Cloudflare Docs
Magic Firewall
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Define an IP list

IP lists are a part of Cloudflare’s custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions.

IP lists are defined at the account level and can be used to match against ip.src and ip.dst fields. Currently, Magic Firewall only supports IPv4 addresses in these lists, not IPv6.

To use this feature:

​​ 1. Create a new IP list.

For example:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rules/lists \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"name": "iplist",
"description": "This contains IPs that should be allowed.",
"kind": "ip"
}'

​​ 2. Add IPs to the list

Next, create list items. This will add elements to the current list.

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rules/lists/{list_id}/items \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '[
{"ip":"10.0.0.1"},
{"ip":"10.10.0.0/24"}
]'

​​ 3. Use the list in a rule

Finally, add a Magic Firewall rule referencing the list into an existing ruleset:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"action": "skip",
"action_parameters": {
"ruleset": "current"
},
"expression": "ip.src in $iplist",
"description": "Allowed IPs from iplist",
"enabled": true
}'

​​ Managed lists

You can create rules with managed lists. Managed IP Lists are lists of IP addresses maintained by Cloudflare and updated frequently.

You can access these managed lists when you create rules with either IP destination address or IP source address in the Field dropdown, and is in list or is not in list in the Operator dropdown.

For example:

FieldOperatorValue
IP destination addressis in listAnonymizers