
blocking cloudflare IP-range be like

So, like an absolute madperson I tried blocking cloudflare IP-ranges on my laptop, cloudflare nicely provide the list on their website (otherwise there is stuff like peeringDB and ISPs' looking glasses). Also my laptop has its own DNS resolver (with unbound) with no forwarding so I ended up getting a bunch of unreachable hosts just because they were using a cloudflare-bound nameserver.

Configuration

configuration file for nftables

#!/sbin/nft -f

flush ruleset

table inet filter {
        # https://www.cloudflare.com/ips-v4
        set cloudflare_ipv4 {
                type ipv4_addr
                flags interval
                elements = {
                        173.245.48.0/20,
                        103.21.244.0/22,
                        103.22.200.0/22,
                        103.31.4.0/22,
                        141.101.64.0/18,
                        108.162.192.0/18,
                        190.93.240.0/20,
                        188.114.96.0/20,
                        197.234.240.0/22,
                        198.41.128.0/17,
                        162.158.0.0/15,
                        104.16.0.0/12,
                        172.64.0.0/13,
                        131.0.72.0/22
                }
        }

        # https://www.cloudflare.com/ips-v6
        set cloudflare_ipv6 {
                type ipv6_addr
                flags interval
                elements = {
                        2400:cb00::/32,
                        2606:4700::/32,
                        2803:f800::/32,
                        2405:b500::/32,
                        2405:8100::/32,
                        2a06:98c0::/29,
                        2c0f:f248::/32
                }
        }

        # Outbound: reject anything destined for a Cloudflare prefix
        chain output {
                type filter hook output priority 0
                policy accept

                #ct state invalid drop

                ip daddr @cloudflare_ipv4 counter reject
                ip6 daddr @cloudflare_ipv6 counter reject
        }

        # Inbound: reject anything sourced from a Cloudflare prefix
        # (must sit on the input hook; a saddr match on the output
        # hook would never fire because outgoing packets carry the
        # laptop's own address as source)
        chain input {
                type filter hook input priority 0
                policy accept

                #ct state invalid drop

                ip saddr @cloudflare_ipv4 counter reject
                ip6 saddr @cloudflare_ipv6 counter reject
        }
}

Unreachable services

Unreachable hosts

Here are some notable ones, reduced to the NS zone when applicable:

Note: most of the time the www.domain.tld host is a CNAME to www.domain.tld.cdn.cloudflare.net, which at least means that the rest of the domain should be reachable.
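To see which case a zone falls into before applying the rules, here is an added example (not part of the original post) that reuses the prefix sets from the nftables file above and classifies zones from DNS records supplied inline as constructed sample data (no real lookups, documentation ranges for the non-cloudflare hosts): a zone whose authoritative nameservers all sit in the rejected prefixes becomes unresolvable for a forwarder-less resolver such as the unbound setup described, while a zone whose www host merely CNAMEs into cdn.cloudflare.net only loses its web front end.

```python
import ipaddress

# Same prefixes as the nftables sets (https://www.cloudflare.com/ips-v4, /ips-v6).
CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare(addr: str) -> bool:
    """True if addr (IPv4 or IPv6) lies inside one of the rejected prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_PREFIXES)


def classify_zone(ns_addrs: dict, web_addrs: list) -> str:
    """ns_addrs: authoritative nameserver -> its addresses; web_addrs: what the
    www host finally resolves to (after any CNAME into cdn.cloudflare.net).
    A forwarder-less resolver must reach an authoritative NS itself, so when
    every NS address is rejected the whole zone is 'unresolvable'; if only the
    www addresses are rejected, just the web front end is 'web-blocked'."""
    all_ns = [a for addrs in ns_addrs.values() for a in addrs]
    if all_ns and all(is_cloudflare(a) for a in all_ns):
        return "unresolvable"
    if web_addrs and all(is_cloudflare(a) for a in web_addrs):
        return "web-blocked"
    return "reachable"


# Constructed sample records; non-Cloudflare hosts use documentation ranges.
SAMPLE_ZONES = {
    # Every nameserver on Cloudflare: nothing under this zone resolves at all.
    "ns-on-cf.example": ({"a.ns": ["173.245.59.1", "2400:cb00::1"],
                          "b.ns": ["108.162.193.1"]}, ["203.0.113.10"]),
    # Own nameservers, www CNAMEd into cdn.cloudflare.net: only www is lost.
    "www-on-cf.example": ({"ns1": ["192.0.2.53"]}, ["104.16.1.1", "2606:4700::1"]),
    # One nameserver outside Cloudflare keeps the zone resolvable.
    "mixed-ns.example": ({"a.ns": ["172.64.0.7"], "b.ns": ["198.51.100.53"]},
                         ["198.51.100.80"]),
}


def report(zones=SAMPLE_ZONES) -> dict:
    """Zone name -> 'unresolvable', 'web-blocked' or 'reachable'."""
    return {zone: classify_zone(ns, web) for zone, (ns, web) in zones.items()}
```

Feeding it the real NS and www records of the sites you rely on (e.g. from dig output) tells you up front which ones the ruleset will cut off entirely rather than just at the web layer.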

I applied this filtering on the 2020-05-17 and ended up reverting it a few days later because I needed access to most of these sites and I couldn't use Tor for the few of them because cloudflare is basically anti-tor by design and opinion.

This means that quite a lot of websites can be censored, same goes for domains. And cloudflare literally declares that they are basically an extension of the cops as they are taking actions based on their own morality compass (jurisdiction) and actively working with the states.

Fediverse post for comments, published on 2020-06-02T20:00:00Z, last updated on 2020-06-02T20:13:00Z
