Firewall rule to block ports?

Hello everyone,

I need to create a firewall rule blocking all ports Cloudflare utilizes except 22, 80, & 443. Would I use this expression not (cf.edge.server_port in {80 443}) to solve my problem?


22 isn’t on that list anyways - Cloudflare’s proxy only supports HTTP & HTTPS.

SSH has to go through something like Cloudflare Access or Cloudflare Spectrum.

Other than that, yeah, just use not (cf.edge.server_port in {80 443}).

They’ll still appear in port scans since Cloudflare is listening on them but it’d never make it to your server.


Will that expression allow me to use a wildcard (*)?

What are you wanting to use a wildcard for?

Post an example of the expression you’re going for.

My domain is a web app that has multiple subdomains which is why I need this firewall to be able to scale globally.

example: eq "*" and not cf.edge.server_port in {80 443}

The firewall rule would already apply to every domain/subdomain in your zone with just not (cf.edge.server_port in {80 443}).

Every inbound request is evaluated against this expression - your addition would only scope it down.

1 Like

Thank you friend!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.