Configure Magic Transit firewall

Cloudflare’s Magic Transit firewall ruleset includes two components:

  • Recommended rules that reflect common amplification attack vectors
  • Custom rules requested by you

Cloudflare recommends the following 11 firewall rules, which reflect known amplification attack vectors. They operate in addition to the distributed denial-of-service (DDoS) protection that Magic Transit provides, and, like all Magic Transit firewall rules, they are evaluated in order of first match.

| Rule ID | Source port | Destination port | Protocol | Action |
|---------|-------------|------------------|----------|--------|
| 1       | 1900        | Any              | UDP      | Drop   |
| 2       | 11211       | Any              | UDP      | Drop   |
| 3       | 389         | Any              | UDP      | Drop   |
| 4       | 111         | Any              | UDP      | Drop   |
| 5       | 19          | Any              | UDP      | Drop   |
| 6       | 1194        | Any              | UDP      | Drop   |
| 7       | 3702        | Any              | UDP      | Drop   |
| 8       | 10001       | Any              | UDP      | Drop   |
| 9       | 0           | Any              | UDP      | Drop   |
| 10      | Any         | 32768-65535      | UDP      | Allow  |
| 11      | Any         | 32768-65535      | TCP      | Allow  |

Rules 1 through 8 drop UDP traffic whose source port belongs to a well-known service abused for reflection (SSDP on 1900, memcached on 11211, CLDAP on 389, portmapper on 111, chargen on 19, OpenVPN on 1194, WS-Discovery on 3702, Ubiquiti device discovery on 10001): a reflection attack arrives as responses from these services, so the service port appears as the source port. Rule 9 drops UDP packets with source port 0, which no legitimate client uses. Rules 10 and 11 then explicitly allow UDP and TCP traffic to the ephemeral destination port range, where legitimate replies to connections initiated from behind Magic Transit land. Because matching is first-match, a memcached reflection packet destined for an ephemeral port is still dropped by rule 2 before rule 10 is considered.

Custom firewall rules

To preserve flexibility, Cloudflare recommends that you restrict custom firewall rules to protocol filters that use the Allow or Drop action, rather than filtering on individual addresses or ports.

Example custom firewall rules

The policy defined in the following table allows TCP, GRE, ICMP, IPsec (ESP and AH), and PIM packets. Packets that use any other protocol fall through to the final catch-all rule and are dropped, so that rule must remain last.

| Rule ID | Protocol | Action |
|---------|----------|--------|
| 1       | TCP      | Allow  |
| 2       | GRE      | Allow  |
| 3       | ICMP     | Allow  |
| 4       | ESP      | Allow  |
| 5       | AH       | Allow  |
| 6       | PIM      | Allow  |
| 7       | ALL      | Drop   |

Firewall rule guidelines

When specifying Magic Transit firewall rules, consider these guidelines:

  • Cloudflare evaluates firewall rules in first-match order: the first rule that matches a packet determines its action and no later rule is consulted. Rule lists are therefore order sensitive, and a broad rule placed early (for example, a protocol ALL Drop rule) shadows every narrower rule that follows it.

  • You can specify any of these protocols: ah, ax.25, dccp, ddp, egp, eigrp, encap, esp, etherip, fc, ggp, gre, hip, hmp, hopopt, icmp, idpr-cmtp, idrp, igmp, igp, ip, ipcomp, ipencap, ipip, ipv6, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, isis, iso-tp4, l2tp, manet, mobility-header, mpls-in-ip, ospf, pim, pup, rdp, rohc, rspf, rsvp, sctp, shim6, skip, st, tcp, udp, udplite, vmtp, vrrp, wesp, xns-idp, xtp

  • To use any of the following parameters in a firewall rule, contact your account team:

    • Source IP/prefix
    • Destination IP/prefix
    • Source port
    • Destination port
    • Protocol
    • Packet length
    • Bit field match (Cloudflare can match on any part of an IP packet and apply an allow or drop rule to the packets that match)
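Before sending a rule list to your account team, it is worth checking on paper how the first-match semantics described above will treat representative traffic, and whether any rule has been placed where it can never fire. The following Python is an added example written for this page; it is not Cloudflare's code and Cloudflare exposes no such evaluator. The `Rule` and `Packet` models, the default action for packets that match no rule (the page does not state what that is, so it is a parameter here), and the sample packets are all assumptions. It transcribes the two rule tables above, evaluates packets against them, and lints a list for shadowed rules, which is how a misplaced catch-all is caught.

```python
# Added example (not Cloudflare's code): a first-match evaluator and shadow-rule
# linter for Magic Transit-style firewall rule tables. The rule/packet model,
# the default action for unmatched packets, and the sample packets are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "Any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    protocol: str          # lowercase protocol name from the page's list, or "all"
    action: str            # "allow" or "drop"
    src_port: PortRange = None
    dst_port: PortRange = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: Optional[int] = None   # None for protocols without ports (GRE, ESP, ...)
    dst_port: Optional[int] = None


def _port_matches(rng: PortRange, port: Optional[int]) -> bool:
    if rng is None:          # "Any" matches everything, including portless protocols
        return True
    if port is None:         # a port constraint can never match a portless packet
        return False
    return rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.protocol == "all" or rule.protocol == pkt.protocol
    return (proto_ok
            and _port_matches(rule.src_port, pkt.src_port)
            and _port_matches(rule.dst_port, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching rule decides. `default` applies
    when no rule matches; the page does not state it, so it is an assumption here."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    def rng_covers(ra: PortRange, rb: PortRange) -> bool:
        if ra is None:
            return True
        if rb is None:
            return False
        return ra[0] <= rb[0] and rb[1] <= ra[1]
    proto_ok = a.protocol == "all" or a.protocol == b.protocol
    return proto_ok and rng_covers(a.src_port, b.src_port) and rng_covers(a.dst_port, b.dst_port)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """IDs of rules that can never fire because an earlier rule already covers them."""
    return [later.rule_id
            for i, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:i])]


# Cloudflare's 11 recommended rules, transcribed from the table on this page.
RECOMMENDED = [Rule(i, "udp", "drop", src_port=(p, p))
               for i, p in enumerate([1900, 11211, 389, 111, 19, 1194, 3702, 10001, 0], start=1)]
RECOMMENDED += [Rule(10, "udp", "allow", dst_port=(32768, 65535)),
                Rule(11, "tcp", "allow", dst_port=(32768, 65535))]

# The example custom rule table from this page.
CUSTOM = [Rule(1, "tcp", "allow"), Rule(2, "gre", "allow"), Rule(3, "icmp", "allow"),
          Rule(4, "esp", "allow"), Rule(5, "ah", "allow"), Rule(6, "pim", "allow"),
          Rule(7, "all", "drop")]

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    memcached_reflection = Packet("udp", src_port=11211, dst_port=40000)
    print(evaluate(RECOMMENDED, memcached_reflection))   # ('drop', 2): rule 2 fires before rule 10
    print(evaluate(RECOMMENDED, Packet("udp", 53, 40000)))  # ('allow', 10)
    print(evaluate(CUSTOM, Packet("udp", 53, 40000)))    # ('drop', 7)
    print(shadowed_rules(CUSTOM))                        # []
    print(shadowed_rules([CUSTOM[-1]] + CUSTOM[:-1]))    # [1, 2, 3, 4, 5, 6]: "ALL Drop" moved first
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so it will not flag a rule that is covered piecewise by several earlier rules. That is enough to catch the common mistake of a catch-all drop placed above the protocol allows, which the last line of the block demonstrates.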