This is something that is configurable though. If you leave your Firewall security mode to default, then yes it will block IPs with bad rep.
If I don't care about anti-ddos, I just set the Firewall security to Low, and create a Firewall rule to allow everything from 0.0.0.0/0, simple as that.
Good to know that about Cloudflare. Believe it or not, there is at least one DoS protection provider/Web Application Firewall service/whatever you want to call it, that seems to default to asking you to solve captchas to view web pages.
If I don't care about anti-ddos, I just set the Firewall security to Low, and create a Firewall rule to allow everything from 0.0.0.0/0, simple as that.