logo

blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git
commit: 1a3412b7ae11f9bf0544952e100ed1fc08a1c3f3
parent 93d196f0341f1d1370250bd9a6b44fcb365404a7
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Tue,  2 Jun 2020 20:00:00 +0000

articles/blocking cloudflare be like: New

Diffstat:

Aarticles/blocking cloudflare IP-range be like.shtml15+++++++++++++++
Aarticles/blocking cloudflare IP-range be like.xhtml106+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mfeed.atom11+++++++++++
Mhome.shtml1+
4 files changed, 133 insertions(+), 0 deletions(-)

diff --git a/articles/blocking cloudflare IP-range be like.shtml b/articles/blocking cloudflare IP-range be like.shtml @@ -0,0 +1,15 @@ +<!DOCTYPE html> +<html lang="en"> + <head> +<!--#include file="/templates/head.shtml" --> + <meta property="og:type" content="article"/> + <meta property="og:title" content="blocking cloudflare IP-range be like"/> + <title>blocking cloudflare IP-range be like — Cyber-home of lanodan</title> + </head> + <body> +<!--#include file="/templates/en/nav.shtml" --> +<!--#include file="/articles/blocking cloudflare IP-range be like.xhtml"--> + <a href="/articles/blocking%20cloudflare%20IP-range%20be%20like.xhtml">article only(plain XHTML)</a> +<!--#include file="/templates/en/footer.html" --> + </body> +</html> diff --git a/articles/blocking cloudflare IP-range be like.xhtml b/articles/blocking cloudflare IP-range be like.xhtml @@ -0,0 +1,106 @@ +<article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry"> +<a href="/articles/blocking%20cloudflare%20IP-range%20be%20like"><h1>blocking cloudflare IP-range be like</h1></a> +<p>So, like an absolute madperson I tried blocking cloudflare IP-ranges on my laptop, cloudflare nicely provide the list their website (otherwise there is stuff like peeringDB and ISPs looking glasses). Also my laptop has it's own DNS resolver (with unbound) with no forwarding so I ended up getting a bunch of unreachale hosts just because they where using a cloudflare-bound nameserver.</p> +<h2>Configuration</h2> +<details> +<summary>configuration file for nftables</summary> +<pre><code> +#!/sbin/nft -f + +flush ruleset + +table inet filter { + # https://www.cloudflare.com/ips-v4 + set cloudflare_ipv4 { + type ipv4_addr + flags interval + elements = { + 173.245.48.0/20, + 103.21.244.0/22, + 103.22.200.0/22, + 103.31.4.0/22, + 141.101.64.0/18, + 108.162.192.0/18, + 190.93.240.0/20, + 188.114.96.0/20, + 197.234.240.0/22, + 198.41.128.0/17, + 162.158.0.0/15, + 104.16.0.0/12, + 172.64.0.0/13, + 131.0.72.0/22 + } + } + + # https://www.cloudflare.com/ips-v6 + set cloudflare_ipv6 { + type ipv6_addr + flags interval + elements = { + 2400:cb00::/32, + 2606:4700::/32, + 2803:f800::/32, + 2405:b500::/32, + 2405:8100::/32, + 2a06:98c0::/29, + 2c0f:f248::/32 + } + } + + chain output { + type filter hook output priority 0 + policy accept + + #ct state invalid drop + + ip daddr @cloudflare_ipv4 counter reject + ip6 daddr @cloudflare_ipv6 counter reject + } + + chain input { + type filter hook output priority 0 + policy accept + + #ct state invalid drop + + ip saddr @cloudflare_ipv4 counter reject + ip6 saddr @cloudflare_ipv6 counter reject + } +} +</code></pre> +</details> +<h2>Unreachable services</h2> +<ul> + <li>Cloudflare MITM (border-patrol reverse proxy) service and anything behind it</li> + <li>Cloudflare Nameserver service (DNS for your own domains)</li> + <li>Cloudflare DNS-over-TCP/HTTPS service (centralising all your DNS to one point)</li> + <li>DigitalOcean and Linode nameservers goes to Cloudflare IPs, probably cloudflare own nameservers</li> +</ul> +<h2>Unreachable hosts</h2> +<p>Here is some notable ones, reduced to the NS zone when applicable:</p> +<ul> + <li>A bunch of the fediverse (feels similar as to when IPv4 goes occasionally down for me)</li> + <li>joinmastodon.org</li> + <li>Some blogs, few from people which I though to be a bit privacy-conscious. For example angristan.fr and PatternsInTheVoid.net</li> + <li>www.DeepL.com</li> + <li>LineageOS.org, openwrt.org, mxlinux.org, elementary.io, parrotlinux.org, alpinelinux.org</li> + <li>adafruit.com</li> + <li>SSLLabs.com</li> + <li>cryptocoding.net</li> + <li>lojban.org</li> + <li>explainxkcd.com (XKCD is fine btw)</li> + <li>questionablecontent.net</li> + <li>pirate-punk.net, ektoplazm.com, jamendo.com</li> + <li>nhentai.net</li> + <li>pixiv.net</li> + <li>gitlab.com</li> + <li>matrix.org, vector.im, riot.im</li> + <li>www.mozilla.org</li> + <li>readthedocs.io</li> + <li>lkml.org</li> +</ul> +<p>Note: most of the time the <code>www.domain.tld</code> host is a <code>CNAME</code> to <code>www.domain.tld.cdn.cloudflare.net</code>. Which at least means that the rest of the domain should be reachable.</p> +<p>I applied this filterting on the 2020-05-17 and ended up reverting it few days later because I needed access to most of these sites and I couldn't use Tor for the few of them because cloudflare is basically anti-tor by design and opinion.</p> +<p>This means that quite a lot of websites can be censored, same goes for domains. And cloudflare litterally declares that they are basically an extension of the cops as they are taking actions based on their own morality compass (juridiction) and actively working with the states.</p> +<p><a href="">Fediverse post for comments</a>, published on 2020-06-02T20:00:00Z, last updated on 2020-06-02T20:00:00Z</p> +</article> diff --git a/feed.atom b/feed.atom @@ -11,6 +11,17 @@ <!-- new.sh: new articles here --> <entry> + <title>blocking cloudflare IP-range be like</title> + <link rel="alternate" type="text/html" href="/articles/blocking%20cloudflare%20IP-range%20be%20like"/> + <id>https://hacktivis.me/articles/blocking%20cloudflare%20IP-range%20be%20like</id> + <published>2020-06-02T20:00:00Z</published> + <updated>2020-06-02T20:00:00Z</updated> + <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> +<!--#include file="/articles/blocking cloudflare IP-range be like.xhtml"--> + </div></content> + </entry> + + <entry> <title>2020-04 Summary</title> <link rel="alternate" type="text/html" href="/articles/2020-04%20Summary"/> <id>https://hacktivis.me/articles/2020-04%20Summary</id> diff --git a/home.shtml b/home.shtml @@ -7,6 +7,7 @@ <body> <!--#set var="transPageUrl" value='accueil' --><!--#set var="feedURL" value='/feed.atom'--><!--#include file="templates/en/nav.shtml" --> +<!--#include file="/articles/blocking cloudflare IP-range be like.xhtml"--> <!--#include file="/articles/2020-04 Summary.xhtml"--> <!--#include file="/articles/BadWolf, one year later.xhtml"--> <!--#include file="/articles/2020-03 Summary.xhtml"-->