r/CloudFlare: Cloudflare Tunnels + UFW?

This article archives, in a Q&A format, a conversation that took place in a subreddit post (original source linked below) and to which I contributed a solution or answer under the u/MasterofSynapse handle.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/wu4gb2/cloudflare_tunnels_ufw/

Question

Hey guys,

Is cloudflare-ufw (https://github.com/Paul-Reed/cloudflare-ufw) compatible when using Cloudflare Tunnels?

I have my UFW enabled on my Ubuntu server and I’ve run the cloudflare-UFW script to add all the Cloudflare IPs to the UFW. I’ve checked and they’re all there and the UFW is enabled.

However, when I try and access my server via a Cloudflare tunnel I’m getting blocked (e.g. I attempt to access via subdomain.mydomain.com).

Am I missing a step here?

The rule that I have is essentially:

for cfip in $(cat /tmp/cf_ips); do ufw allow proto tcp from $cfip comment 'Cloudflare IP'; done

Any suggestions would be appreciated. I basically want the server locked down so it can only be accessed via my local IP range or Cloudflare tunnel.

Answer

The purpose of Cloudflare Tunnel is to be able to block all incoming ports (via ufw / iptables) since the incoming connections will be made to the Cloudflare Edge and then forwarded to the right Cloudflare Tunnel instance.

The Cloudflare UFW script is counterproductive here since it could miss some IPs that the cloudflared daemon needs for a successful connection.

I suggest completely removing all incoming ufw rules and the Cloudflare Tunnel will be able to connect. Outgoing can be any or only specific ports, as you like. If you limit the outgoing ports, check the dev docs to see that you got all the needed ones for cloudflared.

Before deleting all incoming rules, be sure that you can still connect to your server or have another remote access to it. When in doubt, leave an SSH-in rule enabled.

And when you use Cloudflare Tunnel, your "local IP range" also has access since Tunnel lets everyone (WWW) in by default.

If you want to limit access, you have to add Applications in the Cloudflare Access dashboard to request authentication before granting access.
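A ufw policy along the lines of the answer above, as an added example that is not from the thread and not the cloudflare-ufw script: inbound denied by default, outbound open, SSH kept reachable from the LAN, and a dry-run default so the rules can be read before they are enforced. The function names, the 192.168.1.0/24 range and the restricted-egress port list (7844 and 443, which Cloudflare's cloudflared documentation lists; the answer only says to check the docs) are my assumptions.

```shell
#!/bin/sh
# Constructed example: a ufw policy for a host that is only reached through
# Cloudflare Tunnel. Not the cloudflare-ufw script and not from the thread.
set -eu

# lockdown_rules LAN_CIDR SSH_PORT -> one ufw command per line.
# The SSH allow comes before "enable" so an admin session survives the cut-over.
lockdown_rules() {
    lan_cidr="$1"; ssh_port="$2"
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow from $lan_cidr to any port $ssh_port proto tcp comment 'SSH from LAN'"
    echo "ufw --force enable"
}

# Only if you also restrict egress. Ports per Cloudflare's cloudflared docs
# (assumption; the thread just says "check the dev docs"): 7844 TCP/UDP to the
# edge, 443/tcp for the Cloudflare API, 53 for DNS.
restricted_egress_rules() {
    echo "ufw default deny outgoing"
    echo "ufw allow out 53"
    echo "ufw allow out 7844"
    echo "ufw allow out 443/tcp"
}

# Refuse a plan that denies inbound without an explicit TCP allow rule,
# the lock-out the later comments in the thread describe.
plan_keeps_ssh() {
    printf '%s\n' "$1" | grep -q 'default deny incoming' || return 0
    printf '%s\n' "$1" | grep -Eq 'allow from .* to any port [0-9]+ proto tcp'
}

# apply_plan PLAN [apply] -- prints the plan unless the mode is "apply".
apply_plan() {
    plan_keeps_ssh "$1" || { echo "refusing: no SSH allow rule in plan" >&2; return 1; }
    if [ "${2:-dry-run}" = apply ]; then
        printf '%s\n' "$1" | while IFS= read -r cmd; do sh -c "$cmd"; done
    else
        printf '%s\n' "$1"
    fi
}

# Dry run by default; run as root with "apply" as the first argument to enforce.
apply_plan "$(lockdown_rules 192.168.1.0/24 22)" "${1:-dry-run}"
```

Once the rules are applied, a cloudflared connector on the host still reaches the edge because nothing here touches outbound traffic unless restricted_egress_rules is added to the plan.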

Comment 1 on Answer

So I can remove all the inbound cloudflare rules and just block all inbound traffic (except local host)?

My response to comment 1

Yes. And there are no ufw rules for localhost since the loopback interface 127.0.0.1 is not governed by any firewall. ufw and others only "guard" the physical interfaces with IPs that are not 127.0.0.1.

Comment 1.1 on Answer

So I removed all incoming traffic like you suggested, except for the stuff necessary for my Tailscale connection to work.

However now my Cloudflare tunnels are not working and are giving me an error 1033. Any ideas?

https://i.imgur.com/4xHudyp.png

My response to comment 1.1

What do your outbound rules look like? And I suggest removing your current tunnel and setting up a completely new one.

Comment 1.2 on Answer

Seem to have bigger issues now anyway… can’t SSH or ping the server from the network.

Not quite sure what I did, but even connecting via keyboard at my terminal and resetting iptables (flushing and clearing) and resetting and even uninstalling UFW, I still can’t get it working again.

May just restart and chalk this up as a learning exercise…

My response to comment 1.2

The reason you can't SSH in or ping the server is that you denied all incoming traffic, so those requests are being blocked. That's why I suggested leaving SSH open to test whether the changes have the desired effects. But if even resetting the firewall at the OS level does not recover that, something is wrong entirely. Is your server in your home or in a datacenter, and do you have physical access to it? I assumed it was a cloud server with a public IP attached to it. If a router or other firewall is in front of it, so that it does not have a public IP address directly connected to it, you can leave ufw the way it is on the server, since the device in front will handle the access. Just make sure that the router/firewall allows the ports necessary for cloudflared.