Keeping your origin server properly locked down is an important step when running behind Cloudflare. This post explains how to automatically maintain Cloudflare’s constantly changing IP ranges using `ipset`, and how to integrate them with UFW so that only Cloudflare’s proxy network can reach your web ports. With boot-time restoration and scheduled updates, you can prevent direct-to-origin access, strengthen your firewall setup, and ensure all traffic continues to benefit from Cloudflare’s protection layer.
Keeping UFW Updated with Cloudflare Networks
