Firewall block country - Blocked country CF Connection

firewall
#1

I’ve blocked countries such as the Netherlands and China in the Cloudflare Firewall. However, I keep getting port hits from Cloudflare in these countries, which causes my country bot to ban [Cloudflare in Netherlands], which in turn causes the Cloudflare Netherlands servers to hit my server over and over again with requests.

Why does Cloudflare not instruct the Cloudflare servers in those countries not to bother my firewall after being told not to allow that country onto my server?

#2

I think regardless of what country you ban there’s wisdom in letting the Cloudflare servers hit you even if they’re in a banned country. Those hits are probably doing all manner of keep-alive checks on your site and will almost certainly be a conduit for visitors outside of that banned country who continue to access your site (there’s not a 1-to-1 correlation of Cloudflare data centre to country so visitors in nearby countries may still access you via the NL data centre’s proxy IPs).

If you want to tighten things up somewhat, best practice is if you’re using Cloudflare to proxy all your web traffic then implement a firewall rule to only allow access from the Cloudflare IP addresses and block everything else:

Obviously this won’t affect non-HTTP(s) traffic but it’ll help a lot. You could then have your banning bot only check for hits on the non-HTTP(s) ports when banning IPs. Just let Cloudflare handle the HTTP(s) stuff for you.

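As an added example (not code from the thread or from Cloudflare), the script below renders the nftables allowlist described above and filters kernel-style firewall log lines so a banning bot ignores web-port hits that come from Cloudflare edge ranges and only reacts to everything else. The CIDRs and log lines are constructed placeholders; the real edge ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
import ipaddress
import re

# Constructed stand-in for the Cloudflare edge ranges. In production load the
# current lists from https://www.cloudflare.com/ips-v4 and /ips-v6; these
# documentation-range CIDRs are placeholders, not the real published ranges.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
    "198.51.100.0/24",
)]
WEB_PORTS = {80, 443}

def is_cloudflare(ip):
    """True if the source address sits inside one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def nft_allowlist_rules(ranges=CLOUDFLARE_RANGES, ports=WEB_PORTS):
    """Render nftables rules: web ports open only to the edge ranges, dropped otherwise."""
    cidrs = ", ".join(str(n) for n in ranges)
    port_set = ", ".join(str(p) for p in sorted(ports))
    return [
        f"ip saddr {{ {cidrs} }} tcp dport {{ {port_set} }} accept",
        f"tcp dport {{ {port_set} }} drop",
    ]

# Matches the SRC= and DPT= fields written by the iptables/nftables LOG target.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dport>\d+)")

def ban_candidates(log_lines):
    """Source IPs the banning bot should still consider."""
    candidates = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dport = m.group("src"), int(m.group("dport"))
        # A web-port hit from an edge range is the proxy doing its job (or a
        # real visitor behind it), so it is never a ban candidate.
        if dport in WEB_PORTS and is_cloudflare(src):
            continue
        candidates.add(src)
    return candidates

# Constructed log lines in the kernel LOG-target format, not real traffic.
SAMPLE_LOG = [
    "kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443",
    "kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22",
    "kernel: IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80",
]
```

Running `ban_candidates(SAMPLE_LOG)` keeps the edge address only because of its port-22 hit and keeps the non-edge address that reached port 80 directly, which is exactly the traffic the allowlist rules would also drop.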
#3

If I ban the country in Cloudflare… that means I don’t need/want anything in that country hitting my servers, including Cloudflare servers?:exploding_head: regardless of where the connection came from.

Should be a setting to allow/deny (blocked ip knocking) instead of spamming connections to the server over and over again?:thinking:

Should there be a setting that allow/deny (multiple blocked ip knocking attempts per 24 hours per ip) that hits the server to prevent spamming?:face_with_monocle:

Should there be an option to allow or deny vpn connections through cloudflare for that block? :see_no_evil:

I use Cloudflare to protect the server, not spam it.:rofl:

#4

If I ban the country in Cloudflare… that means I don’t need/want anything in that country hitting my servers, including Cloudflare servers?:exploding_head: regardless of where the connection came from.

Thing is that users in Belgium, say, may be routed via NL at times etc. So you definitely need to think about rules for end-users and rules for your CDN as two different things. Blocking NL inc. data centres means you’re blocking non-NL users too.

Should be a setting to allow/deny (blocked ip knocking) instead of spamming connections to the server over and over again?:thinking:

Should there be a setting that allow/deny (multiple blocked ip knocking attempts per 24 hours per ip) that hits the server to prevent spamming?:face_with_monocle:

Depends how often they’re checking I guess. I’ve never seen Cloudflare ‘spam’ me. Remember that unless you’re resolving the end-user IP addresses, what you think is Cloudflare spamming you could be real users hitting you via Cloudflare IP addresses (because that’s what you use Cloudflare for).

Should there be an option to allow or deny vpn connections through cloudflare for that block? :see_no_evil:

Unless you pay for Spectrum Cloudflare won’t proxy any VPN traffic unless it’s running on an HTTPS port and ‘pretending’ to be HTTPS traffic. If you do want them to proxy VPN stuff then that’s what the Spectrum service is.

I use Cloudflare to protect the server, not spam it.:rofl:

Me too, works great. And it’s free! As I say, check the access you’re seeing from Cloudflare isn’t legit users being passed on by them. The actual Cloudflare ‘pings’ are essentially negligible.