RPM package to allow HTTP/HTTPS only from Cloudflare IPs using firewalld ipset + rich rules
39ff/firewalld-cloudflare-http-rules
firewalld-cloudflare-http

An RPM package that uses a firewalld ipset plus rich rules to allow HTTP/HTTPS (ports 80/443) only from Cloudflare's published IP ranges.

Installation

# Build and install the RPM
make rpm
sudo dnf install ~/rpmbuild/RPMS/noarch/firewalld-cloudflare-http-*.rpm

How It Works

The following steps are performed automatically during installation:

  1. Fetches Cloudflare's public IP lists (IPv4 and IPv6)
  2. Creates firewalld ipsets (cloudflare-ipv4, cloudflare-ipv6) holding those prefixes
  3. Adds rich rules to the default zone that accept HTTP/HTTPS only when the source address is in one of those ipsets
  4. Sets up a weekly systemd timer that refreshes the IP lists automatically
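The steps above, as an added example rather than the package's own update script: it validates a downloaded Cloudflare prefix list and prints the firewall-cmd calls that build the ipset and rich rules. The zone name and the sample list are assumptions (the real lists are served at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).

```shell
#!/bin/sh
# Added example, not the project's own update script: validate a downloaded
# Cloudflare prefix list and print the firewall-cmd calls that build the
# ipset and rich rules described above. Nothing is executed, so the output
# can be reviewed first and then piped to sh on the host.

# Assumption: rules go into the "public" zone unless ZONE is set.
ZONE="${ZONE:-public}"

# Constructed sample standing in for the body of https://www.cloudflare.com/ips-v4
# (one CIDR per line). It deliberately contains junk and an IPv6 prefix to show
# that the filter drops anything that is not a prefix of the requested family.
SAMPLE_V4='173.245.48.0/20
103.21.244.0/22
not-an-address
2400:cb00::/32'

# Keep only syntactically valid prefixes of the given family so that a partial
# or tampered download cannot feed arbitrary strings into firewall-cmd.
filter_cidrs() {  # $1 = ipv4|ipv6, list on stdin
    case "$1" in
        ipv4) grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || true ;;
        ipv6) grep -E '^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' || true ;;
    esac
}

# Print the commands for one family. Refuses to act on an empty list, so a
# failed fetch leaves the existing ipset (and thus the allow rules) untouched
# instead of silently emptying it.
emit_cmds() {  # $1 = ipv4|ipv6, list on stdin
    fam="$1"; set_name="cloudflare-$fam"
    case "$fam" in ipv4) ipfam=inet ;; ipv6) ipfam=inet6 ;; *) return 1 ;; esac
    cidrs=$(filter_cidrs "$fam")
    if [ -z "$cidrs" ]; then
        echo "no valid $fam prefixes in input, leaving $set_name unchanged" >&2
        return 1
    fi
    # Creating the set fails if it already exists; that is harmless here.
    echo "firewall-cmd --permanent --new-ipset=$set_name --type=hash:net --option=family=$ipfam 2>/dev/null || true"
    printf '%s\n' "$cidrs" | while read -r cidr; do
        echo "firewall-cmd --permanent --ipset=$set_name --add-entry=$cidr"
    done
    for svc in http https; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family=\"$fam\" source ipset=\"$set_name\" service name=\"$svc\" accept'"
    done
    echo "firewall-cmd --reload"
}
```

A real updater should also remove entries that Cloudflare has dropped from its list (compare against `firewall-cmd --ipset=cloudflare-ipv4 --get-entries`); this example only adds.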

Post-Installation Verification

# Check ipsets
sudo firewall-cmd --get-ipsets
sudo firewall-cmd --info-ipset=cloudflare-ipv4
sudo firewall-cmd --info-ipset=cloudflare-ipv6

# Check rich rules
sudo firewall-cmd --list-rich-rules

# Check timer
systemctl status firewalld-cloudflare-http-update.timer

Disabling Existing HTTP/HTTPS Services

The rich rules only add an accept for Cloudflare sources; as long as the zone still enables the http/https services, connections from any source are accepted regardless. To actually deny HTTP/HTTPS from non-Cloudflare IPs, remove those services from the zone:

sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --permanent --remove-service=https
sudo firewall-cmd --reload

Manual Update

# Manually update the IP lists
sudo /usr/libexec/firewalld-cloudflare-http/update update

# Re-run setup (optionally specify a zone)
sudo /usr/libexec/firewalld-cloudflare-http/update setup [zone]

Uninstallation

sudo dnf remove firewalld-cloudflare-http

Rich rules and ipsets are automatically removed during uninstallation.

Build Requirements

  • rpmbuild (rpm-build package)
  • make

sudo dnf install rpm-build make
make rpm

License

Apache License 2.0
