Firewall IPSet test: is it not working properly?

I added IPSet lists to the firewall.

I confirmed that the lists were downloaded to the server and are up to date.

I added the necessary rules: DROP, TCP, PORT 0 and ipset:Blacklist.

However, I still see visits from the IP addresses in these lists on the websites hosted on the server.

I checked the downloaded list.

They are in the list, but still they can visit my websites.
Is the firewall IPSet not working properly?

Are you by accident using the Cloudflare proxy?

Thanks for your reply. Yes, I use Cloudflare on most of my sites.

That would explain why IPSet is not working. The incoming IP is the IP of Cloudflare and not the abuser's IP.

However, we rewrite the IP for logging.

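To make the mismatch described above concrete, here is an added Python example; it is not code from the thread or from Hestia. An `ipset:Blacklist` DROP rule matches on the TCP peer address, which behind the Cloudflare proxy is a Cloudflare edge, while the abuser's address only arrives in the `CF-Connecting-IP` request header, which is what the IP rewriting for logging reads. On the server itself, `ipset test Blacklist <address>` confirms that an address is in the set, but the kernel never sees the abuser's address as a peer. The Cloudflare ranges below are a sample subset (the live list is published at https://www.cloudflare.com/ips/), the blacklist contents and the requests are constructed, and the function names are my own. The header is trusted only when the peer really is a Cloudflare edge; otherwise a blacklisted host could send a forged header and walk straight past the check.

```python
import ipaddress

# Constructed sample subset of Cloudflare's published IPv4 edge ranges.
# Assumption: in production, load the current list from https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
    "172.64.0.0/13", "198.41.128.0/17",
)]

# Constructed stand-in for the contents of the firewall's "Blacklist" ipset.
BLACKLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24", "198.51.100.7/32",
)]


def in_set(ip: str, ranges) -> bool:
    """True if ip falls inside any of the given networks (what `ipset test` answers)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def firewall_would_drop(peer_ip: str) -> bool:
    """What a 'DROP ... ipset:Blacklist' rule sees: only the TCP peer address."""
    return in_set(peer_ip, BLACKLIST)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Visitor address after IP rewriting, the way a web server behind Cloudflare sees it.

    CF-Connecting-IP is honoured only when the peer is a Cloudflare edge and the
    header holds a valid address; anything else falls back to the peer address,
    so a direct connection cannot forge its way past the blacklist.
    """
    cf = headers.get("CF-Connecting-IP")
    if cf and in_set(peer_ip, CLOUDFLARE_RANGES):
        try:
            ipaddress.ip_address(cf)
            return cf
        except ValueError:
            pass  # garbage in the header: do not trust it
    return peer_ip


def client_ip_naive(peer_ip: str, headers: dict) -> str:
    """The unsafe variant: trusts the header from anyone. Shown for contrast only."""
    return headers.get("CF-Connecting-IP", peer_ip)


def app_would_block(peer_ip: str, headers: dict) -> bool:
    """Blacklist check done at the web/application layer on the rewritten address."""
    return in_set(client_ip(peer_ip, headers), BLACKLIST)


def only_cloudflare_may_connect(peer_ip: str) -> bool:
    """Firewall-level companion rule: with the site fully proxied, accept 80/443 only
    from Cloudflare edges, so nobody bypasses the WAF by hitting the origin directly."""
    return in_set(peer_ip, CLOUDFLARE_RANGES)


# Constructed requests: (peer address as the kernel sees it, request headers)
REQUESTS = [
    ("203.0.113.45", {}),                                      # direct, no proxy
    ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.45"}),      # abuser via Cloudflare
    ("203.0.113.45", {"CF-Connecting-IP": "8.8.8.8"}),         # abuser forging the header
    ("104.16.1.1", {"CF-Connecting-IP": "198.51.100.8"}),      # clean visitor via Cloudflare
]

if __name__ == "__main__":
    for peer, hdrs in REQUESTS:
        print(f"peer={peer:<14} ipset-drop={firewall_would_drop(peer)!s:<5} "
              f"client={client_ip(peer, hdrs):<14} app-block={app_would_block(peer, hdrs)!s:<5} "
              f"naive-client={client_ip_naive(peer, hdrs)}")
```

The second request is the thread's situation: the peer is a Cloudflare edge, so the ipset rule never fires, and only a check on the rewritten address blocks the visitor. The third shows why the trust check matters: the naive variant would report 8.8.8.8 and let a blacklisted host through. If the origin is only ever reached through Cloudflare, pairing the application-level check with a firewall rule that accepts web traffic solely from the Cloudflare ranges closes the direct-to-origin bypass.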

Understood. Thanks for the explanation. Best regards!

When you cannot filter on the server/Hestia, you can filter with Cloudflare, because it offers IP/country blocking (free).

Go to the Cloudflare panel, go to your site, then go to Security and then to WAF.

Create a new rule and give it a name.
In this example you allow traffic only from 3 countries.

Field: COUNTRY
Operator: DOES NOT EQUAL
Value: COUNTRY YOU WANT TO ALLOW
Action: BLOCK

You can do the same with IP.

Field: IP SOURCE
Operator: EQUALS // IS IN // IS IN LIST (you can make a list of IPs)
Value: FILL IT IN
Action: BLOCK

These options can be used for FREE (up to 5 rules) on FREE PLANS; if you pay for a better plan you can have more rules. But... you must keep the list of IPs up to date manually (country IPs are automatic).


This is a feature I’m currently using.
However, Cloudflare has been acting strangely when it comes to blacklists.
Until recently, we were able to block based on Threat Score in the WAF > Custom Rules menu.
But they removed this option not long ago. Their reasoning was: “We now handle it fully automatically.”
However, it’s absolutely terrible! They don’t even block IPs with an abuse score of 100, which are clearly listed in blacklists.
Blacklisted IPs roam around the site as they please, and Cloudflare is practically saying, “Welcome! How can I help you?”
