I can’t get WAF rules to work. I’m trying to block all traffic except port 443 but the following rule does not work. I have tried setting the proxy status to proxied and DNS only, but get the same result each time. When I run the command nc -zv app.healthcheck.live 2052, the request is not blocked. I’ve also tried the rule cf.edge.server_port ne 443 and traffic is still allowed on non-443 ports.
The only thing I can think of is that the DNS is a CNAME rule to a Cloudflare Worker. I’ve tried removing the HTTP Route (in Workers Routes) but port traffic is still allowed. Have I missed something obvious?
Besides the one that you’re using / @anon9246926 linked to? Is it an issue that Cloudflare is listening on that port if requests to the origin are blocked? If so, why?
Penetration testing should really be done on your server, not on Cloudflare’s, otherwise it’s rather pointless.
You need to use your server’s IP or a domain that resolves to your server for the test, not a domain that resolves to Cloudflare.
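The nc -zv check in the original question only completes a TCP handshake, which the edge accepts before any WAF rule runs; a rule such as cf.edge.server_port ne 443 is evaluated against the HTTP request that follows. The script below is an added example (not code from the thread) that probes a port both ways so that a block shows up as the HTTP status rather than as a refused connection. It assumes HOST is replaced with a hostname in your own zone and that the rule's Block action answers with a 403, Cloudflare's default.

```python
import socket
import ssl
from typing import Optional

HOST = "example.invalid"  # placeholder: replace with a hostname in your own zone
TIMEOUT = 5

def tcp_connect(host: str, port: int) -> bool:
    """What `nc -zv` measures: does the TCP handshake succeed?"""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False

def parse_status(raw: bytes) -> Optional[int]:
    """Status code from a raw HTTP/1.x response, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def http_probe(host: str, port: int, tls: bool) -> Optional[int]:
    """Send one GET on the port; the WAF rule is evaluated on this request, not on the handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
        if tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while chunk := sock.recv(4096):
                data += chunk
        return parse_status(data)
    except OSError:
        return None

def verdict(tcp_ok: bool, status: Optional[int]) -> str:
    """A WAF block is visible as an HTTP 403 (assumed default), never as a refused TCP connection."""
    if not tcp_ok:
        return "unreachable"
    if status is None:
        return "tcp-only"  # handshake worked but no HTTP answer came back
    return "blocked-by-waf" if status == 403 else "allowed"

if __name__ == "__main__":
    for port, tls in ((443, True), (2052, False)):  # 2052 is the port from the question
        ok = tcp_connect(HOST, port)
        status = http_probe(HOST, port, tls) if ok else None
        print(f"{HOST}:{port} tcp={ok} http={status} -> {verdict(ok, status)}")
```

Run it against the proxied hostname to see whether the rule fires, and against the origin's own address (as the replies suggest) to see what the origin exposes without Cloudflare in front.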