Allow ranges of IP through Cloudflare WAF

Ant

I need to allow some IP ranges through Cloudflare, for receiving a webhook.

Setting them through WAF -> Tools one by one works, but I have some /28 subnet masks that are not allowed there, because:

Only an IPv4 range (CIDR) value of /16 or /24 is allowed for IP Access Rules. Use Firewall Custom Rules and IP Lists instead.

I created a list and tried adding it in Firewall rules, i.e. `(ip.src in $allowlist)`, but it doesn't seem to work. I also tried adding a different rule with a bunch of "IP source address is in" joined by "or", but that doesn't seem to work either, e.g. `(ip.src in {x.x.x.x}) or (ip.src in {y.y.y.y}) [...] or (ip.src in {z.z.z.z/28})`

Is the Allow in Rules different from the Allow in the IP Access Rules, or am I doing something very wrong?
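To make the difference between the two rule types concrete, here is an added example (not from the question or from Cloudflare) that takes a constructed allowlist like the one in the question, builds the single-set form of the custom-rule expression (Cloudflare set members are space-separated, so one `ip.src in {...}` covers hosts and CIDRs), evaluates it locally for a source address, and flags the entries that IP Access Rules would reject under the /16-or-/24 limit quoted above. The sample addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample allowlist: two single hosts and a /28, like the question's.
ALLOWLIST = ["203.0.113.10", "198.51.100.7", "192.0.2.16/28"]


def to_network(entry):
    """Parse a host or CIDR string into an IPv4Network (a bare host becomes /32)."""
    return ipaddress.ip_network(entry, strict=False)


def ip_access_rule_ok(entry):
    """IP Access Rules accept single IPv4 addresses and, for ranges, only /16 or /24
    (the limit quoted in the question); anything else needs a custom rule or a list."""
    return to_network(entry).prefixlen in (16, 24, 32)


def build_expression(entries):
    """One custom-rule expression with an inline set instead of a chain of 'or's."""
    return "(ip.src in {" + " ".join(entries) + "})"


def is_allowed(src_ip, entries):
    """Local evaluation of that expression for a single source address."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in to_network(e) for e in entries)


def needs_custom_rule(entries):
    """Entries that cannot be entered as IP Access Rules at all."""
    return [e for e in entries if not ip_access_rule_ok(e)]


if __name__ == "__main__":
    print(build_expression(ALLOWLIST))
    print("192.0.2.20 allowed:", is_allowed("192.0.2.20", ALLOWLIST))
    print("needs custom rule:", needs_custom_rule(ALLOWLIST))
```

Note that a custom-rule Allow matching here only shows the expression itself is right; as the accepted answer below explains, it does not skip Bot Fight Mode the way an IP Access Rules Allow does.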

jabbson
Just tried to use the firewall rule with expression `if (not ip.src in {<range including my home IP>/28}) then Block` and was able to access from home, but not from work pc, firewall rules are working as expected for me. Could you elaborate on the setup for when it is not working for you with firewall rules?
Ant
In the case of the list I have a rule of `(ip.src in $allowlist)`, and the complex one is in the form of `(ip.src in {x.x.x.x}) or (ip.src in {y.y.y.y}) [...] or (ip.src in {z.z.z.z/28})`, then `Allow`.
jabbson
And it doesn't work in the way that it is blocked even though the IP that connects is in the allow list? Do you have an explicit Block rule? Did you look into the logs for that rule to see what was blocked?
Ant
I have no real control over the request endpoint, but I can see that the request passes when I add the IP in IP Access Rules, and it does not when I add it through custom. I have not set any explicit block rules, no. As far as the logs for the rules go, there is zero activity on them, and as such the logs are empty.
jabbson
But you get the access denied page when you try to access?
Ant
I suppose so; the only thing I can do is force a simple GET request from them, and they should get a reply. I do not know the exact issue on the other side of the webhook, but they do not see my reply if the rules are not in the WAF Tools. Mind you, anybody can see the reply, so I think it might get blocked as a bot (which it technically is).
Ant

Apparently there is a difference between the two!

In IP Access Rules, Allow also skips things like Bot Fight Mode, which in my case was the culprit!

The simple solution is to just turn the BFM off, since according to the documentation:

The current version of BFM/SBFM has limited control. You can’t bypass or skip BFM/SBFM using Firewall Rules or Page Rules. SBFM can be bypassed with IP access "Allow" action rules. BFM will be disabled if there are any IP access rules present.
