VPS Firewall & Cloudflare

Discussion in 'Linux VPS/Dedicated - cPanel' started by Linerd, Dec 24, 2012.

  1. Linerd

    Linerd New Member

    I just got set up with a new VPS a few days ago. My previous experience has only been on a shared hosting account, so many things on the VPS are new to me.

    About 2 or 3 times a day I get an email from the system that a certain IP address has been temporarily blocked due to too many connections. Is this going to cause issues with Google crawling my site?

    I used Cloudflare previously with my shared hosting and I was planning to use it again with my VPS. I'm thinking the temporary blocking that my firewall is doing will cause issues with Cloudflare since all of the traffic will appear to come from their servers. How do I set up the firewall to not block Cloudflare?

    I'm using cPanel/WHM with my account if that helps.
  2. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member


    You are absolutely correct that having all traffic come from Cloudflare can cause issues. To avoid this issue, we simply need to whitelist Cloudflare's IP ranges in the CSF firewall.

    To do this, login to WHM, scroll to the bottom of the left column and select the "Configserver Firewall" plugin. From there, you want to enter the ranges into the "whitelist IP" box.

    Alternatively, you can do this from the command line using "csf -a" where is one of their IP ranges.
  3. Linerd

    Linerd New Member


    Thanks for the quick reply. This should give me what I need to set up the whitelist.

    I noticed that iptables is running on my container. I'm not familiar with CSF. Is it a front end to iptables or is it a completely separate firewall for my VPS?
  4. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Any time!

    CSF is simply a way to interface with iptables.
  5. Linerd

    Linerd New Member

    The command you posted:
    adds an IP range the /etc/csf/csf.allow file. I noticed in that file the following:
    Should I be adding the CloudFlare IP ranges to the csf.ignore file as well/instead?

  6. Dan

    Dan Moderator

    Hi Linerd,

    Yes you should be adding Cloudflare's IP numbers instead of the example given.
  7. Linerd

    Linerd New Member

    Hi Dan,

    Thanks for the reply. What I meant in my question was, should the CloudFlare IP ranges be only in csf.allow, only in csf.ignore, or should they be in both files?

    Right now I have them only in csf.ignore and everything appears to be working correctly. My traffic seems to be a little bit down, but I'm hoping that's due to the Holidays.
  8. Dan

    Dan Moderator

    I'm sorry Linerd I read through your email pretty quickly and missed the actual gist of your question!

    No you should only put it into the csf.allow file. The csf.ignore file is for IP numbers that you want CSF to completely ignore such as your own IP number and the IP numbers of, say, KH support.
  9. digitalsmokes

    digitalsmokes New Member

    I know this post is 2 years old, but it's still coming up as an answer, according to Cloudflare they say they should be whitelisted both in allow and ignore, so now I don't know what is correct.....anyone?

Share This Page