Hi
I would like to prevent my network from connecting to Cloudflare's CDN (MITM proxy). Are there any blocklists that can be used where all IP addresses of Cloudflare are listed?
Couldn't the location block function be extended with reverse proxies? (Question to the developers)
Or does anyone know another simple solution to protect against the Cloudflare man-in-the-middle attack?
@mumpitz
You can't imagine how many legitimate websites use Cloudflare's CDN service.
If you block all of this provider's ASNs, you will end up unhappy, as many everyday websites and/or content will no longer work.
Also, many important websites such as update sites will no longer work.
In the end, you end up as the enemy of your family and your company colleagues… From the point of view of others, you are then the person who breaks everything.
Also, the later search for causes and malfunctions will be very tedious work for you.
For example, finding a single IP in the huge block and then allowing it is a considerable effort.
If you are looking for an emergency pharmacy or doctor at 02:00 in the morning and certain websites do not work, you will understand that what you are planning is not the right way.
As you can see and understand, I speak partly from experience.
Do you really want that?
Have you thought this through?
If your answer to the two questions above is yes, then search for the ASNs and block these IP ranges.
I suggest using a separate testing environment for a while, to check the results and the problems you run into.
Sometimes a whitelist is better than a blocklist.
Anyway:
You can enter the ASN findings under, for example, the “Route” option and redirect them to an unused IP in the DMZ as the gateway IP.
Or create a firewall rule to DROP them.
Thank you for your advice, but I am well aware of what this means. Cloudflare has almost 20% under its control. Wait a minute, I'm going to put on my tinfoil hat. When I read how the NSA could perfect their PRISM program, the answer is that what Cloudflare does would be perfect for controlling the internet, and I don't even need computing power to break SSL certificates because I issue them myself,
As a non-US citizen, the question of how to deal with this monster is quickly answered.
But mainly I am concerned that I am blocked by the reverse proxy of most sites anyway (ipfire.org is fortunately not one of them), because Tor exit nodes are blocked in the default settings of every Cloudflare product. You have to change this as a customer.
Since this number is very limited, I prefer to block Cloudflare's CDN and create a whitelist.
I found Cloudflare's ASN, AS13335, but I don't understand where I can use that to create a list and where I can use that list.
To make it short, I need a tutorial for dummies. The terminal is not a problem as long as I can copy the commands.
Install banish (see the readme for the instructions) and you can enter the ASN numbers directly and have them available in the firewall menu. Otherwise you need to convert the ASN into IP ranges and enter them in ipset; then you can access those sets in the firewall menu.
banish is not an official IPFire addon; I found it on GitHub, but it has been outdated for 5 years.
And this brings me to my question: how do I convert an ASN to IP ranges?
thank you,
I just have to see how I can update this list once Cloudflare is no longer available, but OK.
Can this gateway be set to an internal IP that is in no IP range of green, blue and VPN?
Because I don't have an extra network for the DMZ.
Is this correct →
@mumpitz
Test for a while how the sites you need work.
If you are then sure that it is the right way, you can follow the same procedure as is done for Shodan IPs.
Make a group in the firewall where you add all those IP subnets.
Take this link as example and follow the howto:
But that did not work either; all of Cloudflare was reachable. I don't understand why Cloudflare should not reach me; I want them not to log my IP, so the rule is reversed.
@mumpitz
Sometimes you need to terminate already established and running connections, because a new rule will only act on the next, “newer” communication requests.
The same goes for domain IPs already resolved by a client computer/browser.
You use a VPN connection, so it could be that the communication flowed over there, or the resolving was done there.
Anyway
You create one incoming and one outgoing rule for “Firewall All” to DROP… the same as for e.g. Shodan or GeoIP incoming/outgoing.
Source is the group you made
Destination is Firewall All
Source is Firewall All
Destination is the group you made
Edit
Furthermore, put the rules at the top, e.g. position no. 1 of the firewall rules, so they are handled first.
Delete the route (“Routing Table Entries”) with the fake gateway IP after you have done your tests and added those two rules to the firewall, as you do not need it any further.
Nice to see that so many here are directly interested and that my idea encourages making a forgotten addon fit again… but back to my project…
Yes, I know this; I had to restart the network.
I even use several VPNs and proxies at the same time, but I'll get to that when I understand exactly how it works.
Man, you made my day; I think I have learned more about this firewall now than in the last 10 years.
But can you explain to me why the static routes were set before? So that nothing can happen if I set wrong rules?
Or what is the purpose of that?
In the firewall rules there are 3 rows; the upper one shows the default rules of the networks. If I set the forward option in the settings to Blocked, the standard rules disappear. Is there a way to block the blue network from the internet despite the standard rules? Or do I have to set Forward to blocked and define all rules myself?
Back to the cloudflare problem.
For VPN the iptables rules don't apply, but do they also not apply if the DNS server of IPFire is used instead of sending the DNS query through the VPN?
If I use the Squid proxy from IPFire, the rules work, right?
What about the IPFire Tor proxy, and would a Tor relay also be affected by the firewall rules?
Now, how can I whitelist a host, for example ipfire.org, to exclude it from these iptables rules?
Can you tell me how to start such a query and then generate a list with the IP ranges? I can add these ranges to the firewall group to block them too.
I have used firewall.local with specific ipset sets, since the regular firewall WUI does not convert CIDRs into bitmap or hash format. Therefore I used this script →
#!/bin/bash -
#
# Modified version from an IPFire project --> https://forum.ipfire.org/viewtopic.php?f=6&t=18542
# Thanks to Shellshock for his ideas.
#
# This script uses ASNs to block companies.
# The user only needs to enter the company name to block it via IPFire's firewall.local.
# ipset is used so that even vast lists of CIDRs can be matched cheaply.
# The script uses only CIDRs, no single IPs.
# An uninstaller is included.
# A menu entry to display all blocked sets is integrated.
#
# Modified by: ummeegge ; $date: 02.06.2017
# Modified by: ummeegge ; $date: 12.02.2023 added libloc to investigate ASNs and CIDRs
################################################################################################
#
# Files for data
RAWAD="/tmp/address_pool"
SORTAD="/tmp/address_sorted"
COMPANIES="/tmp/company_names"
ASN_LIBLOC="/tmp/asn_libloc"
# ipset vars
SETCIDR="companies"
IPSETDIR="/etc/ipset"
CONF="${IPSETDIR}/ipset.conf"
COMPANYDIR="${IPSETDIR}/companyset_info"
COMPANYNAME="${COMPANYDIR}/company_names"
FWL="/etc/sysconfig/firewall.local"
RC="/etc/sysconfig/rc.local"
# Formatting and menu stuff
COLUMNS="$(tput cols)"
R=$(tput setaf 1)
B=$(tput setaf 6)
b=$(tput bold)
N=$(tput sgr0)
separator(){ printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -; }
WELCOME="- Welcome to company block and unblocker -"

# "ipset save" needs the config directory to exist
mkdir -p "${IPSETDIR}"

## FW functions
# firewall.local: add rules.
# FORWARD and OUTPUT match the destination (clients or the firewall talking
# to the blocked nets); INPUT has to match the source, since on INPUT the
# destination is always the firewall itself and a "dst" match would never hit.
fwadd_funct() {
sed -i '/# Used for private firewall rules/ a\IPSETCOMPANY="\/sbin\/iptables"' "${FWL}"
sed -i "/start)/ a\ \
# --> Automatic generated IPSET COMPANY FW entries in start section BEGIN\n \
\${IPSETCOMPANY} -I CUSTOMFORWARD -m set --match-set ${SETCIDR} dst -j REJECT\n \
\${IPSETCOMPANY} -I CUSTOMINPUT -m set --match-set ${SETCIDR} src -j REJECT\n \
\${IPSETCOMPANY} -I CUSTOMOUTPUT -m set --match-set ${SETCIDR} dst -j REJECT\n \
# --> Automatic generated IPSET COMPANY FW entries in start section END" "${FWL}"
# Add stop rules.
# Caveat: "-F" flushes the complete custom chains, so any other rules you keep
# in firewall.local must also be re-created in its start section.
sed -i "/stop)/ a\ \
# --> Automatic generated IPSET COMPANY FW entries in stop section BEGIN\n \
\${IPSETCOMPANY} -F CUSTOMFORWARD\n \
\${IPSETCOMPANY} -F CUSTOMINPUT\n \
\${IPSETCOMPANY} -F CUSTOMOUTPUT\n \
# --> Automatic generated IPSET COMPANY FW entries in stop section END" "${FWL}"
}
# firewall.local: delete rules (the variable definition and the marker comments too)
fwdel_funct() {
sed -i -e "/\${IPSETCOMPANY}.*/d" -e "/IPSETCOMPANY.*/d" -e "/# --> Automatic generated IPSET COMPANY FW.*/d" "${FWL}"
}

## Menu
while true; do
  # Show which companies are currently blocked
  if [ -e "${COMPANYNAME}" ]; then
    CURRENTCOMPS=$(tr '\n' ' ' < "${COMPANYNAME}")
  else
    CURRENTCOMPS="No companies are blocked"
  fi
  clear
  echo "${N}"
  separator
  printf "%*s\n" $(((${#WELCOME}+COLUMNS)/2)) "${WELCOME}"
  separator
  echo
  echo -e " To block companies use ${B}${b}'a'${N} and [ENTER] "
  echo -e " To unblock all companies use ${B}${b}'d'${N} and [ENTER] "
  echo -e " To list all added networks use ${B}${b}'l'${N} and [ENTER] "
  echo
  separator
  echo -e " Currently blocked companies = ${B}${b}${CURRENTCOMPS}${N} "
  separator
  echo -e " To quit this use ${B}${b}'q'${N} and [ENTER] "
  separator
  echo
  read -r what
  # Main part
  case $what in
  a*|A*)
    clear
    # Update the libloc database first so ASN and network data are current
    echo "Will update libloc database to get current results... "
    location update
    # Go to working directory
    cd /tmp || exit 1
    # Clean up leftovers from a previous run
    rm -f "${RAWAD}" "${COMPANIES}" "${SORTAD}" "${ASN_LIBLOC}"
    # Ask for companies
    printf "%b" "${B}${b}Please enter the company names you want to block, separated by blank spaces. Example: ${R}${b}google facebook twitter${N}\n"
    echo "To quit use [CTRL]-c"
    echo
    read -r what
    echo "${what}" | tr ' ' '\n' | sed '/^$/d' > "${COMPANIES}"
    # Get ASNs and CIDRs
    clear
    echo -e "${B}${b}Looking up ASNs and CIDRs for the companies (be patient)... ${N}"
    # Get the AS numbers from libloc: "location search-as NAME" prints lines like
    # "AS13335 (CLOUDFLARENET)"; keep only the number, one ASN per line
    while read -r line; do
      location search-as "${line}" | awk -F '[^0-9]*' '$0=$2'
    done < "${COMPANIES}" | sort -un > "${ASN_LIBLOC}"
    # Get the IPv4 networks announced by each AS from libloc
    while read -r line; do
      location list-networks-by-as --family=ipv4 "${line}"
    done < "${ASN_LIBLOC}" > "${RAWAD}"
    # If there are no results, the script quits
    if [ ! -s "${RAWAD}" ]; then
      echo -e "${R}${b}There are no results available, need to quit... ${N}"
      exit 1
    fi
    # Add directory for specific infos if not already there, and store the names
    mkdir -p "${COMPANYDIR}"
    cat "${COMPANIES}" > "${COMPANYNAME}"
    echo
    ## Clean up CIDRs (kept from the whois-based version: strip leading zeros,
    ## stray colons and "000" octets; harmless on libloc's dotted-quad output)
    sed -i -e 's/^0*//' -e 's/://' -e 's/000/0/' "${RAWAD}"
    # Sort address list and make it unique
    sort -u "${RAWAD}" > "${SORTAD}"
    echo -e "All CIDRs have been investigated, will now add them to ipset and firewall them... "
    ## ipset section
    # Create the hash:net set with counters if not already done
    if ! ipset -n list | grep -qx "${SETCIDR}"; then
      ipset create "${SETCIDR}" hash:net counters
    fi
    # Flush the existing set so a re-run replaces the old content
    ipset flush "${SETCIDR}"
    # Load the networks; -exist keeps overlapping entries from aborting the loop
    while read -r l; do ipset -exist add "${SETCIDR}" "${l}"; done < "${SORTAD}"
    # Save the set so it can be restored at boot
    ipset save > "${CONF}"
    # Reload firewall.local with the new rules
    "${FWL}" stop
    fwdel_funct
    fwadd_funct
    "${FWL}" start
    # Restore the set and the rules after a reboot
    if ! grep -q 'ipset' "${RC}"; then
      echo "ipset restore < ${CONF} && ${FWL} reload;" >> "${RC}"
    fi
    echo
    echo "All has been done."
    # Clean up
    rm -f "${COMPANIES}" "${RAWAD}" "${SORTAD}" "${ASN_LIBLOC}"
    sleep 3
    ;;
  d*|D*)
    clear
    # Flush the existing set, remove the rules, then delete the set
    echo
    echo -e "Will now flush the ipset sets and delete them accordingly... "
    ipset flush "${SETCIDR}"
    echo
    echo -e "Will now delete the FW rules from ${FWL} and restart it... "
    "${FWL}" stop
    fwdel_funct
    "${FWL}" start
    # The set can only be destroyed after no rule references it any more
    ipset destroy "${SETCIDR}"
    ipset save > "${CONF}"
    # Delete company directory
    rm -rf "${COMPANYDIR}"
    echo
    echo -e "That's it."
    echo
    sleep 5
    ;;
  l*|L*)
    clear
    echo -e "To quit hit ${b}${R}'q'${N}"
    sleep 5
    ipset list "${SETCIDR}" | less
    echo
    ;;
  q*|Q*)
    exit 0
    ;;
  *)
    echo
    echo -e "${R}Sorry, this option does not exist... ${N}"
    sleep 3
    echo
    ;;
  esac
done
# EOF
At the time when the script was developed (thanks again to Shellshock) we used, among other things, whois to investigate the CIDRs; at some point that no longer worked for some companies. I have now integrated libloc, which is not only part of IPFire but also developed by it. A fast test with Cloudflare looked good at first glance,
but deeper checks are absolutely needed.
Needless to say, Tor or VPNs (like the one in Opera, etc.) circumvent this; also, test systems are always the best way.
A cheap interface for user interaction can be found →
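The two pieces that keep coming up in this thread, turning an ASN into a list of CIDRs that ipset can load and leaving a hole for a host you still want to reach (the ipfire.org question above), can be shown end to end. The script below is an added example; it is not part of the thread and not ummeegge's script. It assumes libloc's `location search-as` prints lines of the form `AS13335 (CLOUDFLARENET)`, uses a set name (`company_block`), an allow-list net and an output path that are my own choices, and substitutes a constructed sample of two ranges when `location` is not installed, so the generation step can be run anywhere. The exception mechanism is ipset's `nomatch` flag for `hash:net` sets: the most specific entry wins, so a `nomatch` entry inside a blocked range is skipped by `--match-set`.

```bash
#!/bin/bash
# Added example (not from the thread): ASN lookup -> validated CIDR list ->
# "ipset restore" file with nomatch exceptions, plus the firewall.local rules.
# Assumptions: set name, allow-list and output path below are placeholders;
# libloc's search-as output format "AS13335 (CLOUDFLARENET)" is assumed.

SETNAME="company_block"
# Nets that must stay reachable even though they sit inside a blocked range
# (placeholder; put the net your whitelisted host resolves to here).
ALLOW="104.16.0.0/24"
OUTFILE="${1:-/tmp/${SETNAME}.restore}"

# Keep only the AS numbers from `location search-as` output, one per line.
asn_numbers() {
  sed -n 's/^AS\([0-9][0-9]*\).*/\1/p' | sort -un
}

# Return 0 for a syntactically valid IPv4 CIDR (four octets 0-255, prefix 0-32).
# Bare IPs, IPv6 and lookup garbage are rejected so they never reach ipset.
is_ipv4_cidr() {
  local cidr=$1 ip prefix o IFS
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read CIDRs from stdin (comments and blanks allowed), drop duplicates and
# invalid lines, and write an ipset restore file for a hash:net set. Allowed
# nets are added with "nomatch", which punches a hole into a larger blocked
# range because hash:net uses the most specific entry.
make_ipset_restore() {
  local setname=$1 allow=$2 cidr n
  printf 'create %s hash:net family inet counters\n' "$setname"
  printf 'flush %s\n' "$setname"
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u | while read -r cidr; do
    if is_ipv4_cidr "$cidr"; then
      printf 'add %s %s\n' "$setname" "$cidr"
    else
      printf 'skipping invalid entry: %s\n' "$cidr" >&2
    fi
  done
  for n in $allow; do
    if is_ipv4_cidr "$n"; then
      printf 'add %s %s nomatch\n' "$setname" "$n"
    fi
  done
}

# The rules for firewall.local: FORWARD/OUTPUT match the destination, INPUT
# matches the source (packets coming from the blocked nets to the firewall).
iptables_rules() {
  local setname=$1
  printf 'iptables -I CUSTOMFORWARD -m set --match-set %s dst -j REJECT\n' "$setname"
  printf 'iptables -I CUSTOMOUTPUT -m set --match-set %s dst -j REJECT\n' "$setname"
  printf 'iptables -I CUSTOMINPUT -m set --match-set %s src -j DROP\n' "$setname"
}

# IPv4 networks for a company name: real lookup via libloc when available,
# otherwise a constructed two-range sample standing in for the lookup output.
lookup_networks() {
  local name=$1 asn
  if command -v location >/dev/null 2>&1; then
    location search-as "$name" | asn_numbers | while read -r asn; do
      location list-networks-by-as --family=ipv4 "$asn"
    done
  else
    printf '104.16.0.0/13\n172.64.0.0/13\n'
  fi
}

lookup_networks "Cloudflare" | make_ipset_restore "$SETNAME" "$ALLOW" > "$OUTFILE"
iptables_rules "$SETNAME"
```

Load the generated file with `ipset -exist restore < /tmp/company_block.restore` (the `-exist` keeps a re-run from failing on the `create` line), then check the hole before trusting it: `ipset test company_block 104.16.1.1` should report NOT in set while `ipset test company_block 104.17.1.1` is in set. The exception works on networks, not hostnames, so resolve the host you want to keep (`location lookup`, `dig`) and exclude the net it actually sits in; if that host is itself behind Cloudflare, the exception only stops the block for that net, it does not change who terminates the TLS connection.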
But it would be important to me: could I not also write the CIDRs into the hosts file and block via DNS, so that at least the VPN connections, when using the DNS server of IPFire, would be Cloudflare-free?
I use several VPNs at the same time to make tracking via IP more difficult.
With my real IP I only visit certain sites where Cloudflare plays no role.
In case your client is the VPN endpoint, I think you defeat your own Cloudflare censorship, since the FW cannot see/block the added CIDRs. If IPFire's VPN is the endpoint it might work, since the script uses the CUSTOMFORWARD/CUSTOMINPUT/CUSTOMOUTPUT chains.