Firewall Rule Block Multiple IPs using (ip.src in {x.x.x.x})

I have a few spammers hitting one of my sites so I’m blocking them with a simple Firewall rule. The problem however is, the rule is blocking more than I want. Here’s the rule:

(ip.src in {1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4})

Then > Block

My desire is to block ONLY those 4 IP addresses. Cloudflare however is blocking many more.

For example, rather than just blocking 1.1.1.1, it’s also blocking 1.1.5.2 (example). Like it’s matching the first two octets and therefore blocking.

Very odd. Am I doing something wrong here? Is the ip.src in only supposed to be used with a CIDR value and not individual IPs?

Thnx

If you’re going to use ip.src in then it’s probably best to use CIDR notation

In your case, you would need to write it like so:

Please note I haven’t actually tested above, but I believe that should achieve what you want.

Or better yet, you can now use the brand new IP list feature

Thnx @soldier_21 - I can do that. I just wanted to get the definitive - how is it “supposed” to work? Looking at other threads (including the documentation from CF), it appears that it should work without the CIDR value.


Here is the documentation:

I believe if you enter an IP address with the final octet just being 0, like in 93.184.216.0, the Firewall will consider it a network address and perhaps block the whole 93.184.216.0/24 block.

Edit: I mistakenly tested the above but didn’t realize that a previous BLOCK rule that I had disabled hadn’t yet propagated. Something else in your rule or rules must be blocking those extra IP addresses.

That should not happen. If you block an individual IP address only that address should get blocked and nothing else.

I’d suggest you check out the firewall event log and find out why that particular request got blocked. It is rather unlikely this is going to be that firewall rule.

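An added example, not part of the thread and not Cloudflare's code: a small Python model of the matching behaviour the last reply describes, where a bare address in an `ip.src in {...}` set matches only itself and only a CIDR entry covers a range. The function names and the `1.1.0.0/16` comparison rule are assumptions made for illustration; it can be used to check which entry of a rule, if any, accounts for a blocked address seen in the firewall event log.

```python
import ipaddress
import re

# Matches the set literal in an expression such as:
#   (ip.src in {1.1.1.1 10.0.0.0/8})
_SET_RE = re.compile(r"ip\.src\s+in\s+\{([^}]*)\}")


def parse_ip_set(expression):
    """Return the networks listed in an `ip.src in {...}` expression."""
    match = _SET_RE.search(expression)
    if match is None:
        raise ValueError("no 'ip.src in {...}' clause found")
    # A bare address becomes a single-host network (/32 for IPv4).
    # strict=True rejects entries with host bits set, e.g. 1.1.1.1/16,
    # which are usually a typo that widens the rule by accident.
    return [ipaddress.ip_network(tok, strict=True)
            for tok in match.group(1).split()]


def matching_entries(expression, client_ip):
    """List the set entries that cover client_ip (empty list: no match)."""
    addr = ipaddress.ip_address(client_ip)
    return [str(net) for net in parse_ip_set(expression) if addr in net]


if __name__ == "__main__":
    # The rule from the question, and a constructed wider rule for contrast.
    exact_rule = "(ip.src in {1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4})"
    wide_rule = "(ip.src in {1.1.0.0/16 2.2.2.2})"
    for rule in (exact_rule, wide_rule):
        for ip in ("1.1.1.1", "1.1.5.2"):
            print(rule, ip, matching_entries(rule, ip))
```

If a blocked address returns an empty list for every rule of this form, the block came from a different rule or expression, which is what the event log will show.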