Serious Discussion Cloudflare Gateway Free Plan

I mean, mrrfv's isn't that slow and usually completes in less than 2 minutes. It did once take 3m 20s, but that was just one case (dunno what happened). The most important thing for me is that filtering doesn't stop while the list updates and that I don't exceed 2.000 minutes of Actions by the end of the month.

Screenshot_1.png


I'm running the script every 4 hours because Gerd updates blocklists multiple times a day. Currently, I'm on 220 minutes out of 2.000.

Screenshot_2.png
 
Yeah, it's fast enough and great. He knows what he's doing. It's just too fragmented for me with many file dependencies.
A solution based on one or a couple of files would be better. Also, Python is much easier for me to understand and modify. I already have Python installed on my device, so I can also run the script locally without relying on GitHub Actions.
I should try to match his incremental approach. I think @rashmi is also trying to do something similar.
 
What I like about Cloudflare is the option to filter on Source IP country location and Resolved IP country location
Cloudflare cannot see the "real" home IP (or its country) if a user is behind a secure, non-transparent VPN or Proxy; it only sees the IP of the VPN/ISP server connecting to the edge.

If that IP belongs to a VPN in Germany, Cloudflare sees the user as being in Germany, regardless of their actual physical location. Just as it's exceptionally rare for users to live right next to their ISP server.

Nowadays a traceroute is about as close as you get, and even then it's the same: whether they are on an ISP server or a VPN, their true geolocation is masked.
 
You misunderstood. @LinuxFan58 is talking about a feature in Cloudflare Zero Trust, network protection service rather than user blocking.
 
Let me know how non JSON method goes for you.
I reviewed some Python scripts and tried to create a fresh Python script and YAML file including essential features and my preferences with Gemini and DeepSeek. Cloudflare "Locations" is tricky; it didn't work after trying many AI-generated scripts. Everything worked—the non-JSON/SSH/hash/file version/file list logic—but the script couldn't create the policy. The script also failed to create a policy for the Cloudflare Policy "Description" method. I'll try again when I have more time.
 
@Marko :), this YAML file deletes Cloudflare file lists. It uses mrrfv's repository. The file uses his "lists delete" script. It's for mrrfv's method only. Delete the policy first.

Code:
name: Delete File Lists

on:
  workflow_dispatch:

jobs:
  lists:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          repository: "mrrfv/cloudflare-gateway-pihole-scripts"
          ref: "v1"

      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: ".node-version"

      - name: Install npm dependencies
        run: npm ci

      - name: Delete File Lists
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CGPS_DELETION_ENABLED: 'true'
        run: node cf_list_delete.js
 
I just realized I need to use the "Code" option from the toolbar for scripts. Previously, I used the "Quote" option, which alters the script's structure. It seems to be the reason my scripts didn't work for @Marko :).
 
I'm not misunderstanding; I'm just stating that having this information is generally pointless.
It's not pointless. For example, if a user wants to block all websites that are hosted in China, a.k.a. the site's IP address resolves to China, then Cloudflare Zero Trust can block them if such a policy is set by the user.

I don't block any country, but I just created a rule to test this and show you.
Screenshot_2025-12-30-01-14-36-02_df198e732186825c8df26e3c5a10d7cd.jpg
 
I stated generally pointless not completely.

The Cloudflare Gateway Free plan is primarily a Secure Web Gateway (SWG) designed to protect outbound traffic (what you do on the internet).

If you want to block specific apps (like TikTok or Facebook) or stop kids from visiting certain site categories across the whole house.

Avoid if you think it will hide your home IP or stop inbound hackers. For that, you need a hardware firewall or a Cloudflare Tunnel to hide your server behind Cloudflare's network.
 
I like Cloudflare's service, so I decided to add the card in order to get the Free plan, as the legacy one might be gone soon. Nothing was billed and I removed the card afterwards just to be safe.
Do you have 50 locations after removing payment info? Can you create more than 3 locations? If not, your account reverted to the legacy plan. The legacy plan offers 3 locations. I need more than that and am considering the free upgraded plan.
 
I haven't tried this, but this is what it says in Cloudflare One dashboard settings.

Screenshot_5.png


Update: yes, I can create more than 3 locations; here's four.

Screenshot_6.png
 
Avoid if you think it will hide your home IP or stop inbound hackers. For that, you need a hardware firewall or a Cloudflare Tunnel to hide your server behind Cloudflare's network.
Correct but I don't think anyone here said otherwise. It's just a DNS with some advanced features.
 
No one did, I just said it was generally useless. I did not say completely useless, nor did I state anyone said anything to the contrary. It was a mere observation.

It's really no different than blocking TLDs with NextDNS, etc. May even be considered overkill.

You have block lists for a reason, and these are better suited for blocking sites for your children, etc. Blocking entire countries can limit information if you're researching items, etc. Not all websites in countries are malicious. With my research and analysis tools, if I block tons of TLDs, for example, it cripples its efficiency. So I'm stating, what's the point of blocking entire regions? For me personally, this makes the setting generally useless, just as blocking TLDs in NextDNS is.

[.] Com for example. It's a highly abused TLD. But should we block the entire thing? It would certainly make getting around the net rather difficult wouldn't it?
 
I block everything that isn't necessary for websites to work, and I won't block any specific country IPs or TLDs, as you never know where some website will pull its assets from.

This is my current and final setting for Cloudflare's own filters:

Screenshot_7.png
 
I haven't tried this, but this is what it says in Cloudflare One dashboard settings.

Update: yes, I can create more than 3 locations; here's four.
The next billing date is January 2026; let's see if the updated free plan sticks or reverts to the legacy plan after removing the card or payment info. Do update here...
 
I have a question.

Is CZT malware/phishing block due to the combination of CloudFlare filtering and your chosen filter list?

If we take the results of this fairly recent test at face value:

Public DNS malware filters to be tested in 2025

Cloudflare for families = 95.82% of blocks, to which you need to add the filtering of your chosen list.

Is that roughly how it works, or are there other factors involved?
 
I'm not sure what you're asking exactly, but Cloudflare for Families only relies on Cloudflare's threat intelligence and website classification, with no additional blocklists.
You could enhance protection by using Zero Trust and adding additional blocklists, hence increasing the level of protection. I myself have it set up like that.

So:
Cloudflare for Families = only Cloudflare's threat intelligence and website classification service
Cloudflare Zero Trust = Cloudflare's threat intelligence + website classification service + your own blocklist (if you set it up that way)