CloudFlare IP range


If you are using CloudFlare and have CSF (ConfigServer Firewall) installed on a VPS, I would suggest to add the following IP range to the CSF whitelist:

WHM > Plugins > ConfigServer Security & Firewall > Firewall Allow IP

# start of cloudflare ip range - added June 9th 2013 #
# end of cloudflare ip range #

Hi Jean,

This is a great recommendation as if CSF blocks their IPs (which would be very possible with the kind of traffic you would see with CloudFlare) then the service would not work at all for you.

If I recall correctly I even had to add cPanel's update servers to the allow list at one point as everytime I would run an update it would block them lol
Yeah my list of CSF Allowed IP is pretty large with all the addons and auto-update we have. It can range from CloudFlare, Softaculous, PingDom, HyperSpin, eNom or whmcs licence server!

Keeping those firewall tight can be a full time job!

Ohh, I forgot KnownHost NOC IP's !!
I can't remember where I found this, but here is a script I run in cron to make sure the Pingdom probes are not blocked. I am sure this could be easily modified for Cloudflare or other services that publish their IPs publicly.

# Update the pingdom firewall rules based on their feed
# rotate pingdom ip list (keep 8 days)
LIST=$(ls -r /root/pingdom_ips*);
for i in $LIST; do
    # get index of file
    INDEX=$(ls $i | cut -d"." -f 2)
    # if there's no index, rename to pingdom_ips.0
    if [ $INDEX = "/root/pingdom_ips" ]; then
        mv $i $NEW
    # remove files with index > 6 (keep 8 files)
    elif [ $INDEX -gt 6 ]; then
        rm $i
    # increment index for all other files
        BASE=$(ls $i | cut -d"." -f 1)
        mv $i $NEW
# get pingdom ips from their rss feed
wget -O /root/probe_servers.xml -o /dev/null
cat /root/probe_servers.xml | grep IP | sed -e 's/.*IP: //g' | sed -e 's/; Host.*//g' | grep -v IP > /root/pingdom_ips
# if old lists do not exist, just allow all ips
if [ ! -f /root/pingdom_ips.0 ]; then
    cat /root/pingdom_ips | xargs -n 1 csf -a
    # if there any differences between previous and current list, replace ips in allow list
    if ! diff -q /root/pingdom_ips /root/pingdom_ips.0 > /dev/null; then
        cat /root/pingdom_ips.0 | xargs -n 1 csf -ar
        cat /root/pingdom_ips | xargs -n 1 csf -a