Cannot block ports with WAF rules

I can’t get WAF rules to work. I’m trying to block all traffic except port 443 but the following rule does not work. I have tried setting the proxy status to proxied and DNS only, but get the same result each time. When I run the command nc -zv 2052, the request is not blocked. I’ve also tried the rule cf.edge.server_port ne 443 and traffic is still allowed on non 443 ports.

The only thing I can think of is that the DNS is a CNAME rule to a Cloudflare Worker. I’ve tried removing the HTTP Route (in Workers Routes) but port traffic is still allowed. Have I missed something obvious?

Per the How to block traffic on additional ports

Expression: not (cf.edge.server_port in {80 443})

nc -zv 2052 is checking to see if a port is open, not if the traffic is proxied to the origin.

1 Like

Thanks, is there any way to block incoming requests that don’t match a specific port?

Besides the one that you’re using / @anon9246926 linked to? Is it an issue that Cloudflare is listening on that port if requests to the origin are blocked? If so, why?

Good point. I’m just trying to pass penetration testing. I’ll call this out as a false positive.

Penetration testing should really be done on your server, not on Cloudflare’s, otherwise it’s rather pointless.
You need to use your server’s IP or a domain that resolves to your server for the test, not a domain that resolves to Cloudflare.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.