Block ports with WAF rule

Hi Everyone,

I’m utilising a free account and wondered if the following WAF rule will block ALL ports apart from 80 and 443;

( contains "" and not cf.edge.server_port in {80 443})

BTW, the action is set to “Block”

Any thoughts or advice would be greatly appreciated.

That should work. Have you tried it?

G’day sdayman,

Thanks for responding to my query.

Not yet, I was concerned I might break everything else.

Would you know if the effect is immediate or if it takes a day or so?

More or less. That also means you can turn it off just as quickly, though.

I’ve enable the rule and

I’ll give it a few minutes though.

WAF rules aren’t going to make DNS changes.

No lock so far.

Is the expression written differently if I change it from the domain to the IP.

So would it look like;

( contains “” and not cf.edge.server_port in {80 443})


Your host header will never contain an IP, so that rule won’t do anything if it even saves.

1 Like

Is there a different expression if I wanted to utilise the IP instead but also block all but those two ports?

Which IP do you want to use and how do you want to use it?

You can certainly use the IP of the visitor makingtheconnectionattempt. Neither your origin server IP or Cloudflare IPs should be useful on a WAF rule.

1 Like

Blocking by port number is not available with the Free Plan, as mentioned in the documentation:

Block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:
Source; Network ports · Cloudflare Fundamentals docs

Oddly enough, and contrary to Cloudflare WAF’s standard behavior, the rule will save without an error message, leading users who scan the documentation without noticing that limitation to think they can use it.

However, the same field cf.edge.server_port is available in Redirect Rules for all plans. So what I would do is to redirect all requests not on {80 443} to the equivalent URL in 443.

When incoming requests match... (open the Expression Editor)
not (cf.edge.server_port in {80 443})

Redirect URL
Type: Dynamic
Expression: concat("", http.request.uri.path)
Status: 303

Alternatively, if you think you should instead block all such requests — keeping in mind some good bots might use ports other than 80 or 443 —, you can redirect them to a specific URL:

Type: Static

Then block it with a WAF rule:

URI Path equals "/port-not-allowed"


Many thanks cbrandt.

I’ll work towards implementing your suggestions and continue testing.

Thanks again.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.