Allow List Retrieval and Append Advanced Firewall Rules To List

Post Reply
Firewalls4Life
Junior Member
Posts: 73
Joined: 21 Nov 2011, 18:43

Allow List Retrieval and Append Advanced Firewall Rules To List

Post by Firewalls4Life »

I would love to be able to use an allow list to retrieve the CloudFlare IP addresses regularly at these URLs, then apply my own advanced allowed rules to these IP addresses.
https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

Similar to the feature of the Block Lists text file, where one can configure a URL to retrieve IP addresses from to be downloaded regularly and blocked in the firewall, is there currently a feature for an allow list? If so, is it possible to use advanced firewall rules on the allow list? ie Retrieve this list at this URL, then allow TCP traffic from those listed IPs at ports 80,443, and 2408?

I have looked through the documentation at https://download.configserver.com/csf/readme.txt but don't believe there is such a feature currently.
23. IP Block Lists
##################

This feature allows csf/lfd to periodically download lists of IP addresses and
CIDRs from pubished block or black lists. It is controlled by the file:
/etc/csf/csf.blocklists

Uncomment the line starting with the rule name to use it, then restart csf and
then lfd.

Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
NAME : List name with all uppercase alphabetic characters with no
spaces and a maximum of 25 characters - this will be used as the
iptables chain name
INTERVAL: Refresh interval to download the list, must be a minimum of 3600
seconds (an hour), but 86400 (a day) should be more than enough
MAX : This is the maximum number of IP addresses to use from the list,
a value of 0 means all IPs
URL : The URL to download the list from

Note: Some of thsese lists are very long (thousands of IP addresses) and
could cause serious network and/or performance issues, so setting a value for
the MAX field should be considered.

After making any changes to this file you must restart csf and then lfd.

If you want to redownload a blocklist you must first delete
/var/lib/csf/csf.block.NAME and then restart csf and then lfd.

Each URL is scanned for an IP/CIDR address per line and if found is blocked.

AND

10. Advanced Allow/Deny Filters
###############################
Post Reply