
Cloudflared WAF & port showing open

Hello everyone,

A friend and I have the same issue with a WAF rule.

We both have a Cloudflare-proxied domain name (let's say system.somedns.com) that points to our WAN IP. Since it's Cloudflare proxied, the IP of the domain name points to Cloudflare.

So we created a WAF rule with HTTPS and redirect to HTTPS, added the web server (the internal IP), enabled path specific routing and added all the cloudflare IPs on the allowed client networks and enabled All IPv4 on the blocked networks. Saved and it's working.

Problem is, on a port scan, both 80 and 443 seem open with our personal WAN IPs. I'm guessing it shouldn't since it's not coming from cloudflare and if I remember correctly, on a DNAT rule it doesn't show as open.

Any ideas on that?



This thread was automatically locked due to age.
  • Hello!

    Problem is, on a port scan, both 80 and 443 seem open with our personal WAN IPs. I'm guessing it shouldn't since it's not coming from cloudflare and if I remember correctly, on a DNAT rule it doesn't show as open.

    The WAF doesn't act in the same way a Firewall & NAT Rules does.

    It will indeed show as open on both 80/443 but will give a "403 Forbidden" for any IPv4 that isn't on the allow list. (Not on the Cloudflare IPv4 list.)

    One way to fix this is by creating a Blackhole DNAT Rule; you can check here for more information => Create a black hole DNAT rule - Sophos Firewall

    Also, if you're solely using Cloudflare you don't need to enable the "Redirect to HTTPS" option. (Leaving on HTTPS only (443) is enough.)

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Thanks for the reply! I know it won't give access, but for scanners roaming around it will be painful when it hits an open port!

    Will check the blackhole, thanks again!
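The behaviour described in the first reply, as an added illustration that is not Sophos code and was not posted by either participant: a small local HTTP server stands in for the WAF (it accepts every TCP connection and only afterwards checks the client address against the allowed networks, answering 403 otherwise), and a `probe()` function shows what a scanner sees in each case. The two Cloudflare ranges in `CLOUDFLARE_IPV4` are a constructed sample subset; a real allow list must come from https://www.cloudflare.com/ips-v4. The "filtered" outcome (no answer at all) is what a blackhole DNAT produces on the real firewall and cannot be reproduced on loopback, so `demo()` shows the "open but 403" and "closed" cases.

```python
"""Why a WAF-only rule shows 80/443 as open: the TCP handshake is accepted
for everyone, and the allow list is only applied at the HTTP layer."""
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: two of the ranges Cloudflare publishes. Replace with the
# full list from https://www.cloudflare.com/ips-v4 in a real allow list.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n)
                   for n in ("173.245.48.0/20", "103.21.244.0/22")]


def is_allowed(client_ip, allowed=CLOUDFLARE_IPV4):
    """Allowed-client-networks check: True only if the source is in a listed range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed)


class WafLikeHandler(BaseHTTPRequestHandler):
    """Stand-in for the WAF: the connection is already accepted when we get here."""
    allowed = CLOUDFLARE_IPV4

    def do_GET(self):
        if is_allowed(self.client_address[0], self.allowed):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Forbidden")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_waf_like_server(allowed):
    """Start the stand-in WAF on an ephemeral loopback port; return (server, port)."""
    handler = type("Handler", (WafLikeHandler,), {"allowed": allowed})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, timeout=2.0):
    """What a scanner sees. Returns (state, http_status):
      ("open", 403)      handshake accepted, request refused  -> WAF-only rule
      ("open", 200)      handshake accepted, request served   -> allowed client
      ("closed", None)   RST received                          -> nothing listening
      ("filtered", None) no answer at all                      -> blackhole DNAT
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %b\r\n\r\n" % host.encode())
            buf = b""
            while b"\r\n" not in buf and len(buf) < 256:
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
            line = buf.split(b"\r\n", 1)[0]
            status = int(line.split()[1]) if line.startswith(b"HTTP/") else None
            return "open", status
    except ConnectionRefusedError:
        return "closed", None
    except (socket.timeout, OSError):
        return "filtered", None


def demo():
    """Three views of the same port; returns the three probe results."""
    # 1. WAF-only: 127.0.0.1 is not a Cloudflare range, so open + 403.
    srv, port = start_waf_like_server(CLOUDFLARE_IPV4)
    waf_only = probe("127.0.0.1", port)
    srv.shutdown()
    srv.server_close()
    # 2. Same server with this client's network on the allow list: open + 200.
    allowed = CLOUDFLARE_IPV4 + [ipaddress.ip_network("127.0.0.0/8")]
    srv, port = start_waf_like_server(allowed)
    allowed_client = probe("127.0.0.1", port)
    srv.shutdown()
    srv.server_close()
    # 3. Nothing listening any more: the scanner gets a RST and reports closed.
    nothing = probe("127.0.0.1", port)
    return waf_only, allowed_client, nothing


if __name__ == "__main__":
    for label, result in zip(("waf-only", "allowed client", "no listener"), demo()):
        print(f"{label:15s} -> {result}")
```

Against a real host, `probe(wan_ip, 443)` returning `("open", 403)` is the WAF-only situation from the thread, and `("filtered", None)` after the blackhole DNAT is in place confirms the fix took effect; the Cloudflare-proxied hostname should keep returning `("open", 200)` throughout.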
