How can Cloudflare Tunnel work if I block all protocols and IPs to/from my VM?

Hi,

I added a pfSense firewall behind the VM that is running my web server.
In the Cloudflare Tunnel dashboard, I set the service to be the IP of the VM with port 80

so something like http://172.16.15.10

The only open port in my VM is port 80 and then everything else is blocked - all protocols, inbound/outbound, IPv4 and IPv6

But I can still go to my domain.

How? I was thinking maybe if Cloudflare Tunnel is based on something like Wireguard, then perhaps the reason it’s still working is because all that matters is the initial handshake from the VM to the tunnel, so if the ports were open at the time before I added the block rules, then it doesn’t matter anymore if I block them after, and then I can go to my domain because port 80 is open

Is that the case? Or maybe I have misconfigured my firewall and the tunnel always needs another port open?

Thanks