IP Firewall only allows /16 and /24 CIDR blocks

firewall

#1

I would like to block access from all AWS servers as they just scrape my page though not allowed to.

Unfortunately, Cloudflare IP Firewall allows only /16 and /24 CIDR blocks (or individual IPs) to be blocked.
But AWS also uses /13, /14, /15,… blocks - obviously I cannot block the IPs individually as those are millions of IPs and Cloudflare doesn’t allow me to add that many rules either.

Could this perhaps get fixed, as there is no real reason to allow only /16 and /24 blocks in the firewall.


#3

For example, the hostname of IP 50.19.0.0 is ec2-50-19-0-0.compute-1.amazonaws.com.
So you can create a Firewall Rule that checks the hostname, with the field hostname contains amazonaws.com and the block action.


#4

Where in the IP Firewall can I use hostnames?
Also, this would slow things down drastically, wouldn’t it, since Cloudflare would need to look up the hostname for all requests?

Btw. these are the IP blocks I want to block: https://ip-ranges.amazonaws.com/ip-ranges.json


#5

It’s possible to block custom IP ranges via CF workers:

https://tech.mybuilder.com/determining-if-an-ipv4-address-is-within-a-cidr-range-in-javascript/

One of these could easily be used in a CF worker script that 403’s if the IP is from AWS.
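As an added example (not code from the thread, from Cloudflare, or from the linked article), the following shows the approach this reply describes: an IPv4-in-CIDR check in plain JavaScript, a loader for the `prefixes[].ip_prefix` layout used by the ip-ranges.json file linked in #4, and a Worker-style handler that answers 403 when the visitor IP (taken from Cloudflare's CF-Connecting-IP header) falls in one of the ranges. The prefix list embedded below is constructed for illustration and is not the live AWS list; malformed entries are skipped rather than trusted.

```javascript
// Added example: IPv4 CIDR matching for a Cloudflare-Worker-style block list.
// Not code from the thread or the linked article; sample ranges are constructed.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Parse "a.b.c.d/len" into { base, mask } (base already masked); null if invalid.
// Any prefix length from /0 to /32 is accepted, not only /16 and /24.
function parseCidr(cidr) {
  const [ipPart, lenPart] = cidr.split("/");
  const len = lenPart === undefined ? 32 : Number(lenPart);
  const ip = ipv4ToInt(ipPart);
  if (ip === null || !Number.isInteger(len) || len < 0 || len > 32) return null;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (ip & mask) >>> 0, mask };
}

// True when `ip` lies inside `cidr`; false for any malformed input.
function ipInCidr(ip, cidr) {
  const ipInt = ipv4ToInt(ip);
  const c = parseCidr(cidr);
  if (ipInt === null || c === null) return false;
  return ((ipInt & c.mask) >>> 0) === c.base;
}

// Build a parsed block list from an object shaped like AWS's ip-ranges.json
// (an array `prefixes` whose entries carry `ip_prefix`). Unparseable entries are dropped.
function cidrsFromIpRanges(json) {
  return json.prefixes.map((p) => parseCidr(p.ip_prefix)).filter(Boolean);
}

// True when `ip` matches any parsed CIDR in the list.
function matchesAny(ip, parsedCidrs) {
  const ipInt = ipv4ToInt(ip);
  if (ipInt === null) return false;
  return parsedCidrs.some((c) => ((ipInt & c.mask) >>> 0) === c.base);
}

// Constructed sample in the shape of ip-ranges.json; illustrative, not the live list.
const SAMPLE_IP_RANGES = {
  syncToken: "0",
  prefixes: [
    { ip_prefix: "50.16.0.0/14", region: "us-east-1", service: "EC2" },
    { ip_prefix: "3.5.140.0/22", region: "ap-northeast-2", service: "AMAZON" },
    { ip_prefix: "not-an-ip", region: "x", service: "x" }, // skipped by parseCidr
  ],
};
const BLOCKED = cidrsFromIpRanges(SAMPLE_IP_RANGES);

// Decide the HTTP status for a visitor IP: 403 when blocked, 200 otherwise.
// Missing or malformed IPs are not blocked here; a stricter policy could deny them instead.
function decideStatus(ip) {
  return matchesAny(ip, BLOCKED) ? 403 : 200;
}

// Worker-style handler. Cloudflare populates CF-Connecting-IP with the visitor's address.
function handleRequest(request) {
  const ip = request.headers.get("CF-Connecting-IP") || "";
  const status = decideStatus(ip);
  return new Response(status === 403 ? "Forbidden" : "OK", { status });
}
```

In a real Worker, `handleRequest` would be wired to the `fetch` event and the prefix list fetched and cached rather than embedded; the matching itself is a handful of integer operations per prefix, so a list of a few thousand AWS ranges costs well under a millisecond per request.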


#6

Thanks, yes, but it’s completely over-the-top & adds overhead time, so I’d rather use the much faster nginx/iptables firewall cloudflare’s core depends on.
Especially since there isn’t any technical reason for only allowing /16 and /24 blocks, I guess?

