New to self-hosting, ideal way to block countries not my own?

So my networking is rudimentary at best. I’m familiar with just enough to ensure I end up less secure than I started :frowning:

I have reached the point in which I’m trying to create rules/policies etc. to balance security and convenience for my use case.

I want to block all countries not my own (I realize this only goes so far considering VPNs are a thing), but this is beyond the scope of my inquiry.

I’m using a zero trust tunnel to host a variety of web apps from the starr suite to calibre to share books with F&F.

I see we have an option in the dashboard via security > WAF to create such a rule. However we also have gateway > Firewall Policies in the zero trust dashboard. Finally we have rules within the access > applications themselves to require or exclude particular countries.

I’m trying to understand which avenue is preferable and/or what the differences are? It appears the first option (WAF) may be deprecated and as such shouldn’t be considered at this point?

Appreciate any insight!

WAF is the way to go here, and it isn’t being deprecated but migrated to the ruleset. You can just make a rule that only allows your country.


Thank you for the reply. While I’m perfectly happy to take your word for it, just so I have one less thing to inquire about and understand one more thing as far as self-hosting here goes…

Why is that the case? What is the difference between using WAF vs an application policy requiring a country or a zero trust firewall policy?

Also I “assume” WAF rules apply to all subdomains?

And just to be clear/confirm: the tunnels as well? I have no VPN installed and really would prefer not to purely to change my IP and test.

If all the aforementioned is true, it makes the application rule option of requiring a certain country or blocking a certain country entirely redundant, or?

How would it evaluate rules if they were conflicting then? Does WAF apply to the site itself whereas application policies in zero trust would apply to the Cloudflare Access page pre even getting to the website? AKA they aren’t redundant and both could be used effectively?

Access is more of an identity-aware proxy, which isn’t what you are looking for. You would just be creating a bypass policy for Access for the countries. Plus WAF is easier.

Depends on how you set them up. You can restrict them to specific hosts or have them be for the whole zone.

What do you mean by tunnels as well? As long as the tunnel DNS record is :orange: then your WAF will run in front of it.

Access runs before WAF, so if you set up an Access policy and WAF, people wouldn’t hit WAF.
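
An added example, not part of the thread and not Cloudflare's own code: a small Python helper that builds the custom rule described above ("only allows your country", for the whole zone or restricted to specific hosts) and models its logic locally, so the intent can be checked without a VPN. The country code `US`, the `example.com` hostnames and the function names are assumptions made for illustration; `would_block` is a local model of the expression, not Cloudflare's evaluator.

```python
import re


def build_rule(allowed_countries, hosts=None):
    """Return a custom-rule object that blocks requests from outside allowed_countries.

    hosts=None (or empty) covers the whole zone; a list limits the rule to those hostnames.
    """
    for code in allowed_countries:
        if not re.fullmatch(r"[A-Z]{2}", code):
            raise ValueError(f"not a two-letter upper-case country code: {code!r}")
    for host in hosts or []:
        # Reject quotes and spaces so a hostname cannot alter the expression.
        if not re.fullmatch(r"[a-z0-9.-]+", host):
            raise ValueError(f"unexpected character in hostname: {host!r}")

    countries = " ".join(f'"{c}"' for c in sorted(allowed_countries))
    country_test = f"not ip.geoip.country in {{{countries}}}"
    if hosts:
        host_set = " ".join(f'"{h}"' for h in sorted(hosts))
        expression = f"(http.host in {{{host_set}}} and {country_test})"
    else:
        expression = f"({country_test})"
    return {
        "action": "block",
        "expression": expression,
        "description": "Block countries other than my own",
    }


def would_block(request, allowed_countries, hosts=None):
    """Local model of the rule above: True if the request would be blocked."""
    in_scope = not hosts or request["host"] in hosts
    return in_scope and request["country"] not in allowed_countries


# Constructed sample requests (hostnames and countries are made up).
SAMPLES = [
    {"host": "books.example.com", "country": "US"},
    {"host": "books.example.com", "country": "DE"},
    {"host": "other.example.com", "country": "DE"},
]

if __name__ == "__main__":
    rule = build_rule(["US"], hosts=["books.example.com"])
    print(rule["expression"])
    for req in SAMPLES:
        print(req, "->", "block" if would_block(req, ["US"], ["books.example.com"]) else "pass")
```

The `expression` string is what goes into the WAF custom rule's expression editor, with the action set to Block.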

Perfect, exactly the information I was looking for! Appreciate it very much!

I do have Access policies set up to only allow certain emails, so it sounds like WAF would be redundant then.