I want to protect some of our services using Cloudflare.
The origin servers have only an option to configure 10 static firewall rules.
Allowing all the public IP addresses of Cloudflare to access our origin servers will not be an option. Is it possible to know a limited list of those IP addresses if we only want to use the European addresses of Cloudflare?
Unfortunately that isn’t possible - we don’t publish that information and it is liable to change at any time as we provision new servers & new locations.
If this restriction is really immovable - you could close your firewall to incoming connections entirely and then use Cloudflare Tunnels:
This will make persistent, outbound connections to the Cloudflare edge and mean you won’t have to allow inbound connections from anyone.
Sounds like Hetzner Robot Firewall to me, which is stateless for dedicated servers, while stateful for Cloud servers.
If this is the case with yours too … or anyone else might wonder and/or ask in the future, may I add a note for it below:
I would suggest choosing ports needed for your origin host/server - you can enter up to 3 with comma delimiter per one rule or a port range if using FTP.
Do not forget to allow ICMP and the TCP range 32768-65535 with ack; therefore, if there are issues, a caveat is to allow TCP on all ports (by not writing anything in the input field).
In terms of FTP, set up your pure-ftpd (or some other server) to use a passive port range like 40110-40210 and allow this range too with one rule.
Therefore, use iptables at the origin host/server to allow Cloudflare IP addresses (just to make sure, do not forget to save).
Nevertheless, if not familiar with iptables, despite “allowing all ports on the Hetzner”, I would suggest installing and using UFW to close all default incoming / allow default outgoing + allow the needed ports (for TCP or UDP, or even use UFW to allow the IP ranges for Cloudflare).
As their firewall does not remember connections, if you are using etckeeper to save/commit/push changes in /etc/ to your GitLab/GitHub, it would fail.
In that case, I would suggest adding 2 rules including IP address (CIDR notation) like 1.2.3.4/32 one for “source IP” and one for “destination IP”, protocol * and “accept”.
In total, even though I am using ports supported & compatible with the Cloudflare proxy for control panel dashboards, etc., I am using 9 active rules + 1 more spare rule and 2 rules where I could add two more additional ports (defined by the comma delimiter - up to 3 ports per rule).
If I wanted to use even an e-mail service, I would add the needed ports for it too, and possibly remove the rule allowing TCP on all ports, as I am not sure whether “apt-update / apt-upgrade” would work or fail then because of its removal …
Not the best scenario, it sounds complicated/complex to manage and even a bit nonsense, but it works fine at least for me while using it even in combination with Imunify360 installed on the server and all websites behind Cloudflare.
A caveat here is also that the same server is used for multiple services … so it cannot be secured and locked completely by using only one method that way …
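As an added example that is not part of any post in this thread, the "allow only Cloudflare ranges to reach the proxied ports" approach described above, rendered as a POSIX sh function that prints the iptables commands instead of executing them (so the result can be reviewed before it is applied to a dedicated-server firewall). The CIDR list is a constructed sample, not Cloudflare's real list; the chain name CLOUDFLARE and the port list are assumptions.

```shell
#!/bin/sh
# Constructed sample of IPv4 ranges standing in for Cloudflare's published list.
# On a real host, replace this with the contents of https://www.cloudflare.com/ips-v4
# (and https://www.cloudflare.com/ips-v6 for an ip6tables variant); the list changes.
CF_RANGES_SAMPLE="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Ports on the origin that only the Cloudflare proxy should be able to reach (assumed).
ORIGIN_PORTS="80,443"

# Print the iptables commands that funnel ORIGIN_PORTS through a dedicated chain
# containing one ACCEPT per Cloudflare range and a final DROP. Keeping the ranges in
# their own chain lets you rebuild it atomically when the published list changes,
# instead of editing the INPUT chain rule by rule.
# $1: newline-separated CIDR list. Prints commands only; nothing is executed here.
render_cf_rules() {
  ranges="$1"
  printf 'iptables -N CLOUDFLARE 2>/dev/null\n'
  printf 'iptables -F CLOUDFLARE\n'
  echo "$ranges" | while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    # Crude sanity check: only digits, dots and a slash may reach the iptables command line.
    case "$cidr" in
      *[!0-9./]*|*/|/*) echo "skipping malformed range: $cidr" >&2; continue ;;
    esac
    printf 'iptables -A CLOUDFLARE -s %s -j ACCEPT\n' "$cidr"
  done
  # Anything on the proxied ports that is not from a listed range is dropped.
  printf 'iptables -A CLOUDFLARE -j DROP\n'
  printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j CLOUDFLARE\n' "$ORIGIN_PORTS"
}

# Number of ACCEPT entries the rendered rule set would contain (used for checking).
count_accept_rules() {
  render_cf_rules "$1" | grep -c -- '-j ACCEPT'
}

render_cf_rules "$CF_RANGES_SAMPLE"
```

ICMP and any other ports the origin needs (SSH from your own addresses, the FTP passive range mentioned above) still need their own rules; this chain only governs the proxied ports.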