FirewallAccessRule
Source:
src/Cloudflare/Firewall/AccessRule.ts
A Cloudflare IP Access rule — block, challenge, or whitelist requests by IP, CIDR range, ASN, or country, either on a single zone or across the whole account.
A rule’s identity is its configuration (target + value) within a scope:
Cloudflare rejects a second rule for the same configuration with a
duplicate error, and the configuration cannot be changed after creation —
only mode and notes are mutable. Changing configuration or moving
the rule between zone and account scope triggers a replacement.
Safety: IP Access rules carry no ownership markers. When there is no
prior state, read scans the scope for an existing rule with the same
configuration and reports it as Unowned, so the engine refuses to take
it over unless --adopt (or adopt(true)) is set.
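A simplified model of the identity, replacement and adoption rules described above, added here as an illustration and not taken from the project's source. The names `Rule`, `Desired`, `identity` and `plan`, the action labels, and the `zone-a` / `rule-1` identifiers are hypothetical.

```typescript
type Config = { target: "ip" | "ip_range" | "asn" | "country"; value: string };
type Rule = { id: string; zoneId?: string; configuration: Config; mode: string; notes?: string };
type Desired = Omit<Rule, "id">;
type Action = "create" | "noop" | "update" | "replace" | "adopt" | "refuse-unowned";

// Identity = scope (one zone, or the whole account) + configuration target + value.
const identity = (r: Desired): string =>
  [r.zoneId ?? "account", r.configuration.target, r.configuration.value].join("|");

// prior: the rule recorded in state by an earlier deploy, if any.
// inScope: rules currently present in the target zone or account.
function plan(prior: Rule | undefined, desired: Desired, inScope: Rule[], adopt = false): Action {
  if (prior) {
    // Configuration and scope are immutable, so any change there is delete + create.
    if (identity(prior) !== identity(desired)) return "replace";
    // Only mode and notes can be changed in place.
    return prior.mode !== desired.mode || prior.notes !== desired.notes ? "update" : "noop";
  }
  // No prior state: a matching rule was created by someone else and carries no
  // ownership marker, so it is treated as unowned.
  const match = inScope.find((r) => identity(r) === identity(desired));
  if (!match) return "create";
  return adopt ? "adopt" : "refuse-unowned";
}

// Constructed sample: a block rule that already exists in the zone.
const existing: Rule = {
  id: "rule-1",
  zoneId: "zone-a",
  configuration: { target: "ip", value: "198.51.100.4" },
  mode: "block",
};
const wanted: Desired = { zoneId: "zone-a", configuration: existing.configuration, mode: "block" };
const challenge: Desired = { ...wanted, mode: "managed_challenge" };
const accountWide: Desired = { configuration: existing.configuration, mode: "block" };

console.log(plan(undefined, wanted, [existing]));       // refuse-unowned
console.log(plan(undefined, wanted, [existing], true)); // adopt
console.log(plan(existing, challenge, [existing]));     // update
console.log(plan(existing, accountWide, [existing]));   // replace
```

Without the unowned check, a first deploy could silently take over, and later delete, a block rule that another team or an incident responder created by hand.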
Blocking an IP
Block a single IPv4 address on a zone

```typescript
yield* Cloudflare.FirewallAccessRule("BlockBadActor", {
  zoneId: zone.zoneId,
  configuration: { target: "ip", value: "198.51.100.4" },
  mode: "block",
  notes: "repeated credential stuffing",
});
```

Block a CIDR range account-wide

```typescript
// No zoneId — the rule applies to every zone in the account.
yield* Cloudflare.FirewallAccessRule("BlockScannerRange", {
  configuration: { target: "ip_range", value: "203.0.113.0/24" },
  mode: "block",
});
```

Challenging traffic

```typescript
// `block` for country targets is Enterprise-only; challenges work on
// all plans.
yield* Cloudflare.FirewallAccessRule("ChallengeCountry", {
  zoneId: zone.zoneId,
  configuration: { target: "country", value: "KP" },
  mode: "managed_challenge",
});
```

Whitelisting

```typescript
yield* Cloudflare.FirewallAccessRule("AllowOffice", {
  zoneId: zone.zoneId,
  configuration: { target: "ip", value: "192.0.2.10" },
  mode: "whitelist",
  notes: "office egress IP",
});
```