The following steps were done and tested on OPNsense version 23.7.8_1.
Go to Firewall > Aliases and add an alias with these settings:
Enabled: checked
Name: CloudFlare_IPs
Type: External (advanced)
Description: https://www.cloudflare.com/en-gb/ips/
There are several ways to get the script onto the firewall; the easiest is to log in over SSH.
I usually keep my custom scripts in /usr/local/custom-scripts. Pick a directory for yours, run vi cloudflare-ips-alias.sh and paste the following:
#!/bin/sh
usage() {
    cat << EOF
Usage: ./cloudflare-ips-alias.sh [-h] [-v] -a MyAlias
Fetch the CloudFlare IPv4 ranges and load them into the given OPNsense alias.
Note: the alias must be of type "External (advanced)".
Available options:
-h, --help     Print this help and exit
-v, --verbose  Print script debug info
-a, --alias    The OPNsense alias to add the IPs to
EOF
    exit
}
msg() {
    echo >&2 "${1-}"
}
die() {
    message=$1
    code=${2-1} # default exit status 1
    msg "$message"
    exit "$code"
}
parse_params() {
    # default values of variables set from params
    alias=''
    while :; do
        case "${1-}" in
            -h | --help) usage ;;
            -v | --verbose) set -x ;;
            -a | --alias)
                alias="${2-}"
                shift
                ;;
            -?*) die "Unknown option: $1" ;;
            *) break ;;
        esac
        shift
    done
    # check required params and arguments
    [ -z "${alias-}" ] && die "Missing required parameter: alias"
    return 0
}
cloudflare_ips() {
    # The /ips endpoint is public; no Authorization header is needed.
    curl -s \
        --request GET \
        --url https://api.cloudflare.com/client/v4/ips \
        --header 'Content-Type: application/json' | \
        python3 -c "import sys, json; print(' '.join(json.load(sys.stdin)['result']['ipv4_cidrs']))"
}
parse_params "$@"
ips=$(cloudflare_ips)
# Stop before touching the table if the fetch failed, so the alias keeps its current contents.
[ -z "${ips-}" ] && die "Unable to fetch CloudFlare IPs"
pfctl -t "$alias" -T flush # Clean alias (-t names the table, -T selects the table command)
for ip in $ips
do
    pfctl -t "$alias" -T add "$ip" # Add IPs
done
Then make the script executable:
chmod 700 cloudflare-ips-alias.sh
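The script above hands whatever the API returns straight to pfctl. As an added example (my code, not part of the original post), the following sh snippet shows two hardening steps a practitioner would want: every entry is checked to be a well-formed IPv4 CIDR before it reaches pfctl, and the table is loaded with a single `pfctl -T replace` instead of flush followed by add, so a rule that references the alias never evaluates against an empty table while the update runs. The function names, the constructed sample input and the `fetch_published_ipv4` helper (which needs network access and python3, as the original script does) are my assumptions, not part of the post.

```sh
#!/bin/sh
# Added example, not from the original post: validate Cloudflare's list
# before loading it, and replace the table contents atomically.

# Accept only "a.b.c.d/n" with four octets in 0-255 and a prefix length
# in 0-32. Anything else (garbage, IPv6, shell metacharacters) is rejected.
is_ipv4_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|*..*|.*|*.|/*|*/) return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" = "$1" ] && return 1              # no "/" at all
    [ "$plen" -le 32 ] 2>/dev/null || return 1  # prefix length out of range
    n=0
    oldifs=$IFS
    IFS=.
    for o in $addr; do
        n=$((n + 1))
        [ "$o" -le 255 ] 2>/dev/null || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]                              # exactly four octets
}

# Read candidate entries from stdin, one per line, and pass through only the valid ones.
filter_ipv4_cidrs() {
    while IFS= read -r c; do
        if is_ipv4_cidr "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# Fetch the published IPv4 ranges, one per line. --fail turns an HTTP error
# into a non-zero exit (so no HTML error page reaches the parser) and
# --max-time keeps a cron run from hanging. Needs network access and python3.
fetch_published_ipv4() {
    curl --silent --fail --max-time 30 https://api.cloudflare.com/client/v4/ips |
        python3 -c 'import sys, json
for c in json.load(sys.stdin)["result"]["ipv4_cidrs"]:
    print(c)'
}

# Load the validated list into the alias in one call. pfctl's "replace"
# swaps the table contents atomically, unlike flush followed by add.
# Refuses to touch the table when nothing valid came in, so a failed
# fetch leaves the previous addresses in place.
load_alias_table() {
    alias_name=$1
    ips=$(filter_ipv4_cidrs)
    if [ -z "$ips" ]; then
        echo "no valid CIDRs received, leaving $alias_name unchanged" >&2
        return 1
    fi
    # word splitting of $ips is intended: one address per argument
    pfctl -t "$alias_name" -T replace $ips
}

# Demonstration on constructed input (no network, no pfctl): only the two
# well-formed entries survive the filter.
printf '%s\n' 173.245.48.0/20 'not-an-ip' 999.1.1.1/8 1.2.3.4/33 103.21.244.0/22 |
    filter_ipv4_cidrs
# On the firewall the real run would be:
#   fetch_published_ipv4 | load_alias_table CloudFlare_IPs
```

Because the validation is a whitelist of exactly one shape, anything unexpected in the API response (a format change, an error document, an IPv6 range) is dropped before it can become a pfctl argument, and an empty result leaves the previous table in place rather than opening or closing the rule that uses it.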
Under /usr/local/opnsense/service/conf/actions.d/ create a new file named actions_cloudflare-ips-alias.conf. The name of this file needs to start with actions_; the rest is up to you.
Paste the following content:
[reload]
command:/usr/local/bin/flock -n -E 0 /tmp/cloudflare-ips-alias.lock /usr/local/custom-scripts/cloudflare-ips-alias.sh -a CloudFlare_IPs
type:script
message:reloading cloudflare IPs
description:Reload CloudFlare IPs alias
Restart configd so it picks up the new action, then run the action once by hand:
$> service configd restart
...
$> configctl cloudflare-ips-alias reload
If you go to Firewall > Diagnostics > Aliases > CloudFlare_IPs you should see the same IPs that https://www.cloudflare.com/en-gb/ips/ lists.
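Eyeballing the diagnostics page works once; for a list that is refreshed by cron every night, a check that reports drift is more useful. The sh snippet below is an added example (my code, not from the original post): it compares a published list against what the table currently holds and names every missing or stale range. Both inputs are constructed samples so it runs anywhere; on the firewall the table side would come from `pfctl -t CloudFlare_IPs -T show` and the published side from the same API call the script uses.

```sh
#!/bin/sh
# Added example, not from the original post: report drift between the alias
# table on the firewall and the list Cloudflare publishes.
#
# On OPNsense the two inputs would be
#   pfctl -t CloudFlare_IPs -T show                 -> current table contents
#   https://api.cloudflare.com/client/v4/ips        -> published list
# Both are constructed samples here so the check runs without either.

# Constructed: what "pfctl -t CloudFlare_IPs -T show" prints, one indented
# address per line. 198.51.100.0/24 is a stale entry planted for the demo.
SAMPLE_TABLE='   173.245.48.0/20
   103.21.244.0/22
   198.51.100.0/24'

# Constructed published list; 141.101.64.0/18 is missing from the table above.
SAMPLE_PUBLISHED='173.245.48.0/20
103.21.244.0/22
141.101.64.0/18'

# Strip whitespace, drop blank lines, sort uniquely.
normalize() {
    tr -d ' \t' | sed '/^$/d' | sort -u
}

# Print "missing <cidr>" for published ranges absent from the table and
# "stale <cidr>" for table entries that are no longer published.
# Returns 0 when the two lists match, 1 otherwise.
table_drift() {
    published=$(printf '%s\n' "$1" | normalize)
    table=$(printf '%s\n' "$2" | normalize)
    drift=0
    for p in $published; do
        if ! printf '%s\n' "$table" | grep -qxF "$p"; then
            echo "missing $p"
            drift=1
        fi
    done
    for t in $table; do
        if ! printf '%s\n' "$published" | grep -qxF "$t"; then
            echo "stale $t"
            drift=1
        fi
    done
    return $drift
}

# Demonstration on the constructed samples: prints one "missing" and one
# "stale" line and returns 1, which is what a monitoring job would alert on.
table_drift "$SAMPLE_PUBLISHED" "$SAMPLE_TABLE" ||
    echo "alias drifted from the published list" >&2
# On the firewall:
#   table_drift "<published list, one CIDR per line>" "$(pfctl -t CloudFlare_IPs -T show)"
```

A "stale" entry is the one to watch: a range Cloudflare has released that still sits in a pass rule is an allow-list entry for whoever gets that address space next, and the update script above only ever adds the current list without reporting what it removed.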
Go to System > Settings > Cron and add a new job:
Enabled: checked
Minutes: 0
Hours: 5
Days of the month: *
Months: *
Days of the week: *
Command: Reload CloudFlare IPs alias
Parameters: (leave empty)
Description: Reload CloudFlare IPs alias