Best Practice To Block IP?

I am trying to block 3 IP addresses (crawlers/bots) from bombarding my site. Should I create three different rules, or can I add each of the IP addresses to ONE rule using “or”?

You could certainly block all 3 in 1 rule. I personally tend to use IP Access Rules for the ability to add a comment (of course, I may also randomly create rules multiple times a day for demos, so my use cases are a bit different than most). 🙂

2 Likes

Thanks for the quick response - I’m a newbie to this. I have also noticed there are IP Access rules. Which is better?

I can create an IP Access rule in Tools and apply it to all websites. Is this a better option vs. creating individual Firewall rules?

What is the difference between a Firewall rule and an Access rule?

Thanks for your help.

Additionally, since I’m using Cloudflare, is blocking these IP addresses here adequate? Or should I also block them in my server/cPanel?

And thus begins anew a debate which has no end. 🙂 IP Access Rules are, I guess for lack of a better term, “dumb” firewall rules. They have three unique features currently (one, which you mentioned, is the ability to apply the rule to all your websites; another is the ability to add comments, which I mentioned; and the other is whitelisting).

Over time the whitelisting functionality is being incorporated into individual firewall rules in a slightly different manner, which will potentially make it more powerful. Commenting in firewall rules… is uh, something the firewall team is aware of as a feature request… no idea when it will make an appearance. Applying a firewall rule to all zones in the UI probably won’t be a thing anytime soon (though one can do it via script or automation tools where it makes sense).

IP Access Rules existed first and Firewall Rules is not a perfect replacement for them so they both continue to live on in the product. For the ease/value of commenting and applying to all websites in an org I tend to suggest using IP Access rules to my customers for simple blocking.

But for more advanced actions (like allowing users from North Korea to all portions of a website except the admin area, for example) the firewall rules allow for better control/scoping.

If I polled my peers I bet they’d split pretty evenly on which to use (some prefer to manage all the rules in 1 place and pretend the IP Access Rules no longer exist). So there’s no better or best really… just personal preference when it comes to simple IP blocking.

2 Likes

Well, in an ideal world you would restrict direct access to your server on port 80/443 to these IP addresses only: https://www.cloudflare.com/ips/ (along with perhaps a maintenance IP address or two for sites managed out of a corporate office of some kind). This isn’t always feasible (depends on the level of access you have to your site/server and technical skill level). I admit I don’t bother with the IP address restrictions on my personal sites, but they are hobby sites at best (and the cobbler’s children have no shoes).

1 Like
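
The origin restriction described in the last reply, as an added example that is not part of the original thread: a Python generator for an nftables ruleset that accepts ports 80/443 only from an allowlist and drops other web traffic. The table and set names, the sample ranges (documentation addresses, not Cloudflare's real ranges) and the maintenance address are assumptions; the real lists are the ones published at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed sample input: documentation ranges, NOT Cloudflare's real ranges.
# In practice, use the current lists published at https://www.cloudflare.com/ips/.
SAMPLE_PROXY_RANGES = ["192.0.2.0/24", "192.0.2.128/25", "2001:db8:1::/48"]
SAMPLE_MAINTENANCE = ["198.51.100.7"]  # hypothetical office/maintenance address


def parse_networks(entries):
    """Validate entries, split them by IP version, and merge overlapping ranges."""
    v4, v6 = [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in a pasted list
        net = ipaddress.ip_network(text, strict=True)  # ValueError on malformed CIDR
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def _set_block(name, addr_type, nets):
    lines = [f"    set {name} {{", f"        type {addr_type}", "        flags interval"]
    if nets:  # leave an empty set without an elements line
        lines.append("        elements = { " + ", ".join(str(n) for n in nets) + " }")
    lines.append("    }")
    return lines


def build_ruleset(proxy_ranges, maintenance=()):
    """Return nftables ruleset text; table and set names are hypothetical."""
    v4, v6 = parse_networks(list(proxy_ranges) + list(maintenance))
    if not v4 and not v6:
        raise ValueError("refusing to build a ruleset that would drop all web traffic")
    out = ["table inet origin_lockdown {"]
    out += _set_block("allowed_v4", "ipv4_addr", v4)
    out += _set_block("allowed_v6", "ipv6_addr", v6)
    out += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        tcp dport { 80, 443 } ip saddr @allowed_v4 accept",
        "        tcp dport { 80, 443 } ip6 saddr @allowed_v6 accept",
        "        tcp dport { 80, 443 } drop",
        "    }",
        "}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_ruleset(SAMPLE_PROXY_RANGES, SAMPLE_MAINTENANCE))
```

The chain only filters ports 80 and 443, so SSH and other services are untouched; validate the generated file with `nft -c -f <file>` before loading it.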