Encountering issues with passing the TCP source port through the firewall

I’m experiencing difficulty in blocking open ports in Cloudflare using WAF. I’ve attempted to address this by adding a custom rule under Security > WAF and including the following code:

When an incoming request matches the condition:
not (cf.edge.server_port in {53 24567})

And the action taken is Block.


THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

RESULT:
The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.
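To make the scanner's RESULT and SOLUTION sections concrete from the defender's side, here is an added example (it is not from the original post, from the scanner vendor, or from Cloudflare) that models a stateless packet filter in memory and audits a ruleset the way the report describes: four SYN probes to the destination port from source port 53 versus four from a random source port. The rule sets, the port numbers and every function name are constructed assumptions for the illustration; nothing is sent on the network.

```python
"""Toy stateless packet-filter model used to audit a ruleset for the
'TCP source port passes through the firewall' weakness.

Constructed example: WEAK_RULES and STRICT_RULES are assumed rule sets,
not configuration taken from any real firewall or from Cloudflare.
"""
from dataclasses import dataclass
from typing import Optional
import random


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst_port: Optional[int]     # None matches any destination port
    src_port: Optional[int]     # None matches any source port
    syn: Optional[bool]         # None matches SYN and non-SYN alike


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool = True            # the scanner sends bare SYN probes


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every non-None field equals the packet's field."""
    return (
        (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and (rule.src_port is None or rule.src_port == pkt.src_port)
        and (rule.syn is None or rule.syn == pkt.syn)
    )


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Weak (assumed) ruleset: a stateless "let DNS replies back in" exception
# keyed only on source port 53 is evaluated before the intended deny, so a
# SYN to 24567 gets through whenever its source port is 53.
WEAK_RULES = [
    Rule("allow", None, 53, None),
    Rule("deny", 24567, None, True),
]

# Strict (assumed) ruleset: the deny for SYN to 24567 comes first and
# ignores the source port, and the port-53 exception only covers
# non-SYN segments, i.e. replies to connections we already opened.
STRICT_RULES = [
    Rule("deny", 24567, None, True),
    Rule("allow", None, 53, False),
]


def probe(rules: list, dst_port: int, src_port: int, count: int = 4) -> int:
    """Return how many of `count` SYN probes the ruleset would let through."""
    return sum(
        1 for _ in range(count)
        if evaluate(rules, Packet(src_port, dst_port)) == "allow"
    )


def audit(rules: list, dst_port: int, fixed_src: int = 53, seed: int = 1) -> dict:
    """Reproduce the report's check: fixed source port vs random source port.

    A ruleset is flagged as bypassable when the fixed source port lets
    more probes through than a random ephemeral source port does.
    """
    rng = random.Random(seed)
    random_src = rng.randint(1024, 65535)   # never collides with port 53
    fixed = probe(rules, dst_port, fixed_src)
    rnd = probe(rules, dst_port, random_src)
    return {
        "fixed_src_responses": fixed,
        "random_src_responses": rnd,
        "bypass": fixed > rnd,
    }


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
        print(name, audit(rules, 24567))
```

Running the block prints a 4-versus-0 result for the weak ruleset, which is exactly the pattern the scanner reported, and 0-versus-0 for the strict one. The fix is not a new rule but rule ordering and a SYN qualifier: the deny for the destination port must be reached before any source-port-based allow, and a source-port exception should never admit a SYN.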

You can’t control the ports that are open on the Cloudflare edge since the IP address is shared amongst all customers, and only the following (unless using Cloudflare Spectrum) are of any effect if blocked in the WAF anyway…


It doesn’t. This finding is a false positive,
