Firewall rule to block ports?

Hello everyone,

I need to create a firewall rule blocking all ports Cloudflare utilizes except 22, 80, & 443. Would I use this expression not (cf.edge.server_port in {80 443}) to solve my problem?

Resources:

22 isn’t on that list anyways - Cloudflare’s proxy only supports HTTP & HTTPS.

SSH has to go through something like Cloudflare Access or Cloudflare Spectrum.

Other than that, yeah, just use not (cf.edge.server_port in {80 443}).

They’ll still appear in port scans since Cloudflare is listening on them but it’d never make it to your server.


Will that expression allow me to use a wildcard (*)?

What are you wanting to use a wildcard for?

Post an example of the expression you’re going for.

My domain is a web app that has multiple subdomains which is why I need this firewall to be able to scale globally.

example:
http.host eq "*.example.com" and not cf.edge.server_port in {80 443}

The firewall rule would already apply to every domain/subdomain in your zone with just not (cf.edge.server_port in {80 443}).

Every inbound request is evaluated against this expression - your addition would only scope it down.

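To make the two replies above concrete, here is an added example (not from the thread and not Cloudflare's code) that evaluates this thread's expressions over a few constructed requests with hypothetical hosts: the bare port rule already applies to every host in the zone, an `http.host` clause can only narrow it, and because `eq` is exact string comparison the literal `"*.example.com"` matches no real hostname.

```python
# Added illustration, not Cloudflare code: evaluates the subset of Cloudflare's rule language
# used in this thread (`not`, `and`, `in {...}`, `eq`, parentheses). As in the real language,
# `eq` is exact string comparison, so the "*" in "*.example.com" is a literal character.
import re
_value = lambda t: t[1:-1] if t.startswith('"') else int(t)  # "quoted" string or integer


def parse(expression):
    toks = re.findall(r'\(|\)|\{|\}|"[^"]*"|[\w.]+', expression)
    ast = _expr(toks)
    if toks: raise ValueError("unparsed tokens: %r" % toks)
    return ast


def _expr(toks):  # chain of terms joined by `and`; consumes from the front of toks
    node = _unary(toks)
    while toks and toks[0] == "and":
        toks.pop(0)
        node = ("and", node, _unary(toks))
    return node


def _unary(toks):  # `not` applies to the following term; `(...)` groups
    tok = toks.pop(0)
    if tok == "not":
        return ("not", _unary(toks))
    if tok == "(":
        node = _expr(toks)
        if toks.pop(0) != ")": raise ValueError("expected )")
        return node
    op = toks.pop(0)  # tok is a field name such as cf.edge.server_port
    if op == "eq":
        return ("eq", tok, _value(toks.pop(0)))
    if op == "in" and toks.pop(0) == "{":
        end = toks.index("}")  # set literal: every value up to the closing brace
        values, toks[:end + 1] = {_value(t) for t in toks[:end]}, []
        return ("in", tok, values)
    raise ValueError("unsupported operator %r" % op)


def matches(node, req):
    if node[0] == "and":
        return matches(node[1], req) and matches(node[2], req)
    if node[0] == "not":
        return not matches(node[1], req)
    return req.get(node[1]) == node[2] if node[0] == "eq" else req.get(node[1]) in node[2]


# Constructed sample requests with hypothetical hosts, as the edge would see them.
REQUESTS = [{"http.host": h, "cf.edge.server_port": p} for h, p in [("app.example.com", 443),
            ("api.example.com", 8443), ("example.com", 80), ("example.com", 2083)]]


def blocked(expression, requests=REQUESTS):
    """host:port of each sample request that a block rule with this expression stops."""
    ast = parse(expression)
    return ["%s:%d" % (r["http.host"], r["cf.edge.server_port"]) for r in requests if matches(ast, r)]
```

The unscoped rule stops every sample request on a port other than 80 or 443; the version with `http.host eq "*.example.com"` stops nothing, since `eq` never treats `*` as a wildcard, and a host clause with an exact hostname stops only a subset of what the unscoped rule already catches.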

Thank you friend!
