VPS Firewall & Cloudflare


New Member
I just got set up with a new VPS a few days ago. My previous experience has only been on a shared hosting account, so many things on the VPS are new to me.

About 2 or 3 times a day I get an email from the system that a certain IP address has been temporarily blocked due to too many connections. Is this going to cause issues with Google crawling my site?

I used Cloudflare previously with my shared hosting and I was planning to use it again with my VPS. I'm thinking the temporary blocking that my firewall is doing will cause issues with Cloudflare since all of the traffic will appear to come from their servers. How do I set up the firewall to not block Cloudflare?

I'm using cPanel/WHM with my account if that helps.

You are absolutely correct that having all traffic come from Cloudflare can cause issues. To avoid this issue, we simply need to whitelist Cloudflare's IP ranges in the CSF firewall.

To do this, login to WHM, scroll to the bottom of the left column and select the "Configserver Firewall" plugin. From there, you want to enter the ranges into the "whitelist IP" box.

Alternatively, you can do this from the command line using "csf -a" where is one of their IP ranges.

Thanks for the quick reply. This should give me what I need to set up the whitelist.

I noticed that iptables is running on my container. I'm not familiar with CSF. Is it a front end to iptables or is it a completely separate firewall for my VPS?
The command you posted:
csf -a
adds an IP range the /etc/csf/csf.allow file. I noticed in that file the following:
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

Should I be adding the CloudFlare IP ranges to the csf.ignore file as well/instead?

Hi Linerd,

Yes you should be adding Cloudflare's IP numbers instead of the example given.
Hi Dan,

Thanks for the reply. What I meant in my question was, should the CloudFlare IP ranges be only in csf.allow, only in csf.ignore, or should they be in both files?

Right now I have them only in csf.ignore and everything appears to be working correctly. My traffic seems to be a little bit down, but I'm hoping that's due to the Holidays.
I'm sorry Linerd I read through your email pretty quickly and missed the actual gist of your question!

No you should only put it into the csf.allow file. The csf.ignore file is for IP numbers that you want CSF to completely ignore such as your own IP number and the IP numbers of, say, KH support.
I know this post is 2 years old, but it's still coming up as an answer, according to Cloudflare they say they should be whitelisted both in allow and ignore, so now I don't know what is correct.....anyone?