Firewall rules do not take effect in China

My firewall rules are as follows: eq “CN”

I want to block IP access from China, but the above rule is invalid, everything is normal in other regions, is there a relationship with Baidu Cloud Acceleration Cooperation in China? Or is it a bug in the firewall? How can I do this?

Why do you think it does not take effect? How do you tell requests still go through?

1 Like

Because I’m in China, adding rules has no effect, but adding other countries can take effect immediately.

The rule is invalid? Does an error show up?

If you go to, does it show “loc=CN”?

That is not a reason. China works just fine.


Yes, “CN” is displayed, but the rule does not take effect, only CN does not take effect

What do you mean? What do you think of China’s whitelist on Cloudfalre?

So you are saying you can still reach your site via a Chinese connection, even though you have configured aforementioned rule?

  • Whats the domain?
  • Post a screenshot of your firewall rule list.
  • Post the output of DOMAIN/cdn-cgi/trace.

Also, what about a whitelist? You want to block.

The domain name is not easy to disclose. I want to deny all access from China. The following trace and firewall rule screenshots

uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0

Not only this one domain name, I tested the same on all my domain names. The same is true for the professional version.

You need to post the domain, otherwise there is no point in trying to debug anything.

Your rule should block China, as well as all known crawlers (including Google), however I didnt ask for the rule but for the rule list.

( eq "CN") or (

Sorry, I ca n’t expose the domain name. This rule is useless for testing all domain names. It is very effective in other countries except China.

Well, if you cant post the domain the community cant help you. You need to contact support, however the configuration looks okay and should block China.

Obviously it is not a problem with my rules, because other country codes, such as
( eq "US") or (, are very effective, but setting to “CN” has no effect.

I have 25 domain names in Cloudflare, I have experimented with the same rules for each domain name, and the result is: “Invalid”

My solution is to use the server’s NGINX to get $ HTTP_CF_IPCOUNTRY to determine if it is from ‘CN’. If it is, it will return a 403 error code. But this still can reach my server.

If you can do a test, say your domain name and see if I can access it.

No offence, but I am not going to play with my configuration for this ;). If you want that debugged you need to post the domain. If you dont do that your only option is to contact support.

The configuration as you posted looks fine and should block China.

1 Like

I do n’t want to expose the domain name, obviously I do n’t want to let search engines know, so sorry, I ca n’t do this, and how do I contact support?

For the sake of the topic, I just tested a Chinese connection and it did get blocked by Cloudflare, so I would not assume there is any problem specific to China.

If you felt more comfortable you could run a check at and post here the time when you ran it, so I can dig it out.

Yes, a verification code appears on the URL you provided. But why isn’t it?