Firewall rules - How do they work?

firewall

#1

I am trying to understand how the firewall works in Cloudflare.

For example, I currently have a website registered and working without Cloudflare with allowed IP(s):

domain: example.com
allowed via LB: 200.0.0.0
value: 201.0.0.0

Now I want to move it to Cloudflare, so I change it to:

domain: example.com
allowed via LB: CLOUDFLARE_IPS
value: 201.0.0.0
cloudflare firewall : Allowed IP 200.0.0.0

After that, a random guy uses my DNS value in one of his domains/subdomains:

domain: subdomain.example1.com
value: 201.0.0.0
allowed via LB: ‘0.0.0.0/0’
cloudflare firewall: 0.0.0.0/0

This will allow anyone to access my domain, which I definitely don’t want. Can someone please clarify what I am missing?


#3

If your webserver is configured to have a default site that just returns a 403, and then a specific site with server host ‘example.com’, wouldn’t that solve your problem?

(and I’m ignoring for a moment the fact that the attacker somehow needs to find out your LB IP - that once behind Cloudflare, is only known to Cloudflare, to outsiders they would see a Cloudflare IP)


#4

Not really. The idea here is more around the fact that AWS ELB allows all the requests from Cloudflare and it doesn’t care about the Cloudflare account making requests to the origin server.


#5

Right (I think - someone would still need to know your ELB IP), but once they get to your server, they’ll just get a 403… no access to your actual website.

Isn’t this similar to domain fronting that was announced that Amazon would block: https://arstechnica.com/information-technology/2018/05/amazon-blocks-domain-fronting-threatens-to-shut-down-signals-account/ (I am aware it’s through CloudFront, and the equivalent will only be ALB and not NLB - OTOH once through Cloudflare you’re limited to HTTP(s) anyway)

I don’t think there’s a proper solution for that - after all a single IP may host multiple sites and multiple Cloudflare users can host on a single target IP, and in fact most websites today are hosted that way. To achieve what you want, it sounds like Cloudflare would have to have connections to your domain origin from specific IPs (in many regions in the world) which are a subset of their whole network and block other Cloudflare users from originating through them - and dedicated IPs cost money. If such a thing exists, I do not recall seeing it, and would bet it would be an Enterprise feature, where price is set based on a more tailor-made suite of services.

One Cloudflare service I can think of that may be proper for this, is to use Argo Tunnel (under “Traffic” tab). That costs money:


But that way requests will come from within your servers so no need to expose ELB to the outside…
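The two origin policies discussed in posts #3 and #5 (an IP allowlist on the load balancer alone, versus the same allowlist plus a default site that answers 403 for any Host the origin does not serve) can be modelled in a few lines. This is an added example and not code from the thread or from Cloudflare; the edge IP ranges and the sample requests are constructed placeholders, and the real Cloudflare ranges must be taken from Cloudflare's published list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges standing in for Cloudflare's published edge IPs.
# They are NOT the real list; a deployment must load the list Cloudflare publishes.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Hostnames this origin actually serves (the thread's example.com).
SERVED_HOSTS = {"example.com", "www.example.com"}


@dataclass
class Request:
    src_ip: str  # address the load balancer sees the connection from
    host: str    # HTTP Host header / TLS SNI, chosen by whoever owns the zone


def from_cloudflare(ip: str) -> bool:
    """True when the connecting address is inside one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def ip_allowlist_only(req: Request) -> int:
    """Post #1's setup: the LB admits anything arriving from a Cloudflare edge IP.

    Any Cloudflare user who points their own zone at this origin IP passes,
    because the source address is a Cloudflare edge either way.
    """
    return 200 if from_cloudflare(req.src_ip) else 403


def ip_allowlist_plus_host_check(req: Request) -> int:
    """Post #3's fix: keep the edge IP rule, but let the default site return 403
    and serve only a Host that matches one of our configured server names."""
    if not from_cloudflare(req.src_ip):
        return 403
    if req.host.lower().rstrip(".") not in SERVED_HOSTS:
        return 403  # default site: some other zone is fronting our origin
    return 200


# Constructed sample traffic as seen by the origin.
SAMPLES = [
    Request("203.0.113.10", "example.com"),             # our zone via Cloudflare
    Request("203.0.113.10", "subdomain.example1.com"),  # foreign zone via Cloudflare
    Request("192.0.2.7", "example.com"),                # direct hit, bypassing Cloudflare
]


def evaluate(policy):
    """Return (host, src_ip, status) for each sample under the given policy."""
    return [(r.host, r.src_ip, policy(r)) for r in SAMPLES]


if __name__ == "__main__":
    for name, policy in (
        ("ip allowlist only", ip_allowlist_only),
        ("ip allowlist + host check", ip_allowlist_plus_host_check),
    ):
        print(name)
        for host, ip, status in evaluate(policy):
            print(f"  {ip:>14}  Host: {host:<24} -> {status}")
```

The second sample is the case the thread worries about: the connection is legitimately from a Cloudflare edge, so an IP rule alone admits it, and only the Host check sends it to the 403 default site. As post #6 points out, this does not hide the load balancer's address; it only ensures that reaching it yields nothing useful.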


#6

Thanks. I totally agree with you that I will need dedicated IP from Cloudflare. Worst part is you can easily find the ELB IP using services like https://censys.io/

For now I have hardened and added page rules using ALB, but other than that I don’t see a clear solution without it.


#7

From previous data, yes…

Nothing stops you from assigning a new, secret ELB, that once tested, you point your Cloudflare service through it and decommission the old one…