Firewall Operator

ExpertTip

#1

There all,
Can someone please explain the usage of these Firewall Operators?

equals:

does not equal:

is in:

is not in:

Thanks


#2

The “equal” ones are looking for exact matches or not exactly something. This needs to be precise.
Is In (or not in) are for lists, like Countries: (US FR DE MX).


#3

Thanks.
What is the firewall operator to block all countries except Ghana? And also permit Google Bots?


#4

NOT Ghana and NOT bots get blocked.


#5

Thanks, it worked. But now I have blocked GTmetrix; how do I exclude or permit this like the “known bots”?


#6

On Dashboard > Firewall > Tools > IP Access Rules, you can add GTmetrix server IPs and set them to “whitelist”.


#7

Thanks.


#8

How do I get GTmetrix IPs please? I used the reply IP from pinging GTmetrix and it did not work.


#9

They appear to list them here:

https://gtmetrix.com/locations.html


#10

Have you got that setup working? I am asking because access and firewall rules are AFAIK still somewhat separate entities and do not affect each other. So whitelisting in an access rule would not necessarily skip a firewall rule. But @alexcf should hopefully be able to shed light here :slight_smile:


#11

Why not add: AND UserAgent DoesNotContain GTmetrix to the Firewall Rule?

Yes, someone could spoof that, but I’ve not seen rampant use of that.


#12

I use it with a similar setup, except I’m not blocking but JS-challenging countries other than (list). So I have a Firewall Rule:

If country not in {US, BR etc}
and not “known bots”
then
JS-Challenge

Which stopped GTMetrix until I set the IP rule with a whitelist action.


#13

Thanks for the clarification, the interaction between all the rule engines is still a mystery to me :smile:


#14

You’re not alone in this. :smile: I’m glad I have a couple of testing domains I can use to check things before implementing.


#15

The rules are confusing, honestly. I whitelisted a dev support IP via tools, and my server resources hit the roof. I blocked her IP, and everything became normal. Still cannot understand why.


#16

The security engines are still somewhat a work in progress, but AFAIK Cloudflare does plan to consolidate them in the coming months (possibly Q2 or Q3).


#17

I need this help pls, how can I permanently block all kinds of bots from reaching my websites using Cloudflare?
Getting sick of their activities.


#18

Define “all kind of bots”? Also Google for example?

It is difficult to target all bots, you would need a pattern.


#19

Here are the “known bots” that are allowed. If you use the rule I posted above, anything else not originating from Ghana will be blocked.

I also posted an exception to let GTmetrix through. If you want to block some of those Known Bots, you’ll need to add to the rule to exclude them. I expect that all the ones on that list respect robots.txt, so that would be another option for letting bots know you don’t want your site crawled.

So, as @sandro suggested, let us know which bots are still hitting your site and we’ll try to help you block them.


#20

That's a good point, actually. Considering you block everything except for one country, you should already be somewhat on the safe side, assuming there is not a large share of automated traffic coming from that country.
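
Added example (not part of the thread and not Cloudflare's code): a small Python model of the four operators from post #1 and of the rule built up in posts #4 and #11, evaluated over constructed requests. The request fields, helper names and sample values are assumptions made for illustration.

```python
# Model of the thread's rule; roughly, in Cloudflare's expression syntax:
#   ip.geoip.country ne "GH" and not cf.client.bot
#   and not http.user_agent contains "GTmetrix"
# Request fields and helper names below are hypothetical, for illustration.

def equals(value, operand):
    return value == operand            # exact, case-sensitive match

def does_not_equal(value, operand):
    return value != operand

def is_in(value, operands):
    return value in set(operands)      # membership in a list, e.g. countries

def is_not_in(value, operands):
    return value not in set(operands)

def should_block(req, allowed=("GH",), ua_exception="GTmetrix"):
    """Block only when every condition holds (the rule's clauses are ANDed)."""
    return (is_not_in(req["country"], allowed)
            and not req["known_bot"]
            and ua_exception not in req["user_agent"])

# Constructed sample requests (not real traffic).
REQUESTS = [
    {"name": "visitor-gh", "country": "GH", "known_bot": False, "user_agent": "Mozilla/5.0"},
    {"name": "visitor-us", "country": "US", "known_bot": False, "user_agent": "Mozilla/5.0"},
    {"name": "googlebot", "country": "US", "known_bot": True, "user_agent": "Googlebot/2.1"},
    {"name": "gtmetrix", "country": "CA", "known_bot": False, "user_agent": "Mozilla/5.0 GTmetrix"},
    # Same User-Agent string from an unrelated client: the exception from post #11
    # matches on the header alone, so this request is allowed as well. Matching on
    # source IP (post #6) does not depend on the header.
    {"name": "ua-lookalike", "country": "BR", "known_bot": False, "user_agent": "Mozilla/5.0 GTmetrix"},
]

def decisions(requests=REQUESTS):
    """Return {request name: "block" or "allow"} for each sample request."""
    return {r["name"]: "block" if should_block(r) else "allow" for r in requests}

if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:13} {action}")
```
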