Fail2Ban & CloudFlare - "Filter not found" and other questions

Hello everyone!

First off, apologies if this is the incorrect place to ask, or if a similar question has been posted; I have looked, but can’t seem to solve this one.

I’m using Fail2Ban and would like to forward IP addresses from Fail2Ban into my CloudFlare account.
Specifically, I would like to have a single firewall rule, that is updated whenever Fail2Ban bans a new IP address on my origin server.

For testing purposes, I’m currently running the curl command in a terminal, and I’m confused as to where I can get my filter ID. In the command below, I’ve added comments for these two sections I’m unsure about.

Looking at the documentation (specifically this link), this looks like it should be relatively straightforward, but I’m a little stuck on the “filters” section of my API request.

This is the configuration I’m currently using, with sensitive keys and such redacted.

curl -X PUT \
  -H "X-Auth-Email: [email protected]" \
  -H "X-Auth-Key: GlobalAPIKeyForNow" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "f2d427378e7542acb295380d352e2ebd", # <-- Where does this ID come from?
    "paused": false,
    "description": "Fail2Ban Automatic IP Blocking.",
    "action": "block",
    "priority": 0,
    "filter": {
      "id": "b7ff25282d394be7b945e23c7106ce8a", # <-- How is this ID different from the one above, and where does it come from?
      "expression": "(ip.src eq 1.2.3.5)",
      "paused": false,
      "description": "Fail2Ban"
    }
  }' "https://api.cloudflare.com/client/v4/zones/ZONE/firewall/rules/FIREWALLID"

With the configuration I’m currently using, I’m seeing this error:

"errors": [
    {
      "code": 10203,
      "message": "filter not found",
      "source": {
        "pointer": "/filter"
      }
    }
  ],

Is what I’m trying to do even possible? I’ve seen lots of examples online of this working, but none seem to update and add Fail2Ban IPs to existing firewall rules. As a free tier user with some firewall rules already in place, it’s important I can have one rule for all my Fail2Ban IPs, rather than a new rule per new banned IP.

I hope that all made some sense, and someone can point me in the right direction.

Thanks a lot.

@eva2000 does something similar to this, though I do not remember the details.

From https://developers.cloudflare.com/firewall/api/cf-firewall-rules/get/: the first ID is the firewall rule ID and the second is the filter ID.

Thanks, I did see that but I’ve got some questions.

  • The filter ID, where can I find it?
  • If I can’t “find” the filter ID, how / where is it generated?

Sorry for these newbie questions.

The filter should be listed along with the firewall rule in:

Thanks for all the replies so far. I’ve figured out the curl PUT request, and I’m not getting any authentication or syntax errors. However, my rules don’t appear to be updating at all. As I mentioned in my 1st post, I have an existing rule that I’d like new IP addresses to be added to each time Fail2Ban jails a new IP on my origin server.

At the moment, I’m using the expression:
"expression": "(ip.src eq 4.3.2.1)",
in my PUT request.

With my current rule using:
(ip.src eq 1.2.3.4)

Do I need to use a different expression, such as (ip.src in {9.8.7.6}), if I want multiple IPs to be able to be added?

Thanks.
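As an added example (not code from any poster in this thread): a small Python helper that does what the question above asks for, merging a newly banned address into the rule's existing `ip.src` expression using Cloudflare's `ip.src in {...}` set syntax (members separated by spaces), and building the PUT body from the first post. It validates every address before splicing it into the expression, so a bad value from a log line can never change the rule's meaning; `rule_id` and `filter_id` are assumed to be read back from the GET endpoint linked earlier in the thread.

```python
import ipaddress
import json
import re

# Expression shapes from this thread: "(ip.src eq 1.2.3.4)" and
# "(ip.src in {1.2.3.4 4.3.2.1})"; set members are space-separated.
_EQ_RE = re.compile(r"^\(?\s*ip\.src\s+eq\s+(\S+?)\s*\)?$")
_IN_RE = re.compile(r"^\(?\s*ip\.src\s+in\s+\{([^}]*)\}\s*\)?$")

def _normalise(ip_or_cidr: str) -> str:
    """Validate an address or CIDR from fail2ban before it is spliced into
    the expression, so a malformed value can never rewrite the rule."""
    net = ipaddress.ip_network(ip_or_cidr.strip(), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)  # single host: drop the /32 or /128
    return str(net)

def current_ips(expression: str) -> list[str]:
    """Addresses already present in an ip.src filter expression."""
    text = expression.strip()
    m = _EQ_RE.match(text)
    if m:
        return [_normalise(m.group(1))]
    m = _IN_RE.match(text)
    if m:
        return [_normalise(tok) for tok in m.group(1).split()]
    raise ValueError(f"unsupported expression: {expression!r}")

def merge_ip(expression: str, new_ip: str) -> str:
    """Add new_ip to the rule's set, always emitting the 'ip.src in {...}'
    form. Idempotent: re-banning an address leaves the expression as is."""
    ips = current_ips(expression)
    candidate = _normalise(new_ip)
    if candidate not in ips:
        ips.append(candidate)
    return "(ip.src in {" + " ".join(ips) + "})"

def rule_update_body(rule_id: str, filter_id: str, expression: str) -> str:
    """JSON body for PUT .../zones/{zone}/firewall/rules/{rule_id}; filter.id
    must be the filter already attached to that rule (read it back with GET)."""
    return json.dumps({
        "id": rule_id,
        "paused": False,
        "description": "Fail2Ban Automatic IP Blocking.",
        "action": "block",
        "filter": {"id": filter_id, "expression": expression, "paused": False},
    })
```

In a fail2ban action you would GET the rule first, pass its current `filter.expression` and the banned IP through `merge_ip`, and PUT the result of `rule_update_body` back.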

When I have API syntax trouble, I make the change by hand in the Dashboard, and then check the Audit Log to look at the metadata for that command.


I got it!

Long story short, I found it was easier for me to interface with the Lists API, rather than the firewall directly.
Using the Lists API to manage my block list, which in turn is used in a firewall block rule, works really well.
Thanks to everyone who chimed in on this one!
