How to Use Cloudflare Firewall Rules to Protect Your Web Application

5 Min Read

What is Cloudflare Firewall Rules?

Cloudflare Firewall Rules is another firewall tools offered by Cloudflare which announced in October 2018. It is a powerful and flexible security tool to filter web application traffic.

Cloudflare Firewall Rules is available for all Cloudflare plans. The free plan can have up to 5 active Firewall rules.

A Firewall Rule consists of two parts: Matching and Action.

Matching: A defined filter that runs and match your traffic for a string or pattern
Action: the action perform on the matched traffic (block, challenge, captcha, allow)

You can also order the firewall rules to override the default sequence which is based on the rule’s action.

Firewall Rules: Matching

You can match a traffic to the HTTP request, including country, hostname, IP address, URI, referrer, known bots, threat score, and more.

Known bots (cf.client.bot) is Cloudflare defined list of “known good bots”, which includes bots from Google, Apple, Bing, Linkedin, Pingdom, Yahoo… You are recommended to add cf.client.bot in an Allowed rule to avoid blocking good crawlers which could affect your SEO and monitoring.

Cloudflare has an internal algorithm to calculate an IP’s reputation and assigns a threat score (types of threats) that range from 0 to 100. Threat score is used for the Security Level setting under Firewall:

High – for scores greater than 0
Medium – for scores greater than 14
Low – for scores greater than 24
Essentially Off – for scores greater than 49

Regular Expression matching is supported for Cloudflare Business and Enterprise plans.

Firewall Rules: Action

You can set to perform an action to a filter matched traffic

Block: the traffic is block to reach your web application
JS Challenge: JavaScript challenge. Visitors do not have JavaScript support (mostly bots) will be blocked
Challenge (Captcha): Visitor is required to pass a captcha challenge to allow access
Allow: Traffic is allowed to reach your web application

Access Cloudflare Firewall Rules

In this article, we will show you how to setup Cloudflare Firewall Rules through dashboard. You can also configure Firewall Rules through API and Terraform.

Login your Cloudflare dashboard
Select the domain name you want to configure Firewall Rules
Click Firewall from the tools at the top
Click Firewall Rules

From there, you can:

Create a new Firewall Rule
Search and filter the list of existing rules
See a list of existing rules (active and paused)
Activate or pause rules (turn on or off)
Edit a rule
Delete a rule

Cloudflare Firewall Rules Examples

Example 1 — Block all countries except Malaysia

Cloudflare Firewall Rules: Block countries except Malaysia

Expression Editor:

(ip.geoip.country ne "MY")

You can easily do country blocking using Cloudflare Firewall Rules.

Tip: Change the operator to equal to block only the chosen country in Value field. You can add more countries by clicking “OR” button.

Example 2 — WordPress Security

Cloudflare Firewall Rules: WordPress Security

Expression Editor:

((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains " /wp-admin/theme-editor.php")) and ip.geoip.country ne "MY"

This Firewall Rule will challenge any non-Malaysia visitor that try to access WordPress xmlrpc.php, wp-login.php, and /wp-admin (except admin-ajax.php and theme-editor.php). A simple rule like this could block most hack attempts to your WordPress website.

You notice that no visual builder for this rule. It is because I use a complex (nested brackets) expression.

Example 3 — Block bad bots (use Expression Editor)

Expression Editor:

(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

Okay… This is a long bots blocking rule. It blocks any non-known-good-bots traffic with user agent that contain strings “crawl”, “bot”, “spider”, plus a few custom user agents.

Here we add the Firewall rule using the Expression Editor (shown in animated GIF above):

Click “Create a Firewall Rule“
Give a Rule Name
Click “Edit expression“
Copy & Paste the expression into the text area
Select “Block” action
Click “Deploy” to activate the Firewall rule

You can use Visual Builder to update a Firewall rule that is created using Expression Editor, provided you do not use nested brackets in the expression.

The same expression can be rewrite using nested bracket, grouping rule logics in single ():

(http.user_agent contains "Yandex") 
or (http.user_agent contains "muckrack") 
or (http.user_agent contains "Qwantify") 
or (http.user_agent contains "Sogou") 
or (http.user_agent contains "BUbiNG") 
or (http.user_agent contains "knowledge") 
or (http.user_agent contains "CFNetwork") 
or (http.user_agent contains "Scrapy") 
or (http.user_agent contains "SemrushBot") 
or (http.user_agent contains "AhrefsBot") 
or (http.user_agent contains "Baiduspider") 
or (http.user_agent contains "python-requests") 
or ((http.user_agent contains "crawl") 
or (http.user_agent contains "Crawl") 
or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
or (http.user_agent contains "Bot" and not http.user_agent contains "Google") 
or (http.user_agent contains "Spider") 
or (http.user_agent contains "spider") 
and not cf.client.bot)

Does Your Cloudflare Firewall Rules work?

You have configure and active your Firewall rules. Do they work as expected? You can check the Firewall Event Log (Firewall > Events) for the list of firewall events (allow, challenge, block) and their details.

Take note on the challenged and blocked events. You do not want to mistakenly blocking good traffic because of a wrongly configured Firewall rule.

In this example, Firewall Rule blocks “magpie-crawler” bot with IP address “185.25.35.15” (United Kingdom) when it tries to access a post’s feed.

Summary

In this tutorial, you have learned what is Cloudflare Firewall Rules and how to configure it to filter traffic and protect your web application. You also learned about Expression Editor for writing complex firewall rule.

I hope you find this tutorial helpful. If you have any question, please add in the comment below.

How do you use Cloudflare Firewall Rules?

Sources:

Share This On

Try RunCloud For Free

Simplify your server management with RunCloud. Try it out for FREE for 5 days.

Free Trial

Liew CheonFong

RunCloud online community executive & technical writer, WordPress consultant, geekPapa of two. Email: liewcf@runcloud.io

18 thoughts on “How to Use Cloudflare Firewall Rules to Protect Your Web Application”

Julian
April 28, 2019 at 9:03 am

Hey Liew,

BIG thank you for the excellent explanation of how to create and set up firewall rules on CloudFlare and for the example rules. I followed your advice and easily created the rules I needed.

Reply
1. Liew CheonFong
  April 29, 2019 at 2:50 pm
  
  Hi Julian, glad that you found it useful 👍
  
  Reply
  1. Julian
    May 7, 2019 at 12:30 pm
    
    Hey Liew,
    
    These firewall rules you provide work like a charm to catch the bad guys and protect my site. Much appreciated.
    
    I’d like to add protection against the UserPro <= 4.9.17 – Authentication Bypass attack:
    https://wpvulndb.com/vulnerabilities/8950
    
    So I added:
    (http.request.uri.path contains "/?up_auto_log=true") or
    
    to the beginning of Example 2 — WordPress Security
    
    NOTE: I experimented with variations like:
    – "up_auto_log=true"
    – "up_auto_log="
    
    The original protections against attacks for xmlrpc.php, wp-login.php etc. still work but protection against Authentication Bypass attack that I added does NOT work.
    
    Can you please help?
    
    Maybe adding protection to Example 2 — WordPress Security or some other rule you might think better.
    
    I want to add this protection because I often see this attack in my logs.
    
    Thanks for considering my request.
    
    Cheers,
    Julian
    
    Reply
    1. Liew CheonFong
      May 7, 2019 at 2:11 pm
      
      hi @Julian, based on the link, the plugin fixed the vulnerability at version 4.9.17.1. Also, do not use “admin” for WordPress username.
      
      Reply
      1. Julian
        May 8, 2019 at 12:18 pm
        
        Hi Liew,
        
        Yes, I know that the vulnerability was fixed and I do not use “admin” as a user name. However, hackers still try to exploit and use this attack method for other reasons such as looking for differences in the server’s response based on the validity of submitted credentials etc.
        
        Do you know how to add this protection to a Firewall rule?
      2. Liew CheonFong
        May 8, 2019 at 2:34 pm
        
        Hi Julian, try to use match URI Query String:
        
        (http.request.uri.query eq "up_auto_log=true")
Renato
April 28, 2019 at 9:09 am

Many thanks for this post! I’ve put rules into practice and I’m getting great results.

Reply
1. Liew CheonFong
  April 29, 2019 at 2:50 pm
  
  That’s great, Renato! 👍
  
  Reply
Renato
April 29, 2019 at 11:19 am

Hello,

I applied the rules “Block Bad Bots” and I monitored the blocking of bots. I’ve noticed that Cloudflare is blocking Bingbot

User Agent
Mozilla / 5.0 (compatible; bingbot / 2.0; + http: //www.bing.com/bingbot.htm)

What are the rules for releasing Bingbot?

Thank you

Reply
1. Liew CheonFong
  April 29, 2019 at 2:58 pm
  
  Hi Renato, thanks for the feedback. I can confirm that bingbot is blocked by the rule.
  
  Please find:
  
  or (http.user_agent contains "bot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
  
  then replace it with:
  
  or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
  
  I also update the code in the article. thank you!
  
  Reply
Adedola
May 3, 2019 at 12:45 am

MANY THANKS lewis for this posting!

Reply
Kishore
May 7, 2019 at 1:28 am

Great article on the security setting of Cloudflare. Thanks a lot, man!
Keep it up, we always follow your suggestions.

Reply
1. Liew CheonFong
  May 7, 2019 at 2:07 pm
  
  Thank you, @Kishore! You make my day 🙂
  
  Reply
nick roberts
May 21, 2019 at 8:21 pm

thank you for this, is their a way we can allow the googlebot but still block the other bots?

Reply
1. Liew CheonFong
  May 23, 2019 at 11:22 am
  
  Hi Nick Roberts, the googlebot is excluded in the CF firewall rule in the article.
  
  “(http.user_agent contains “Bot” and not http.user_agent contains “Google”) “
  
  Reply
a C student
May 31, 2019 at 11:43 am

Thank you much, Liew, for the Block Bad Bots example. Had been looking for something like that for awhile. Very much appreciated. I hates bad bots.

Reply
1. Liew CheonFong
  May 31, 2019 at 11:46 am
  
  You’re welcome. Glad it is helpful
  
  Reply
Jumedeen khan
October 12, 2019 at 9:42 am

This guide help me lot, thanks

Reply