Firewall rules do not take effect in China

My firewall rules are as follows:
ip.geoip.country eq "CN"

I want to block IP access from China, but the above rule is invalid, everything is normal in other regions, is there a relationship with Baidu Cloud Acceleration Cooperation in China? Or is it a bug in the firewall? How can I do this?

Why do you think it does not take effect? How do you tell requests still go through?


Because I’m in China, adding rules has no effect, but adding other countries can take effect immediately.

The rule is invalid? Does an error show up?

If you go to example.com/cdn-cgi/trace, does it show “loc=CN”?

That is not a reason. China works just fine.

Again

Yes, "CN" is displayed, but the rule does not take effect; only CN does not take effect.

What do you mean? What do you think of China’s whitelist on Cloudflare?

So you are saying you can still reach your site via a Chinese connection, even though you have configured aforementioned rule?

  • What's the domain?
  • Post a screenshot of your firewall rule list.
  • Post the output of DOMAIN/cdn-cgi/trace.

Also, what about a whitelist? You want to block.

The domain name is not easy to disclose. I want to deny all access from China. The following trace and firewall rule screenshots

fl=4f308
h=xxx.com
ip=101.91.60.81
ts=1582552762.753
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
colo=SJC
http=http/2
loc=CN
tls=TLSv1.3
sni=plaintext
warp=off

Not only this one domain name, I tested the same on all my domain names. The same is true for the professional version.
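As an added illustration (not code from the thread or from Cloudflare), the small script below parses the /cdn-cgi/trace output posted above and evaluates the two-term rule from the thread against it. It handles only `ip.geoip.country eq "XX"` and `cf.client.bot` joined by `or`, which is a tiny subset of the real expression language; `loc` from the trace stands in for `ip.geoip.country`, and `is_known_bot` stands in for `cf.client.bot`, which the trace does not expose. The parser accepts only straight quotes, so a rule pasted with typographic quotes is reported as malformed.

```python
"""Parse /cdn-cgi/trace output and evaluate a small subset of a firewall
expression against it. Added illustration, not Cloudflare's rule engine."""
import re

# Constructed sample: the trace output posted in the thread, verbatim.
TRACE_TEXT = """fl=4f308
h=xxx.com
ip=101.91.60.81
ts=1582552762.753
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
colo=SJC
http=http/2
loc=CN
tls=TLSv1.3
sni=plaintext
warp=off
"""


def parse_trace(text):
    """Return a dict of key -> value for each `key=value` line of the trace."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


# One term: optional parentheses around either a country comparison (straight
# quotes, two upper-case letters) or the bare cf.client.bot field.
_TERM = re.compile(
    r'^\s*\(?\s*(ip\.geoip\.country\s+eq\s+"([A-Z]{2})"|cf\.client\.bot)\s*\)?\s*$'
)


def rule_is_well_formed(rule):
    """True if every `or`-separated term is one of the two supported forms."""
    return all(_TERM.match(term) for term in rule.split(" or "))


def rule_matches(rule, trace, is_known_bot=False):
    """Evaluate `term or term or ...` against the parsed trace.

    `trace["loc"]` is the country the edge attached to the request; the
    `is_known_bot` flag substitutes for cf.client.bot, which is not in the trace.
    """
    country = trace.get("loc")
    for term in rule.split(" or "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        if m.group(2) is not None:
            if country == m.group(2):
                return True
        elif is_known_bot:
            return True
    return False


if __name__ == "__main__":
    trace = parse_trace(TRACE_TEXT)
    rule = '(ip.geoip.country eq "CN") or (cf.client.bot)'
    print(f"loc={trace['loc']} colo={trace['colo']} -> blocked={rule_matches(rule, trace)}")
```

With the posted trace, the CN rule evaluates to a match and the equivalent US rule does not, which is the outcome the thread's replies describe for a correctly configured rule; what this script cannot show is which rule the edge is actually applying, which is why the replies keep asking for the rule list rather than the rule text.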

You need to post the domain, otherwise there is no point in trying to debug anything.

Your rule should block China, as well as all known crawlers (including Google); however, I didn't ask for the rule but for the rule list.

(ip.geoip.country eq "CN") or (cf.client.bot)

Sorry, I can't expose the domain name. This rule is useless for testing all domain names. It is very effective in other countries except China.

Well, if you can't post the domain the community can't help you. You need to contact support; however, the configuration looks okay and should block China.

Obviously it is not a problem with my rules, because other country codes, such as (ip.geoip.country eq "US") or (cf.client.bot), are very effective, but setting to "CN" has no effect.

I have 25 domain names in Cloudflare, I have experimented with the same rules for each domain name, and the result is: “Invalid”

My solution is to use the server's NGINX to get $HTTP_CF_IPCOUNTRY to determine if it is from 'CN'. If it is, it will return a 403 error code. But this still can reach my server.

If you can do a test, say your domain name and see if I can access it.
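The origin-side fallback described in that post (refuse the request when the CF-IPCountry header says CN) is shown below as an added Python example rather than NGINX configuration; it is not code from the thread. It adds the check a defender would want with such a fallback: the header is only meaningful when the connection actually arrived through the proxy, so the function trusts it only when the TCP peer is in a trusted proxy range and refuses direct hits outright. `TRUSTED_PROXY_RANGES` is a constructed placeholder using documentation address space, not the proxy's real published list, and `decide` is a hypothetical helper.

```python
"""Origin-side country check that trusts the CF-IPCountry header only when the
request came through the proxy. Added illustration, not from the thread."""
import ipaddress

# Placeholder (constructed) ranges standing in for the proxy's published egress
# addresses; a deployment would load the real list instead.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")
]
BLOCKED_COUNTRIES = {"CN"}


def peer_is_trusted_proxy(peer_ip):
    """True if the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def decide(peer_ip, headers):
    """Return an HTTP status for the request: 403 to refuse, 200 to serve.

    peer_ip: the address the TCP connection came from (not a header value).
    headers: dict of header name -> value; names are matched case-insensitively.
    """
    if not peer_is_trusted_proxy(peer_ip):
        # A direct hit bypasses the edge rules entirely, and any CF-IPCountry
        # value here was set by the client itself, so refuse rather than trust it.
        return 403
    lowered = {k.lower(): v for k, v in headers.items()}
    country = lowered.get("cf-ipcountry", "").strip().upper()
    if country in BLOCKED_COUNTRIES:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests: one proxied from CN, one proxied from US, one direct.
    for peer, hdrs in [
        ("192.0.2.10", {"CF-IPCountry": "CN"}),
        ("192.0.2.10", {"CF-IPCountry": "US"}),
        ("203.0.113.5", {"CF-IPCountry": "US"}),
    ]:
        print(peer, hdrs, "->", decide(peer, hdrs))
```

The same peer-address check is what makes the NGINX version safe too: a `$http_cf_ipcountry` comparison alone still lets anyone who can reach the origin directly choose the value, which is the "still can reach my server" problem the post mentions.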

No offence, but I am not going to play with my configuration for this ;). If you want that debugged you need to post the domain. If you don't do that your only option is to contact support.

The configuration as you posted looks fine and should block China.


I don't want to expose the domain name; obviously I don't want to let search engines know, so sorry, I can't do this. And how do I contact support?

https://support.cloudflare.com/requests/new

For the sake of the topic, I just tested a Chinese connection and it did get blocked by Cloudflare, so I would not assume there is any problem specific to China.

If you felt more comfortable you could run a check at sitemeer.com and post here the time when you ran it, so I can dig it out.

Yes, a verification code appears on the URL you provided. But why isn’t it?