I do it differently. I create a zone called cloudflare. To this zone I add the services http and https. I then use curl to get the IPv4 and IPv6 listing from Cloudflare and parse the results to then use these with the firewall-cmd --add-source command for the cloudflare zone.
Obviously then remove http and https from public zone to force everything via cloudflare with no direct connections coming to your VPS. My script that does this:
#!/bin/bash
#
# Script to get Cloudflare IPs and add them to a firewalld zone
set -euo pipefail
# Variables
ZONE_NAME=cloudflare
CF_IPLIST=$(curl -sf "https://api.cloudflare.com/client/v4/ips")
# jq -r prints the strings without JSON quotes, so no sed is needed;
# the filter is quoted so bash does not treat the [] as a glob
IPV4=$(echo "${CF_IPLIST}" | jq -r '.result.ipv4_cidrs[]')
IPV6=$(echo "${CF_IPLIST}" | jq -r '.result.ipv6_cidrs[]')
# Do not touch the zone if the download came back empty, otherwise the
# zone would be emptied and all Cloudflare traffic dropped
if [ -z "${IPV4}" ] && [ -z "${IPV6}" ]; then
  echo "No Cloudflare ranges received, leaving zone ${ZONE_NAME} unchanged" >&2
  exit 1
fi
# Update firewalld to allow inbound http/https
#
# Clear all source IPs from the CLOUDFLARE zone (listed from the permanent
# config, since that is the config the removals below act on)
for IP in $(firewall-cmd --permanent --zone="${ZONE_NAME}" --list-sources)
do
  firewall-cmd --zone="${ZONE_NAME}" --remove-source="${IP}" --permanent > /dev/null
done
# Create IPV4 rules
for IP in ${IPV4}
do
  firewall-cmd --zone="${ZONE_NAME}" --add-source="${IP}" --permanent > /dev/null
done
# Create IPV6 rules
for IP in ${IPV6}
do
  firewall-cmd --zone="${ZONE_NAME}" --add-source="${IP}" --permanent > /dev/null
done
# Reload firewall config
firewall-cmd --reload
Obviously before running the script you need to ensure the cloudflare zone has been created. I could theoretically have coded the script to deal with that and create it automatically if it didn’t exist.
The script will remove all existing source IPs from the cloudflare zone before adding the new ones. I run it via cron once per week so as to not get blocked pulling the IP list from cloudflare.
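The same approach in Python, as an added example that is not the poster's script and not Cloudflare or firewalld code. It validates every CIDR with the standard library before it reaches the privileged firewall-cmd command, creates the zone if it is missing (the step the poster left out), and only removes or adds the sources that actually changed instead of flushing the zone each run. The JSON body is a constructed sample in the shape of the Cloudflare ips endpoint (documentation address ranges, not real Cloudflare ranges); the firewall-cmd flags are the ones used in the script above plus --new-zone, --get-zones and --add-service.

```python
"""Sync a firewalld zone with the Cloudflare IP ranges (added example)."""
import ipaddress
import json
import subprocess
import urllib.request
from typing import Callable, Iterable, List

ZONE = "cloudflare"
CF_IPS_URL = "https://api.cloudflare.com/client/v4/ips"

# Constructed sample body in the shape returned by the Cloudflare ips endpoint.
# The ranges are RFC 5737 / RFC 3849 documentation prefixes, not Cloudflare's.
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "ipv4_cidrs": ["203.0.113.0/24", "198.51.100.0/24"],
        "ipv6_cidrs": ["2001:db8::/32"],
    },
    "success": True,
})


def parse_cidrs(body: str) -> List[str]:
    """Return the v4 and v6 prefixes from an ips response, rejecting anything
    that is not a well-formed network. A malformed or tampered entry raises
    ValueError instead of being handed to firewall-cmd."""
    data = json.loads(body)
    if not data.get("success"):
        raise ValueError("Cloudflare API reported failure")
    result = data["result"]
    raw = list(result.get("ipv4_cidrs", [])) + list(result.get("ipv6_cidrs", []))
    cidrs = []
    for item in raw:
        # strict=True also rejects prefixes with host bits set (e.g. 10.1.2.3/8)
        net = ipaddress.ip_network(item, strict=True)
        cidrs.append(net.with_prefixlen)
    if not cidrs:
        raise ValueError("no prefixes in response, refusing to empty the zone")
    return cidrs


def plan_changes(current: Iterable[str], desired: Iterable[str],
                 zone: str = ZONE) -> List[List[str]]:
    """Compute the firewall-cmd invocations (as argv lists, no shell) that turn
    the zone's current permanent sources into the desired set."""
    current_set, desired_set = set(current), set(desired)
    cmds = []
    for ip in sorted(current_set - desired_set):
        cmds.append(["firewall-cmd", "--permanent", f"--zone={zone}", f"--remove-source={ip}"])
    for ip in sorted(desired_set - current_set):
        cmds.append(["firewall-cmd", "--permanent", f"--zone={zone}", f"--add-source={ip}"])
    if cmds:
        cmds.append(["firewall-cmd", "--reload"])
    return cmds


def run_cmd(argv: List[str]) -> str:
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def ensure_zone(zone: str, run: Callable[[List[str]], str] = run_cmd) -> None:
    """Create the zone with http/https if it does not exist yet."""
    if zone not in run(["firewall-cmd", "--permanent", "--get-zones"]).split():
        run(["firewall-cmd", "--permanent", f"--new-zone={zone}"])
        for svc in ("http", "https"):
            run(["firewall-cmd", "--permanent", f"--zone={zone}", f"--add-service={svc}"])


def sync_zone(body: str, zone: str = ZONE,
              run: Callable[[List[str]], str] = run_cmd) -> List[List[str]]:
    """Apply the diff and return what was executed (useful for logging/dry runs)."""
    ensure_zone(zone, run)
    current = run(["firewall-cmd", "--permanent", f"--zone={zone}", "--list-sources"]).split()
    cmds = plan_changes(current, parse_cidrs(body), zone)
    for argv in cmds:
        run(argv)
    return cmds


if __name__ == "__main__":
    with urllib.request.urlopen(CF_IPS_URL, timeout=15) as resp:
        for argv in sync_zone(resp.read().decode()):
            print(" ".join(argv))
```

Passing argv lists to subprocess (rather than interpolating into a shell string) and validating the prefixes first means a bad API response cannot turn into an unexpected firewall change; the empty-response check stops the zone from being wiped when the download fails, which with a weekly cron job would otherwise silently drop all Cloudflare traffic until the next run. Because `run` is a parameter, the whole flow can be exercised against a fake runner before it is pointed at a live host.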
I’m still on Rocky 8 but will be filing this away for future reference. I’ve been using this resource with some scripts to massage the download into ipset XML files, but it sounds like I should be invoking firewall-cmd to manage the sets.
Quite possible. Rocky does not support in-place upgrades. (Neither did CentOS.)
IMHO, if you can do a fresh, clean (re)install, then life is more secure; there are no in-place options if, for example, a server burns to a crisp – a clean reinstall will be required.
Both el8 and el9 do have two mutually exclusive services: firewalld.service and nftables.service. (Well, iptables.service too, but it is clearly deprecated.)
Both services can create the sets.
If you have a rather static environment (as production servers usually are) and you know how to write a proper ruleset, then nftables.service is a great choice.
If you don’t master filtering or there is a need for dynamics, then FirewallD is more convenient.