Firewall Rules vs IP Access - Best method for my idea?

So I am trying to set up some rules to JSChallenge anyone from outside of the United states and its minor outlying areas. My engine building company does not ship outside the USA, so our primary focus is US based customers. So making it slightly more challenging for those outside of our area is ok if it can possibly eliminate some spam/attacks on my website. My question is to the best way to implement this. From poking around, it looks like I will be doing this with my 1 of 5 Firewall rules, or doing it via IP Access Rules. I am getting a little confused on which to use and whether or not one would take priority over the other and vice versa. I temporarily tried the following firewall rule which SEEMED to work, but until I get to work and re-test, connecting to it using a VPN routed through Russia, I wont know for sure if the JSChallenge part is functional. For now it is disabled until I hear back from you guys:

Country is NOT equal to United States
Country is NOT equal to United States Outlying Areas

*** BUT…I also do NOT want to block good bots. I want all good bots to be able to scan my website. How or where would I add this into the mix if using the above rule set? Would I add it inside the existing above rule or would it be a completely separate rule? If separate rule, would I place it above or below the current one, or does that order even matter? Or, can I use IP Access rules instead, for the same stuff as above, so as to not waste Firewall rules since I only have 5? Thanks!

With access rules you cannot negate and whitelisting the US and challenging everyone else might not be a good idea as that would literally whitelist all US requests, even those which are usually blocked.

Your best bet might be a firewall rule of this sort


I did not even realize I could add multiple values inside the value box. Thats great news versus adding additional ANDs for each country. One last question. What would be the difference between what you proposed “is not in” and using “does not equal” for the operator in my scenario? Thanks for your quick response!

These are equivalent, one is for lists the other for individual entries.

1 Like

OK thank you very much

I have a similar rule as my first Firewall Rule, but I also added a threat factor to apply the JS challenge to certain visitors even within the countries I’m allowing in:

(not in {"BR" "US" "AR" "CL" "UY" "PY" "BG" "MD"} and not or (cf.threat_score ge 15)

Couple more questions. So I have another rule in my Firewall section that looks like this:

Does it matter what order my rules are organized? Does this one need to be before or after my country challenge one? And last, is there a more compact or cleaner way to achieve what I am doing in this particular rule, just like there was in the country block rule? Thanks!

On the topic or order, do IP Access rules override or get overridden by Firewall rules or vice versa, and does ordering matter in IP Access?

You generally dont need that rule as requests with such hostnames should never reach your server anyhow. Cloudflare performs the mapping based on the hostname in the first place.

As for the order, that still seems a bit messy and Cloudflare is working on consolidating a lot but currently it should be

  • Page rules
  • Sanity checking
  • IP Access Rules (IP Firewall)
  • Firewall Rules
  • Zone lockdown
  • User Agent Blocking
  • Browser Integrity Check
  • Hot linking protection
  • L7-to-L7 DDoS mitigations
  • IP Reputation and Threat Intelligence
  • Rate limiting
  • WAF

Though @alexcf should be able to provide even more insight

1 Like

Hmmm…that seems like a good idea, but let me ask. I have my general “Security Level” setting set to “Medium”. How does this compare to setting a specific threat level via firewall rule like you did?

The only reason I have those in there is that somehow throughout the last year of building the site (which by the way, I have not had all this Cloudflare setup properly the whole time unfortunately), those specific domains somehow attached SPAM backlinks to my domain and google noted these crappy backlinks in google search console. I am just trying to make sure that there is not a way specifically for these domains to attach to me as SPAM backlinks. I also plan to disavow them to try remove the links in Google’s eyes. Am I wasting my time with that?

If you check for the hostname, yes. Such requests will never reach your server.

OK excellent, so it looks like IP Access take priority so good to know. I will be careful in how I add these things in that regard? Let me ask this, if I have two firewall rules like I do now, with the two we have discussed, does the order of those two matter?

Also, per the comment floripare made. Would adding a threat level of “15” to even my allowed countries do anything different than what is already being done via my general “Security Level” being set to “Medium”? Or are they completely different things?

Good question! I’m not so sure I can give you a definite answer, because Cloudflare itself provides slightly different answers to what Security Level means on its Firewall tab > Security Level > Help and here.

The one benefit I see in putting the cf.threat_score on a Firewall Rule is that you have a means to fine-tune this control.

So if with “greater than”, say, 14, you keep seeing bad visitors making it to your origin server, you could change that to 13, then to 12 etc, until you find the best balance between protecting your website and not scaring away your legitimate visitors.

While if you see bad actors coming to you website under Security Level = Medium, your only option would be to elevate that to High, which would jump from 14 to 0 according to the page linked above.

1 Like

It does, the first one triggers.

It shouldnt, I am not sure which level Medium uses but if it is 15, it will challenge applicable requests in any case. But the more granular control mentioned by @cbrandt is certainly a good point.

1 Like

Actually, my recent experience would indicate that, except for the Allow action, the most stringent rule prevails.

I have a second rule with Action = Block for certain known WordPress URLs hackers like to probe, such as /author= and /installer.php etc, and they are always triggered, even when, like most guys trying this kind of stuff, they come from countries where my first rule (JS Challenge) would apply. Even this morning I had about 50 hits with sequential URLs starting with /author=1 to /author=50 coming from an authorized country and they were all beautifully blocked :sunglasses:

1 Like

That might be too, my understanding has always been the first one counts, but its unfortunately not overly clear -> @alexcf :slight_smile:

Thank you very much for all the info both of you! I really appreciate all of it!

What would be your recommend for blocking these specific bad domains then? Should I try to locate their IP addresses and block those IPs instead? Would that work?

And to just be clear, if I were to BLOCK use the following:

(cf.threat_score ge 15)

then if it is blocking too many good users, I would INCREASE the number higher?

Can you explain what you mean by that?