How to limit connections source?

How do I accomplish "limit connections to origin to allow only Cloudflare IPs"? Do I need to add the IPs to the firewall WAN zone's subnet list, or the LAN zone's subnet list, or both, or somewhere else?

Is your question OpenWrt related in some way?

If so - in order to assist you, please [clearly and concisely] explain how it's related to OpenWrt.

You are free to firewall any IPs you desire - so perhaps you want to better explain the issue you're experiencing.

I mean, how to allow global connections to my OpenWrt device only from Cloudflare IPs (

I created an "online trigger" following this tutorial [OpenWrt Wiki] Hotplug extras and then created a shell script to fetch the Cloudflare IPs with the code below:


#!/bin/sh
# The URL of the Cloudflare IP list was stripped from the post; fill it in here.
CF_URL="<cloudflare-ip-list-url>"

logger -t "Custom Script - CFFW" "Updating cloudflare IPs"
if curl -X GET "$CF_URL" >/tmp/cloudflareips; then
	logger -t "Custom Script - CFFW" "Obtained cloudflare ip list"
	for cfip in $(cat /tmp/cloudflareips); do
		# every section of type "zone" in /etc/config/firewall
		for firewall_zone in $(uci -X show firewall | grep "=zone$" | awk -F"=" '{print $1}'); do
			zone_name=$(uci get "${firewall_zone}.name")
			case ${zone_name} in
				wan)	# the zone pattern was lost from the post; wan is assumed here
					logger -t "Custom Script - CFFW" "Add ${cfip} to ${zone_name} firewall zone"
					# remove any existing copy first so the subnet is not listed twice
					uci -q del_list "${firewall_zone}.subnet=${cfip}"
					uci add_list "${firewall_zone}.subnet=${cfip}"
					;;
			esac
		done
	done
	uci commit firewall
	logger -t "Custom Script - CFFW" "Reload firewall"
	/etc/init.d/firewall reload
else
	logger -t "Custom Script - CFFW" "Failed to obtain cloudflare ip list"
fi

exit 0

but it doesn't seem right

It's not really clear what that means. So using what I can determine from your script, I'll give an example for allowing the IPs on the WAN zone.

Interesting script... not sure what "trigger", etc. means - but nonetheless I would do something like this and add it to a cron job (if you want to write the fail loop and logger events, I'll leave you to work on that). Also, in my example I'll be using wget, since curl is not installed by default, and the UCI method of just editing the respective config files (instead of scripting uci commands):


#!/bin/sh
# The URL of the Cloudflare IP list was stripped from the post; fill it in here.
CF_URL="<cloudflare-ip-list-url>"

cd /tmp || exit 1
# -f: do not fail if the file does not exist yet
rm -f /tmp/cloudflareips.txt

wget "$CF_URL" -O - >> /tmp/cloudflareips.txt

# reload only the ipsets, without restarting the whole firewall
fw4 reload-sets

exit 0

Declaring the set in the firewall:

# in /etc/config/firewall

config ipset
        option name 'cloudflareips'
        option match 'src_net'
        option loadfile '/tmp/cloudflareips.txt'

Here's an example firewall rule:

# in /etc/config/firewall

config rule
        option name 'Allow_cloudflareips'
        option src 'wan'
        option family 'ipv4'
        option proto 'all'
        option ipset 'cloudflareips'
        option target 'ACCEPT'
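Added example, not from the thread: since fw4 loads whatever is in the loadfile, a failed download (an HTML error page, an empty body) would silently become the allow-list. This check filters the fetched file down to valid IPv4 CIDR prefixes and refuses to replace the current file when nothing valid survives, so `fw4 reload-sets` can be skipped instead. The sample input is constructed from RFC 5737 documentation ranges; function names are assumptions.

```shell
# Print only lines that are well-formed IPv4 CIDR prefixes (octets 0-255,
# prefix length 0-32); anything else, e.g. HTML, is dropped.
filter_ipv4_cidr() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$1" |
        awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# Replace the set's loadfile ($2) with the validated contents of $1, but only
# if at least one prefix survived; otherwise keep the old file and return 1,
# so the caller can skip "fw4 reload-sets" and log the failure instead.
install_set_file() {
    raw="$1"; dest="$2"; tmp="$dest.new"
    filter_ipv4_cidr "$raw" > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "CFFW: no valid prefixes in $raw, keeping current $dest" >&2
        return 1
    fi
    mv "$tmp" "$dest"
    echo "CFFW: installed $n prefixes into $dest" >&2
    return 0
}

# Constructed sample download (RFC 5737 documentation ranges plus junk),
# standing in for the /tmp/cloudflareips.txt fetched by wget above.
demo_raw=$(mktemp)
printf '%s\n' '192.0.2.0/24' '<html>503 Service Unavailable</html>' \
    '198.51.100.0/24' '999.1.1.1/24' '203.0.113.0/33' > "$demo_raw"
demo_dest=$(mktemp)
install_set_file "$demo_raw" "$demo_dest"   # keeps exactly the two valid prefixes
```

On the router the echo lines would be `logger -t` calls and `$dest` would be the ipset's loadfile path from /etc/config/firewall.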