
Cloudflare Firewall Rule: Ban Country Codes from Registration

Wouldn't this need to be the other way round? You want the first rule to block everything, and the second to allow x with a threat level of x.

Can that fit into a single rule? Block everything that does not match x.
I wanted to let all the US-based non-threat traffic through the firewall first, then challenge non-US traffic with a threat score, right? Should be the other way around?
 
Just an FYI.

I set this up exactly how it is listed with the add-on. Thought I was doing really well with spam because I hadn't had to remove any in several days.

Then, I set up the Brave browser to see how it worked. Checked the settings and it uses Tor. I was thinking about removing that in case there is an increase in people using this browser, but decided to go try to register first. Sure enough, it blocked me on the Brave browser.

Out of curiosity, I hit the register link on Chrome, Firefox, and Edge. I was blocked from registering on all those browsers as well.

After further review (been too busy to check this lately), I have had zero registrations since adding this to Cloudflare, and about 500 blocked registrations. My current IP addresses this evening are included in the blocked IPs.
Yep, I got exactly the same. On paper it looked all set up right, but it was blocking people (and myself) from countries it shouldn't have.

I pay for the $20 Cloudflare and it claims to save 3 TB of data a month, which at face level sounds reasonable value, but that doesn't really stack up using their figures for the uncached data and what my host says. I think they oversell their service.
 
Try the workaround I've mentioned here - it will likely work.
 
That won't stop it falsely identifying users though, it's more a way to disable the modal / ajax so the challenge screen actually works, I believe.

Fundamentally it seems there are issues with the Cloudflare rules not behaving as they should do.
 
I believe the code as written in this tip will block all traffic to "/register" regardless of country.

Code:
(http.request.uri.path contains "/register") or (http.request.uri.path contains "/?register" and ip.geoip.country in {"AF" "DZ" "AO" "AM" "AZ" "BH" "BD" "BY" "BJ" "BT" "BA" "BW" "BN" "BG" "BF" "BI" "KH" "CM" "CF" "CV" "TD" "CN" "CG" "CD" "CI" "HR" "CZ" "DJ" "EG" "GQ" "ER" "EE" "ET" "GF" "GA" "GM" "GE" "GH" "GW" "GN" "HT" "HU" "IN" "ID" "IR" "IQ" "JO" "KZ" "KP" "KR" "KE" "XK" "KW" "KG" "LA" "LV" "LB" "LS" "LR" "LY" "LT" "MK" "MG" "MW" "MY" "ML" "MR" "YT" "MD" "MN" "ME" "MA" "MZ" "MM" "NA" "NP" "NE" "NG" "OM" "PK" "PG" "PL" "RO" "QA" "RU" "RW" "SA" "SY" "ZM" "XX" "T1" "ZW" "YE" "EH" "TN" "TM" "AE" "UZ" "TR" "UY" "VN" "UG" "TJ" "SR" "SD" "SZ" "LK" "SS" "VE" "UA" "TG" "SO" "SI" "SL" "RS" "SN" "SK" "TZ" "TH" "TL"})
 
This is because CloudFlare's expression builder doesn't allow you to nest what I would call an "if" statement.

What you really want to do is match both URLs first in one statement, then check the country as an AND to those statements.

What the current filter is doing, as explained by @dougdirac, is ALWAYS matching on /register.

Long story short, this filter, based on the countries in the original post should work fine (click Edit Expression to put this in):
Code:
((http.request.uri.path contains "/register") or (http.request.uri.path contains "/?register")) and ip.geoip.country in {"AF" "DZ" "AO" "AM" "AZ" "BH" "BD" "BY" "BJ" "BT" "BA" "BW" "BN" "BG" "BF" "BI" "KH" "CM" "CF" "CV" "TD" "CN" "CG" "CD" "CI" "HR" "CZ" "DJ" "EG" "GQ" "ER" "EE" "ET" "GF" "GA" "GM" "GE" "GH" "GW" "GN" "HT" "HU" "IN" "ID" "IR" "IQ" "JO" "KZ" "KP" "KR" "KE" "XK" "KW" "KG" "LA" "LV" "LB" "LS" "LR" "LY" "LT" "MK" "MG" "MW" "MY" "ML" "MR" "YT" "MD" "MN" "ME" "MA" "MZ" "MM" "NA" "NP" "NE" "NG" "OM" "PK" "PG" "PL" "RO" "QA" "RU" "RW" "SA" "SY" "ZM" "XX" "T1" "ZW" "YE" "EH" "TN" "TM" "AE" "UZ" "TR" "UY" "VN" "UG" "TJ" "SR" "SD" "SZ" "LK" "SS" "VE" "UA" "TG" "SO" "SI" "SL" "RS" "SN" "SK" "TZ" "TH" "TL"}
NB: You can't visualise this in the expression builder as it's not supported (too complex to visualise probably)

Proof of the above working in my CloudFlare Event log:
[Screenshot: 1622717183356.png]

Hope this helps!
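
The difference between the two expressions discussed above, as an added example that is not part of the original posts: both rules are modelled as Python predicates and checked against constructed requests to list which ones are blocked by mistake. The function names, the shortened country set and the sample requests are assumptions made for illustration.

```python
# Added illustration: the two rule expressions from the thread, modelled as
# Python predicates. All names here are hypothetical, not Cloudflare APIs.

# Constructed subset of the country set in the posted rule (full list omitted).
BLOCKED = {"CN", "RU", "IN", "XX", "T1"}


def original_rule(path, country):
    # (path contains "/register")
    #   or (path contains "/?register" and country in {...})
    return "/register" in path or ("/?register" in path and country in BLOCKED)


def corrected_rule(path, country):
    # ((path contains "/register") or (path contains "/?register"))
    #   and country in {...}
    return ("/register" in path or "/?register" in path) and country in BLOCKED


# Constructed requests: (path, country code, should the rule fire?)
SAMPLES = [
    ("/register/", "US", False),
    ("/register/", "GB", False),
    ("/register/", "CN", True),
    ("/register/", "T1", True),
    ("/forums/", "CN", False),
    ("/forums/", "US", False),
]


def audit(rule):
    """Return (false_blocks, missed_blocks) for a rule over SAMPLES."""
    false_blocks, missed_blocks = [], []
    for path, country, expected in SAMPLES:
        fired = rule(path, country)
        if fired and not expected:
            false_blocks.append((path, country))
        elif expected and not fired:
            missed_blocks.append((path, country))
    return false_blocks, missed_blocks


if __name__ == "__main__":
    for rule in (original_rule, corrected_rule):
        false_blocks, missed_blocks = audit(rule)
        print(f"{rule.__name__}: false blocks={false_blocks}, missed={missed_blocks}")
```

Running the same kind of table against a rule before deploying it shows whether the country condition applies to every path clause or only to the last one.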
 