Firewall rule to block ports?

Hello everyone,

I need to create a firewall rule blocking all ports Cloudflare utilizes except 22, 80, & 443. Would I use this expression not (cf.edge.server_port in {80 443}) to solve my problem?

Resources:
https://developers.cloudflare.com/fundamentals/get-started/reference/network-ports/

22 isn’t on that list anyway - Cloudflare’s proxy only supports HTTP & HTTPS.

SSH has to go through something like Cloudflare Access or Cloudflare Spectrum.

Other than that, yeah, just use not (cf.edge.server_port in {80 443}).

They’ll still appear in port scans, since Cloudflare is listening on them, but it’d never make it to your server.


Will that expression allow me to use a wildcard (*)?

What are you wanting to use a wildcard for?

Post an example of the expression you’re going for.

My domain is a web app that has multiple subdomains, which is why I need this firewall to be able to scale globally.

example:
http.host eq "*.example.com" and not cf.edge.server_port in {80 443}

The firewall rule would already apply to every domain/subdomain in your zone with just not (cf.edge.server_port in {80 443}).

Every inbound request is evaluated against this expression - your addition would only scope it down.
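To make the scoping point concrete, here is an added example, written for this edit rather than taken from the thread or from Cloudflare: a small Python evaluator for the subset of the Rules expression language used above (not, and, or, parentheses, in {…}, eq, ends_with). It models eq as the exact string comparison it is in Cloudflare's language, so a quoted * is a literal asterisk rather than a glob; ends_with is a real operator in that language, but its use here, the sample hosts and the edge ports are constructed for illustration and say nothing about the poster's actual zone.

```python
"""Added example (not Cloudflare's engine): a toy evaluator for the subset of
the Rules expression language used in this thread. Sample requests are constructed."""
import re

# Tokens: parentheses, set braces, "strings", identifiers/keywords, integers.
TOKEN = r'\(|\)|\{|\}|"[^"]*"|[A-Za-z_][\w.]*|\d+'

def tokenize(expr):
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN}))*\s*", expr):
        raise ValueError(f"unexpected input in {expr!r}")
    return re.findall(TOKEN, expr)

def literal(tok):
    """Quoted string literal -> str, bare digits -> int."""
    return tok[1:-1] if tok.startswith('"') else int(tok)

class Parser:
    """Recursive descent, lowest to highest precedence: or, and, not, comparison.
    Every method returns a predicate over a request dict keyed by field name."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def or_expr(self):
        rule = self.and_expr()
        while self.peek() == "or":
            self.take()
            lhs, rhs = rule, self.and_expr()          # bind now, not at call time
            rule = lambda req, lhs=lhs, rhs=rhs: lhs(req) or rhs(req)
        return rule

    def and_expr(self):
        rule = self.not_expr()
        while self.peek() == "and":
            self.take()
            lhs, rhs = rule, self.not_expr()
            rule = lambda req, lhs=lhs, rhs=rhs: lhs(req) and rhs(req)
        return rule

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda req: not inner(req)
        return self.comparison()

    def comparison(self):
        if self.peek() == "(":
            self.take("(")
            rule = self.or_expr()
            self.take(")")
            return rule
        field, op = self.take(), self.take()
        if op == "in":                                  # field in {v1 v2 ...}
            self.take("{")
            values = set()
            while self.peek() != "}":
                values.add(literal(self.take()))
            self.take("}")
            return lambda req: req.get(field) in values
        rhs = literal(self.take())
        if op == "eq":                                  # exact comparison: "*" is not a glob
            return lambda req: req.get(field) == rhs
        if op == "ends_with":                           # suffix test on the string value
            return lambda req: str(req.get(field, "")).endswith(str(rhs))
        raise ValueError(f"unsupported operator {op!r}")

def matches(expression, request):
    """True when the rule expression fires for this request."""
    parser = Parser(expression)
    rule = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    return rule(request)

# Constructed sample edge traffic: Host header and the edge port it arrived on.
SAMPLE_REQUESTS = [
    {"http.host": "www.example.com", "cf.edge.server_port": 443},
    {"http.host": "api.example.com", "cf.edge.server_port": 8443},
    {"http.host": "example.com", "cf.edge.server_port": 8080},
]

ZONE_WIDE = "not (cf.edge.server_port in {80 443})"
LITERAL_HOST = 'http.host eq "*.example.com" and not cf.edge.server_port in {80 443}'
SUFFIX_HOST = 'http.host ends_with ".example.com" and not cf.edge.server_port in {80 443}'

def blocked_hosts(expression, requests=SAMPLE_REQUESTS):
    """Hosts whose request the rule would block, in sample order."""
    return [r["http.host"] for r in requests if matches(expression, r)]

def scoped_is_subset(scoped, wide, requests=SAMPLE_REQUESTS):
    """Adding a host condition can only narrow the zone-wide port rule, never widen it."""
    return all(matches(wide, r) for r in requests if matches(scoped, r))
```

Running blocked_hosts over the three sample requests shows the zone-wide rule blocking the two requests that did not arrive on 80 or 443, the eq "*.example.com" variant blocking nothing (no Host header is literally that string), and the ends_with variant blocking only api.example.com; scoped_is_subset confirms that neither host condition adds anything the zone-wide rule did not already block. Cloudflare's real engine has many more fields and operators; this model covers only what the thread uses.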

Thank you friend!