Blocking Reverse Proxies from Cloudflare

@mumpitz
You find the ASN info at the Cloudflare IP Ranges page; the IP ranges are there too, as a list.

A simple test you can do is to add those IP range groups to static routes, and give an unused IP of your network as a false gateway.

BR
Trash

banish is not an official IPFire addon; I found it on GitHub, but it has been outdated for 5 years.

And this includes my question: how to convert an ASN to IP ranges?

thank you,
I just have to see how I can update this list once Cloudflare is no longer available, but OK.

Can this gateway be set to an internal IP that is in no IP range of green, blue and VPN?
Because I do not have an extra network for DMZ.
Is this correct →


And how can I now create a whitelist? For ipfire.org, as an example.

Sorry, I did not see this first post from you.

I will have a look at his package

@mumpitz
Test for a while how the sites you need work.
If you are then sure that it is the right way, you can follow the same procedure as is done for Shodan IPs.
Make a group at the firewall where you add all those IP subnets.
Take this link as an example and follow the howto:

BR
Trash

These static routes alone changed nothing; all of Cloudflare was reachable.

So what I did, in pictures :smiley:
Static routes to an unused internal IP


Add the networks to firewall groups

Make a group with these networks

Make firewall rule with this group like in the wiki

But that did not work either; all of Cloudflare was reachable. I don’t understand why Cloudflare should not reach me; I want them not to log my IP, so the rule is reversed.


But it doesn’t work either… I can still access cloudflare.com without any problem.

So what did I do wrong? Any advice?

Why not just add a new IP blocklist source for https://www.cloudflare.com/ips-v4?!

Add additional sources to IPFire blocklist feature - Security - IPFire Community

@mumpitz
Sometimes you need to terminate already established and running connections, because a new rule acts only on new communication requests.
The same goes for domain IPs already resolved and cached by a client computer/browser.

You use a VPN connection, so it could be that the communication flowed over there, or the resolving was done there.

Anyway,
you make one incoming and one outgoing rule with “Firewall All”, set to drop… same as for e.g. Shodan or GeoIP incoming/outgoing.

Source is the group you made
Destination is Firewall All

Source is Firewall All
Destination is the group you made

Edit:
Furthermore, put the rules at the top, e.g. position no. 1 of the firewall rules, so they are handled first.
Delete the route in “Routing Table Entries” with the fake gateway IP, as you do not need it any further once you have done your tests and added those two rules to the firewall.

BR
Trash

1 Like

Hi all,

I am wondering if this is all? If I check the ASN via libloc

location search-as "Cloudflare"

I get the following results

AS13335 - CLOUDFLARENET
AS14789 - CLOUDFLARENET-AUS
AS132892 - Cloudflare, Inc.
AS133877 - Cloudflare Hong Kong, LLC
AS139242 - Cloudflare Sydney, LLC
AS202623 - Cloudflare Inc
AS203898 - Cloudflare Inc
AS209242 - Cloudflare London, LLC
AS394536 - CLOUDFLARENET-SFO
AS395747 - CLOUDFLARENET-SFO05

Converting this into CIDRs, also via libloc, and counting the lines, I get a result of 2200 CIDRs:

for i in $(location search-as "Cloudflare" | awk -F'[^0-9]*' '$0=$2'); do
    location list-networks-by-as --family=ipv4 "${i}"
done | wc -l

IMHO, the best way to handle this amount might be IPSet.

Best,

Erik

1 Like
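As an added example (not Erik's script, and not part of IPFire itself), the following shell snippet turns the `location search-as` / `list-networks-by-as` output into an `ipset restore` file and the matching DROP rules for IPFire's firewall.local chains (CUSTOMINPUT, CUSTOMOUTPUT, CUSTOMFORWARD). It assumes libloc's `location` CLI and `ipset` exist on the IPFire box; the `location` output is replaced here by constructed sample text (with TEST-NET prefixes, not real Cloudflare ranges) so the script runs offline, and `live_pipeline` shows how it would be wired up on a real system.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes libloc's `location`
# CLI and `ipset` are installed on IPFire; sample data below is constructed.

# Extract bare AS numbers from `location search-as` lines such as
# "AS13335 - CLOUDFLARENET" (reads stdin, prints one number per line).
asn_from_search() {
    sed -n 's/^AS\([0-9][0-9]*\) .*/\1/p'
}

# Build an `ipset restore` script from IPv4 CIDRs on stdin.
# $1 = set name. hash:net accepts arbitrary prefix lengths, which is what
# the thread needs since the WUI does not convert CIDRs into hash format.
ipset_restore_script() {
    set_name="$1"
    echo "create ${set_name} hash:net family inet hashsize 4096 maxelem 65536 -exist"
    echo "flush ${set_name}"
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' | sed "s|^|add ${set_name} |"
}

# DROP rules for the set in IPFire's custom chains (firewall.local), covering
# IPFire's own traffic (INPUT/OUTPUT) and forwarded client traffic (FORWARD).
iptables_rules() {
    set_name="$1"
    echo "iptables -I CUSTOMINPUT   -m set --match-set ${set_name} src -j DROP"
    echo "iptables -I CUSTOMOUTPUT  -m set --match-set ${set_name} dst -j DROP"
    echo "iptables -I CUSTOMFORWARD -m set --match-set ${set_name} src -j DROP"
    echo "iptables -I CUSTOMFORWARD -m set --match-set ${set_name} dst -j DROP"
}

# Count how many CIDRs a restore script adds (stdin = restore script).
count_adds() {
    grep -c '^add '
}

# Constructed sample of `location search-as "Cloudflare"` output.
SAMPLE_SEARCH='AS13335 - CLOUDFLARENET
AS14789 - CLOUDFLARENET-AUS
AS132892 - Cloudflare, Inc.'

# Constructed sample of `location list-networks-by-as --family=ipv4` output
# (TEST-NET documentation prefixes, not real Cloudflare networks).
SAMPLE_NETWORKS='192.0.2.0/24
198.51.100.0/25
203.0.113.0/24'

# On a real IPFire this is the pipeline (not executed here): every ASN found
# by libloc is expanded to its IPv4 networks and loaded into one set.
live_pipeline() {
    set_name="$1"
    for asn in $(location search-as "Cloudflare" | asn_from_search); do
        location list-networks-by-as --family=ipv4 "${asn}"
    done | ipset_restore_script "${set_name}" | ipset restore
    iptables_rules "${set_name}" | sh
}

# Offline demo with the constructed samples: print the restore script and rules.
demo() {
    printf '%s\n' "$SAMPLE_SEARCH" | asn_from_search
    printf '%s\n' "$SAMPLE_NETWORKS" | ipset_restore_script cloudflare
    iptables_rules cloudflare
}

demo
```

The two CUSTOMFORWARD rules are what make the block apply to clients behind IPFire (and to VPN tunnels terminated on IPFire); the INPUT/OUTPUT rules only cover traffic IPFire itself sends or receives, e.g. via the Squid proxy.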

12 posts were split to a new topic: Banish as an add-on?

Nice to see that so many here are directly interested and that my idea encourages making a forgotten addon fit again… but back to my project…

Yes, I know this; I had restarted the network.

I even use several VPNs and proxies at the same time but I’ll get to that when I understand exactly how it works.

Man, you make my day; I think I have now learned more about this firewall than in the last 10 years.

But can you explain to me why the static routes were set before? So that nothing can happen if I set wrong rules?
Or what is the purpose of that?

In the firewall rules there are 3 rows; the upper one shows the default rules of the networks. If I set the forward option in the settings to Blocked, the standard rules disappear. Is there a way to block the blue network from the internet despite the standard rules? Or do I have to set Forward to blocked and define all rules myself?

Back to the Cloudflare problem.
For VPN the iptables rules don’t apply, but do they also not apply if the DNS server of IPFire is used instead of sending the DNS query through the VPN?
If I use the Squid proxy from IPFire the rules work, right?
What about the IPFire Tor proxy, and would a Tor relay also be affected by the firewall rules?
Now, how can I whitelist a host, for example ipfire.org, to exclude it from these iptables rules?

Can you tell me how to start such a query and then generate a list with the IP ranges? I can add these ranges to the firewall group to block them too.

Thank you very much for the help so far.

1 Like

Hi @mumpitz

I have used firewall.local with specific IPSet sets, since the regular firewall WUI does not convert CIDRs into bitmap or hash format. Therefore I used this script →

!!!Deleted the script since it collides with new rules.pl IPSet set integration!!!

At the time the script was developed (thanks again to shellshock) we used, among others, whois to investigate the CIDRs; at some point it didn't work that way for some companies. I have now integrated libloc, which is not only part of IPFire but also developed by it. A fast test with Cloudflare did well at first glance


(last line)

but deeper checks are absolutely needed.
Needless to say, Tor or VPN (like in Opera, etc.) circumvent this; also, testing systems are always the best way.

A cheap interface for user interaction can be found :smirk:


which was rough enough for me, but surely Banish might be the way :blush:

Best,

Erik

4 Likes

But it would be important to me: could I not write the CIDRs also in the hosts file and block via DNS, so that at least the VPN connections, when using the DNS server of IPFire, will be Cloudflare free?
I use several VPNs at the same time to make tracking via IP more difficult.
With my real IP I visit only certain sites where Cloudflare plays no role.

In case your client is the VPN endpoint, I think you defeat your own Cloudflare censorship, since the FW cannot see/block the added CIDRs. If IPFire's VPN is the endpoint it might work, since the script uses the CUSTOMFORWARD{INPUT}{OUTPUT} chains.

Leaving the VPN connections aside, what about the Squid proxy and the Tor proxy?

The proxy should in general be no problem, since INPUT and OUTPUT are firewalled. Also, VPNs with IPFire as endpoint should be manageable, since the whole VPN firewalling works via the FORWARD chain, and the script, as mentioned above, also uses CUSTOMFORWARD. Is it the same with Tor on IPFire? Probably, but Tor also has its own chains in the firewall script. The best way might be to check it out with and without.

Maybe things can be made better? Let's see.

Best,

Erik

1 Like

For TEST:
it should work too; why not at your IPFire side, I don’t know.

I use this way with a “fake gateway” for tests and for finding a specific IP among a bunch of others.
Also you can add a computer with Wireshark at the DMZ where the fake gateway IP is, for logging hits and ports.

In the firewall rules there are 3 rows; the upper one shows the default rules of the networks. If I set the forward option in the settings to Blocked, the standard rules disappear.

Please go to Firewall Options, there Firewall settings, and set “Show colors, remarks, empty, all” to ON.

Or do I have to set Forward to blocked and define all rules myself?

Yes, you need to do so.

BR
Trash

They are all on ;D
Here now are my rules —>

Incoming and outgoing have the Cloudflare block; the rules generate DROP_INPUT in the log, nothing calls Cloudflare :smiley:

My green hosts have a block for the internet, but they don’t call anywhere either; it just serves my conscience.
And the block of the blue network from the internet does not work, because the default policy in the firewall is Forward allow; these generate a lot of traffic in the log with FORWARDFW entries.

So far so good. But a question is still in the room: whether the Cloudflare block rule, in my case, very likely applies only to the Squid proxy.
Could I use DNS queries to IPFire to also enable a Cloudflare block for the VPN clients on the PC? Instead of using the DNS server from the VPN tunnel, I could bypass it and send the DNS request to IPFire.
Would the firewall rules then take effect, or would I have to create a separate DNS block list like hosts?

Hi Erik

I used this script now to make a test; I typed “a” and “cloudflare”, but it does not work, because this is my output from iptables after using the script


Any advice to do it right?

As Ummeegge wrote, you need to test that by yourself.

In general
The local IPFire incoming and outgoing are set to drop for the specific IP CIDRs you edited.
The VPN tunnel by IPFire will not connect to any of them.
The Tor tunnel by IPFire will not connect to any of them.

But whoever communicates through the tunnel is not affected by this firewall rule, unless at the other side of the tunnel there is also a firewall that manages the outgoing traffic there.

Since the local clients request services at the local IPFire, they are for this task restricted to the proxy and local DNS too: DHCP DNS1 DNS2 NTP1 NTP2 … proxy.pac … wpad.dat … wpad.localdomain … non-transparent proxy … etc.

But there are applications that are able to resolve via DoH in their communication, or have their own VPN tunnel, or contact an external proxy service where leaked client information can be forwarded, e.g. smartphones… Those will still be able to make requests from the outside at the other side of the tunnel. And because of the magic of TLS, you will not be able to control all the communication and information.
If anyone knows a way to block such communication, they will surely suggest it to you soon.
In other words, you need restriction and control at the clients themselves too.

For your last question to Ummeegge:
I think you need to disable the two firewall outgoing/incoming rules before testing Ummeegge's script.

BR
Trash

I am not securing a network, nor am I a perverse IT snooper; hence also the question whether that works with DNS blocks too. Then I would use the list of IPs for a DNS blocker and install it on the clients too, no problem. So whether the possibility of a bypass exists does not matter, as long as I can change it myself in an easy way like a DNS blacklist; I want to ban Cloudflare from my internet, but still continue to use my VPNs/proxies/Tor.
So far there are only small things I notice when using the Squid proxy, where Cloudflare is no longer part of the accessible internet. So my idea works.

OK, I want to try, but I thought the list would be much longer; so now the additional ASNs would be in the iptables…