@ruud An attacker can always get your IP from DNS history sites anyway. I guess what needs to happen is the moment the CF proxy is turned on, the firewall of the actual host would have to drop all packets from all IPs that are not CF, because only CF traffic should be coming at that point.