With the Cloudflare Firewall app, you can whitelist, block, and challenge visitors by IP address, country, or AS number. To whitelist or block a visitor:
- Log in to Cloudflare.
- Go to the Firewall app.
- Add an entry to the Access Rules and select the action.
There are four possible actions:
- Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc.). This is useful if a trusted visitor is blocked by security features. Whitelists take precedence over blocks. Whitelisting a country code does not prevent the request from bypassing the WAF.
- Challenge: Requires the user to complete a CAPTCHA in order to visit your site. This will prevent bots from accessing the site, but real humans, including attackers, can complete the CAPTCHA to proceed.
- Block: When a visitor is blocked, no CAPTCHA option is presented so there is no way for the visitor to access your site. The Block option is appropriate to use when you know, with a high level of certainty, that you do not want the IP address to visit your site.
Note: You can only set a rule to fully block by country code on the Enterprise plan. On the Free, Pro, and Business plans, you can only set up a challenge page for visitors from the countries you decide to block. A human visitor from one of those countries could still enter your site by passing the challenge page.
Types of access rules
There are several types of access rules that can be put in place:
|IPv4 /24 range||192.0.2.0/24|
|IPv4 /16 range||192.0.0.0/16|
|IPv6 address range||2001:db8::/48, 2001:db8::/64|
|Country (by name or code)||US, germany, tor, CN|
Address Range Examples
|CIDR (larger number = smaller block)||Start of range (example)||End of range (example)||Number of addresses|
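Before adding a range to the Access Rules, it helps to see exactly which addresses it covers. The following is an added example, not Cloudflare code: it uses Python's standard `ipaddress` module to report the start, end, and size of a range and to flag entries with stray host bits. The function name `describe_target` and the `PAGE_PREFIXES` set (the prefix lengths shown in the examples above) are assumptions of this sketch.

```python
import ipaddress

# Prefix lengths that appear in this page's examples. Treating them as the
# only expected ones is an assumption of this sketch, not a documented limit.
PAGE_PREFIXES = {4: {16, 24}, 6: {48, 64}}


def describe_target(value):
    """Classify an access-rule target and, for IP ranges, report its extent."""
    text = value.strip()
    try:
        # strict=False tolerates host bits so they can be reported below.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        # Not an IP or range: a country name/code or AS number, not validated here.
        return {"kind": "non_ip", "value": text}

    info = {
        "kind": "ipv%d" % net.version,
        "cidr": str(net),
        "start": str(net[0]),
        "end": str(net[-1]),
        "addresses": net.num_addresses,
        "warnings": [],
    }
    if "/" in text:
        typed = ipaddress.ip_address(text.split("/")[0])
        if typed != net.network_address:
            info["warnings"].append(
                "host bits set: %s normalised to %s" % (text, net))
        if net.prefixlen not in PAGE_PREFIXES[net.version]:
            info["warnings"].append(
                "/%d is not a prefix length shown on the page" % net.prefixlen)
    return info


if __name__ == "__main__":
    # Constructed sample targets, built from the documentation ranges above.
    for target in ["192.0.2.0/24", "192.0.0.0/16", "2001:db8::/48",
                   "192.0.2.77/24", "US"]:
        print(target, "->", describe_target(target))
```

A /16 rule covers 65,536 addresses, so checking the reported size before choosing Block or Whitelist shows how many visitors the rule can affect.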