Are there particular IPs that KDE Neon ESTABLISHES at boot that will ignore custom iptables DROP rules, e.g. connections to repositories?

Using ss or netstat displays these IPs for a few minutes after boot as ESTABLISHED, and restoring iptables custom DROP rules does not affect their established status.

When I look the IPs up, they are all direct assignments on CLOUDFLARENET.

When I look up information on Cloudflare, all I get are generic company blurbs regarding their network services.

I have spent a more than sufficient amount of time searching this issue, and other than supplementing my knowledge of netfilter and iptables, I've gained no ground.

Would someone kindly explain, or at least direct me to a productive source of information on, these possibly default established connections?

Thank you.