Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 27 subscribers
  • Views 244 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cloudflared WAF & port showing open

Panagiotis Vakerlis

Hello everyone,

Me and also a friend have the same issue with a waf rule.

We both have a cloudflare proxied domain name (lets say system.somedns.com) that points to our wan IP. Since it's cloudflare proxied, the ip of the domain name points to cloudflare.

So we created a WAF rule with HTTPS and redirect to HTTPS, added the web server (the internal IP), enabled path specific routing and added all the cloudflare IPs on the allowed client networks and enabled All IPv4 on the blocked networks. Saved and it's working.

Problem is, on a port scan, both 80 and 443 seem open with our personal WAN IPs. I'm guessing it shouldn't since it's not coming from cloudflare and if I remember correctly, on a DNAT rule it doesn't show as open.

Any ideas on that?



This thread was automatically locked due to age.
Parents
  • +1

    Hello!

    Panagiotis Vakerlis said:
    Problem is, on a port scan, both 80 and 443 seem open with our personal WAN IPs. I'm guessing it shouldn't since it's not coming from cloudflare and if I remember correctly, on a DNAT rule it doesn't show as open.

    The WAF doesn't act in the same way a Firewall & NAT Rules does.

    It will indeed show as open on both 80/443 but will give an "403 Forbidden" for any IPv4 that isn't on the allow list. (Not on the Cloudflare IPv4 list.)

    One way to fix this is by creating a Blackhole DNAT Rule, you can check here for more information => Create a black hole DNAT rule - Sophos Firewall

    Also, if you're using solely using Cloudflare you don't need to enable the "Redirect to HTTPS" option. (Leaving on HTTPS only (443) is enough.)

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Reply
  • +1

    Hello!

    Panagiotis Vakerlis said:
    Problem is, on a port scan, both 80 and 443 seem open with our personal WAN IPs. I'm guessing it shouldn't since it's not coming from cloudflare and if I remember correctly, on a DNAT rule it doesn't show as open.

    The WAF doesn't act in the same way a Firewall & NAT Rules does.

    It will indeed show as open on both 80/443 but will give an "403 Forbidden" for any IPv4 that isn't on the allow list. (Not on the Cloudflare IPv4 list.)

    One way to fix this is by creating a Blackhole DNAT Rule, you can check here for more information => Create a black hole DNAT rule - Sophos Firewall

    Also, if you're using solely using Cloudflare you don't need to enable the "Redirect to HTTPS" option. (Leaving on HTTPS only (443) is enough.)

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Children
Unfiltered HTML