contacted them, and there’s no way to increase this limit. Cloudflare has more than 10 IPv4 ranges, and I know only allowing some of the ranges is going to cut off a huge amount of my users. Is there any way I can “fit” all of the Cloudflare IP addresses into 10 rules?

Thanks

Not really; the best you could do is collapse some ranges into a larger range, but that would also allow access to non-Cloudflare blocks. The following would be an example of that:

103.16.0.0/12
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.0.0.0/7
188.114.96.0/20
190.93.240.0/20
196.0.0.0/6

But that would completely leave out IPv6 as well.

I assume your provider won’t allow you to filter by ASN. If that was the case you could simply whitelist 13335 instead.
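An added example (my own script, not from this thread or from Cloudflare) that does the collapsing described above mechanically: it repeatedly merges the pair of prefixes with the smallest common supernet until the rule count fits, and reports how many non-listed addresses the merged allowlist admits, so you can judge what a given limit costs. The prefix list is a sample embedded for illustration; the authoritative list is published at https://www.cloudflare.com/ips-v4.

```python
import ipaddress
from itertools import combinations

# Sample prefixes embedded for illustration (shaped like Cloudflare's published
# list; fetch the live list from https://www.cloudflare.com/ips-v4 for real use).
SAMPLE_PREFIXES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]


def smallest_supernet(a, b):
    """Return the smallest prefix that contains both networks a and b."""
    net = a
    while not net.supernet_of(b):
        net = net.supernet()
    return net


def collapse_to_limit(prefixes, limit):
    """Greedily merge prefixes until at most `limit` rules remain.

    Each round merges the pair whose common supernet is smallest, i.e. the
    merge admitting the fewest unlisted addresses. Returns (rules, extra),
    where extra is how many allowed addresses were not in the input.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    wanted = sum(n.num_addresses for n in nets)
    while len(nets) > limit:
        a, b = min(combinations(nets, 2),
                   key=lambda pair: smallest_supernet(*pair).num_addresses)
        merged = [n for n in nets if n not in (a, b)] + [smallest_supernet(a, b)]
        nets = list(ipaddress.collapse_addresses(merged))  # absorb anything now nested
    return nets, sum(n.num_addresses for n in nets) - wanted


def uncovered(rules, prefixes):
    """Return input prefixes that no rule covers (must be empty for a valid allowlist)."""
    return [p for p in prefixes
            if not any(r.supernet_of(ipaddress.ip_network(p)) for r in rules)]


if __name__ == "__main__":
    rules, extra = collapse_to_limit(SAMPLE_PREFIXES, 10)
    print("\n".join(str(r) for r in rules))
    print(f"{len(rules)} rules; {extra:,} addresses admitted beyond the list")
```

The "extra" figure is the address space you would still need to filter on the host firewall (or accept as exposure); a lower limit drives it up quickly.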

Thanks for that!
They don’t support v6 filtering, nor ASN unfortunately.

In that case you could try that list, but again, that will accept more than just Cloudflare.


Use Argo Tunnels or a worker with a secret header instead.


Don’t I have to pay for that?

Not sure, but IIRC Argo Tunnels can be added to the Free plan. Workers are also free as long as you stay within the free limits.

The tunnel would definitely be the cleaner solution, but it would require a software installation on the server and that you close off the entire machine. Would you have that access?

Argo Tunnels certainly seem like they would solve my issues. I have root access and my server is dedicated, so installation technically wouldn’t be an issue. Not sure I’ll be able to download cloudflared, as the DDoS attack I’m currently under is a bit too much for my NIC.

Regardless, I’ll read the Argo docs and see if it would work for me. If I have to pay per GB or similar, it’s not going to be very cost effective, as I push ~2TB of traffic per month, with more now that I’m being DDoS’d hourly.

Cheers

Edit: Yep, looks like it’s priced per GB

In that case the tunnel might be the cleaner alternative as you wouldn’t need to combine IP ranges but could simply reverse the connection strategy and have your machine connect to Cloudflare instead.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps should have all the details on that.

I would agree, however I can’t really justify the $200+ it would cost me to run. Maybe some other VPN solution could help me here.

You could always use a Worker too and add a secret in the request header. Though that will also be paid if you exceed the free limit.

Or otherwise you could have the combined addresses from earlier on your provider’s firewall and then narrow that down to the actual addresses on your system’s firewall.

I think even with workers I’d be paying quite a bit 😛

The current setup is the hosting provider’s firewall + iptables on my origin. So far it’s not improved my situation at all, but part of me thinks my hosting provider’s network is also having difficulties due to the volume of traffic.

That might very well be if you have already blocked it on your system’s firewall as well as on the provider’s firewall. Though the machine itself should work fine now and not receive non-Cloudflare requests anymore. If it still does, there’s something wrong with the configuration.

I don’t think there’s anything wrong with my configuration; I know my origin iptables setup works fine. It’s hard to really tell, as with the hosting provider’s firewall disabled, visitors see 525 errors, and with the firewall enabled, they also only see 525 errors. (And yeah, all my TLS certs are valid; my setup has worked fine this month aside from when my origin IP was discovered.)

525 would indicate issues with the SSL connection but that you seem to know already. Maybe unblock your own IP address in the firewall and use the hosts file to connect directly to verify the SSL setup.

I understand your server is currently experiencing a denial of service, right?

Yeah, been under DDoS for over 24 hours now at ~1GB per second.

What kind of? Do the connections actually reach your server or are they blocked on a network level?

They flood my NIC, so legitimate requests timeout or fail altogether.

That would indicate your provider’s firewall actually does not filter them. At this point you’d probably best talk to your host.

When my host’s firewall is enabled, my NIC statistics return to “normal”, but traffic still fails and users can’t connect. That’s why I thought it might have been issues within the datacenter’s network causing issues.

Some users can connect, but not many, and they see frequent connection errors, 522 and 525 primarily. To me this shows that the host firewall does sort of work, but congestion on their network is still preventing legitimate requests from coming in. Hope that makes sense.

This is without the firewall enabled on my hosting provider.