74 replies

Firewalld Cloudflare Proxy Whitelisting

But again, my suspicion it would be the order of priority that makes it all fall apart.

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

MIGHT be able to fix that, if you insist on the two drop rules.

Cloudflare Developers•3y ago•

74 replies

DarkDeviL

Firewalld Cloudflare Proxy Whitelisting

But again, my suspicion it would be the order of priority that makes it all fall apart.

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

MIGHT be able to fix that, if you insist on the two drop rules.

Firewalld Cloudflare Proxy Whitelisting

Firewalld Cloudflare Proxy Whitelisting

Similar Threads