Firewall Rule to both Bypass and Allow

I’m trying to set up 2 firewall rules that use the same expression. I want to add a Bypass to avoid certain IPs hitting out rate limits, and then explicitly Allow that same set of IPs so they don’t get processed by subsequent firewall rules.

The expressions is pretty simple - it is just
(ip.src in $my_ip_list)

However the issue is that I cannot have 2 firewall rules that use the same expression. I just hit the “config duplicates an already existing config (Code: 10102)” error. This means that instead of just Allowing my IP list, I have to explicitly exclude it from any subsequent firewall rules that might Block or issue a Challenge, which seems pretty clumsy.

Is there a way to do both a Bypass and Allow in the same rule, or to broaden the duplicate config check so it takes into account the Action on the rule?

I usually just modify one of the rules to match any kinds of traffic on top of your existing firewall expression. For example, (ip.src in $my_ip_list and http.host contains "."), where basically I’m checking whether the hostname contains a dot . (since your subdomains are going to have a dot in between anyway)

1 Like

Nice workaround. Just what I was looking for. Still a shame that this is even required though. Would be really nice to keep my terraform DRY, but I guess this will do for now.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.