Network-level CrowdSec blocking loses per-service rule granularity

When CrowdSec firewall bouncer is configured at host level instead of as Traefik middleware, IP blocking applies to all services uniformly. Per-service CrowdSec policies cannot be implemented because the bouncer operates before Traefik processes the request. Additionally, captcha challenges are not possible with the firewall bouncer (it only blocks), and CrowdSec decisions don't appear in Traefik access logs.

Understand that moving CrowdSec to network layer trades per-service flexibility for stability. All services will share the same ban lists. Design CrowdSec scenarios and collections to work at the host level. For services requiring different security policies, consider separate Traefik instances or accept uniform protection.