WAF rules based on managed lists
We are using Cloudflare managed lists on the Enterprise subscription. The Custom Rule is quite simple and is supposed to block visitors from using Proxies, VPNs and Anonymizers. Actually, it looks like this:
(ip.src in $cf.anonymizer) or (ip.src in $cf.open_proxies) or (ip.src in $cf.vpn)
But I tried it with more than 70 different locations using HMA, NordVPN and MullvadVPN. Not a single IP was blocked by the rule.
Did someone else face anything similar?
Shouldn't this part of the rule
(ip.src in $cf.vpn)
cover the VPNs? And what is the probability that none of more than 70 IPs from major VPNs was detected?
Thanks for your responses!
Yeah, that's basically what we did. Community-driven lists of known VPN IPs and ASNs kinda did the trick. I'm just curious why CF's advertised Enterprise-only feature does literally 0 work. I was wondering if I'm probably missing something.
Neither did I. Thanks anyway!