🐛 Random Ports being opened by cloudflared tunnel is an auditing nightmare
Describe the bug
When cloudflared tunnel is running, the process opens 5 random high ports: 1 tcp port, 4 udp ports.
This is a nightmare for an org that has to monitor open ports on all its machines (it doesn't matter if the machines are firewalled and the ports are not reachable; simply having an undocumented open port might be a big issue in itself).
To Reproduce
Steps to reproduce the behavior:
- Configure a cloudflared tunnel
- Start the tunnel:
systemctl start cloudflared.service
- See netstat output:
% netstat -lenptu | grep cloudflared
tcp 0 0 127.0.0.1:40775 0.0.0.0:* LISTEN 0 16510 421/cloudflared
udp6 0 0 :::40451 :::* 0 16945 421/cloudflared
udp6 0 0 :::59726 :::* 0 16909 421/cloudflared
udp6 0 0 :::58035 :::* 0 17651 421/cloudflared
udp6 0 0 :::42068 :::* 0 17495 421/cloudflared
- Restart the tunnel:
systemctl start cloudflared.service
- See netstat output:
% netstat -lenptu | grep cloudflared
tcp 0 0 127.0.0.1:38071 0.0.0.0:* LISTEN 0 34901 4170/cloudflared
udp6 0 0 :::56805 :::* 0 34408 4170/cloudflared
udp6 0 0 :::32889 :::* 0 34946 4170/cloudflared
udp6 0 0 :::53945 :::* 0 34439 4170/cloudflared
udp6 0 0 :::37706 :::* 0 34960 4170/cloudflared
Notice that the high ports opened by cloudflared are completely different from those opened at the previous start.
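As an added example (not part of the issue report or of the cloudflared project), the check below parses the two netstat snapshots quoted above and reports which of cloudflared's listening ports were not stable across the restart; the ephemeral-range bounds and function names are my own choices, not anything cloudflared defines.

```python
# Two `netstat -lenptu` snapshots copied from the report above, taken before
# and after a restart of cloudflared.service (PIDs 421 and 4170).
SNAPSHOT_BEFORE = """\
tcp 0 0 127.0.0.1:40775 0.0.0.0:* LISTEN 0 16510 421/cloudflared
udp6 0 0 :::40451 :::* 0 16945 421/cloudflared
udp6 0 0 :::59726 :::* 0 16909 421/cloudflared
udp6 0 0 :::58035 :::* 0 17651 421/cloudflared
udp6 0 0 :::42068 :::* 0 17495 421/cloudflared
"""
SNAPSHOT_AFTER = """\
tcp 0 0 127.0.0.1:38071 0.0.0.0:* LISTEN 0 34901 4170/cloudflared
udp6 0 0 :::56805 :::* 0 34408 4170/cloudflared
udp6 0 0 :::32889 :::* 0 34946 4170/cloudflared
udp6 0 0 :::53945 :::* 0 34439 4170/cloudflared
udp6 0 0 :::37706 :::* 0 34960 4170/cloudflared
"""

# Linux default ephemeral range (net.ipv4.ip_local_port_range). Ports in this
# range are normally kernel-assigned, not configured, which is exactly what
# makes them impossible to pin down in a port inventory. (Assumed bounds.)
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999


def parse_netstat(text):
    """Return {program: {(proto, port), ...}} from `netstat -lenptu` output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto = fields[0].rstrip("6")             # fold tcp6/udp6 into tcp/udp
        port = int(fields[3].rsplit(":", 1)[1])   # local address is "addr:port"
        program = fields[-1].split("/", 1)[-1]    # "PID/Program name" column
        listeners.setdefault(program, set()).add((proto, port))
    return listeners


def unpinned_ports(before, after, program):
    """Ephemeral ports the program listened on in only one of the two
    snapshots, i.e. ports that did not survive a restart and therefore cannot
    be whitelisted in a static open-port inventory."""
    a = parse_netstat(before).get(program, set())
    b = parse_netstat(after).get(program, set())
    changed = a ^ b  # present in exactly one snapshot
    return sorted(p for p in changed if EPHEMERAL_LOW <= p[1] <= EPHEMERAL_HIGH)


def audit_report(before, after, program="cloudflared"):
    """Group the unstable ports by protocol for a human-readable finding."""
    by_proto = {}
    for proto, port in unpinned_ports(before, after, program):
        by_proto.setdefault(proto, []).append(port)
    return by_proto
```

Running `audit_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)` on the report's data flags all 10 ports (2 tcp, 8 udp) as unstable, which is the auditing problem the issue describes; a daemon with a pinned metrics port and no UDP listeners would produce an empty report.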
Expected behavior
- The TCP port is used for the metrics server and can be configured via the --metrics option. That's GOOD.
- The 4 UDP ports should not be opened if not needed for operation
- If the UDP ports are needed for operation it should be stated in the documentation and logging output what they are needed for
- If the UDP ports are needed for operation they should be configurable so they don't change with every restart of the cloudflare tunnel