Learn to utilize IP Access Rules to restrict, challenge, or whitelist traffic to your site.
IP Access Rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access Rules is to whitelist services that regularly access your site (APIs, crawlers, payment providers, etc). IP Access Rules allow whitelist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number.
There are four configurable actions for an IP Access Rule:
- Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Whitelist takes precedence over block.
- Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.
- Block: Prevents a visitor from visiting your site.
Add an IP Access Rule
To create an IP Access Rule, follow these steps:
- Log in to your Cloudflare account.
- Select your domain.
- Click the Firewall app.
- Click on the Tools tab.
- Under IP Access Rules, enter the following details:
  - Enter the Value as an IP, IP range, or two-letter country code.
  - Select an Action.
  - Select whether the rule applies to This website or All websites in the account.
  - (Optional) Add a Note (e.g. Payment Gateway).
- Click Add.
Types of Access Rules
There are several types of Access Rules:
| IPv4 /24 range | 192.0.2.0/24 |
| IPv4 /16 range | 192.0.0.0/16 |
| IPv6 address range | 2001:db8::/48, 2001:db8::/64 |
| Country (by name or code) | US, germany, tor, CN |
Address Range Examples
| CIDR (larger number = smaller block) | Start of range (example) | End of range (example) | Number of addresses |
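Because Whitelist takes precedence over Block and excludes visitors from all security checks, a broad whitelisted range can silently cancel a narrower block inside it. The following Python is an added example, not Cloudflare code: it computes the start, end and size of a range (the columns above) and lists block rules that fall inside a whitelisted range. The rule list, notes and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules using documentation address ranges, not real policy.
RULES = [
    {"value": "192.0.0.0/16", "action": "whitelist", "note": "Payment Gateway"},
    {"value": "192.0.2.0/24", "action": "block", "note": "abusive scanner"},
    {"value": "2001:db8::/48", "action": "block", "note": "spam source"},
    {"value": "2001:db8::/64", "action": "challenge", "note": "suspected bots"},
    {"value": "CN", "action": "challenge", "note": "country rule"},
]


def parse_network(value):
    """Return an ip_network for an IP or CIDR value, or None otherwise
    (for example a country code, or a CIDR with host bits set)."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError:
        return None


def range_summary(value):
    """Return (start, end, number of addresses) for an IP or CIDR value."""
    net = parse_network(value)
    if net is None:
        raise ValueError(f"not an IP or CIDR range: {value!r}")
    return str(net[0]), str(net[-1]), net.num_addresses


def shadowed_blocks(rules):
    """List block rules that sit entirely inside a whitelisted range."""
    parsed = [(r, parse_network(r["value"])) for r in rules]
    allow = [(r, n) for r, n in parsed if n is not None and r["action"] == "whitelist"]
    findings = []
    for rule, net in parsed:
        if net is None or rule["action"] != "block":
            continue
        for w_rule, w_net in allow:
            # subnet_of() raises TypeError across IP versions, so check first.
            if net.version == w_net.version and net.subnet_of(w_net):
                findings.append((rule["value"], w_rule["value"], w_net.num_addresses))
    return findings


if __name__ == "__main__":
    for rule in RULES:
        if parse_network(rule["value"]) is not None:
            print(rule["action"], rule["value"], *range_summary(rule["value"]))
    for blocked, allowed, size in shadowed_blocks(RULES):
        print(f"block {blocked} is overridden by whitelist {allowed} ({size} addresses exempt)")
```

Running the audit before adding a whitelist entry shows how many addresses the entry exempts and which existing blocks it would override.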