I’ve currently got a very restrictive setup on my firewall, and I notice that it blocks a lot of Cloudflare ASN traffic, as well as DigitalOcean etc. I don’t really know what these Cloudflare access requests refer to and can’t find that info so far online, but other than the odd HEAD request being rejected by a watchtower container, I can’t see any other issues with it. Is there something I’m missing, where this firewall restriction could cause a bigger problem?
Alternatively, is there a catchall firewall rule I can implement to allow Cloudflare access?
Sorry one more question if you don’t mind - rather than add all the IPs, does it make sense to add the Cloudflare ASN to the exception list instead, which would then (supposedly?) catch all the IPs?
Yes, you could do that. However, keep in mind that Cloudflare’s ASN (i.e. the IP blocks it was granted via one of the 5 roots, in case others read this who may not know what an ASN is, & I’m guessing it was APNIC) has contracts in place with other ASNs which allow network traffic from (x) ASN into Cloudflare’s ASN & vice versa. Hetzner has to be one of them (per my firewall logs) & DigitalOcean definitely is. Hetzner has a poor reputation due to those traversing (& coming from) it into other ASNs (again, per my firewall logs but also via sites such as https://urlhaus.com/ , https://abuse.ch/ , & https://abuseipdb.com ). If a locked down security posture is what you’re after, I’d look into using ASN/IP/UA banning. Just be sure if you use IPs to check with https://abuseipdb.com if it’s actually an active malicious actor before banning IPs, as anyone can use practically any IP they want through means such as VPNs & Tor, both of which may trigger false alarms due to IP reuse. So, that’s my take on it. Allow Cloudflare’s IPs & use ASN/IP/UA banning when appropriate. I have multiple ASNs banned.
Cloudflare uses IP addresses for a variety of purposes. The list at IP Ranges is for website owners to restrict access to traffic proxied for their domain. Opening up the entire ASN owned by Cloudflare wouldn’t be my recommendation, as that represents a security risk: direct IP access without transiting the security settings you have in place.
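To make the distinction in the reply above concrete, here is an added example (not from this thread, and not Cloudflare's own tooling) that allowlists only a published set of proxy ranges rather than a whole ASN, checks blocked firewall log entries against that list, and renders the list as nftables set elements. The ranges and log lines are constructed placeholders, and the `src=... dst_port=... action=...` log format is an assumption.

```python
import ipaddress

# Constructed sample ranges standing in for the published "IP Ranges" list;
# in practice, fetch the current list from Cloudflare instead of hard-coding it.
SAMPLE_PROXY_RANGES = [
    "198.51.100.0/24",   # constructed (TEST-NET-2)
    "203.0.113.0/25",    # constructed (TEST-NET-3, only the lower half of the /24)
    "2001:db8:1::/48",   # constructed (IPv6 documentation prefix)
]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
src=198.51.100.7 dst_port=443 action=drop
src=203.0.113.200 dst_port=443 action=drop
src=203.0.113.9 dst_port=22 action=drop
src=192.0.2.44 dst_port=443 action=drop
src=2001:db8:1::10 dst_port=443 action=drop
"""

def parse_ranges(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects host bits."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def classify(log_text, cidrs, service_ports=(80, 443)):
    """Split log lines into sources the proxy allowlist would admit and sources it
    would still block. A source is admitted only if it sits inside a listed range
    AND targets an origin service port; an IP from the same ASN but outside the
    list, or a listed IP hitting e.g. SSH, stays blocked."""
    nets = parse_ranges(cidrs)
    allowed, still_blocked = [], []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        src = ipaddress.ip_address(fields["src"])
        port = int(fields["dst_port"])
        in_list = any(src in n for n in nets)  # mixed v4/v6 comparisons are False
        (allowed if in_list and port in service_ports else still_blocked).append(str(src))
    return allowed, still_blocked

def nft_set_elements(cidrs):
    """Render the allowlist as nftables set elements, split by address family."""
    nets = parse_ranges(cidrs)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    return {"cf_v4": "elements = { %s }" % ", ".join(v4),
            "cf_v6": "elements = { %s }" % ", ".join(v6)}
```

Running `classify(SAMPLE_LOG, SAMPLE_PROXY_RANGES)` admits only the two sources inside the listed ranges on 443; the 203.0.113.200 entry stays blocked even though its /24 neighbour is listed, which is the narrower behaviour you lose by allowlisting a whole ASN.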
Thank you. I start from a position of ‘ban everything’ and work back from there normally, which is why I’ve been getting a lot of blocked access attempts from Cloudflare and DigitalOcean as well. I didn’t know that about the ASN vulnerabilities; thanks for taking the time to explain it. It also helps me understand the DigitalOcean access attempts.