Firewall IPSet Test. Is not working properly?

Community Support Firewall
1

I added an IPSet lists to the firewall.

image
image1289×381 23.4 KB

I confirmed that the lists were downloaded to the server and are up to date.

image
image1028×399 27.3 KB

I added the necessary rules as DROP TCP PORT 0 and ipset:Blacklist.

image
image1274×225 10.2 KB

However, I still see visits from the IP addresses in these lists on the websites hosted on the server.

image
image1243×240 30.7 KB

I checked downloaded list

image
image277×139 5.07 KB

They are in the list, but still they can visit my websites.
Is the firewall IPSet not working properly?

image
image665×663 27.1 KB

Another example:

image
image277×121 4.87 KB

image
image1261×407 48.3 KB

Another example:

image
image222×137 4.33 KB

image
image1315×698 96.9 KB

Another example:

image
image263×118 4.23 KB

image
image1285×498 68.2 KB

2

By accident using Cloudflare proxy?

3

Thanks for your reply. Yes I use cloudflare on most of my sites.

4

That would explain why Ipset is not working. The incoming ip is the ip of Cloudflare and not the abuser IP.

How ever we rewrite the ip for logging

2 Likes
5

Understood. Thanks for the explanation. Best regards!

6

When you can not filter with server/hestia, you can filter with Cloudflare because offer block IP/country (Free)

Go to Cloudflare panel, go to your site, now go to Security and them go to WAF

Create a new rule and put a name.
In this example you can allow traffic only from 3 country.

Field: COUNTRY
Operator: DOES NOT EQUAL
Value: COUNTRY YOU WANT ALLOW
Action: BLOCK

image
image1214×643 19.4 KB

You can do the same with IP.

Field: IP SOURCE
Operator: EQUALS // IS IN // IS IN LIST (you can do a list of IP)
Value: COMPLETE IT
Action: BLOCK

This options can do it FREE (up to 5 rules) with FREE PLANS, if you pay a better plan you can have more rules. but… you must keep the list of IP up to date manualy (country IP is automatic)

1 Like
7

This is a feature I’m currently using.
However, Cloudflare has been acting strangely when it comes to blacklists.
Until recently, we were able to block based on Threat Score in the WAF > Custom Rules menu.
But they removed this option not long ago. Their reasoning was: “We now handle it fully automatically.”
However, it’s absolutely terrible! They don’t even block IPs with an abuse score of 100, which are clearly listed in blacklists.
Blacklisted IPs roam around the site as they please, and Cloudflare is practically saying, “Welcome! How can I help you?”

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.