WAF allowing traffic from mobile against WAF deny-all policy

Answer these questions to help the Community help you with Security questions.

Have you searched for an answer?
Yes

Describe the issue you are having:
We have several pfSense firewall GUIs that should only be accessible from specified IP addresses. We have a simple allow / deny WAF config (below) that has been working fine, but recently noticed that 1. successful access attempts aren't being logged in Cloudflare firewall events - access logs and, more importantly, 2. mobile phones can get through the WAF policy even though they are not on the allow list.

What steps have you taken to resolve the issue?

  1. Confirmed access from an allowed IP; confirmed PCs/Macs on several different networks have no access, presented a Cloudflare
  2. Confirmed DNS on mobile phones for the pfSense firewalls is returning Cloudflare IPs as expected, but access is still allowed

Was the site working with SSL prior to adding it to Cloudflare?
yes

What are the steps to reproduce the error:

  1. Access to the site from an allowed IP works
  2. Access from other networks fails, except from mobile phones for some reason

Have you tried from another browser and/or incognito mode?
Yes

Please attach a screenshot of the error:

Create one rule: 'IP address not in' and set the action to block.

Your second rule maybe blocks IPv4 requests only? But most mobile traffic is IPv6. Anyway it is not needed, as it can be accomplished with a single rule.

It WAS IPv6! I updated the deny-all rule with a second OR for ::/0 and now it's blocked.

@cscharff You are right, that is more elegant. Thanks for your input.

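The bypass in this thread comes down to how an ordered allow/deny policy evaluates an IPv6 client. Below is an added Python model of the three rule sets discussed (the original allow-then-"deny 0.0.0.0/0" pair, the patched deny with ::/0 added, and the single "not in allowlist" rule); it is illustration code written for this page, not the original poster's configuration or anything from Cloudflare. The allowlist CIDRs and client addresses are constructed from documentation ranges, and the rule semantics (first matching rule wins, no match means the request passes) are an assumption that mirrors how an allow rule followed by a block rule behaves in practice.

```python
"""Model of an ordered allow/deny WAF policy, showing why a deny-all rule
written only as 0.0.0.0/0 never matches IPv6 clients (common on mobile
networks), and how the two fixes from the thread close the gap.
Added example for this page; the CIDRs and addresses are constructed."""
import ipaddress

# Constructed allowlist using documentation ranges (RFC 5737 / RFC 3849).
ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/24", "2001:db8:abcd::/48"]


def ip_in(src, cidrs):
    """Counterpart of a rule-language 'ip.src in {...}' test.

    Returns True if src falls inside any listed CIDR. An IPv6 address can
    never be inside an IPv4 network, so 0.0.0.0/0 alone is not "everything".
    """
    addr = ipaddress.ip_address(src)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def evaluate(rules, src):
    """Walk the ordered rules; the first rule whose match function is true
    decides the action. If nothing matches, the request passes ("allow")."""
    for match, action in rules:
        if match(src):
            return action
    return "allow"


# 1. The two-rule policy as described in the question: allow listed sources,
#    then a "deny all" that was really "deny all IPv4".
ORIGINAL_RULES = [
    (lambda s: ip_in(s, ALLOWLIST), "allow"),
    (lambda s: ip_in(s, ["0.0.0.0/0"]), "block"),
]

# 2. The fix the poster applied: OR ::/0 into the deny-all rule.
PATCHED_RULES = [
    (lambda s: ip_in(s, ALLOWLIST), "allow"),
    (lambda s: ip_in(s, ["0.0.0.0/0", "::/0"]), "block"),
]

# 3. The single-rule form suggested in the thread: block anything that is
#    not in the allowlist. (In Cloudflare's rule language this is roughly
#    '(not ip.src in {...})' with action Block; treat that as an assumption.)
SINGLE_RULE = [
    (lambda s: not ip_in(s, ALLOWLIST), "block"),
]

# Constructed client addresses: an allowed v4, a stray v4, an allowed v6,
# and a stray v6 (the "mobile phone" case).
SAMPLES = ["203.0.113.10", "192.0.2.77", "2001:db8:abcd::1", "2001:db8:ffff::1"]


def audit(policy, samples=SAMPLES):
    """Return {client_ip: action} so a policy can be checked in one call."""
    return {s: evaluate(policy, s) for s in samples}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_RULES),
                         ("patched", PATCHED_RULES),
                         ("single", SINGLE_RULE)):
        print(f"{name:9s} {audit(policy)}")
```

Running `audit(ORIGINAL_RULES)` shows the stray IPv6 client reported as "allow" while the stray IPv4 client is blocked; both fixed policies block it. The single negated rule is also the safer shape to maintain, because any future address family or range is denied by default rather than requiring a second "deny everything" term to be kept complete.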

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.