How to Use Cloudflare Firewall Rules to Protect Your Web Application

What are Cloudflare Firewall Rules?

Cloudflare Firewall Rules is another firewall tool offered by Cloudflare, announced in October 2018. It is a powerful and flexible security tool for filtering web application traffic.

Cloudflare Firewall Rules is available for all Cloudflare plans. The free plan can have up to 5 active Firewall rules.

A Firewall Rule consists of two parts: Matching and Action.

  • Matching: a filter expression that is evaluated against your traffic, matching on a string or pattern
  • Action: the action performed on the matched traffic (block, challenge, captcha, allow)

You can also order the firewall rules to override the default sequence, which is based on the rule’s action.

Firewall Rules: Matching

You can match traffic on fields of the HTTP request, including country, hostname, IP address, URI, referrer, known bots, threat score, and more.

Known bots (cf.client.bot) is a Cloudflare-defined list of “known good bots”, which includes bots from Google, Apple, Bing, LinkedIn, Pingdom, Yahoo and others. It is recommended to reference cf.client.bot in an Allow rule to avoid blocking good crawlers, which could affect your SEO and monitoring.

Cloudflare has an internal algorithm that calculates an IP’s reputation and assigns it a threat score ranging from 0 to 100. The threat score is used by the Security Level setting under Firewall:

  • High – for scores greater than 0
  • Medium – for scores greater than 14
  • Low – for scores greater than 24
  • Essentially Off – for scores greater than 49

Regular Expression matching is supported for Cloudflare Business and Enterprise plans.

Firewall Rules: Action

You can set the action to perform on traffic matched by a filter:

  • Block: the traffic is blocked from reaching your web application
  • JS Challenge: JavaScript challenge. Visitors without JavaScript support (mostly bots) will be blocked
  • Challenge (Captcha): the visitor is required to pass a captcha challenge before access is allowed
  • Allow: the traffic is allowed to reach your web application

Access Cloudflare Firewall Rules

In this article, we will show you how to set up Cloudflare Firewall Rules through the dashboard. You can also configure Firewall Rules through the API and Terraform.

  1. Log in to your Cloudflare dashboard
  2. Select the domain name for which you want to configure Firewall Rules
  3. Click Firewall in the toolbar at the top
  4. Click Firewall Rules
Cloudflare Firewall Rules panel


From there, you can:

  • Create a new Firewall Rule
  • Search and filter the list of existing rules
  • See a list of existing rules (active and paused)
  • Activate or pause rules (turn on or off)
  • Edit a rule
  • Delete a rule

Cloudflare Firewall Rules Examples

Example 1 — Block all countries except Malaysia

Cloudflare Firewall Rules: Block countries except Malaysia


Expression Editor:

(ip.geoip.country ne "MY")

Country blocking is straightforward with Cloudflare Firewall Rules.

Tip: Change the operator to “equals” to block only the country chosen in the Value field. You can add more countries by clicking the “OR” button.

Example 2 — WordPress Security

Cloudflare Firewall Rules: WordPress Security


Expression Editor:

((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "MY"

This Firewall Rule will challenge any non-Malaysian visitor that tries to access WordPress xmlrpc.php, wp-login.php, or /wp-admin/ (except admin-ajax.php and theme-editor.php). A simple rule like this can block most hacking attempts against your WordPress website.

You will notice there is no visual builder view for this rule. That is because it uses a complex (nested brackets) expression.

Example 3 — Block bad bots (use Expression Editor)

Animation: Create Cloudflare Firewall Rule using Expression Editor


Expression Editor:

(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

Okay… this is a long bot-blocking rule. It blocks any traffic not from a known good bot whose user agent contains the strings “crawl”, “bot” or “spider”, plus a few specific user agents.

Here we add the Firewall rule using the Expression Editor (shown in the animated GIF above):

  1. Click “Create a Firewall Rule”
  2. Give the rule a name
  3. Click “Edit expression”
  4. Copy and paste the expression into the text area
  5. Select the “Block” action
  6. Click “Deploy” to activate the Firewall rule

You can use the Visual Builder to update a Firewall rule that was created in the Expression Editor, provided the expression does not use nested brackets.

The same expression can be rewritten using nested brackets, grouping the generic “crawl”/“bot”/“spider” checks in a single () so that “and not cf.client.bot” is applied once to the whole group (in Cloudflare expressions, “and” binds more tightly than “or”, so the inner group needs its own brackets):

(http.user_agent contains "Yandex")
or (http.user_agent contains "muckrack")
or (http.user_agent contains "Qwantify")
or (http.user_agent contains "Sogou")
or (http.user_agent contains "BUbiNG")
or (http.user_agent contains "knowledge")
or (http.user_agent contains "CFNetwork")
or (http.user_agent contains "Scrapy")
or (http.user_agent contains "SemrushBot")
or (http.user_agent contains "AhrefsBot")
or (http.user_agent contains "Baiduspider")
or (http.user_agent contains "python-requests")
or (((http.user_agent contains "crawl")
or (http.user_agent contains "Crawl")
or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
or (http.user_agent contains "Bot" and not http.user_agent contains "Google")
or (http.user_agent contains "Spider")
or (http.user_agent contains "spider"))
and not cf.client.bot)
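To check what Examples 2 and 3 will do before deploying them, here is an added Python re-implementation of both expressions (my own code, not Cloudflare's evaluator or the article's), run over constructed sample requests; the `Request` class, function names and sample user agents are my own, and the paths and user-agent fragments are the ones the two rules use.

```python
# Added example: Examples 2 and 3 as Python predicates for offline checking.
# `Request` mirrors the Cloudflare fields used; `contains` is case-sensitive, like `in`.
from dataclasses import dataclass

@dataclass
class Request:
    path: str         # http.request.uri.path (no query string)
    country: str      # ip.geoip.country
    user_agent: str   # http.user_agent
    known_bot: bool   # cf.client.bot

def wordpress_rule(r: Request) -> bool:
    """Example 2: challenge non-MY requests to xmlrpc.php, wp-login.php or /wp-admin/,
    except admin-ajax.php and theme-editor.php."""
    p = r.path
    admin_hit = ("/wp-admin/" in p
                 and "/wp-admin/admin-ajax.php" not in p
                 and "/wp-admin/theme-editor.php" not in p)
    return ("/xmlrpc.php" in p or "/wp-login.php" in p or admin_hit) and r.country != "MY"

# The specific user-agent fragments listed in Example 3 (blocked regardless of cf.client.bot).
CUSTOM_UA = ["Yandex", "muckrack", "Qwantify", "Sogou", "BUbiNG", "knowledge", "CFNetwork",
             "Scrapy", "SemrushBot", "AhrefsBot", "Baiduspider", "python-requests"]

def bad_bot_rule(r: Request) -> bool:
    """Example 3: block the listed user agents outright, and generic crawler-like
    user agents unless Cloudflare flags the client as a known good bot."""
    ua = r.user_agent
    if any(s in ua for s in CUSTOM_UA):
        return True
    generic = ("crawl" in ua or "Crawl" in ua
               or ("bot" in ua and "bingbot" not in ua and "Google" not in ua and "Twitter" not in ua)
               or ("Bot" in ua and "Google" not in ua)
               or "Spider" in ua or "spider" in ua)
    return generic and not r.known_bot

# Constructed sample requests (user agents are illustrative, not captured traffic).
SAMPLES = [
    Request("/wp-login.php", "US", "Mozilla/5.0 (Windows NT 10.0) Chrome/100", False),
    Request("/wp-login.php", "MY", "Mozilla/5.0 (Windows NT 10.0) Chrome/100", False),
    Request("/wp-admin/admin-ajax.php", "US", "Mozilla/5.0 (X11; Linux) Firefox/99", False),
    Request("/feed/", "GB", "magpie-crawler/1.1 (+http://example.invalid)", False),
    Request("/", "US", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", True),
    Request("/", "US", "FooBot/1.0", True),   # verified bot: spared by cf.client.bot
    Request("/", "US", "FooBot/1.0", False),  # same UA, unverified: blocked
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.path:28} {r.country}  wp={wordpress_rule(r)!s:5} bot={bad_bot_rule(r)!s:5} {r.user_agent[:40]}")
```

Each row shows whether the request would be challenged by Example 2 and blocked by Example 3; the bingbot and FooBot rows show the two escape hatches (the explicit "bingbot" exclusion and cf.client.bot) working.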

Do Your Cloudflare Firewall Rules Work?

You have configured and activated your Firewall rules. Do they work as expected? You can check the Firewall Event Log (Firewall > Events) for the list of firewall events (allow, challenge, block) and their details.

Pay attention to the challenged and blocked events. You do not want to mistakenly block good traffic because of a wrongly configured Firewall rule.

Firewall Event Log
Cloudflare Firewall event log


In this example, a Firewall Rule blocks the “magpie-crawler” bot with IP address “185.25.35.15” (United Kingdom) when it tries to access a post’s feed.

Summary

In this tutorial, you have learned what Cloudflare Firewall Rules are and how to configure them to filter traffic and protect your web application. You also learned about the Expression Editor for writing complex firewall rules.

I hope you find this tutorial helpful. If you have any questions, please add them in the comments below.

How do you use Cloudflare Firewall Rules?


20 thoughts on “How to Use Cloudflare Firewall Rules to Protect Your Web Application”

  1. Hey Liew,

    BIG thank you for the excellent explanation of how to create and set up firewall rules on CloudFlare and for the example rules. I followed your advice and easily created the rules I needed.

      1. Hey Liew,

        These firewall rules you provide work like a charm to catch the bad guys and protect my site. Much appreciated.

        I’d like to add protection against the UserPro <= 4.9.17 – Authentication Bypass attack:
        https://wpvulndb.com/vulnerabilities/8950

        So I added:
        (http.request.uri.path contains "/?up_auto_log=true") or

        to the beginning of Example 2 — WordPress Security

        NOTE: I experimented with variations like:
        – "up_auto_log=true"
        – "up_auto_log="

        The original protections against attacks for xmlrpc.php, wp-login.php etc. still work but protection against Authentication Bypass attack that I added does NOT work.

        Can you please help?

        Maybe adding protection to Example 2 — WordPress Security or some other rule you might think better.

        I want to add this protection because I often see this attack in my logs.

        Thanks for considering my request.

        Cheers,
        Julian

        1. Liew CheonFong

          hi @Julian, based on the link, the plugin fixed the vulnerability at version 4.9.17.1. Also, do not use “admin” for WordPress username.

          1. Hi Liew,

            Yes, I know that the vulnerability was fixed and I do not use “admin” as a user name. However, hackers still try to exploit and use this attack method for other reasons such as looking for differences in the server’s response based on the validity of submitted credentials etc.

            Do you know how to add this protection to a Firewall rule?

          2. Liew CheonFong

            Hi Julian, try to use match URI Query String:

            (http.request.uri.query eq "up_auto_log=true")

  2. Hello,

    I applied the rules “Block Bad Bots” and I monitored the blocking of bots. I’ve noticed that Cloudflare is blocking Bingbot

    User Agent
    Mozilla / 5.0 (compatible; bingbot / 2.0; + http: //www.bing.com/bingbot.htm)

    What are the rules for releasing Bingbot?

    Thank you

    1. Liew CheonFong

      Hi Renato, thanks for the feedback. I can confirm that bingbot is blocked by the rule.

      Please find:

      or (http.user_agent contains "bot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")

      then replace it with:

      or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")

      I also updated the code in the article. Thank you!

    1. Liew CheonFong

      Hi Nick Roberts, the googlebot is excluded in the CF firewall rule in the article.

      (http.user_agent contains "Bot" and not http.user_agent contains "Google")

  3. Thank you much, Liew, for the Block Bad Bots example. Had been looking for something like that for awhile. Very much appreciated. I hates bad bots.

  4. Another question…
    In your Example 2 — WordPress Security rule
    What happens if the hacker/attacker comes from Malaysia? or uses a VPN to use an IP from Malaysia?
    Any suggestions to prevent that?
    thanks!
