catchdave

# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh

mrgarymartin

#!/usr/bin/env bash
#https://techstat.net/automatic-whitelist-cloudflare-ips-firewalld-bash-script-via-cron-job/

SERVER_IP=xxx.xxx.xxx.xxx

for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done
for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=443 protocol=tcp accept'; done

for i in $(curl "https://www.cloudflare.com/ips-v6"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'$i'" port port=80 protocol=tcp accept'; done
for i in $(curl "https://www.cloudflare.com/ips-v6"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'$i'" port port=443 protocol=tcp accept'; done

AndrewJDR

#!/bin/bash
# Based on a template iptables config file, create a new
# iptables file that includes whitelist rules for CloudFlare's
# servers to connect to our HTTP and HTTPS ports. This is useful
# if you want to really lock down your web server so that it only
# communicates with cloudflare's servers, not with the general public.
# It works like this:
# * Get an up-to-date list of CloudFlare's server IPs
# * Read in config template from /etc/sysconfig/iptables.template
# * Output an iptables configuration file /etc/sysconfig/iptables