Form an expression
Rules are written as using the Cloudflare Rules language - a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the Rules language documentation.
To start with a simple case, review below how you would match a source IP:
ip.src == 192.0.2.0Expressions can be more complex by joining multiple clauses via a logical operator:
ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset) Capabilities
You can use Magic Firewall to skip or block packets based on source or destination IP, source or destination port, protocol, packet length, or bit field match.
Restrictions
Wirefilter comparisons support CIDR notation, but only inside sets. For example:
ip.src == 192.0.2.0/24 # badip.src in { 192.0.2.0/24 } # goodExpressions have a complexity limit that is easily reached when many joined or nested clauses are in the expression. Here’s an example:
(tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017)If the limit is reached, the response will have a 400 status code and an error message of ruleset exceeds complexity constraints. Split the expression into multiple rules and try again.