How do I control IP access to my site?

The Firewall app allows you to whitelist, block, and challenge visitors by IP address, country, or AS number. To whitelist or block a visitor, follow these steps:

  1. Login to your Cloudflare account.
  2. Go to the Firewall app.
  3. Add an entry to the Access Rules and select the action.

There are four possible actions:

  • Whitelist: Whitelisting a visitor excludes them from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by security features. Whitelists take precedence over blocks.
  • JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to any visitors. I'm Under Attack Mode requires JavaScript to be enabled for a visitor to proceed. I'm Under Attack Mode is useful for blocking DDoS attacks with minimal impact to visitors.
  • Challenge: The challenge option requires a user to complete a CAPTCHA in order to visit your site. This will prevent bots from accessing the site, but real humans can complete the CAPTCHA to proceed (including attackers).
  • Block: When a visitor is blocked, no CAPTCHA option is presented so there is no way for the visitor to access your site. The Block option is appropriate to use when you know, with a high level of certainty, that you do not want the IP address to visit your site.

Note: You can only set a rule to fully block by country code on the Enterprise plan. On Free, Pro, and Business levels, you can only set up a challenge page to visitors from the countries you decide to block. A human visitor could still enter your site from that country by passing the challenge page.

Types of access rules

There are several types of access rules that can be put in place:

Block Example(s)
IPv4 address.
IPv4 /24 range
IPv4 /16 range
IPv6 address. 2001:db8::
IPv6 address range. 2001:db8::/48, 2001:db8::/64
Country (by name or code) US, germany, tor, CN
ASN AS13335

Address Range Examples


CIDR (larger number = smaller block) Start of range (example) End of range (example) Number of addresses
/64 2001:db8:: 2001:db8:0000:0000:ffff:ffff:ffff:ffff 18,446,744,073,709,551,616
/48 2001:db8:: 2001:db8:0000:ffff:ffff:ffff:ffff:ffff 1,208,925,819,614,629,174,706,176
/32 2001:db8:: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 79,228,162,514,264,337,593,543,950,336
/24 256
/16 65,536


Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk