Open c0deright opened 1 year ago
Hi there,
The UDP ports are needed for cloudflared's normal operation as it establishes an outbound QUIC connection to Cloudflare.
I recommend locking down the cloudflared host to only reach https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/ports-and-ips/, as well as the internal services you need to reach externally.
I see your point about how random UDP ports are difficult to audit. We'll consider options for adding more control/visibility to the port selection.
Describe the bug
When cloudflared tunnel is running, the process opens 5 random high ports: 1 tcp port, 4 udp ports. This is a nightmare for an org that has to monitor open ports on all its machines (it doesn't matter if the machines are firewalled and the ports not reachable. Simply having an undocumented open port might be a big issue in itself).
To Reproduce
Steps to reproduce the behavior:
1. systemctl start cloudflared.service
2. systemctl start cloudflared.service
3. Notice the high ports opened by cloudflared being completely different from the ones opened by the previous start.
Expected behavior
--metrics option. That's GOOD.
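An added example, not from the issue or from the cloudflared project, of the audit the reporter describes: parse `ss -tulnp` output and flag any cloudflared socket whose protocol/port is not on a documented allowlist. The `ss` output and the allowlisted metrics port 20241 are constructed for the example; on a real host the allowlist is whatever was configured with --metrics.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -tulnp` output (not captured from a real host).
# The tcp listener is the configured metrics port; the udp sockets are the
# random high ports the QUIC client side binds to.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:41237     0.0.0.0:*     users:(("cloudflared",pid=1234,fd=7))
udp   UNCONN 0      0            0.0.0.0:53611     0.0.0.0:*     users:(("cloudflared",pid=1234,fd=8))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=900,fd=6))
tcp   LISTEN 0      4096       127.0.0.1:20241     0.0.0.0:*     users:(("cloudflared",pid=1234,fd=3))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))
"""

class Socket(NamedTuple):
    proto: str      # "tcp" or "udp"
    addr: str       # local bind address
    port: int       # local port
    process: str    # owning process name from the users:(...) column

# Matches one socket row of `ss -tulnp`; the header row does not match.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+:\S+\s+users:\(\("([^"]+)"'
)

def parse_ss(output: str) -> list:
    """Parse `ss -tulnp` text into Socket records, skipping unparseable rows."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            sockets.append(Socket(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return sockets

# Constructed allowlist: only the metrics listener is documented for this host.
ALLOWED = frozenset({("tcp", 20241)})

def unexpected_sockets(sockets: list, process: str = "cloudflared", allowed=ALLOWED) -> list:
    """Return sockets owned by `process` that are not on the allowlist."""
    return [s for s in sockets if s.process == process and (s.proto, s.port) not in allowed]

if __name__ == "__main__":
    # Real use: feed subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout
    for s in unexpected_sockets(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"undocumented {s.proto} socket {s.addr}:{s.port} owned by {s.process}")
```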