Blocking Reverse Proxies from cloudflare

The proxy should in general be no problem, since INPUT and OUTPUT are firewalled. Also, VPNs with IPFire as endpoint should be manageable, since the whole VPN firewalling works via the FORWARD chain and the script mentioned above also uses CUSTOMFORWARD. Is it the same with Tor on IPFire? Probably, but Tor also has its own chains in the firewall script. The best way might be to check it out with and without.

Maybe things can be made better? Let's see.




Should work too, why not at your IPFire side, I don’t know.

I use this way with a “fake gateway” for tests and for finding a specific IP among a bunch of others.
Also you can add a computer with Wireshark in the DMZ where the fake gateway IP is, for logging hits and ports.

In the firewall rules there are 3 rows; the upper one is shown with the default rules of the networks. If I set the forward option in the settings to Blocked, the standard rules disappear.

Please go to Firewall Options, then Firewall settings, and set “Show colors, remarks, empty, all” to ON.

Or do I have to set Forward to blocked and define all rules myself?

Yes, you need to do so.


They are all on ;D
Here now my rules →

Incoming and outgoing have the cloudflare block; the rules generate DROP_INPUT in the log, nothing calls cloudflare :smiley:

My green hosts have a block for the internet, but they don’t call anywhere either; it just serves my conscience.
And the block for the blue network to the internet does not work because the default policy in the firewall is Forward allow; these generate a lot of traffic in the log with FORWARDFW entries.

So far so good. But one question is still open: whether the cloudflare block rule, in my case, very likely only applies to the squid proxy.
Could I use DNS queries to IPFire to also enable a cloudflare block for the VPN clients on the PC? Instead of using the DNS server from the VPN tunnel, I could bypass it and send the DNS request to the IPFire.
Would the firewall rules then take effect, or would I have to create a separate DNS block list like hosts?

Hi Erik

I used this script now to make a test. I typed “a” and “cloudflare”, but it does not work, because this is my output from iptables after using the script

Any advice on how to do it right?

As Ummeegge wrote, you need to test that by yourself.

In general
The local IPFire incoming and outgoing are set to drop for the specific IP CIDRs you edited.
The VPN tunnel by IPFire will not connect to any of them.
The Tor tunnel by IPFire will not connect to any of them.

But whoever communicates through the tunnel is not affected by this firewall rule, unless at the other side of the tunnel there is also a firewall that manages the outgoing traffic there.

Since the local clients request services at the local IPFire, they are for this task restricted to the proxy and local DNS too. DHCP DNS1 DNS2 NTP1 NTP2 … proxy.pac … wpad.dat … wpad.localdomain … non-transparent proxy … etc.

But there are applications that are able to resolve via DoH in their communication, or have their own VPN tunnel, or contact an external proxy service where client information leaks can be forwarded, e.g. smart phones… Those will still be able to make requests from the outside at the other side of the tunnel. And because of the magic of TLS, you will not be able to control all the communication and information.
If anyone knows a way to block such communication, they will surely suggest it to you soon.
In other words, you need a restriction and a control at the clients themselves too.

For your last question to Ummeegge
I think you need to disable the two firewall outgoing/incoming rules before testing the script of Ummeegge.


I do not secure a network, nor am I a perverse IT snooper; therefore also the question whether that works with DNS blocks too. Then I would use the list of IPs for a DNS blocker and install it on the clients too, no problem. So whether the possibility of a bypass exists does not matter, as long as I can change it myself in an easy way like a DNS blacklist. I want to ban cloudflare from my internet, but still continue to use my VPNs/proxies/Tor.
So far there are only small things I notice when using the squid proxy, where cloudflare is no longer part of the accessible internet. So my idea works.

Ok, I wanna try, but I thought the list would be much longer, so now the additional ASNs would be in the iptables…

Is this available as a plugin?

Hi all,

It depends on what you are doing and what environment is in use. It is impossible to give advice if your usage is unclear. As already mentioned above, try it with and without VPN, Tor, etc. Encapsulated packets cannot be seen by the FW.

There is no ASN in IPTables. If you use the script you can just type ‘L’ [ENTER] and you get a list of all used/investigated Classless Inter-Domain Routing addresses, which can also be found under /etc/ipset/ipset.conf (grep for companies if more is in there).
You can use any of those listed networks: open your terminal and try to ping IPs from them, and besides ‘ping: sendmsg: Operation not permitted’, take a look into CUSTOMOUTPUT. The same is true for CUSTOMINPUT and CUSTOMFORWARD.

Hello @hvacguy, the script is not plugged in anywhere, but it uses location (libloc) to investigate company CIDRs via ASNs for IPTables, to create, delete and list the blocked networks hashed via IPSet, and to REJECT them via firewall rules for three different chains (CUSTOM{INPUT,OUTPUT,FORWARD}).



I tested the Tor proxy; it definitely connects to cloudflare, it has its own rules… and I would believe that no Tor node is hosted nor protected by cloudflare, and the Tor proxy from IPFire has only one idea, to go to the next guard node… but maybe I have more ideas what is good to block, so it is good to know.
IPFire is the VPN server for mobile, so cloudflare is not the problem

Misunderstanding: as you can read above, I only found one ASN number for cloudflare, and my hosts are defined from the 13 IP ranges (CIDRs?) in one cloudflare group, which I use in the outgoing and incoming firewall rules to block them.

Then you told us that there is more than one ASN number, and the ten ASNs you found give 2200 CIDRs.
So this is far too much to type as hosts in the Firewall groups options.
Now I tried your script to block the other 9 ASNs with option “a” and typed “cloudflare”. After a short time the script seems ready. I think this script makes CIDRs from the ASNs and writes them into a file which is used by iptables, but the file seems to be empty.

After disabling the cloudflare block rules and running the script again, I get some other IP ranges (little terminal window), which I typed into the firewall rules; the group grows from 13 entries to 23. Have a look in the file
lol, now I see the page goes a little bit further :smiley:
Ok, this list is quite long. Can I use this list for a DNS blocklist in Android, or, the very best solution for browsing, as a uBlock list? Then the VPN and proxies are affected quite easily…

I would need a way to write the IP ranges completely as single IP addresses into a list, and then convert them into the host. This will be a few million queries and millions of commands. But would this be possible? How long would the individual operations take approximately?
If it is not directly impossible to query the matching host from known IP addresses, I would not care about the time for now.
The output in the file has to look like

Just for info how the cloudflare network treats my IP after blocking them: I get scans from…… Impudence

Hello Mumpitz,
I am currently not sure what you are trying to accomplish?! If you want to expand the CIDRs to IPs, IPFire does have some Perl modules for this; if you want to stay in bash, this tool → might be a possibility.

:grin: I was interested in it and tested the script. OK, on my IPFire Prime machine it took →

./ -i cloudflare_cidrs > cloudflare_ips_fromcidr  578.64s user 593.73s system 113% cpu 17:10.74 total

to compute it. You then have ‘2.615.808’ IPs out of 2213 CIDRs, whereby only a few IPs point to registered domains, like e.g. domain name pointer domain name pointer

You simply cannot say what the IPs are for (also in the future), so in my opinion the above mentioned information investigation does not make much sense if you want to use it in this way.
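The two mechanics discussed in this thread, the IPSet-based blocking in the CUSTOM{INPUT,OUTPUT,FORWARD} chains described by ummeegge above and the cost of expanding 2213 CIDRs into individual IPs, shown as an added Python example that is not part of the original thread nor of ummeegge's script: it collapses a constructed CIDR list, counts the addresses the prefixes cover (the size an IP-by-IP list would reach), tests a single address against the prefixes the way an ipset `hash:net` set does per packet, and renders the `ipset restore` file plus REJECT rules for the three custom chains. The set name `cloudflare`, the documentation-range CIDRs and the rule layout are assumptions of this example.

```python
#!/usr/bin/env python3
"""Collapse a CIDR list, count the addresses it covers, check membership,
and render ipset/iptables commands for IPFire's CUSTOM chains.

All CIDRs below are constructed sample values (documentation ranges),
not Cloudflare's real prefixes; the set name and rule layout are assumptions.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input, overlapping on purpose to show collapsing.
SAMPLE_CIDRS = [
    "203.0.113.0/24",
    "203.0.113.128/25",    # already contained in the /24 above
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the previous /25: merges into a /24
    "192.0.2.0/24",
    "2001:db8::/32",       # one IPv6 prefix, handled as a separate family
]


def collapse_cidrs(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings and merge overlapping/adjacent prefixes per address family."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def count_addresses(nets: Iterable[Net]) -> int:
    """Total addresses covered: the length an expanded IP-by-IP list would have."""
    return sum(n.num_addresses for n in nets)


def is_blocked(nets: Iterable[Net], ip: str) -> bool:
    """Prefix membership test, which is what ipset's hash:net does per packet."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def render_ipset_restore(setname: str, nets: Iterable[Net]) -> str:
    """Emit an `ipset restore` file for the IPv4 prefixes (hash:net with counters)."""
    lines = [f"create {setname} hash:net family inet counters"]
    lines += [f"add {setname} {n.with_prefixlen}" for n in nets if n.version == 4]
    return "\n".join(lines) + "\n"


def render_iptables_rules(setname: str) -> List[str]:
    """REJECT set matches in the three IPFire custom chains: inbound by source,
    outbound by destination, forwarded traffic in both directions."""
    spec = [("CUSTOMINPUT", "src"), ("CUSTOMOUTPUT", "dst"),
            ("CUSTOMFORWARD", "dst"), ("CUSTOMFORWARD", "src")]
    return [f"iptables -I {chain} -m set --match-set {setname} {direction} -j REJECT"
            for chain, direction in spec]


if __name__ == "__main__":
    nets = collapse_cidrs(SAMPLE_CIDRS)
    v4_only = [n for n in nets if n.version == 4]
    print(f"{len(SAMPLE_CIDRS)} input CIDRs -> {len(nets)} collapsed prefixes, "
          f"{count_addresses(v4_only)} IPv4 addresses")
    for probe in ("203.0.113.200", "8.8.8.8"):
        print(f"{probe}: {'blocked' if is_blocked(nets, probe) else 'allowed'}")
    print(render_ipset_restore("cloudflare", nets), end="")
    print("\n".join(render_iptables_rules("cloudflare")))
```

The point of the two counters is the one ummeegge makes: three /24 prefixes already stand for 768 addresses, and a real list of a couple of thousand CIDRs reaches millions, while the set match costs the same per packet whether the set holds three prefixes or three thousand. IPv6 prefixes are counted and matched here but left out of the rendered restore file, because an IPv6 set needs `family inet6` and its own `ip6tables` rules.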




Hi Erik,
I want to ban cloudflare from my internet world, like cloudflare banned Tor browser.
IPFire is my firewall. Thanks to the script, I now have all possible IP address ranges of cloudflare entered in iptables.
That is already a step.
My PC (with which I am next to the smartphone most on the Internet) is configured so that everything that does not go through VPN tunnel to a provider is blocked, except internal network access.
This allows me to use the squid proxy on the ipfire to get past the VPN tunnel to the internet where cloudflare has also been banned because the iptables rules for the proxy also apply.
The Tor proxy on the ipfire is not affected by the rules, or you use directly the Tor network, which is 100% not provided by cloudflare servers. The same applies to the Tor node of the ipfire.

Now to my idea,
I use the multi-container principle of Firefox in combination with the container proxy addon to connect the containers with different proxies via SSL tunnels worldwide. But these SSL tunnels all connect to the proxies through the VPN connection, which means that the iptables rules to block cloudflare don’t work here.
I also use the uBlock addon, which can be combined with the different blocklists.
The addon is a kind of firewall for the browser, which works with lists that act like a DNS blocklist and depending on how you configure the addon you can create more rules for each page.
Now if I can find a way to create a hosts file in the format for uBlock from all the cloudflare IP ranges that can be created by IPfire, I would put that file into uBlock.
A NAS I would have on the network where I could update the file regularly and browsers could update.
On the smartphone I also use uBlock, so I would have already freed the browser from the plague.

Yes, that’s the first one, I need each IP individually and then the corresponding hostnames, if an IP is unused it doesn’t need to be in the list.
The last step would be to put a in front of each hostname and the uBlock list would be ready. This would be done automatically once a month as a script; it would be the perfect solution.

Writing down all IPs individually once takes 17 hours?
How long would it take to get the hostnames?

Ok, I have found a project with people who have the same in mind in the case of cloudflare… I do not know how, but they provide all hostnames of cloudflare in several files.

I will check if I can write a script myself to convert these files into uBlock format. I think that is no big magic, and I will find the commands and put them together.

A question about the script of @ummeegge, namely how I can detect a log entry from these rules, or are no entries made, and if not, how can I activate log entries?

Thanks a lot!

So, I have found a way.
There are a total of 37 files, with a number of included cloudflare domains from about 85K each to about 3.1M. My total number of blocked domains has swelled in uBlock from about 2Mio to almost 38Mio.
For adding them you should take your time; the download and insert in uBlock takes its time and is so CPU intensive that my Firefox was unusable during that time. Afterwards, however, everything runs smoothly again.
I did not have to download and edit any files; it was enough to paste the download link of each list that you find behind the link above into the uBlock import field. I would not recommend more than 10 links at once.
Ok, adding exceptions also requires so much CPU for some time that you had better do something else during it… and you should collect the exceptions to unlock everything from one page, for example; here the logger helps a lot.



IPSet logs its packets and bytes via the counters flag for the respective CIDRs under /etc/ipset/ipset.conf, which is in your case meanwhile useless, since you do not use IPSet for your use case.




Now I’m back to square one; it was unfortunately too good to be true. Unfortunately, not only was adding the cloudflare blocklist domains very CPU intensive, but also adding exceptions or just starting Firefox… it loads the 38 million domains every time and that takes way too long; Firefox swells up to 7GB of data and 100% CPU usage and becomes unusable within minutes.

I thought by the script the individual IPs are written out and blocked by iptables.
Then you should get a firewall log entry from it, or not?

The biggest problem is still how I block the domains on request, before the requests go through the SSL tunnels or VPN tunnels; something like: when a request goes to the DNS and the response is an IP from the blacklist, it is not contacted… is this not possible? And if so, please how? I am grateful for any advice.


If you remember, or read again in the history, it was your intention to get IPs out of the investigated CIDRs (from the script), which I was interested in because of the sheer amount of IPs coming out of all subnets, so the script from GitHub to ‘calculate’ the IPs from the CIDRs came up. As already mentioned, I use the CIDRs, not IPs, via IPSet sets to block potential companies with this script.

As also already mentioned in here, you have defeated your own censorship if you want to regulate something but give the regulator nothing to regulate…



Ok, I understand.

The rest of the network is protected from cloudflare, only the VPN/SSL tunnels are not. Can’t these DNS requests be forwarded to Ipfire instead of through the tunnel? The Ipfire makes the request over TLS, so fingerprinting is not possible.

It depends on what VPN configuration is in use. If your client gateway is redirected via the VPN server (is it OpenVPN?), I think it will be prioritized over ‘dhcp-option DNS’. Even though this article → describes the opposite of your purpose, it might give some hints.

It might also be interesting for others how you solve the protection on the rest of your network?




I use Ipsec at the moment but OpenVPN is also possible.

Yes, this way is possible; I can use other DNS servers, but not over TLS.
For the cloudflare iptables rules I must bypass the tunnel with DNS server = IPFire.
DNS leak is not the problem, because I never use the DNS of my ISP.
BUT is there any danger of leaking the real IP? Because the DNS query goes with TLS over DNS with the real IP if I set the IPFire DNS servers, or not?
So I can access the Internet from the client not only via the VPN, but also with the Squid proxy past the tunnel with the real IP. This outer VPN shell I can equip with another DNS, but not via TLS. For the SSL tunnels I must see how I can set a DNS server, because every tunnel has its own.

With the script and the iptables rules for the CIDRs from cloudflare, these rules are working for the blue network and the green network; only one or sometimes two clients use VPN or proxies.

Found another possibility: a DNS server
with DNS over TLS, and cloudflare is gone.