Block ports with WAF rule

Hi Everyone,

I’m utilising a free account and wondered if the following WAF rule will block ALL ports apart from 80 and 443;

(http.host contains "ourdomainname.com" and not cf.edge.server_port in {80 443})

BTW, the action is set to “Block”

Any thoughts or advice would be greatly appreciated.

That should work. Have you tried it?

G’day sdayman,

Thanks for responding to my query.

Not yet, I was concerned I might break everything else.

Would you know if the effect is immediate or if it takes a day or so?

More or less. That also means you can turn it off just as quickly, though.

I’ve enabled the rule and https://dnschecker.org/port-scanner.php

I’ll give it a few minutes though.

WAF rules aren’t going to make DNS changes.

No luck so far.

Is the expression written differently if I change it from the domain to the IP?

So would it look like;

(http.host contains "xxx.xxx.xxx.xxx" and not cf.edge.server_port in {80 443})

Your host header will never contain an IP, so that rule won’t do anything if it even saves.

1 Like

Is there a different expression if I wanted to utilise the IP instead but also block all but those two ports?

Which IP do you want to use and how do you want to use it?

You can certainly use the IP of the visitor making the connection attempt. Neither your origin server IP nor Cloudflare IPs should be useful on a WAF rule.

1 Like

Blocking by port number is not available with the Free Plan, as mentioned in the documentation:

Block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:
Source: Network ports · Cloudflare Fundamentals docs

Oddly enough, and contrary to Cloudflare WAF’s standard behavior, the rule will save without an error message, leading users who scan the documentation without noticing that limitation to think they can use it.

However, the same field cf.edge.server_port is available in Redirect Rules for all plans. So what I would do is to redirect all requests not on {80 443} to the equivalent URL in 443.

When incoming requests match... (open the Expression Editor)
not (cf.edge.server_port in {80 443})

Then 
Redirect URL
Type: Dynamic
Expression: concat("https://example.com", http.request.uri.path)
Status: 303

Alternatively, if you think you should instead block all such requests — keeping in mind some good bots might use ports other than 80 or 443 —, you can redirect them to a specific URL:

Type: Static
URL: https://example.com/port-not-allowed

Then block it with a WAF rule:

URI Path equals "/port-not-allowed"

2 Likes
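One way to verify the redirect-rule and WAF-rule setup above from the outside, as an added example that is not part of any post in this thread: a TCP port scan (like the dnschecker page mentioned earlier) is the wrong check, because the Cloudflare edge accepts connections on all of its HTTP/HTTPS ports for every zone regardless of your rules, so every port will always look "open". What the rules change is the HTTP response on those ports, so the script below sends a HEAD request to each edge port and classifies the answer. The host name and the port lists are assumptions: `example.com` is a placeholder for your own zone, and the port lists are taken from the Cloudflare network ports documentation that the post links to.

```python
"""Probe each Cloudflare edge port at the HTTP layer and report what the
redirect/WAF rules actually do there. Stdlib only; run against your own zone.
"""
import http.client
import ssl

# Ports the Cloudflare proxy listens on, per the Network ports docs page.
CF_HTTP_PORTS = (80, 8080, 8880, 2052, 2082, 2086, 2095)
CF_HTTPS_PORTS = (443, 2053, 2083, 2087, 2096, 8443)
ALLOWED_PORTS = {80, 443}

# Placeholder zone name; replace with the hostname you are testing.
HOST = "example.com"


def classify(port, status, location, expected_host):
    """Map one response to what the rules in the thread should produce.

    - port 80/443: served normally by the origin -> "served"
    - other port + 3xx to https://<your host>/... -> "redirected"
      (the dynamic redirect rule, or the hop to /port-not-allowed)
    - other port + 403 -> "blocked" (WAF rule fired on this request)
    - anything else -> "unexpected" (rule not applied, or redirect to a
      host you do not control)
    """
    if port in ALLOWED_PORTS:
        return "served"
    if status in (301, 302, 303, 307, 308):
        if location and (location == f"https://{expected_host}"
                         or location.startswith(f"https://{expected_host}/")):
            return "redirected"
        return "unexpected"
    if status == 403:
        return "blocked"
    return "unexpected"


def probe(host, port, tls, path="/", timeout=5):
    """HEAD request to host:port; returns (status, Location header or None)."""
    if tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path,
                     headers={"Host": host, "User-Agent": "port-rule-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run(host=HOST):
    """Probe every edge port and return {port: classification}."""
    results = {}
    targets = [(p, False) for p in CF_HTTP_PORTS] + [(p, True) for p in CF_HTTPS_PORTS]
    for port, tls in targets:
        try:
            status, location = probe(host, port, tls)
        except OSError as exc:  # connection refused, timeout, TLS failure
            results[port] = f"error: {exc}"
            continue
        results[port] = classify(port, status, location, host)
        print(f"{'https' if tls else 'http'}://{host}:{port}  "
              f"-> {status} {location or ''}  [{results[port]}]")
    return results


if __name__ == "__main__":
    run()
```

With the plain redirect variant every non-standard port should come back as `redirected` with a `Location` on port 443; with the redirect-then-block variant the first hop is also `redirected` (to `/port-not-allowed`), and a second request to that `Location` should come back `403`, which `classify` reports as `blocked`. Any `unexpected` entry on a non-standard port means the rule is not firing there, which is exactly the case the documentation quoted above describes for a WAF port rule on the Free plan.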

Many thanks cbrandt.

I’ll work towards implementing your suggestions and continue testing.

Thanks again.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.