Serious Discussion Cloudflare Gateway Free Plan

Currently, I am testing Gateway with WARP as an anti-malware firewall.
I leverage the fact that configuring DoH in the web browser bypasses Zero Trust. So, I can block many things via Zero Trust without affecting web browsing.

The full list of TLDs (often abused by phishing or malware):
[.](accountants|ac|ad|am|al|app|asia|bar|bd|beauty|bid|boats|bot|br|buzz|bz|cc|cd|cf|cfd|ci|club|cm|cn|co|country|cx|cyou|cz|date|de|dev|digital|download|ee|email|es|esq|fi|fit|fo|foo|fr|fun|ga|gdn|gq|hair|help|hk|host|hu|icu|id|il|im|in|info|ing|ink|jetzt|jp|ke|kim|la|lat|lc|lgbt|li|life|link|live|locker|loan|loans|lol|ltd|ly|md|me|meme|ml|mobi|mom|monster|mov|mw|mx|net|ng|nl|okinawa|one|online|page|part|ph|pics|pk|pictures|pink|pizza|poker|pro|pub|pw|qpon|quest|ren|rest|review|ro|ru|sbs|sh|shop|site|space|skin|st|store|stream|su|surf|sx|td|th|tk|tn|to|top|town|tr|trade|tv|tw|vc|vg|vip|wang|wiki|work|world|ws|win|wtf|xin|xxx|xyz|zip|zw)$

Edit 1.
It is possible that some geolocation rules for continents can work too.
Edit 2.
These policies also involve whitelisting. The links below can be useful:
1. Currently, I am testing Gateway with WARP as an anti-malware firewall.

2. It is possible that some geolocation rules for continents can work too.
1. Nice (y): that is why I use NextDNS in the router with only a limited set of TLDs allowed (inspired by @TairikuOkami and @Sampei.Nihira, who block a lot at TLD level). I don't use it for our phones and laptops but for IoT devices (I have an old Sony smart TV which still works okay and has not received a firmware update in 2 years).
One tip: you can also include "xn--", which filters out websites containing Punycode characters.

2. No, it does not work in the free plan; I tested it. When I asked an AI, it seemed to confirm that.
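An added example (mine, not code from the thread) that checks hostnames locally against the posted TLD pattern and the "xn--" tip before committing them to a Gateway policy. It assumes that Gateway's Host-regex selector is evaluated against the full queried hostname, so Python's `re` gives the same yes/no answer; the TLD alternation is a short excerpt of the one posted above, and every hostname tested is constructed sample data.

```python
"""Added example, not part of the thread: check hostnames locally against
the posted TLD pattern and the "xn--" tip before committing them to a
Gateway policy.

Assumptions (mine, not the page's): Gateway's Host-regex selector is
evaluated against the full queried hostname, so Python's `re` gives the
same yes/no answer; the TLD alternation below is a short excerpt of the
one posted above; every hostname tested is constructed sample data.
"""
import re

# Excerpt of the posted pattern. The trailing "$" is what makes "co" match
# only as a TLD: "example.com" does not end in ".co", so it is not caught.
RISKY_TLD_RE = re.compile(r"[.](accountants|ac|app|cc|co|dev|top|xyz|zip)$")

# Any label beginning with "xn--" is an IDN label in Punycode form, which is
# how a browser or stub resolver sends an internationalized name on the wire.
IDN_LABEL_RE = re.compile(r"(^|[.])xn--")


def matches_risky_tld(host: str) -> bool:
    """True if the hostname ends in one of the excerpted TLDs."""
    return RISKY_TLD_RE.search(host.lower().rstrip(".")) is not None


def has_idn_label(host: str) -> bool:
    """True if any label is Punycode-encoded (the "xn--" tip from the thread)."""
    return IDN_LABEL_RE.search(host.lower()) is not None


def to_punycode(host: str) -> str:
    """Wire form of a Unicode hostname, as the stub resolver would send it."""
    return host.encode("idna").decode("ascii")


def unicode_form(host: str) -> str:
    """What a Punycode hostname looks like once rendered, for log review."""
    return host.encode("ascii").decode("idna")


def classify(host: str) -> str:
    """Policy order matters: evaluate the IDN rule before the TLD rule, so a
    homograph under an allowed TLD is still blocked."""
    if has_idn_label(host):
        return "block:idn"
    if matches_risky_tld(host):
        return "block:tld"
    return "allow"


if __name__ == "__main__":
    # Constructed homograph: Cyrillic "a" (U+0430) in place of Latin "a".
    homograph = to_punycode("\u0430pple.com")
    for name in ["example.com", "login.example.zip", "update.accountants",
                 "secure." + homograph]:
        print(f"{name:40} -> {classify(name)}")
    print(homograph, "renders as", unicode_form(homograph))
```

The ordering in `classify` is the point to carry over to Gateway: a separate "xn--" policy placed above the TLD policy catches homographs under TLDs you otherwise allow, and `unicode_form` is the check to run on a blocked name from the log before deciding whether to whitelist it.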
Although I am very conservative about blocking advertisements and tracking at DNS level (I don't want the hassle of adding exclusions), I finally decided to use the GitHub automation jacobgelling/cloudflare-gateway-block-ads (a GitHub Actions script to automatically create and update Cloudflare Gateway ad-blocking lists and policy). This automation uses the OISD small (optimized) version from cbuijs/oisd (an optimized version of the OISD blocklists).

Because of my reservations about blocking ads at DNS level, I opted for the optimized version of OISD small. Stephan van Ruth, the guy who set up OISD, already takes a lot of precautions to make OISD hassle-free (e.g. he removes dead domains and applies his own whitelist); Chris Buijs added some extra checks (see below) which weed out some more:
- Suggested excludes (domains.exclude)
- Safe list, suggested excludes removed (domains.safe)
- Domains actually used according TOP-N lists (domains.top-n)
 
Hi! Is anyone familiar with how to configure this to block trackers and also pause the connection on trusted networks? I already added some domains in firewall policies and set them to block. I want it to behave like WARP+: whenever I get home, instantly pause the connection. Would appreciate any assistance on this. Thank you!
 
Although I am very conservative about blocking advertisements and tracking at DNS level (I don't want the hassle of adding exclusions), I finally decided to use the GitHub automation jacobgelling/cloudflare-gateway-block-ads (a GitHub Actions script to automatically create and update Cloudflare Gateway ad-blocking lists and policy). This automation uses the OISD small (optimized) version from cbuijs/oisd (an optimized version of the OISD blocklists).
This script is outdated; it maxes out at 100 lists, while Cloudflare supports 300 lists now. You should use @SeriousHoax's script; just change the blocklist URL and that's it. Btw, feel free to use the OISD Big blocklist; it doesn't break websites, but blocks garbage more efficiently.
 
This script is outdated; it maxes out at 100 lists, while Cloudflare supports 300 lists now. You should use @SeriousHoax's script; just change the blocklist URL and that's it. Btw, feel free to use the OISD Big blocklist; it doesn't break websites, but blocks garbage more efficiently.
Thanks for the tip, but the sanitized OISD small is less than 51K rules, so 100 is not a problem. Also, I doubt the effectiveness of adding more rules for websites which I probably never visit anyway. At DNS level it is not a problem to add more, unlike in an extension (where it feels like dragging a trailer behind my car with all sorts of spare tires for cars I don't drive).

But I will look again at SeriousHoax's repo. When I previously looked at his repo, the readme did not mention which secrets to add, so I tried one with more explanation on how to use it. Is this the only place where I should change the blocklist URL?
[screenshot of the highlighted script section omitted]
 
Thanks for the tip, but the sanitized OISD small is less than 51K rules, so 100 is not a problem. Also I doubt the effectiveness of adding more rules for websites I probably don't visit anyway. At DNS level it is not a problem to add more, unlike in an extension (where it feels like dragging a trailer behind my car with all sorts of spare tires for cars I don't drive).
You never know when the list will become big. HaGeZi Pro++ usually contained 190,000 rules; now it contains more than 210,000 rules. Using a more up-to-date script gives you peace of mind if the filter size suddenly increases.
But thanks for the tip. When I looked at his repo, the readme did not mention which secrets to add, so I tried one with more explanation on how to use it.
Is this the only place where I should change the blocklist URL?
@SeriousHoax's script doesn't use variables, only secrets for your Cloudflare credentials. The blocklist is embedded directly in the script, in the part you highlighted. Just change these values to URLs leading to the OISD list and you're good to go.
 
You never know when the list will become big. HaGeZi Pro++ usually contained 190,000 rules; now it contains more than 210,000 rules. Using a more up-to-date script gives you peace of mind if the filter size suddenly increases.

@SeriousHoax's script doesn't use variables, only secrets for your Cloudflare credentials. The blocklist is embedded directly in the script, in the part you highlighted. Just change these values to URLs leading to the OISD list and you're good to go.
I use small blocklists for a reason; also, the check by Chris Buijs guarantees only TOP-N domains are included (my previous neighbor, who was a security expert, jokingly told me that using adblock big lists is as useful as buying MySize for protection when you are average-sized). Chris Buijs also has a cleaned-up big list (I will have a look at that).

EDIT: I tried 10 random domains from the sanitized OISD big blocklist and all were blocked by Cloudflare as security-related, so I will keep the sanitized OISD small.
Thanks for your tips.
I use small blocklists for a reason; also, the check by Chris Buijs guarantees only TOP-N domains are included (my previous neighbor, who was a security expert, jokingly told me that using adblock big lists is as useful as buying MySize for protection when you are average-sized). Chris Buijs also has a cleaned-up big list (I will have a look at that).
Honestly, there's nothing wrong with using big blocklists, especially at DNS level. They provide absolutely better protection than the smaller lists. And yes, sure... 90% of websites use the same advertising and analytics companies, which are already in all popular blocklists. But remember that advertising companies can and often do change their domains in order to avoid domain blocking, and hence avoid their domains being in top-1M ad/tracker domains. Piracy-related sites also don't tend to use legit advertising services and instead use shady ones that are 100% not in any top-1M ad/tracker lists. This is why I use the full blocklist and not tiny ones.

HaGeZi also has a Normal blocklist that is updated multiple times a day and has better efficiency than OISD without breaking anything. The Pro, Pro++ and Ultimate lists have mini versions that only contain domains found in top 1/10M lists (Umbrella, Cloudflare, Tranco, Chrome, BuiltWith, Majestic, DomCop).

Conclusion: if you always visit the same exact websites and don't wander anywhere else on the web, then you're more than fine with any small blocklist. But if you're like me, having no limit on where I surf, then you absolutely need a large blocklist, as that will show clearly when you visit less popular websites.
1. Honestly, there's nothing wrong with using big blocklists, especially at DNS level.
2. Conclusion: if you always visit the same exact websites and don't wander anywhere else on the web, then you're more than fine with any small blocklist.
3. But if you're like me, having no limit on where I surf, then you absolutely need a large blocklist, as that will show clearly when you visit less popular websites.
1. That is what I posted ("At DNS level it is not a problem to add more, unlike in an extension")
2. I limit my surfing (with AdGuard) to a few common TLDs, Schengen and Five Eyes; I am fine with OISD small reduced to TOP-N domains
3. Most likely not ;) I only use fewer than 74K adblock rules in my surfing profile
1. That is what I posted ("At DNS level it is not a problem to add more, unlike in an extension")
2. I limit my surfing (with AdGuard) to a few common TLDs, Schengen and Five Eyes, but even with that scope I am fine with OISD small reduced to TOP-N domains

Generally, it's not recommended to use a large number of filters in an ad blocker because it slows it down. Some say this isn't a problem with uBO, but it is, as I experienced this myself. MV3 limiting the number of rules that can be used might reduce the level of ad blocking, though it will also stop ad blockers from slowing down the loading times of websites. It's a double-edged sword, really.

This is why I use uBO with basic filters + CZT with the HaGeZi Pro++ list (not mini). CZT is incredible when it comes to DGA domains, which are known to serve pop-up ads; something ordinary blocklists aren't good with.
 
Resolved IP country code geolocation does not work in the free plan, so I assume IP continent does not either.

They work for me. I can see the blocks in the log. I blocked all continents except Europe and North America.
For example, the domains "client.wns.windows.com", "wns.notify.trafficmanager.net", and "skydrive.wns.windows.com" (used by the Windows Push Notification Service) are blocked because they are located in Asia.
The domains "ooc-g2.tm-4.office.com", "outlook.office365.com", and "cs.dds.microsoft.com" are blocked because they are located in Oceania.

Post updated
Currently, I am testing Gateway with WARP as an anti-malware firewall.
I leverage the fact that configuring DoH in the web browser bypasses Zero Trust. So, I can block many things via Zero Trust without affecting web browsing.

I had to whitelist many domains so as not to break Microsoft services (links to Microsoft documentation added in my previous post):

[screenshot of the whitelisted domains omitted]

I also blocked all continents except Europe and North America.

Edit 1.
Such a setup is not recommended for most users. It requires caution and proper whitelisting.
Currently, I use it for testing. Fortunately, the Zero Trust firewall restrictions can be deactivated (if necessary) with one click.

Edit 2.
Updated the screenshot of the whitelisted domains.
Resolved IP country code geolocation does not work in the free plan, so I assume IP continent does not either.
As Andy said, it works. I even added a screenshot for you on the previous page. Maybe your policy wasn't configured correctly.
Currently, I am testing Gateway with WARP as an anti-malware firewall.
I leverage the fact that configuring DoH in the web browser bypasses Zero Trust. So, I can block many things via Zero Trust without affecting web browsing.

WoW! This seems too extreme. It could give many false positives. Keep testing.

@Marko :) @rashmi Previously, when I said that I had updated my script to improve the empty-list deletion logic, it turned out I had made the changes locally on my device but forgot to push them to GitHub. I pushed them today. So, update your script if you want.
I also added a guide in my readme file about how to set it up on GitHub, similar to the guide for mrrfv's script. I should have added it earlier for new users, because without a guide it's impossible to know what to do with the script.
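An added example, mine and not the cloudflare-gateway-block-ads script or @SeriousHoax's script, for the two script-related points in this thread: sizing a blocklist against the list quotas discussed earlier (the 100-versus-300-lists limit) and finding leftover lists from a previous run (the empty-list deletion logic mentioned in the post above). It assumes, and labels in the code, 1,000 entries per Gateway list (the thread's own arithmetic of 51K rules fitting in well under 100 lists implies a limit of this size), a list naming scheme of my own, the JSON field names of the Gateway Lists API as I know them, and a constructed sample blocklist.

```python
"""Added example, not the thread's scripts: size a blocklist against
Cloudflare Gateway list quotas before a sync job runs, and name the lists
from an earlier run that a smaller blocklist would leave empty.

Assumptions (mine): 1,000 entries per Gateway list; the per-account list
cap is passed in (100 for the older scripts, 300 per the thread); the
"adblock-NNN" naming scheme and the API payload field names are mine.
"""
from __future__ import annotations
import re

ENTRIES_PER_LIST = 1000  # assumption: Gateway list entry limit

# Constructed sample in the mixed formats blocklists come in: a hosts-style
# line, plain domains, a comment, a duplicate, a local name, an ABP-style
# entry and a trailing comment. Not a real list.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real list
0.0.0.0 ads.example.net
tracker.example.org
ADS.example.net
||beacon.example.com^
127.0.0.1 localhost
metrics.example.org # trailing comment
"""

HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)$")
ABP_RE = re.compile(r"^\|\|([^\^/]+)\^$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost"}


def parse_blocklist(text: str) -> list[str]:
    """Sorted, de-duplicated domains from hosts / plain / ABP-style lines.
    Anything that is not a syntactically valid public hostname is dropped,
    so a bad line in an upstream list cannot poison the whole upload."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        m = HOSTS_RE.match(line) or ABP_RE.match(line)
        candidate = m.group(1) if m else line
        if candidate in LOCAL_NAMES or not DOMAIN_RE.match(candidate):
            continue
        domains.add(candidate)
    return sorted(domains)


def chunk(domains: list[str], size: int = ENTRIES_PER_LIST) -> list[list[str]]:
    """Split into list-sized slices; the last slice may be short."""
    return [domains[i:i + size] for i in range(0, len(domains), size)]


def lists_needed(n_domains: int, size: int = ENTRIES_PER_LIST) -> int:
    return -(-n_domains // size)  # ceiling division


def fits_plan(n_domains: int, max_lists: int, size: int = ENTRIES_PER_LIST) -> bool:
    """Would this blocklist fit under the account's list cap?"""
    return lists_needed(n_domains, size) <= max_lists


def gateway_list_payloads(domains: list[str], prefix: str = "adblock") -> list[dict]:
    """One request body per chunk for POST /accounts/{account_id}/gateway/lists.
    Field names are my reading of the Gateway Lists API; check the current
    API reference before relying on them."""
    return [
        {"name": f"{prefix}-{i:03d}", "type": "DOMAIN",
         "items": [{"value": d} for d in part]}
        for i, part in enumerate(chunk(domains))
    ]


def stale_lists(existing: list[str], n_needed: int, prefix: str = "adblock") -> list[str]:
    """Names from an earlier run that the new blocklist no longer fills; a
    sync job should delete these instead of leaving empty lists behind."""
    pat = re.compile(rf"^{re.escape(prefix)}-(\d{{3}})$")
    return sorted(n for n in existing
                  if (m := pat.match(n)) and int(m.group(1)) >= n_needed)


if __name__ == "__main__":
    domains = parse_blocklist(SAMPLE_BLOCKLIST)
    print(domains, "->", lists_needed(len(domains)), "list(s)")
    for rules in (51_000, 210_000):
        print(rules, "rules:", lists_needed(rules), "lists; fits 100?",
              fits_plan(rules, 100), "fits 300?", fits_plan(rules, 300))
    print(stale_lists(["adblock-000", "adblock-001", "adblock-002"], 2))
```

The two plan checks reproduce the thread's numbers: the sanitized OISD small (under 51K rules) needs about 51 lists and fits either cap, while HaGeZi Pro++ at 210K rules needs 210 lists and only fits once the account allows 300, which is why a script hard-coded to 100 lists fails on a list that grows.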
 
@SeriousHoax

I did exactly the same and it does not work.
What plan are you on, and what website did you use to test it?
Free legacy plan with no credit card info provided.

I checked these sites: