Firewall Access Rules: probable bug

firewall

#1

I want to tell you guys about my experience with Cloudflare Firewall Access Rules.
First of all, it is a useful service, which can even be used with a free plan. This is great!
That being said, sometimes it doesn’t work when I want to block an IP range (captchas seem to work properly all the time instead). In my experience, blocking always works when I enter an ASN: both my logs and Cloudflare’s Firewall Events confirm that the suspicious IP addresses from that ISP are being blocked. However, as you would expect, blocking an entire AS doesn’t always make sense because of the huge number of addresses that may belong to the AS, and that have nothing to do with the unwelcome visitor(s) using a dynamic address. So I often prefer to block just a /16 range. Well, in this case, CF’s firewall is not very reliable. Some users manage to visit my site anyway: I see them in my logs, and CF’s Firewall Events doesn’t list them, thus confirming what my logs say. The only way to block these users is to block their whole AS, in which case CF’s Firewall starts to work properly again. The problem seems to be related to CF’s Firewall and those ISPs (not the specific users or their hypothetical ability to overcome firewalls). It is no accident that I always see this probable bug with the same ISPs, regardless of the user’s location, operating system, time of day etc.
On the other hand, I can block addresses belonging to other ISPs just fine, using either the /16 notation or the entire AS.
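Before attributing a miss to the firewall, it is worth checking that the addresses seen in the server log actually fall inside the range the rule names. The block below is an added example, not code from this thread or from Cloudflare: it parses constructed log lines (the client addresses are from documentation ranges, not real visitors) and splits them into those a given CIDR rule should have matched and those the rule never covered. One thing it makes visible: an IPv4 /16 rule cannot match a visitor from the same ISP who arrives over IPv6, so such a hit in the log is not evidence of a rule being ignored.

```python
import ipaddress

# Constructed sample log lines in combined-log format (not from the thread).
# 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
198.51.101.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 403 128
203.0.113.45 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 2048
2001:db8:1::5 - - [10/Oct/2023:13:56:07 +0000] "GET / HTTP/1.1" 200 512
"""


def parse_client_ips(log_text):
    """Return the client address (first field of each line) as ip_address objects.

    Malformed first fields are skipped rather than aborting the whole scan.
    """
    ips = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        first_field = line.split()[0]
        try:
            ips.append(ipaddress.ip_address(first_field))
        except ValueError:
            continue
    return ips


def classify_against_rule(log_text, blocked_cidr):
    """Split logged client IPs by whether `blocked_cidr` should have matched them.

    Returns (should_have_been_blocked, not_covered) as lists of address strings.
    strict=False normalises a rule typed with host bits set, e.g. "198.51.100.7/16".
    """
    net = ipaddress.ip_network(blocked_cidr, strict=False)
    should_have_been_blocked, not_covered = [], []
    for ip in parse_client_ips(log_text):
        # A rule for one IP version can never match an address of the other version.
        if ip.version != net.version:
            not_covered.append(str(ip))
        elif ip in net:
            should_have_been_blocked.append(str(ip))
        else:
            not_covered.append(str(ip))
    return should_have_been_blocked, not_covered


if __name__ == "__main__":
    hits, misses = classify_against_rule(SAMPLE_LOG, "198.51.0.0/16")
    print("inside the blocked range (rule should have fired):", hits)
    print("never covered by the rule (not evidence of a bug):", misses)
```

Only addresses in the first list are evidence about the rule; an address in the second list either belongs to another range or is an IPv6 client that an IPv4 rule does not see, and the same check applies to a /24 or a /32 rule.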


#2

This doesn’t make sense at all. Most ASNs have way less than a /16. Being an ASN myself, we only have something like a /22. So by blocking a /16 you are most likely blocking way more than just one ASN. A small regional ISP can have a /20, maybe a /19.


#3

The first two examples I can think of:
AS7922 (Comcast Cable): 71M addresses
AS7018 (AT&T): 100M addresses
etc.
Anyway, this is off-topic


#4

I took a random prefix from AS7018 (AT&T) and checked whether the whole /16 is theirs: no, it’s not.


We can go on like that all day, but you surely know that my point is valid.


#5

…it’s valid for the specific address that you chose. We could choose a different address and your example wouldn’t work. Anyway, you’re off-topic: the problem here is not whether big ISPs own contiguous addresses. It’s irrelevant.

For the record, I noticed the same (probable) bug in CF’s firewall blocking /24 and /32 (one address) ranges. So I confirm the issue.


#6

My suggestion would be to open a support ticket within the Cloudflare administration console. If you have a specific rule/ruleset in place that would be the best way for us to help you troubleshoot/validate the issue.