How do I control IP access to my site?

With the Cloudflare Firewall app, you can whitelist, block, and challenge visitors by IP address, country, or AS number. To whitelist or block a visitor:

  1. Log in to Cloudflare.
  2. Go to the Firewall app.
  3. Add an entry to the Access Rules and select the action.

There are four possible actions:

  • Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc.). This is useful if a trusted visitor is blocked by security features. Whitelists take precedence over blocks. Whitelisting a country code does not prevent the request from bypassing the WAF.
  • JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to any visitors. I'm Under Attack Mode requires JavaScript to be enabled for a visitor to proceed. This mode is useful for blocking DDoS attacks with minimal impact to visitors.
  • Challenge: Requires the user to complete a CAPTCHA in order to visit your site. This will prevent bots from accessing the site, but real humans can complete the CAPTCHA to proceed (including attackers).
  • Block: When a visitor is blocked, no CAPTCHA option is presented so there is no way for the visitor to access your site. The Block option is appropriate to use when you know, with a high level of certainty, that you do not want the IP address to visit your site.

Note: You can only set a rule to fully block by country code on the Enterprise plan. On Free, Pro, and Business levels, you can only set up a challenge page for visitors from the countries you decide to block. A human visitor could still enter your site from that country by passing the challenge page.

Types of access rules

There are several types of access rules that can be put in place:

| Type | Example(s) |
|---|---|
| IPv4 address | 192.0.2.3 |
| IPv4 /24 range | 192.0.2.0/24 |
| IPv4 /16 range | 192.0.0.0/16 |
| IPv6 address | 2001:db8:: |
| IPv6 address range | 2001:db8::/48, 2001:db8::/64 |
| Country (by name or code) | US, germany, tor, CN |
| ASN | AS13335 |

Address Range Examples

| CIDR (larger number = smaller block) | Start of range (example) | End of range (example) | Number of addresses |
|---|---|---|---|
| /64 | 2001:db8:: | 2001:db8:0000:0000:ffff:ffff:ffff:ffff | 18,446,744,073,709,551,616 |
| /48 | 2001:db8:: | 2001:db8:0000:ffff:ffff:ffff:ffff:ffff | 1,208,925,819,614,629,174,706,176 |
| /32 | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 79,228,162,514,264,337,593,543,950,336 |
| /24 | 192.1.2.0 | 192.1.2.255 | 256 |
| /16 | 192.1.0.0 | 192.1.255.255 | 65,536 |
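
As an added example (not Cloudflare's code and not part of the original article), the Python below models a rule list locally to show two things from this page: a whitelist entry overriding a block, and how much address space a CIDR entry covers. The action labels, the rule tuple layout, the sample rules and the ordering of actions other than whitelist-over-block are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample rules as (action, type, value); not from a real account.
RULES = [
    ("whitelist",    "ip_range", "192.0.2.0/24"),
    ("block",        "ip",       "192.0.2.3"),
    ("block",        "ip_range", "198.51.0.0/16"),
    ("challenge",    "country",  "CN"),
    ("block",        "asn",      "AS64500"),
    ("js_challenge", "ip_range", "2001:db8::/48"),
]

# Whitelist-before-block is stated in the article; the rest of the order is assumed.
PRECEDENCE = ["whitelist", "block", "challenge", "js_challenge"]

def matches(rule, visitor):
    """True if the visitor's IP, country or ASN falls under this rule."""
    _, kind, value = rule
    if kind in ("ip", "ip_range"):
        net = ipaddress.ip_network(value, strict=False)
        addr = ipaddress.ip_address(visitor["ip"])
        return addr.version == net.version and addr in net
    if kind == "country":
        return visitor.get("country", "").upper() == value.upper()
    if kind == "asn":
        return visitor.get("asn", "").upper() == value.upper()
    return False

def decide(rules, visitor):
    """Action applied to a visitor, or 'no_rule' when nothing matches."""
    hits = {r[0] for r in rules if matches(r, visitor)}
    return next((a for a in PRECEDENCE if a in hits), "no_rule")

def shadowed_blocks(rules):
    """Block entries that never take effect because a whitelist range covers them."""
    def nets(action):
        return [ipaddress.ip_network(v, strict=False)
                for a, k, v in rules if a == action and k in ("ip", "ip_range")]
    allow = nets("whitelist")
    return [str(b) for b in nets("block")
            if any(b.version == w.version and b.subnet_of(w) for w in allow)]

def span(cidr):
    """(first address, last address, address count) for a CIDR range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses
```

Running `shadowed_blocks` over an exported rule list before adding a broad whitelist range shows which existing blocks it would silently cancel, which matters because whitelisted visitors also skip the other security checks.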
