Configuring IP Access Rules

Learn to utilize IP Access Rules to restrict, challenge, or whitelist traffic to your site.


Overview

IP Access Rules are commonly used to block or challenge suspected malicious traffic.  Another common use of IP Access Rules is to whitelist services that regularly access your site (APIs, crawlers, payment providers, etc).  IP Access Rules allow whitelist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number.

There are four configurable actions for an IP Access Rule:

  • Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Whitelist takes precedence over block.

Whitelisting a country code does not bypass Cloudflare's WAF.

Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any whitelisting logic takes place. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.

  • JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to visitors. Requires a visitor's browser or client to support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors.
  • Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.
  • Block: Prevents a visitor from visiting your site.


Add an IP Access Rule

To create an IP Access Rule, follow these steps:

  1. Log in to your Cloudflare account.
  2. Select your domain.
  3. Click the Firewall app.
  4. Click on the Tools tab.
  5. Under IP Access Rules, enter the following details:
  6. Enter the Value as an IP, IP range, or two-letter country code.
  7. Select an Action.
  8. Select whether the rule applies to This website or All websites in the account.
  9. (Optional) Add a Note (e.g. Payment Gateway).
  10. Click Add.


Types of Access Rules

There are several types of Access Rules:

Type                             Example value
IPv4 address                     192.0.2.3
IPv4 /24 range                   192.0.2.0/24
IPv4 /16 range                   192.0.0.0/16
IPv6 address                     2001:db8::
IPv6 address range               2001:db8::/48, 2001:db8::/64
Country (by name or code)        US, germany, tor, CN
Autonomous System Number (ASN)   AS13335

IPs globally whitelisted by Cloudflare override a Country block via IP Access Rules but not a Country block via Firewall Rules.


Address range examples

CIDR   Start of range (example)   End of range (example)                    Number of addresses
/64    2001:db8::                 2001:db8:0000:0000:ffff:ffff:ffff:ffff    18,446,744,073,709,551,616
/48    2001:db8::                 2001:db8:0000:ffff:ffff:ffff:ffff:ffff    1,208,925,819,614,629,174,706,176
/32    2001:db8::                 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff    79,228,162,514,264,337,593,543,950,336
/24    192.1.2.0                  192.1.2.255                               256
/16    192.1.0.0                  192.1.255.255                             65,536


IP Access Rule limits

The number of allowed IP Access Rules varies based on the number of active zones within your Cloudflare account and the plan level for each zone:

  • Free 500 rules
  • Pro 1,000 rules
  • Business 2,000 rules
  • Enterprise 10,000 rules

For example, if you have two zones at the Free level of service and one at the Pro level, the IP rule limit for your Cloudflare account will be 2,000 rules.
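The following added example (not Cloudflare's code) checks a rule value against the value types in the tables above, expands a CIDR into its start address, end address and address count, and sums the per-plan allowances to get the account rule limit. It assumes only two-letter country codes are used (country names such as "germany" and the "tor" keyword are not handled here), and the PLAN_LIMITS figures are taken from the list above.

```python
import ipaddress
import re

# Per-zone allowances from the plan list on this page
PLAN_LIMITS = {"free": 500, "pro": 1000, "business": 2000, "enterprise": 10000}
COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")       # ISO 3166-1 alpha-2 code
ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)  # e.g. AS13335


def classify_rule_value(value):
    """Return the rule type for a value, plus range details for networks.

    Assumption: country values are two-letter codes only; names and the
    'tor' keyword accepted by the dashboard are out of scope for this example.
    """
    value = value.strip()
    if ASN_RE.match(value):
        return {"type": "asn", "value": value.upper()}
    try:
        # strict=False lets a host address with a prefix (192.0.2.3/24)
        # be normalised to its network; a bare address becomes /32 or /128
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        pass
    else:
        kind = "ipv4" if net.version == 4 else "ipv6"
        if net.num_addresses == 1:
            return {"type": f"{kind}_address", "value": str(net.network_address)}
        return {
            "type": f"{kind}_range",
            "value": str(net),
            "start": str(net.network_address),
            "end": str(net.broadcast_address),   # last address of the block
            "count": net.num_addresses,          # 2 ** (bits - prefix length)
        }
    if COUNTRY_RE.match(value):
        return {"type": "country", "value": value.upper()}
    raise ValueError(f"not a valid IP Access Rule value: {value!r}")


def account_rule_limit(zone_plans):
    """Sum the allowance of every active zone, e.g. Free + Free + Pro = 2000."""
    return sum(PLAN_LIMITS[plan.lower()] for plan in zone_plans)
```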


Two-letter country codes

Below is a full list of the two letter country codes in ISO 3166-1 Alpha 2 format needed to create Access Rules for the IP Firewall:

