Block IP address through firewall doesn't see to work

This was address previously and I took suggestions from a peer here, however we are back at the same problem, no matter what I do the rule doesn’t work. I need to block all these IPs from visiting a website.

Greetings,

I am sorry to hear you an experiencing an issue here.

May I ask what is the position and where is that Firewall Rule located?

Is this the 1st rule from above on the Firewall Rule list in your Cloudflare dashboard → Firewall → Firewall Rules?

And this Firewall Rule is enabled / active, correct?

You aren’t using any of the Page Rules which could have some specific options disabled like “Security”, etc. for your (sub)domain or page URL?

Is the DNS record (hostname) like A yourdomain.com proxied and set to :orange: to make sure the Firewall Rules (and other features) applies to it?

It’s at the top of all the rules.

Page rules only 301 redirects nothing in that regards.

Yes, DNS record is domain.com proxied through Cloudflare.

Thank you for sharing a screenshot.

I see a duplicate of the IP 209.59.185.4 at first glance → remove the duplicate and leave only one.

May I ask have you tried blocking your own IP by looking up for your own IP (type in Google “whatsmyip”) and adding it here along within them, therefore wait for few minutes to apply the changes and check if you can access your Website or rather you are seeing “1020 Access Denied” page from Cloudflare?

Page Rules execute (first) before Firewall Rules as far as I know, that could be the reason why “it’s not working” as far as the requests are being redirected rather than being blocked?

I removed the duplicate however that’s the same IP it keeps coming back to the website. I added my IP address and the rule worked however Cloudflare did not record the block on the counter.

What happens if you temporary disable a Page Rule for that 301 redirect and wait for a few minutes and try again? Are you blocked or redirected?

Related topic:

Tagging security colleague @erictung who is more experienced and might know more about this.

Sorry it did record my block when I clicked the activity. Page rules are not the problem, this is the IP address that keeps spamming the web server and Cloudflare can’t seem to block it. I’ve tried to block Liquid Web and the bots are persistent.

NetRange: 209.59.128.0 - 209.59.191.255
CIDR: 209.59.128.0/18
NetName: LIQUIDWEB
NetHandle: NET-209-59-128-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS32244
Organization: Liquid Web, L.L.C (LQWB)
RegDate: 2004-07-27
Updated: 2016-12-19
Ref: https://rdap.arin.net/registry/ip/209.59.128.0

OrgName: Liquid Web, L.L.C
OrgId: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
RegDate: 2001-07-20
Updated: 2020-04-29
Ref: https://rdap.arin.net/registry/entity/LQWB

May I ask have you tried blocking the AS number using Firewall → Tools → IP Access Rules?

I check and I see multiple ASNs (not only one):

AS201682 LIQUID-WEB-BV
AS32244 LIQUIDWEB
AS53824 LIQUIDWEB

Helpful article how to manage IP Access Rules:

No I haven’t how do you do that?

1 Like

Exactly :+1:

From now on in future (give it a try 24 hours or so), you can filter out and check if any request is being blocked:

May I ask if the Bot Fight Mode is enabled so far?

Some user-agents to watch out and block with Firewall Rules:

May I ask how is this happening? Like commets, pingback, xmlrpc, etc.?

Therefore, some Firewall Tips are published here:

Using the search :search: :

Furthermore, may I suggest you reading articles from the below:

Useful guide in case if needed:

1 Like

Yes, bot fight mode is enabled, also there is google captcha, this person keeps filling our contact form with obscene text. They keep coming back with different names and filling the forms out. The forms detect the IP address and that’s how we know who it was.

Ou wow, o-oh :open_mouth:

Hopefully this works now. I’ll keep an eye on it. Thanks for your help!

1 Like

@rjm2884 May I ask if this has been resolved and working now?

Hi, thanks for following up. I just checked the filter for service ASN and there are no reports yet. I’ll continue to monitor this and update the post.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.