Sunday, February 5, 2023

Cloudflare IPs list

For proper protection behind the Cloudflare CDN, your firewall rules should allow only Cloudflare's addresses to reach the origin web server; otherwise anyone who learns the origin IP can bypass Cloudflare (and whatever WAF or rate limiting you configured there) and talk to the server directly. Do not use ANY or ALL as the source address. Keep in mind that an address filter only proves the traffic came from Cloudflare's network, not from your own zone; if that matters to you, also enable Cloudflare's Authenticated Origin Pulls so the origin verifies a Cloudflare client certificate on each connection.



First, the Cloudflare CDN is originated from AS13335. A whois query against RADB confirms the AS object and that the addresses belong to Cloudflare:



kfelix@kfelixs-MacBook-Air ~ % whois -h whois.radb.net AS13335 

aut-num:        AS13335

as-name:        CLOUDFLARENET-AS

descr:          Cloudflare, Inc.

descr:          101 Townsend Street, San Francisco, CA 94107, US

status:         OTHER

( output snipped ) 



Next, we can grab the full IPv4/IPv6 prefix lists in one of two ways.



1: via curl (the -o flag writes the list to cdn-v4.file; the contents of that file are shown below)


reisfelix@consultnt ~ % curl -o cdn-v4.file https://www.cloudflare.com/ips-v4

173.245.48.0/20

103.21.244.0/22

103.22.200.0/22

103.31.4.0/22

141.101.64.0/18

108.162.192.0/18

190.93.240.0/20

188.114.96.0/20

197.234.240.0/22

198.41.128.0/17

162.158.0.0/15

104.16.0.0/13

104.24.0.0/14

172.64.0.0/13

131.0.72.0/22


( if your web servers are also reachable over IPv6, fetch the IPv6 list the same way )


reisfelix@consultnt ~ % curl -o cdn-v6.file https://www.cloudflare.com/ips-v6 


or by querying RADB for the routes originated by the Cloudflare AS (the !g and !6 commands return every registered IPv4 and IPv6 route with origin AS13335 as one space-separated line)


ipv4

whois -h whois.radb.net '!gAS13335'

ipv6

whois -h whois.radb.net '!6AS13335'


Keep in mind that the RADB answer is broader than the published CDN list: it includes every prefix Cloudflare registers under AS13335, not only the ranges the CDN proxies use to connect to origins. The https://www.cloudflare.com/ips-v4 and ips-v6 lists are the authoritative set to allow, and Cloudflare changes them occasionally, so re-fetch them on a schedule and compare against the group on the firewall.
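The whole point of the allow-list is that nothing except Cloudflare reaches the origin, and the way to confirm that is to check the origin's own access log for source addresses outside the published prefixes. Below is an added example in Python, not code from the original post: it loads the prefix lists, answers whether a given IP is a Cloudflare address, and flags log hits that came from anywhere else. The embedded prefix subset and the access-log lines are constructed for the example; in practice read cdn-v4.file and cdn-v6.file and the real log.

```python
import ipaddress
import re

# Constructed sample standing in for the lists saved by the curl commands above
# (a few prefixes from the cdn-v4 listing plus two of Cloudflare's IPv6 /32s).
# In practice read cdn-v4.file and cdn-v6.file instead.
SAMPLE_V4 = """173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
"""
SAMPLE_V6 = """2400:cb00::/32
2606:4700::/32
"""


def load_prefixes(text):
    """Parse one CIDR per line; blank lines are skipped, anything else raises ValueError."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


CLOUDFLARE_NETS = load_prefixes(SAMPLE_V4) + load_prefixes(SAMPLE_V6)


def is_cloudflare(ip, nets=CLOUDFLARE_NETS):
    """True if ip (an IPv4 or IPv6 string) falls inside one of the allowed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Combined log format: client IP is the first field, request line and status follow.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed access-log lines: two from Cloudflare ranges, two from RFC 5737
# documentation addresses that must never be able to reach the origin.
SAMPLE_LOG = """173.245.48.10 - - [05/Feb/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2023:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "python-requests/2.28"
2606:4700:3033::ac43:1 - - [05/Feb/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Feb/2023:10:00:04 +0000] "POST /api/login HTTP/1.1" 403 0 "-" "curl/7.85"
"""


def find_origin_bypass(log_text, nets=CLOUDFLARE_NETS):
    """Return (ip, request, status) for every hit whose source is not a Cloudflare prefix.
    A first field that is not a valid IP is flagged too rather than silently skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, req, status = m.group("ip", "req", "status")
        try:
            allowed = is_cloudflare(ip, nets)
        except ValueError:
            allowed = False
        if not allowed:
            hits.append((ip, req, status))
    return hits


if __name__ == "__main__":
    for ip, req, status in find_origin_bypass(SAMPLE_LOG):
        print(f"origin bypass: {ip} {req} -> {status}")
```

Once the firewall policy is in place, the function should return an empty list on fresh logs. Anything it returns means a path to the origin exists that the policy does not cover: a second interface, a stale DNS record pointing at the origin, or IPv6 traffic when only IPv4 was filtered.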



Next, use these addresses as the source of the rule that allows traffic to your public web server, so that only Cloudflare addresses can reach it.



e.g. FortiGate


config firewall policy

    edit 10

        set name "CDN PROTECTION CLOUDFLARE"

        set uuid 333cdb5a-c602-51ea-95d4-b967c36245b5

        set srcintf "wan"

        set dstintf "DMZ"

        set srcaddr "CLOUDFLARE_ADDRESS_GROUP"

        set dstaddr "NET-WEB"

        set action accept

        set schedule "always"

        set service "HTTP" "HTTPS" "HTTP8080"

    next

end


In the example above, "CLOUDFLARE_ADDRESS_GROUP" is the address group holding the Cloudflare IPv4 prefixes. FortiGate keeps IPv4 and IPv6 objects apart, so the IPv6 prefixes need their own firewall address6 objects, an addrgrp6 group, and an IPv6 policy (or srcaddr6 in a unified policy) that references it. "HTTP8080" is a custom service object. The FortiGate's last policy is an implicit deny, so no explicit deny is needed, but check that no earlier policy from "wan" to "NET-WEB" already accepts these services from any source, since the first matching policy wins.


To add many addresses at once, generate the CLI with a script and paste it into the console, or loop over the prefixes with calls to the FortiGate REST API.



e.g. using a bash script to generate the address objects




#!/usr/bin/env bash
#
# Emit FortiGate CLI: one address object per Cloudflare prefix,
# then one address group holding all of them.
# cdn-v4.file is the IPv4 list saved by the curl command above.
#
set -euo pipefail

members=""

while read -r p; do
    [ -z "$p" ] && continue          # skip blank lines
    echo "config firewall address"
    echo "    edit \"$p\""
    echo "        set subnet $p"
    echo "        set comment \"CDN_CLOUDFLARE\""
    echo "    next"
    echo "end"
    members="$members \"$p\""
done < cdn-v4.file

# create the group once, with every prefix as a member
echo "config firewall addrgrp"
echo "    edit \"CLOUDFLARE_ADDRESS_GROUP\""
echo "        set member$members"
echo "    next"
echo "end"
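The bash script above covers IPv4 only and trusts whatever is in the file. The following is an added example in Python, not part of the original post, that generates the same FortiGate CLI for both address families (address/addrgrp for IPv4, address6/addrgrp6 for IPv6) and rejects any line that is not a well-formed prefix before it gets anywhere near the firewall. The sample lists, the CF_ object naming and the _V6 group name are assumptions made for the example.

```python
import ipaddress

# Constructed stand-ins for cdn-v4.file / cdn-v6.file (a subset of the listing above
# plus two Cloudflare IPv6 /32s); read the real files in practice.
SAMPLE_V4 = """173.245.48.0/20
103.21.244.0/22
# a comment and a blank line are tolerated, anything else must be a valid prefix

198.41.128.0/17
"""
SAMPLE_V6 = """2400:cb00::/32
2606:4700::/32
"""


def parse_prefixes(text, version):
    """One CIDR per line for the given IP version (4 or 6).
    strict=True rejects prefixes with host bits set, and ip_network() rejects anything
    that is not an address at all, so a tampered or truncated download cannot smuggle
    arbitrary text into the firewall configuration."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=True)
        if net.version != version:
            raise ValueError(f"{line}: expected an IPv{version} prefix")
        nets.append(net)
    return nets


def fortigate_config(v4_nets, v6_nets, group="CLOUDFLARE_ADDRESS_GROUP", comment="CDN_CLOUDFLARE"):
    """Emit FortiGate CLI: one address object per prefix and one group per address family.
    Object names (CF_<prefix>) and the _V6 group suffix are this example's own convention."""
    out = []
    if v4_nets:
        out.append("config firewall address")
        for n in v4_nets:
            out += [f'    edit "CF_{n.with_prefixlen}"',
                    f"        set subnet {n.network_address} {n.netmask}",
                    f'        set comment "{comment}"',
                    "    next"]
        out.append("end")
        out += ["config firewall addrgrp",
                f'    edit "{group}"',
                "        set member " + " ".join(f'"CF_{n.with_prefixlen}"' for n in v4_nets),
                "    next",
                "end"]
    if v6_nets:
        out.append("config firewall address6")
        for n in v6_nets:
            out += [f'    edit "CF_{n.with_prefixlen}"',
                    f"        set ip6 {n.with_prefixlen}",
                    f'        set comment "{comment}"',
                    "    next"]
        out.append("end")
        out += ["config firewall addrgrp6",
                f'    edit "{group}_V6"',
                "        set member " + " ".join(f'"CF_{n.with_prefixlen}"' for n in v6_nets),
                "    next",
                "end"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(fortigate_config(parse_prefixes(SAMPLE_V4, 4), parse_prefixes(SAMPLE_V6, 6)), end="")
```

Because the parser raises on the first bad line, a broken download produces no configuration at all instead of a partial group, which is the safe failure mode: the previous group on the firewall stays in place until a complete, valid replacement is ready.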




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


