Cloudflare 100015 Block requests to all ports except 80 and 443


#1

With “Cloudflare Specials” enabled and this “100015 Block requests to all ports except 80 and 443” set to block, the rule/setting appears to do nothing? I still get a response from the other supported ports (i.e. https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-) and it looks like this has no effect or is not working? Is there a known conflict with other settings, or am I misinterpreting the description?


#2

What exactly do you mean by that? I haven’t used that feature yet, but I’d assume any connection attempts to the ports in question will simply not be forwarded to your origin.


#3

I assume it would block the request at Cloudflare as a WAF would, similar to the other rules in the set. Cloudflare accepts the request, in addition to attempting to forward it to the origin. The origin server doesn’t allow it, and the connection eventually ends in a timeout.


#4

A firewall would likely drop the request on a network level. This is something Cloudflare can’t do because of the shared edges, but - as I mentioned - I’d imagine matching requests not to be forwarded at all, but the user will still get a response from Cloudflare.


#5

I apologize, my context was incorrect; I’m referring to the WAF, where the rules currently reside. Edited the reply for clarity.


#6

Well, with the WAF you usually have requests blocked on the edge if they trigger a block. I’d expect the same to happen here. If you configured it to have non-80/443 connections blocked, I’d assume Cloudflare won’t forward them at all. Is that not the case with you? Do you still get requests to such ports even though you configured the rule?


#7

Correct, Cloudflare is still attempting to connect to the origin through the same port. For the time being this is ok since the origin doesn’t allow it; not sure if it is a bug or conflicting rules.
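An added example, not part of this thread or of anything Cloudflare ships, that turns the observation above into a repeatable check against your own zone. The idea: if the 100015 rule is enforced at the edge, a request on a non-80/443 proxied port should come back as a 403 block page; if the edge still forwards to the origin and the origin refuses it, you see a Cloudflare 52x error (or a timeout) instead, which is exactly the symptom described in the thread. The port lists are an assumption taken from Cloudflare's published proxy-port list (the support article linked in #1); verify them against that article before relying on the output.

```python
"""Check whether a 'block all ports except 80/443' WAF rule is enforced at the edge.

Added example for this thread (assumptions: the port lists below match Cloudflare's
published proxy-port list; the zone is proxied through Cloudflare; you own the zone).
"""
import http.client
import ssl
import sys
from typing import Optional

# Assumed Cloudflare proxy ports other than 80/443 (check the linked support article).
HTTP_PORTS = [8080, 8880, 2052, 2082, 2086, 2095]
HTTPS_PORTS = [8443, 2053, 2083, 2087, 2096]


def classify(status: Optional[int]) -> str:
    """Interpret one response status in terms of what the edge did with the request."""
    if status is None:
        return "no-response"                    # TCP/TLS failure or timeout before any HTTP reply
    if status == 403:
        return "blocked-at-edge"                # WAF block page served by Cloudflare
    if 520 <= status <= 530:
        return "forwarded-origin-unreachable"   # edge tried the origin, origin refused or timed out
    if 200 <= status < 400:
        return "forwarded-origin-answered"      # request reached the origin and it answered
    return "other"


def probe(host: str, port: int, tls: bool, timeout: float = 10.0) -> str:
    """Send one GET / to host:port through Cloudflare and classify the outcome."""
    if tls:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "port-rule-check/1.0"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify(resp.status)
    except (OSError, http.client.HTTPException):
        # socket.timeout and ssl.SSLError are OSError subclasses
        return classify(None)
    finally:
        conn.close()


def check_zone(host: str) -> dict:
    """Probe every non-80/443 proxy port; returns {(port, scheme): classification}."""
    results = {}
    for port in HTTP_PORTS:
        results[(port, "http")] = probe(host, port, tls=False)
    for port in HTTPS_PORTS:
        results[(port, "https")] = probe(host, port, tls=True)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: port_rule_check.py <your-proxied-hostname>")
    for (port, scheme), verdict in sorted(check_zone(sys.argv[1]).items()):
        print(f"{scheme}://{sys.argv[1]}:{port}  ->  {verdict}")
```

Reading the output: every line showing `blocked-at-edge` means the rule is doing what its description says; `forwarded-origin-unreachable` or `no-response` across the board matches the behaviour reported in this thread (the edge still tries the origin), and is worth attaching to a support ticket together with the `cf-ray` values from the responses.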


#8

I’d probably open a support ticket in this case. Cloudflare’s support should be able to provide a definite answer here, or trace it if it is a bug.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.