Multiple conditions in a WAF rule, and unable to get it to work properly

Before asking, did you search first? Press :mag: at the upper right to search.

I did try to find similar topics.

I’m trying to figure out the proper way to use WAF rules, but I’m really lost at how it works. I’m trying to only allow US for specific hostname and URI, and allow specific countries only.

( ne "US" and ne "" and http.request.uri.path ne "/webhooks/pubsub") or (not in {"DK" "EE" "FI" "SE"})

Then I set block, but that results in me accessing the whole thing to be blocked too from Finland. In my mind it should be if:

  • If it’s not from US, with the specified host AND path of the webhook, it should be allowed.
  • If it’s from those listed geo, it should be allowed.

Instead I get blocked.

From what I see, you should be able to access from Finland and the other countries in the list. Almost Everything else would be blocked from everywhere.

(not in {"DK" "EE" "FI" "SE"})

This block all requests from outside these countries.

( ne "" and http.request.uri.path ne "/webhooks/pubsub")

The US thing at the beginning does nothing, so I will ignore it. Requests from the US are already blocked by the first part, and not US is everyone else.

This part blocks everything from everyone, unless the hostname is or the path is /webhooks/pubsub.
So and should be accessible from the countries in your list.

What are you trying to achieve?

I’m trying to only allow Google’s FeedFetcher (which needs access to the pubsub webhook endpoint) that happens to result in traffic from US but I don’t want to allow other US sourced traffic.
While also geoblocking most countries from accessing my domain.

So it should be the full url: that should be allowed from US. Everything else from the listed countries.

First rule:

Country equals US and hostname equals and path equals /webhooks/pubsub
Skip remaining Rules

Though you could also use User-Agent equals Feedfetcher-Google instead of the US rule.

Second Rule:

Country not in {List of countries}

If you want to combine both into a single rule, you would do (not (rule1)) AND (rule2) then block.

There is no “skip remaining rules” in security/waf/custom-rules/? Which is why I’m confused as to where/how this is supposed to be done?

It should look like this:

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.