cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

🐛 Random Ports being opened by cloudflared tunnel is an auditing nightmare #977

Open c0deright opened 1 year ago

c0deright commented 1 year ago

Describe the bug
When the cloudflared tunnel is running, the process opens 5 random high ports: 1 TCP port, 4 UDP ports.

This is a nightmare for an org that has to monitor open ports on all its machines (it doesn't matter if the machines are firewalled and the ports are not reachable; simply having an undocumented open port might be a big issue in itself).

To Reproduce
Steps to reproduce the behavior:

  1. Configure a cloudflared tunnel
  2. Start the tunnel: systemctl start cloudflared.service
  3. See netstat output:
    % netstat -lenptu | grep cloudflared
    tcp        0      0 127.0.0.1:40775         0.0.0.0:*               LISTEN      0          16510      421/cloudflared     
    udp6       0      0 :::40451                :::*                                0          16945      421/cloudflared     
    udp6       0      0 :::59726                :::*                                0          16909      421/cloudflared     
    udp6       0      0 :::58035                :::*                                0          17651      421/cloudflared     
    udp6       0      0 :::42068                :::*                                0          17495      421/cloudflared
  4. Restart the tunnel: systemctl start cloudflared.service
  5. See netstat output:
    % netstat -lenptu | grep cloudflared
    tcp        0      0 127.0.0.1:38071         0.0.0.0:*               LISTEN      0          34901      4170/cloudflared    
    udp6       0      0 :::56805                :::*                                0          34408      4170/cloudflared    
    udp6       0      0 :::32889                :::*                                0          34946      4170/cloudflared    
    udp6       0      0 :::53945                :::*                                0          34439      4170/cloudflared    
    udp6       0      0 :::37706                :::*                                0          34960      4170/cloudflared

Notice that the high ports opened by cloudflared are completely different from those at the first start.

Expected behavior

  1. The TCP port is used for the metrics server and can be configured via --metrics option. That's GOOD.
  2. The 4 UDP ports should not be opened if not needed for operation
  3. If the UDP ports are needed for operation it should be stated in the documentation and logging output what they are needed for
  4. If the UDP ports are needed for operation they should be configurable so they don't change with every restart of the cloudflare tunnel
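The netstat check in the steps above can be scripted so the audit is repeatable: list the sockets owned by cloudflared, flag every port that is not on an allowlist (the configured `--metrics` port), and count how many ports moved between two runs. This is an added example, not code from the cloudflared project; the two snapshots are constructed from the netstat output posted in the report, and the allowlist port and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the cloudflared project: turn the manual
# netstat check from the report into a repeatable audit. Input is the raw
# text of `netstat -lenptu`; the two snapshots below are constructed from
# the output posted in the report (first start and restart).

SNAP_BEFORE='tcp        0      0 127.0.0.1:40775         0.0.0.0:*               LISTEN      0          16510      421/cloudflared
udp6       0      0 :::40451                :::*                                0          16945      421/cloudflared
udp6       0      0 :::59726                :::*                                0          16909      421/cloudflared
udp6       0      0 :::58035                :::*                                0          17651      421/cloudflared
udp6       0      0 :::42068                :::*                                0          17495      421/cloudflared'

SNAP_AFTER='tcp        0      0 127.0.0.1:38071         0.0.0.0:*               LISTEN      0          34901      4170/cloudflared
udp6       0      0 :::56805                :::*                                0          34408      4170/cloudflared
udp6       0      0 :::32889                :::*                                0          34946      4170/cloudflared
udp6       0      0 :::53945                :::*                                0          34439      4170/cloudflared
udp6       0      0 :::37706                :::*                                0          34960      4170/cloudflared'

# Line counter that always prints a number (unlike `grep -c`, never exits non-zero).
count_lines() { awk 'END { print NR }'; }

# Print "proto port" for every listening socket owned by a cloudflared
# process. The local address is field 4 and the port follows its last colon,
# which also handles the ":::port" form of the wildcard IPv6 sockets.
cloudflared_ports() {
    printf '%s\n' "$1" | awk '$NF ~ /\/cloudflared$/ {
        n = split($4, a, ":")
        print $1, a[n]
    }' | sort
}

# Print the ports from snapshot $1 that are not in the space-separated
# allowlist $2 (e.g. the port configured with --metrics). The random QUIC
# source ports are exactly what shows up here.
unexpected_ports() {
    cloudflared_ports "$1" | while read -r proto port; do
        case " $2 " in
            *" $port "*) ;;                 # allowlisted, documented port
            *) echo "$proto $port" ;;       # undocumented: report it
        esac
    done
}

# Count the ports present in snapshot $1 that are absent from snapshot $2,
# i.e. how many of the listening ports moved between two runs.
changed_count() {
    after=$(mktemp)
    cloudflared_ports "$2" > "$after"
    cloudflared_ports "$1" | grep -Fxv -f "$after" | count_lines
    rm -f "$after"
}

# Example run against the two constructed snapshots (assumed metrics port 40775):
echo "unexpected ports at first start (metrics port 40775 allowlisted):"
unexpected_ports "$SNAP_BEFORE" "40775"
echo "ports that changed on restart: $(changed_count "$SNAP_BEFORE" "$SNAP_AFTER") of $(cloudflared_ports "$SNAP_BEFORE" | count_lines)"
```

On a live host, replace the constructed strings with `SNAP_BEFORE=$(netstat -lenptu)` captured before and after `systemctl restart cloudflared.service`; with the report's numbers every one of the five ports changes, and only the metrics port is pinned by configuration.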

obezuk commented 1 year ago

Hi there,

The UDP ports are needed for cloudflared's normal operation as it establishes an outbound QUIC connection to Cloudflare.

I recommend locking down the cloudflared host to only reach https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/ports-and-ips/, as well as the internal services you need to reach externally.

I see your point about how random UDP ports are difficult to audit. We'll consider options for adding more control/visibility into the port selection.
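What the lockdown recommended above can look like on a Linux host, as an added nftables ruleset that is not part of the cloudflared project or its documentation. It assumes the edge is reached on TCP/UDP port 7844 and that the `cf_edge_v4`/`cf_edge_v6` sets are populated from the ports-and-IPs page linked above; the table, set and chain names are arbitrary. Because the four UDP sockets in the report are bound to the wildcard address (`:::port`) but are only the local end of outbound QUIC flows, a default-drop input policy that admits only conntrack replies leaves them unreachable from the network no matter which port number they land on, which is the property the audit actually needs.

```nft
# Added example, not from cloudflared or its docs. Verify the port and the
# IP ranges against the linked ports-and-IPs page before applying.
table inet cloudflared_host {
    set cf_edge_v4 {
        type ipv4_addr
        flags interval
        # elements = { <Cloudflare IPv4 ranges from the linked page> }
    }
    set cf_edge_v6 {
        type ipv6_addr
        flags interval
        # elements = { <Cloudflare IPv6 ranges from the linked page> }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept                         # metrics server on 127.0.0.1 stays reachable locally
        ct state invalid drop
        ct state established,related accept     # replies to the outbound QUIC flows land here;
                                                # unsolicited packets to the random UDP ports are dropped
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        # assumed: cloudflared reaches the edge on 7844 over QUIC (UDP) or HTTP/2 (TCP)
        ip  daddr @cf_edge_v4 meta l4proto { tcp, udp } th dport 7844 accept
        ip6 daddr @cf_edge_v6 meta l4proto { tcp, udp } th dport 7844 accept
        meta l4proto { tcp, udp } th dport 53 accept   # DNS to resolve the edge hostnames
        # add only the origin services the tunnel proxies to, for example:
        # ip daddr 10.0.0.0/8 tcp dport { 80, 443 } accept
    }
}
```

Load with `nft -f` from a file and keep the edge sets in sync with the published ranges; anything cloudflared does outside this policy (including the metrics port if it is ever bound to a non-loopback address) then shows up as a drop in the counters rather than as a silent listener.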