IP Firewall - What do I need for DNS Settings?


If I am going to set up the IP Firewall, for example to block certain countries from visiting my site, what do I need to do in the DNS settings to have this work? Right now I am only managing DNS (the cloud icon is gray). I am guessing that I would need CF to act as an HTTP proxy (which is what the orange color seems to do) so that “traffic goes through Cloudflare” and CF will filter it. Is this correct?

If so, which can or should I choose to be orange/on? I know in the past that some items didn’t work well (I have WHM/cPanel) and that I should limit this option and caching. Note, I am also using forum software and did see an article on ensuring that you make modifications in the forum software, otherwise the banned IP addresses will be CF IP addresses and not the original visitor’s.


Yes, you’ll need the orange cloud (proxied) for Cloudflare to protect your site. In Cloudflare DNS, you need to set example.com and www.example.com to orange cloud. With the caveat that example.com is only a web server, and not a mail server as well.

You can’t block countries unless you’re on a Business or Enterprise plan, but you can “challenge” country visitors using Cloudflare’s Firewall settings.

Or you can configure your site to block visitors with the HTTP header of HTTP_CF_IPCOUNTRY that matches the two letter country codes you want to block.

If you’re banning IP addresses, you need to find a way to restore visitor IP addresses on your server or software:
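The two points in this answer, blocking on the CF-IPCountry header at the origin and restoring the real visitor IP so that bans hit the visitor rather than a Cloudflare edge, can be done in one place in front of the application. The following is an added example, not code from this thread or from Cloudflare, written as a WSGI middleware in Python. It assumes the origin has the CGI-style variables the thread mentions (REMOTE_ADDR, HTTP_CF_CONNECTING_IP, HTTP_CF_IPCOUNTRY); the two network ranges and the blocked-country list are placeholders constructed for the example. The security point it demonstrates is that both headers are only trustworthy when the TCP peer is actually a Cloudflare edge: anyone who reaches the origin directly can set CF-Connecting-IP or CF-IPCountry to whatever they like.

```python
"""Added example (not from the forum thread or Cloudflare): honour
CF-Connecting-IP / CF-IPCountry only when the request really came through
Cloudflare, then block by country and expose the real visitor IP."""
import ipaddress

# ASSUMPTION: placeholder ranges constructed for this example. Replace with
# the current published list from https://www.cloudflare.com/ips/ and
# refresh it periodically; a stale list silently turns off both checks.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder IPv4 range
    ipaddress.ip_network("2001:db8:cf::/48"),  # placeholder IPv6 range
]

# Constructed list of ISO 3166-1 alpha-2 codes to reject; "T1" is the code
# Cloudflare uses for Tor exits and "XX" for unknown, include them if wanted.
BLOCKED_COUNTRIES = {"RU", "CN"}


def is_cloudflare_peer(peer_ip, ranges=CLOUDFLARE_RANGES):
    """True if the TCP peer address belongs to a trusted Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def visitor_ip(environ, ranges=CLOUDFLARE_RANGES):
    """Address to log and to ban. CF-Connecting-IP is used only when the
    connection came from Cloudflare; otherwise the header is attacker-set
    and the TCP peer is the best we have."""
    peer = environ["REMOTE_ADDR"]
    if is_cloudflare_peer(peer, ranges):
        hdr = (environ.get("HTTP_CF_CONNECTING_IP") or "").strip()
        try:
            return str(ipaddress.ip_address(hdr))   # normalises and validates
        except ValueError:
            pass                                    # malformed: fall back to peer
    return peer


def country_decision(environ, blocked=BLOCKED_COUNTRIES, ranges=CLOUDFLARE_RANGES):
    """'block' for a blocked CF-IPCountry, 'allow' otherwise, and 'direct'
    when the request bypassed Cloudflare (no country tag can be trusted)."""
    if not is_cloudflare_peer(environ["REMOTE_ADDR"], ranges):
        return "direct"
    country = (environ.get("HTTP_CF_IPCOUNTRY") or "").strip().upper()
    return "block" if country in blocked else "allow"


class CloudflareGuard:
    """WSGI middleware: reject blocked countries and direct-to-origin
    requests, and rewrite REMOTE_ADDR so the wrapped app (for example the
    forum software) bans the real visitor rather than a Cloudflare edge."""

    def __init__(self, app, blocked=BLOCKED_COUNTRIES, ranges=CLOUDFLARE_RANGES):
        self.app, self.blocked, self.ranges = app, blocked, ranges

    def __call__(self, environ, start_response):
        # Decide before rewriting REMOTE_ADDR: the decision needs the peer.
        decision = country_decision(environ, self.blocked, self.ranges)
        real_ip = visitor_ip(environ, self.ranges)
        if decision == "block":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access from your region is not permitted.\n"]
        if decision == "direct":
            # Design choice: once the site is orange-clouded, a request that
            # did not come via Cloudflare has bypassed every edge rule.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access to the origin is not permitted.\n"]
        environ["CLOUDFLARE_PEER_ADDR"] = environ["REMOTE_ADDR"]  # keep for logs
        environ["REMOTE_ADDR"] = real_ip
        return self.app(environ, start_response)


if __name__ == "__main__":
    def demo_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("hello " + environ["REMOTE_ADDR"]).encode()]

    guard = CloudflareGuard(demo_app)
    # Constructed requests: via Cloudflare from RU, via Cloudflare from US,
    # and a direct hit that spoofs both headers.
    samples = [
        {"REMOTE_ADDR": "203.0.113.10", "HTTP_CF_CONNECTING_IP": "198.51.100.7", "HTTP_CF_IPCOUNTRY": "RU"},
        {"REMOTE_ADDR": "2001:db8:cf::1", "HTTP_CF_CONNECTING_IP": "192.0.2.1", "HTTP_CF_IPCOUNTRY": "us"},
        {"REMOTE_ADDR": "198.51.100.7", "HTTP_CF_CONNECTING_IP": "192.0.2.1", "HTTP_CF_IPCOUNTRY": "US"},
    ]
    for env in samples:
        status = []
        body = b"".join(guard(dict(env), lambda s, h: status.append(s)))
        print(env["REMOTE_ADDR"], "->", status[0], body.decode().strip())
```

On a WHM/cPanel host running Apache the same peer-range check is what mod_remoteip's RemoteIPHeader and RemoteIPTrustedProxy directives do for CF-Connecting-IP; the middleware above is the application-level equivalent, and the country check can equally be an Apache or PHP rule on HTTP_CF_IPCOUNTRY, provided it only runs for requests whose peer is a Cloudflare address.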


Thanks much for your great and quick response! For the most part, my site appeals to US traffic and perhaps Canada and Mexico and limited countries in Europe (which I wouldn’t miss). Elsewhere it’s pure spam and pretty heavy, especially the eastern bloc of Europe, Russia, China, etc. where it’s just all malicious traffic. Won’t miss them. Mail isn’t an issue - and thanks for making that clear.

So my options are turning on CF to protect the site, an A record for domain.com and a CNAME for www.domain.com, and then set up the IP Firewall. (It allows me to block, although I’ll assume on free accounts it says block but is only a challenge.)

The other option - does that also require turning on CF then? I could put the country list in the header but I’m wondering which is faster and will limit the hit on page load. My guess is that using option 1 is probably faster because hitting the server and then forcing a lookup back to CF from an HTTP request would probably require additional trip(s).

Thanks again for your great help.


Anything here requires Cloudflare to be turned on for your domain.

Yeah, the free account says “block,” but that’s a mistake. It works for now, but they’re working on that. It’s an upper paid-plan feature. Lower plans can Challenge, and that’s what I do. It’s been pretty effective at blocking abusive countries.