Blocking Reverse Proxies from Cloudflare

Why not just add a new ip-block-list-source for https://www.cloudflare.com/ips-v4?!

Add additional sources to IPFire blocklist feature - Security - IPFire Community

@mumpitz
Sometimes you need to terminate already established and running connections, because a new rule only acts on the next, “newer” communication requests.
The same applies to domain IPs already resolved by a client computer/browser.

You use a VPN connection, so it could be that the communication flowed over there, or the resolving was done there.

Anyway:
You create one incoming and one outgoing rule, each with “Firewall All”, set to drop… the same as for e.g. Shodan or GeoIP incoming/outgoing.

Source is the group you made
Destination is Firewall All

Source is Firewall All
Destination is the group you made

Edit:
Furthermore, put the rules at the top, e.g. position No. 1 of the firewall rules, so they are handled first.
Delete the route under “Routing Table Entries” with the fake gateway IP, as you no longer need it, after you have done your tests and added those two rules to the firewall.

BR
Trash

1 Like

Hi all,

I am wondering if this is all? If I check the ASN via libloc

location search-as "Cloudflare"

I get the following results

AS13335 - CLOUDFLARENET
AS14789 - CLOUDFLARENET-AUS
AS132892 - Cloudflare, Inc.
AS133877 - Cloudflare Hong Kong, LLC
AS139242 - Cloudflare Sydney, LLC
AS202623 - Cloudflare Inc
AS203898 - Cloudflare Inc
AS209242 - Cloudflare London, LLC
AS394536 - CLOUDFLARENET-SFO
AS395747 - CLOUDFLARENET-SFO05

Converting this into CIDRs, also via libloc, and counting the lines, I get a result of 2200 CIDRs

# loop over the AS numbers found for "Cloudflare" (awk keeps the first run of digits per line)
for i in $(location search-as "Cloudflare" | awk -F'[^0-9]*' '$0=$2'); do
    # print every IPv4 prefix libloc has recorded for that ASN
    location list-networks-by-as --family=ipv4 "${i}"
done | wc -l   # count the resulting prefix lines

IMHO, the best way to handle this amount might be IPSet.

Best,

Erik

1 Like

12 posts were split to a new topic: Banish as an add-on?

Nice to see that so many here are directly interested and that my idea encourages making a forgotten add-on fit again… but back to my project…

Yes, I know this, I had restarted the network.

I even use several VPNs and proxies at the same time, but I’ll get to that when I understand exactly how it works.

Man, you made my day, I think I have now learned more about this firewall than in the last 10 years.

But can you explain to me why the static routes were set before? So that nothing can happen if I set wrong rules?
Or what is the purpose of that?

In the firewall rules there are 3 rows; the upper one shows the default rules of the networks. If I set the Forward option in the settings to Blocked, the standard rules disappear. Is there a way to block the blue network from the internet despite the standard rules? Or do I have to set Forward to Blocked and define all rules myself?

Back to the Cloudflare problem.
For VPN the iptables rules don’t apply, but do they also not apply if the DNS server of IPFire is used instead of sending the DNS query through the VPN?
If I use the squid proxy from IPFire, the rules work, right?
What about the IPFire Tor proxy, and would a Tor relay also be affected by the firewall rules?
Now, how can I whitelist a host, for example ipfire.org, so that it is excluded from these iptables rules?

Can you tell me how to start such a query and then generate a list with the IP ranges? I can add these ranges to the firewall group to block them too.

Thank you very much for the help so far.

1 Like

Hi @mumpitz

I have used firewall.local with specific IPSet sets, since the regular Firewall WUI does not convert CIDRs into bitmap or hash format. Therefore I used this script →

!!!Deleted the script since it collides with new rules.pl IPSet set integration!!!

At the time the script was developed (thanks again to shellshock) we used, among other things, whois to investigate the CIDRs; at some point that no longer worked for some companies. I have now integrated libloc, which is not only part of IPFire but also developed by it. A fast test with Cloudflare did well at first glance


(last line)

but deeper checks are absolutely needed.
Needless to say, Tor or VPN (like in Opera, etc.) circumvent this; also, testing systems are always the best way.

A cheap interface for user interaction can be found :smirk:


which was rough enough for me, but surely Banish might be the way :blush:

Best,

Erik

4 Likes

But it would be important to me: couldn’t I also write the CIDRs into the hosts file and block via DNS, so that at least the VPN connections, when using the DNS server of IPFire, will be Cloudflare-free?
I use several VPNs at the same time to make tracking via IP more difficult.
With my real IP I visit only certain sites where Cloudflare plays no role.

In case your client is the VPN endpoint, I think you defeat your own Cloudflare censorship, since the FW can not see/block the added CIDRs. If IPFire’s VPN is the endpoint it might work, since the script uses the CUSTOM{FORWARD,INPUT,OUTPUT} chains.

Leaving the VPN connections aside, what about the squid proxy and the Tor proxy?

The proxy should in general be no problem, since INPUT and OUTPUT are firewalled. Also, VPNs with IPFire as endpoint should be manageable, since the whole VPN firewalling works via the FORWARD chain and the script, as already mentioned above, also uses CUSTOMFORWARD. Is it the same with Tor on IPFire? Probably, but Tor also has its own chains in the firewall script. The best way might be to check it out with and without.

Maybe things can be made better? Let’s see.

Best,

Erik

1 Like

For TEST.
It should work too; why not at your IPFire side, I don’t know.

I use this way with a “fake gateway” for tests and for finding a specific IP among a bunch of others.
Also, you can add a computer with Wireshark at the DMZ where the fake gateway IP is, for logging hits and ports.

in the firewall rules there are 3 rows, the upper one is shown with the default rules of the networks. If I set the forward option in the settings to Blocked, the standard rules disappear.

Please go to Firewall Options, there Firewall settings, and set “Show colors, remarks, empty, all” to ON.

Or do I have to set Forward to blocked and define all rules myself?

Yes, you need to do so.

BR
Trash

They are all on ;D
Here now my rules —>

Incoming and outgoing have the Cloudflare block; the rules generate DROP_INPUT in the log, nothing calls Cloudflare :smiley:

My green hosts have a block for the internet, but they don’t call anywhere either, it just serves my conscience.
And the block for the blue network for the internet does not work, because the default policy in the firewall is Forward allow; these generate a lot of traffic in the log with FORWARDFW entries.

So far so good. But one question is still in the room: whether the Cloudflare block rule, in my case, very likely only applies to the squid proxy.
Could I use DNS queries to IPFire to also enable a Cloudflare block for the VPN clients on the PC? Instead of using the DNS server from the VPN tunnel, I could bypass it and send the DNS request to the IPFire.
Would the firewall rules then take effect, or would I have to create a separate DNS block list like hosts?

Hi Erik

I used this script now to make a test; I typed “a” and “cloudflare” but it does not work, because this is my output from iptables after using the script


Any advice on how to do it right?

As Ummeegge wrote, you need to test that by yourself.

In general:
The local IPFire incoming and outgoing are set to drop for the specific IP CIDRs you edited.
The VPN tunnel by IPFire will not connect to any of them.
The Tor tunnel by IPFire will not connect to any of them.

But whoever communicates through the tunnel is not affected by this firewall rule, unless at the other side of the tunnel there is also a firewall that manages the outgoing traffic there.

Since the local clients request services at the local IPFire, they are for this task restricted to the proxy and local DNS too: DHCP DNS1 DNS2 NTP1 NTP2 … proxy.pac … wpad.dat … wpad.localdomain … non-transparent proxy … etc.

But there are applications which are able to resolve via DoH in their communication, or have their own VPN tunnel, or contact an external proxy service to which leaked client information can be forwarded, e.g. smartphones… Those will further be able to make requests from the outside at the other side of the tunnel. And because of the magic of TLS, you will not be able to control all the communication and information.
If anyone knows a way to block such communication, they will surely suggest it to you soon.
In other words, you need restriction and control at the clients themselves too.

For your last question to Ummeegge:
I think you need to disable the two firewall outgoing/incoming rules before testing Ummeegge’s script.

BR
Trash

I do not secure a network, nor am I a perverse IT snooper; therefore also the question whether that works with DNS blocks too, then I would use the list of IPs for a DNS blocker and install it on the clients too, no problem. So whether the possibility of a bypass exists does not matter, as long as I can change it myself in an easy way like a DNS blacklist. I want to ban Cloudflare from my internet, but still continue to use my VPNs/proxies/Tor.
So far there are only small things I notice when using the squid proxy, where Cloudflare is no longer part of the accessible internet. So my idea works.

OK, I want to try, but I thought the list would be much longer, so now the additional ASNs would be in the iptables…

Is this available as a plugin?

Hi all,

It depends on what you are doing and what environment is in use. It is impossible to give advice if your usage is unclear. As already mentioned above, try it with and without VPN, Tor, etc. Encapsulated packets can not be seen by the FW.

There is no ASN in IPTables. If you use the script you can just type ‘L’ [ENTER] and you get a list of all used/investigated Classless Inter-Domain Routing addresses, which can also be found under /etc/ipset/ipset.conf (grep for companies if more is in there).
You can use any of those listed networks: open your terminal and try to ping IPs from them, and besides ‘ping: sendmsg: Operation not permitted’, take a look into CUSTOMOUTPUT. The same is true for CUSTOMINPUT and CUSTOMFORWARD.

Hello @hvacguy, the script is not plugged in anywhere, but it uses location (libloc) to investigate company CIDRs via ASNs; for IPTables it creates, deletes and lists the blocked networks (hashed via IPSet) and REJECTs them via firewall rules in three different chains (CUSTOM{INPUT,OUTPUT,FORWARD}).

Best,

Erik
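The chain of steps Erik describes (libloc ASN lookup, hashed IPSet, REJECT in the three CUSTOM chains), as an added example in Python that is not the thread’s script and not IPFire’s own code; the libloc output is a constructed sample, the set name cf_v4 is made up, and the generated text is meant for `ipset -exist restore` and firewall.local on an IPFire box:

```python
import ipaddress
import re

# Constructed sample of `location search-as "Cloudflare"` output (same shape as on the page).
AS_LISTING = """AS13335 - CLOUDFLARENET
AS209242 - Cloudflare London, LLC
"""

# Constructed sample of `location list-networks-by-as --family=ipv4 <asn>` output per ASN.
# The overlap and the duplicate are deliberate: a plain `wc -l` counts them, a hash:net set should not.
NETWORKS_BY_AS = {
    13335: ["1.1.1.0/24", "1.0.0.0/24", "104.16.0.0/13", "104.24.0.0/14"],
    209242: ["104.16.0.0/12", "1.1.1.0/24"],
}


def parse_asns(listing):
    """Pull the AS numbers out of `location search-as` lines ('AS13335 - NAME')."""
    return [int(m.group(1)) for m in re.finditer(r"^AS(\d+)\b", listing, re.M)]


def collect_networks(asns, lookup):
    """Merge every prefix announced by the ASNs into a minimal, non-overlapping list."""
    nets = (ipaddress.ip_network(p) for asn in asns for p in lookup.get(asn, []))
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore(setname, nets):
    """Text for `ipset restore`: hash:net matches whole prefixes, so no expansion to single IPs."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def custom_chain_rules(setname):
    """Rules for IPFire's firewall.local chains; CUSTOMFORWARD covers clients routed through the box."""
    return [
        f"iptables -I CUSTOMINPUT -m set --match-set {setname} src -j REJECT",
        f"iptables -I CUSTOMOUTPUT -m set --match-set {setname} dst -j REJECT",
        f"iptables -I CUSTOMFORWARD -m set --match-set {setname} dst -j REJECT",
    ]


if __name__ == "__main__":
    found = collect_networks(parse_asns(AS_LISTING), NETWORKS_BY_AS)
    print(ipset_restore("cf_v4", found))
    print("\n".join(custom_chain_rules("cf_v4")))
```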

I tested the Tor proxy; it definitely connects to Cloudflare, it has its own rules… and I would believe that no Tor node is hosted by nor protected by Cloudflare, and the Tor proxy from IPFire has only one idea, to go to the next guard node… but maybe I have more ideas about what is good to block, so it is good to know.
IPFire is the VPN server for mobile, so Cloudflare is not the problem.

Misunderstanding: as you can read above, I only found one ASN number for Cloudflare, and my hosts are defined from the 13 IP ranges (CIDRs?) in one Cloudflare group, which I use in the outgoing and incoming firewall rules to block them.

Then you told us that there is more than one ASN number, and the ten ASNs you found give 2200 CIDRs.
So this is far too much to type as hosts in the firewall groups options.
Now I tried your script to block the other 9 ASNs with option “a” and typed “cloudflare”. After a short time, the script seems ready. I think this script makes CIDRs from the ASNs and writes them into a file which is used by iptables, but the file seems to be empty.

After disabling the Cloudflare block rules and running the script again, I get some other IP ranges (little terminal window), which I typed into the firewall rules; the group grows from 13 entries to 23. Have a look in the file.
lol, now I see the page goes a little bit further :smiley:
OK, this list is quite long. Can I use this list for a DNS blocklist in Android or, the very best solution for browsing, a uBlock list? Then the VPN and proxies are affected quite easily…

I would need a way to write the IP ranges completely as single IP addresses into a list, and then convert them into hosts. This will be a few million queries and millions of commands. But would this be possible? How long would the individual operations take approximately?
If it is not outright impossible to query the matching host from known IP addresses, I would not care about the time for now.
The output in the file has to look like
0.0.0.0 host.com
0.0.0.0 host2.com

Just for info on how the Cloudflare network treats my IP after blocking them: I get scans from 89.248.163.168… recyber.net… Impudence

Hello Mumpitz,
I am currently not sure what you are trying to accomplish?! If you want to calculate the CIDRs to IPs, IPFire does have some Perl modules for this; if you want to stay in bash, this tool → https://github.com/TechAssistance/CIDR-to-IP/blob/main/cidrip.sh might be a possibility.

:grin: I was interested in it and tested the script. OK, on my IPFire Prime machine it took →

./cidr2ip.sh -i cloudflare_cidrs > cloudflare_ips_fromcidr  578.64s user 593.73s system 113% cpu 17:10.74 total

to compute it. You then have ‘2.615.808’ (millions of) IPs out of 2213 CIDRs, whereby only a few IPs point to registered domains, like e.g.

1.0.0.1.in-addr.arpa domain name pointer one.one.one.one.
1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.

You simply can not say what the IPs are for (also in the future), so in my opinion the above-mentioned information investigation does not make much sense if you want to use it in this way.

Best,

Erik

2 Likes
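Erik’s point above (2213 CIDRs expand to millions of addresses, most without a PTR record), illustrated with an added Python example that is not from the thread: counting the covered addresses and testing whether a resolved IP falls inside the list are both prefix arithmetic, so the list never needs to be expanded. The CIDR list is a constructed sample standing in for a file like cloudflare_cidrs.

```python
import ipaddress

# Constructed sample of a CIDR list as the thread's script writes it.
# Includes a duplicate and a sub-prefix, which ASN-based lists easily contain.
SAMPLE_CIDRS = """104.16.0.0/13
104.24.0.0/14
1.1.1.0/24
1.0.0.0/24
# duplicate and sub-prefix follow
1.1.1.0/24
104.17.0.0/16
"""


def load_cidrs(text):
    """One prefix per line; blanks and '#' comments skipped; overlaps collapsed."""
    nets = [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets):
    """Addresses covered by the list: 2^(32-prefixlen) per prefix, summed. No enumeration."""
    return sum(n.num_addresses for n in nets)


def fronted_by(nets, ip):
    """Return the prefix containing `ip`, or None.
    Apply this to the address a hostname resolves to; mapping every address
    back to a hostname is not possible since most have no PTR record."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


if __name__ == "__main__":
    nets = load_cidrs(SAMPLE_CIDRS)
    print(len(nets), "prefixes covering", address_count(nets), "addresses")
    print(fronted_by(nets, "104.18.2.3"), fronted_by(nets, "8.8.8.8"))
```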

Hi Erik,
I want to ban Cloudflare from my internet world, like Cloudflare banned the Tor browser.
IPFire is my firewall. Thanks to the script, I have now entered all possible IP address ranges of Cloudflare in the iptables.
That is already a step.
My PC (with which, next to the smartphone, I am on the internet most) is configured so that everything that does not go through a VPN tunnel to a provider is blocked, except internal network access.
This allows me to use the squid proxy on the IPFire to get past the VPN tunnel to the internet, where Cloudflare has also been banned, because the iptables rules also apply to the proxy.
The Tor proxy on the IPFire is not affected by the rules, or you use the Tor network directly, which is 100% not provided by Cloudflare servers. The same applies to the Tor node of the IPFire.

Now to my idea:
I use the multi-container principle of Firefox in combination with the container proxy add-on to connect the containers with different proxies via SSL tunnels worldwide. But these SSL tunnels all connect to the proxies through the VPN connection, which means that the iptables rules to block Cloudflare don’t work here.
I also use the uBlock add-on, which can be combined with the different blocklists.
The add-on is a kind of firewall for the browser, which works with lists that act like a DNS blocklist, and depending on how you configure the add-on you can create more rules for each page.
Now, if I can find a way to create a hosts file in the format for uBlock from all the Cloudflare IP ranges that can be created by IPFire, I would put that file into uBlock.
I would have a NAS on the network where I could update the file regularly and the browsers could update from it.
On the smartphone I also use uBlock, so the browser would already be freed from the plague.

Yes, that’s the first one: I need each IP individually and then the corresponding hostnames; if an IP is unused it doesn’t need to be in the list.
The last step would be to put a 0.0.0.0 in front of each hostname, and the uBlock list would be ready. If this were done automatically once a month as a script, it would be the perfect solution.

Writing down all IPs individually once takes 17 hours?
How long would it take to get the hostnames?