Firewall not working (properly)

hero · July 4, 2019, 4:50pm

Based on my experience and recent firewall logs, “IP Access Rules” should take precedence over “Firewall Rules”. That is, if a request matches a blocked ASN or IP address range, it should be blocked right away and not matched against any “firewall rules”. This has changed since about 2 days ago: requests from blocked AS’s that would have been blocked by “IP Access Rules” were now being blocked by “Firewall Rules” (that managed to catch them).

In another zone, which is covered by the same (global) ASN-based “IP Access Rules”, but doesn’t have “Firewall Rules”, I noticed a request from a blocked ASN that was let through. More worryingly, when I created a test “Firewall rule” for this zone, the rule didn’t even work.

Is anyone else having similar issues?

sdayman · October 21, 2019, 10:02pm

That’s contrary to @alexcf’s confirmation in the following thread. Not that I’m saying you’re wrong. Maybe something really has changed.

sandro · July 4, 2019, 6:55pm

Sorry, just configured an IP access rule to block my own ASN and it worked as expected. Same for firewall rules.

Last but not least, I created an access and a firewall rule and it appears the access rule fired first.

hero · July 5, 2019, 2:34am

Sorry, just configured an IP access rule to block my own ASN and it worked as expected. Same for firewall rules.

This is what my “Firewall Event Log” looks like. Every request you see (except the one that has been completely pixelated) should have been blocked by an ASN-based access rule. (What does an “Unknown” rule ID mean by the way?)

~~When I made my post I also created a test firewall rule that should’ve blocked myself (ip.geoip.asnum ne 8075). That rule still isn’t working.~~ (There was an IP access rule that whitelisted my own address. See details below.)

I just found out that once an IP access rule whitelists a request, it would override any firewall rules that would’ve blocked it. You can test this using the following procedure.

Using a test zone, create a firewall rule that would block yourself (like ip.geoip.asnum ne 0).
Visit the site and you should get an “Error 1020” page.
Create an IP access rule that whitelists your own IP address.
Visit the site and it should work normally.

sandro · July 5, 2019, 5:52am

I am afraid I can only repeat what I wrote earlier. I set up two rules and got blocked by the IP access rule, once I removed that rule I still got blocked, this time by the firewall rule though.

As for your second scenario, that seems to bea completely different issue. Right?

hero · July 5, 2019, 6:58am

Unfortunately I wasn’t able to reproduce it, either. But as you can see, the firewall event log clearly says some of the recent requests were blocked by firewall rules instead of ASN-based IP access rules. Those with an “Unknown” “Rule ID” were also in fact from a blocked AS.

sandro · July 5, 2019, 7:00am

Contacting support might be the best course of action at this point.

hero · July 5, 2019, 8:58am

Well, could someone from Cloudflare at least tell me what those “Unknowns” mean?

sdayman · October 21, 2019, 9:27pm

Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

hero · July 5, 2019, 2:39pm

I did. Got a boilerplate/automatic response with grossly irrelevant suggestions. Not sure if I’ll ever get a reply from a human; I’ll see what I can share here if I do.

sdayman · July 5, 2019, 2:43pm

Post the ticket #. The mods usually check in on unresolved tickets.

hero · July 5, 2019, 2:53pm

I read the automatic response again and it says I had to make another reply to actually “reach a Cloudflare Technical Support Engineer”. If I don’t hear back within a few days I may post the ticket number here.

sandro · July 5, 2019, 3:03pm

Post the ticket number nonetheless.

hero · July 6, 2019, 3:18am

No. It’s now being handled by a support engineer. I’ll see what I can share publicly when the ticket is closed.

sandro · July 6, 2019, 4:33am

I really love these polite responses .

Posting that number would have been for a Cloudflare staff member. Its not like I collect them to access your bank account and wire you the $10 million dollars from the Bill Gates foundation you became eligible for.

The only “thanks” in this entire thread is from the link @sdayman posted .

hero · July 16, 2019, 3:49pm

Well I certainly appreciate the feedback and suggestions from every participant, and not just in this thread. I understand that my previous response could be interpreted as tactless or rude and for that I’d like to apologize. I don’t see much of a point in disclosing the ticket number here since I’m not having any trouble with the support experience itself. Again, I’ll share anything I deem appropriate when I get a satisfactory answer from support.

Update: There was a defect which Cloudflare has supposedly fixed but refused to elaborate on.

system · August 3, 2019, 4:50pm

This topic was automatically closed after 30 days. New replies are no longer allowed.