homeNode

I Closed All My Firewall Ports. Here’s What I Do for Security Instead.

Written by

homenode

in

Learn how to replace traditional firewall rules and open ports with Cloudflare Zero Trust for your homelab. A simpler, more secure approach to self-hosting.
I have a confession to make. For years, my homelab setup was a patchwork of open ports, dynamic DNS scripts, and a constant, low-level anxiety. Every service I wanted to access from outside my home—be it Plex, a file server, or a new app I was testing—meant punching another hole in my firewall.

Each hole felt like a tiny, unlocked window. I’d tell myself it was fine, that the services were secure. But I was always aware that I was exposing my home network to the entire internet, hoping no one would jiggle the handle. The constant IP address changes from my ISP didn’t help, adding another layer of clunky fixes to the mix.

Then I switched to Cloudflare Zero Trust, and I closed every single one of those ports. Forever. The relief was immediate. No more open ports. No more dynamic DNS headaches. It just worked.

But after the initial honeymoon phase, a new question popped up. If my firewall isn’t managing the traffic anymore, how do I set up the rules I used to rely on? You know, the basics like blocking traffic from certain countries or only allowing specific connections.

I hit a wall. It seemed like everyone had a different opinion or a slightly different method. It turns out, the solution isn’t about recreating your old firewall; it’s about adopting a new, simpler mindset.

The Big Wins: Why This is Better Than an Old-School Firewall

First, let’s just touch on why this move is so great. It boils down to two things for me.

  • No More Open Ports: This is the big one. With a Cloudflare Tunnel, you’re not opening any inbound ports on your router or firewall. Instead, a lightweight service runs on your server and creates a secure, outbound-only connection to Cloudflare’s network. Nothing on your home network is exposed. It’s like having a secure, private bridge that only you know how to access, instead of leaving your front door unlocked.

  • Dynamic IPs Don’t Matter Anymore: My ISP can change my home’s IP address daily, and I wouldn’t even notice. Because the connection is made from my server to Cloudflare, my public IP address is irrelevant. Cloudflare handles everything, giving my services a stable, consistent address.

This is a fundamentally more secure and robust way to expose services. But it does leave that one big question: What about the rules?

Recreating Firewall Rules: The Zero Trust Way

Here’s the mental shift you have to make: You’re no longer managing traffic at the network level (like with a firewall). You’re now managing access at the application level.

Instead of a blanket rule like “block all traffic from outside the US,” you set a rule that says “only people in the US can access this specific application.” It’s more granular, and ultimately, more secure.

Here’s a simple way to think about setting this up.

1. Start with “Block All”

By default, Cloudflare Zero Trust blocks everything. No one can access the applications you’ve set up through your tunnel unless you explicitly allow them. This is the core principle of “Zero Trust”—trust no one by default.

2. Add Your Access Policies

For each application (like your dashboard, your file server, etc.), you create an “Access Policy.” This is where you define who is allowed in. This is your new “firewall rules” dashboard.

Inside a policy, you can get very specific. Want to block traffic from outside your country? Easy.

  • Create a policy for your application.
  • Set the “Action” to Allow.
  • In the “Include” rules, add a “Countries” selector and choose your country.

That’s it. Now, only traffic originating from your selected country can even see the login page for that application. You can just as easily use an “Exclude” rule to block specific countries you’re worried about.

3. It’s About “Who,” Not Just “Where”

But you can go so much further. This is where it gets really powerful. You can add rules that require a user to log in with a specific email address, use a hardware security key (like a Yubikey), or be on a specific IP address (like your work office).

A typical policy might look like this:

  • Allow traffic if ALL of the following are true:
    • The request is from the United States.
    • The user’s email ends in @my-personal-domain.com.
    • The user successfully authenticates with their Github account.

You’re no longer just checking an IP address. You’re verifying the person and the context of their request.

What About Port Ranges?

This is one of the biggest differences. In the old world, you might open a range of ports. With Zero Trust, you don’t think about ports anymore.

You create a tunnel for a specific service running on a specific internal port. For example, http://localhost:8080`. You then assign a public hostname to it, likemy-dashboard.my-domain.com`.

The security policy is applied to that hostname, not the port. The port is never exposed to the internet. If you want to secure another service on another port, you just add it as a new hostname and create a new policy for it. You never have to think about “allowing a port range” again, because the concept is obsolete in this model.

It’s a Shift, But It’s Worth It

Moving from a traditional firewall to a Zero Trust model felt like a step into the future. It simplified my setup, removed a ton of security anxiety, and ultimately gave me more meaningful control over who can access my stuff.

There’s a small learning curve, and it requires you to change how you think about access. You move from broad network rules to specific application rules. But once it clicks, you’ll wonder why you ever did it the old way. You haven’t lost your firewall rules; you’ve replaced them with something much better.

More posts