I want to protect some of our services using cloudflare.
The origin servers have only an option to configure 10 static firewall rules.
Allowing all the public IP addresses of Cloudflare to access our origin servers will not be an option. Is it possible to know a limited list of those IP addresses if we only want to use the European addresses of Cloudflare?
Sounds like Hetzner Robot Firewall to me, which is stateless for dedicated servers, while stateful for Cloud servers.
If this is the case with your too … or anyone else might wonder and/or ask in the future, may I add a note for it below:
I would suggest choosing ports needed for your origin host/server - you can enter up to 3 with comma delimiter per one rule or a port range if using FTP.
do not forget to allow ICMP and TCP range 32768-65535 with ack, therefore if issues, a caveat is to allow TCP on all ports (not writing any in the input field)
in terms of an FTP, set up your pure-ftpd (or some other) to use passive port range from like 40110-40210 and allow this range too with one rule
Therefore, use IPTABLES at the origin host/server to allow Cloudflare IP addresses (just to make sure, do not forget to save).
Nevertheless, if not familiar with iptables, despite “allowing all ports on the Hetzner”, I would suggest installing and using UFW to close all default incoming / allow default outgoing + allow the needed ports (for TCP or UDP, or even use UFW to allow the IP ranges for Cloudflare).
As long as their firewall does not remember connections, so if using etckeeper to save/commit/push changes in the /etc/ to your Gitlab/Github, it would fail.
In that case, I would suggest adding 2 rules including IP address (CIDR notation) like 184.108.40.206/32 one for “source IP” and one for “destination IP”, protocol * and “accept”.
In total, even I am using ports supported & compatible with Cloudflare proxy for control panel dashboards, etc., I am using 9 rules active + 1 more spare rule and 2 rules where I could add two more additional ports (defined by the delimiter comma - up to 3 ports per rule).
if I would want to use even an e-mail service, I would add the needed ports for it too, and possibly remove the rule with allow tcp on all ports as I am not sure if “apt-update / apt-upgrade” would work or fail then because of being removed …
Not the best scenario, sounds complicated/complex to manage and even non-sense a bit, but works fine at least for me while using it even in combination with Imunify360 installed on the server and all websites are behind Cloudflare.
a caveat here is also that the same server is used for multiple services … so it cannot be secured and locked completely only by using one method that way …