Script that re-syncs Cloudflare IPs

Submitted by Alan Mels on Wed, 01/14/2026 - 02:17

Here’s a clean, idempotent, copy-paste-safe script that:

• fetches current Cloudflare IPv4 + IPv6 ranges
• removes any existing Cloudflare-related UFW rules
• re-adds only Cloudflare-scoped 80/443 rules
• does not touch SSH or your custom ports
• can be safely re-run anytime


0) /usr/local/sbin/ufw-cloudflare-sync.sh

#!/usr/bin/env bash
set -euo pipefail
 
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"
 
echo "Fetching Cloudflare IP ranges..."
 
CF_IPV4=$(curl -fsSL "$CF_IPV4_URL")
CF_IPV6=$(curl -fsSL "$CF_IPV6_URL")
 
# Refuse to continue with an empty list: deleting the old rules and then adding
# nothing would lock Cloudflare out of 80/443.
[ -n "$CF_IPV4" ] && [ -n "$CF_IPV6" ] || { echo "Empty Cloudflare list, aborting." >&2; exit 1; }
 
echo "Removing existing Cloudflare HTTP/HTTPS rules..."
 
# Select only the 80/443 rules this script created (identified by the
# 'Cloudflare' comment), so SSH and custom port rules are never touched.
# Sort the rule numbers in reverse so deleting one does not shift the rest.
CF_RULE_NUMS=$(ufw status numbered | \
grep -E '80/tcp|443/tcp' | \
grep -E 'ALLOW IN' | \
grep -E '# Cloudflare' | \
awk -F'[][]' '{print $2}' | \
sort -rn || true)
 
# --force suppresses ufw's interactive "Proceed with operation?" prompt.
for num in $CF_RULE_NUMS; do
  ufw --force delete "$num"
done
 
echo "Adding Cloudflare IPv4 rules..."
for ip in $CF_IPV4; do
  ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare HTTP'
  ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare HTTPS'
done
 
echo "Adding Cloudflare IPv6 rules..."
for ip in $CF_IPV6; do
  ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare HTTP'
  ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare HTTPS'
done
 
ufw reload
 
echo "Done. Cloudflare-only HTTP/HTTPS rules updated."

1) Install & use

sudo nano /usr/local/sbin/ufw-cloudflare-sync.sh
sudo chmod +x /usr/local/sbin/ufw-cloudflare-sync.sh
sudo /usr/local/sbin/ufw-cloudflare-sync.sh

2) Cloudflare changes its IP ranges rarely, but re-running the script on a schedule is safe. Open root's crontab:

sudo crontab -e

3) Add:

0 4 1 * * /usr/local/sbin/ufw-cloudflare-sync.sh >/dev/null 2>&1

4) Final sanity check

sudo ufw status verbose
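The verbose status above has to be read by eye. As an added example (not part of the original post), here is a small audit that compares the source of every 80/443 ALLOW rule with the current Cloudflare list and flags stale sources, wildcard rules that bypass Cloudflare, and ranges that have no rule at all. The `ufw status numbered` output and the Cloudflare list embedded below are constructed samples; on a real host pass it `sudo ufw status numbered` and the two fetched lists.

```shell
#!/usr/bin/env bash
# Added example: audit UFW 80/443 rules against the current Cloudflare ranges.

# Constructed sample of `ufw status numbered` output, not captured from a real host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    173.245.48.0/20            # Cloudflare HTTP
[ 3] 443/tcp                    ALLOW IN    173.245.48.0/20            # Cloudflare HTTPS
[ 4] 80/tcp                     ALLOW IN    198.51.100.0/24            # Cloudflare HTTP
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 443/tcp                    ALLOW IN    2400:cb00::/32             # Cloudflare HTTPS'

# Constructed stand-in for the ips-v4 + ips-v6 lists (a real run fetches them).
SAMPLE_CF='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32'

# Print every distinct source allowed in on 80/tcp or 443/tcp, one per line.
cf_rule_sources() {
  printf '%s\n' "$1" |
    grep -E '^\[ *[0-9]+\] +(80|443)/tcp .*ALLOW IN' |
    sed -e 's/.*ALLOW IN *//' -e 's/ *#.*$//' -e 's/ *$//' |
    LC_ALL=C sort -u
}

# audit_cf_rules STATUS CF_LIST: print "stale <src>" for 80/443 sources that are
# not current Cloudflare ranges (including wildcards that bypass Cloudflare) and
# "missing <cidr>" for ranges with no rule. Returns 1 when any drift is found.
audit_cf_rules() {
  status="$1"; cf="$2"; drift=0
  while IFS= read -r src; do
    [ -n "$src" ] || continue
    printf '%s\n' "$cf" | grep -qxF -- "$src" || { echo "stale $src"; drift=1; }
  done <<EOF
$(cf_rule_sources "$status")
EOF
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    cf_rule_sources "$status" | grep -qxF -- "$cidr" || { echo "missing $cidr"; drift=1; }
  done <<EOF
$cf
EOF
  return "$drift"
}

if audit_cf_rules "$SAMPLE_STATUS" "$SAMPLE_CF"; then echo "no drift"; else echo "drift found"; fi
```

Because the function returns non-zero on drift, it can gate the cron job or trigger an alert instead of relying on someone reading the status output.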