If you use Cloudflare as a reverse proxy in front of your backend web server, you may want Cloudflare to block certain ports to that server. By default Cloudflare passes along more ports than just 80 and 443, since they have expanded their supported ports (that is, the ports they can pass traffic through). Below are the ports they support:
The problem with the way their proxy works is that there is no way for you to select which ports you want them to pass on to you. On the free plan there appears to be no way to do this at all, as you have very few options under the security panel.
However, if you are on at least a Pro plan, there is a way to block ports coming to you from Cloudflare other than 80 and 443.
The WAF ruleset in question is found under the Security page, then WAF, where you will see an option for the Cloudflare Rule Set.
When you select that option, you will see roughly 4 pages of rules. At the very end is the rule "Block requests on non standard ports". The rule language is a little unintuitive: you need to set the Mode to Block, which makes the rule active. In my testing, this blocks everything besides 80 and 443; even the WHM and cPanel ports appear to be blocked by this rule.
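To confirm the rule does what you expect, it helps to probe every port Cloudflare proxies from outside and see which ones still get through. The script below is an added example written for this post, not Cloudflare tooling. It assumes the two port lists match Cloudflare's published HTTP and HTTPS proxy ports (check them against the current documentation), that a WAF block answers with HTTP 403, and that HOST is replaced with a hostname you proxy through Cloudflare; any other status that comes back means the request was forwarded to your origin.

```python
"""Probe which Cloudflare-proxied ports still reach the origin after the
"Block requests on non standard ports" rule is set to Block.

Added example for this post, not Cloudflare's own tooling. Assumptions: the
port lists come from Cloudflare's public docs and should be re-checked; a WAF
block returns HTTP 403; HOST is a placeholder for your own proxied hostname.
"""
import http.client
import ssl

HOST = "example.invalid"  # placeholder: replace with a hostname proxied by Cloudflare

# Ports Cloudflare's proxy accepts for plain HTTP and for HTTPS (assumed from public docs).
CF_HTTP_PORTS = (80, 8080, 8880, 2052, 2082, 2086, 2095)
CF_HTTPS_PORTS = (443, 2053, 2083, 2087, 2096, 8443)


def expected_blocked(allowed=(80, 443)):
    """Ports that should be refused once the rule is in Block mode."""
    return sorted(p for p in CF_HTTP_PORTS + CF_HTTPS_PORTS if p not in allowed)


def classify(status):
    """Map an HTTP status (or None for no answer) to a verdict about the edge.

    403 is assumed to be the WAF block page; any other answered status means
    the edge proxied the request onward to the origin."""
    if status is None:
        return "unreachable"
    if status == 403:
        return "blocked"
    return "passed"


def probe(host, port, timeout=5.0):
    """Send one GET / to host:port and report what happened."""
    tls = port in CF_HTTPS_PORTS
    try:
        if tls:
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "port-check/1.0"})
        status = conn.getresponse().status
        conn.close()
        return {"port": port, "status": status, "verdict": classify(status)}
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout or TLS failure: nothing at the edge answered.
        return {"port": port, "status": None, "verdict": "unreachable", "error": str(exc)}


def audit(host, allowed=(80, 443), timeout=5.0):
    """Probe every proxied port; return those that should be blocked but passed."""
    leaks = []
    for port in CF_HTTP_PORTS + CF_HTTPS_PORTS:
        result = probe(host, port, timeout)
        print(f"{port:>5}  {result['verdict']:<12} status={result['status']}")
        if port not in allowed and result["verdict"] == "passed":
            leaks.append(port)
    return leaks


if __name__ == "__main__":
    leaked = audit(HOST)
    print("non-standard ports still reaching the origin:", leaked or "none")
```

Run it once before enabling the rule to get a baseline and once after: with the rule in Block mode, every port returned by expected_blocked() should show "blocked" and audit() should return an empty list. A 403 served by the origin itself (for example from a cPanel login page's own access control) is indistinguishable from the WAF's 403 by status alone, which is why the before/after comparison matters.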
This is especially useful if you use Cloudflare and want to restrict these other ports at the cloud level instead of dealing with it at the server level. Restricting at the server level is awkward because Cloudflare works as a reverse proxy: traffic appears to come to you from Cloudflare's IPs, which makes it tricky, to say the least, to differentiate legitimate from illegitimate traffic.