Based on my experience and recent firewall logs, “IP Access Rules” should take precedence over “Firewall Rules”. That is, if a request matches a blocked ASN or IP address range, it should be blocked right away and not matched against any “firewall rules”. This has changed since about 2 days ago: requests from blocked AS’s that would have been blocked by “IP Access Rules” were now being blocked by “Firewall Rules” (that managed to catch them).
In another zone, which is covered by the same (global) ASN-based “IP Access Rules”, but doesn’t have “Firewall Rules”, I noticed a request from a blocked ASN that was let through. More worryingly, when I created a test “Firewall rule” for this zone, the rule didn’t even work.
Sorry, just configured an IP access rule to block my own ASN and it worked as expected. Same for firewall rules.
This is what my “Firewall Event Log” looks like. Every request you see (except the one that has been completely pixelated) should have been blocked by an ASN-based access rule. (What does an “Unknown” rule ID mean by the way?)
When I made my post I also created a test firewall rule that should’ve blocked myself (ip.geoip.asnum ne 8075). That rule still isn’t working. (There was an IP access rule that whitelisted my own address. See details below.)
I just found out that once an IP access rule whitelists a request, it would override any firewall rules that would’ve blocked it. You can test this using the following procedure.
Using a test zone, create a firewall rule that would block yourself (like ip.geoip.asnum ne 0).
Visit the site and you should get an “Error 1020” page.
Create an IP access rule that whitelists your own IP address.
I am afraid I can only repeat what I wrote earlier. I set up two rules and got blocked by the IP access rule, once I removed that rule I still got blocked, this time by the firewall rule though.
As for your second scenario, that seems to bea completely different issue. Right?
Unfortunately I wasn’t able to reproduce it, either. But as you can see, the firewall event log clearly says some of the recent requests were blocked by firewall rules instead of ASN-based IP access rules. Those with an “Unknown” “Rule ID” were also in fact from a blocked AS.
I did. Got a boilerplate/automatic response with grossly irrelevant suggestions. Not sure if I’ll ever get a reply from a human; I’ll see what I can share here if I do.
I read the automatic response again and it says I had to make another reply to actually “reach a Cloudflare Technical Support Engineer”. If I don’t hear back within a few days I may post the ticket number here.
Posting that number would have been for a Cloudflare staff member. Its not like I collect them to access your bank account and wire you the $10 million dollars from the Bill Gates foundation you became eligible for.
The only “thanks” in this entire thread is from the link @sdayman posted .
Well I certainly appreciate the feedback and suggestions from every participant, and not just in this thread. I understand that my previous response could be interpreted as tactless or rude and for that I’d like to apologize. I don’t see much of a point in disclosing the ticket number here since I’m not having any trouble with the support experience itself. Again, I’ll share anything I deem appropriate when I get a satisfactory answer from support.
Update: There was a defect which Cloudflare has supposedly fixed but refused to elaborate on.
.