How does Cloudflare Firewall rule ordering work?

Solution 1:

It depends ...

By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the Rules List.

Once there are more than 200 total rules (including inactive rules), you must manage evaluation using priority ordering, in which Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest.

Source: https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/

When an HTTP request is evaluated in list order and the request matches an expression, the associated action determines what happens next.

Most actions are an exit, and no further firewall rules will be evaluated for that request. You would also describe this as "first match".

When "priority ordering" is used, there can be multiple expressions with the same priority; they will all be evaluated, and an HTTP request can match several expressions concurrently.
Then the precedence of the action determines what will happen. The allow action has precedence over the block action.

Again, after a match most actions are an exit, and no further firewall rules of lower priority will be evaluated for that request.

https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/

———

In list ordering:

Rule 1: Block ASN
Rule 2: Allow IP

The request from the IP will match rule 1, and the request will be blocked. Rule 2 will not be evaluated.
To exempt the IP, the rule order needs to be reversed.

On the other hand in priority ordering:

Priority 2: Rule 1: Block ASN
Priority 2: Rule 2: Allow IP

The request from the IP matches both rules. The Allow action has greater precedence than the Block action, and thus the request will be allowed.
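The two evaluation modes described in the answer, modelled in a small Python script. This is an added illustration, not Cloudflare's engine or code from the answer: it implements a tiny subset of the filter expression language (field eq/ne value, field in {...}, and/or without parentheses) and the list-order and priority-order semantics exactly as the answer states them. The answer only says that allow beats block; the full precedence list used here (log, allow, challenge, block), the choice that log does not terminate evaluation, the rule names, the ASN 64496 and the IP 203.0.113.7 are this example's assumptions (the last two are documentation-reserved values).

```python
"""Model of list-order vs priority-order firewall rule evaluation.

Added example only; it mimics the behaviour described in the answer and
is not Cloudflare's implementation.
"""
from dataclasses import dataclass

# Precedence when several rules of the same priority match: lower index
# wins. Only "allow beats block" comes from the answer; the rest of the
# order is an assumption for this example.
PRECEDENCE = ["log", "allow", "challenge", "block"]
# Actions that end evaluation. Treating log as non-terminating is an
# assumption for this example.
TERMINATING = {"allow", "challenge", "block"}


@dataclass
class Rule:
    name: str
    expression: str
    action: str
    priority: int = 0      # only used by priority ordering
    enabled: bool = True


def _atom(atom, request):
    """Evaluate one comparison: `field eq value`, `field ne value`
    or `field in {v1 v2 ...}` against a dict of request fields."""
    parts = atom.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"unsupported expression: {atom!r}")
    field, op, value = parts
    actual = str(request.get(field, ""))
    if op == "eq":
        return actual == value.strip('"')
    if op == "ne":
        return actual != value.strip('"')
    if op == "in":
        members = value.strip().strip("{}").replace('"', "").split()
        return actual in members
    raise ValueError(f"unsupported operator: {op!r}")


def matches(expression, request):
    """'and' binds tighter than 'or'; parentheses are not supported."""
    return any(
        all(_atom(a, request) for a in clause.split(" and "))
        for clause in expression.split(" or ")
    )


def evaluate_list_order(rules, request):
    """First match wins: rules are checked in list order and the first
    terminating action ends evaluation. Returns (decision, logged_rules)."""
    logged = []
    for rule in rules:
        if not rule.enabled or not matches(rule.expression, request):
            continue
        if rule.action in TERMINATING:
            return rule.action, logged
        logged.append(rule.name)          # log: record and keep going
    return "pass", logged                 # no rule acted on the request


def evaluate_priority_order(rules, request):
    """Lowest priority number first; every rule at that priority is
    evaluated, and among the matches the highest-precedence action wins.
    Rules with a higher priority number are not reached after an exit."""
    logged = []
    for prio in sorted({r.priority for r in rules if r.enabled}):
        matched = [r for r in rules
                   if r.enabled and r.priority == prio
                   and matches(r.expression, request)]
        logged += [r.name for r in matched if r.action == "log"]
        terminating = [r for r in matched if r.action in TERMINATING]
        if terminating:
            winner = min(terminating, key=lambda r: PRECEDENCE.index(r.action))
            return winner.action, logged
    return "pass", logged


# Constructed sample data reproducing the answer's two-rule scenario.
RULES = [
    Rule("Block ASN", "ip.geoip.asnum eq 64496", "block", priority=2),
    Rule("Allow IP", "ip.src eq 203.0.113.7", "allow", priority=2),
]
REQUEST = {"ip.src": "203.0.113.7", "ip.geoip.asnum": "64496"}

if __name__ == "__main__":
    print("list order:    ", evaluate_list_order(RULES, REQUEST)[0])        # block
    print("reversed list: ", evaluate_list_order(RULES[::-1], REQUEST)[0])  # allow
    print("priority order:", evaluate_priority_order(RULES, REQUEST)[0])    # allow
```

Running it shows the difference the answer describes: in list order the Block ASN rule matches first and the Allow IP rule is never reached, reversing the list exempts the IP, and in priority ordering both rules at priority 2 match and allow wins on precedence. Disabled rules are skipped in both modes but, as the answer notes, they still count toward the 200-rule threshold that forces priority ordering in the first place.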