# Block Port on subdomain

17 messages · Page 1 of 1 (latest)

hardy heath
#

I haven’t used Spectrum before, but is there a way to route traffic through Spectrum on port 19132 too via subdomain1?

soft bloom
#

Spectrum seems ridiculously limited if its only 2 application options are SSH and Minecraft…and then restricting it to Java port 25565.
So much conflicting info on this product.
Website says geyser isn’t supported.

Why would you run a Java server and not have Geyser? May as well cut out 80% of the Minecraft players on consoles and mobile.

desert abyss
#

If a local firewall is an option, the only way I can think of is to block incoming connections directed towards subdomain2:25565

soft bloom
desert abyss
#

That's fair

soft bloom
desert abyss
#

Sure. Sorry I couldn't help further. Does seem like a conundrum

soft bloom
#

I'm not sure if this resolves it but I added the following to the Geyser config.yml
*Replace subdomain1 with your subdomain address

java:
  address: subdomain1
  port: 25565

What should happen is if a player uses a Java client to connect to subdomain2, it should still push it through subdomain1 and use Spectrum.

wary oracle
#

The easy answer here though is just a firewall like ufw https://github.com/Paul-Reed/cloudflare-ufw and allow all CF IPs to 25565 and nothing else, and then open up Geyser on port 19132 to the world.
Modifying that script to something like:

for cfip in $(curl -sw '\n' https://www.cloudflare.com/ips-v{4,6}); do ufw allow proto tcp from "$cfip" to any port 25565 comment 'Cloudflare IP'; done

Then allow any to 19132 and default deny incoming. Be careful you allowlist any other services you run, and/or adapt this to your current firewall.

This isn't possible with anything in Cloudflare/Cloudflare firewall, as the traffic to your unproxied Geyser domain literally isn't going through CF.

Having an unproxied Geyser domain throws away most of your protections anyway; people still know your origin's real IP and could just DDoS it that way. Silly attackers may not pay enough attention to notice that, but if anyone actually cared enough to look at your setup first, they'd realize you have a huge security hole.

desert abyss
#

Would a reverse proxy with firewall help in this regard?

soft bloom
# wary oracle Spectrum non-enterprise is more of a trial/teaser of the product, espec at its p...

Thank you for sending me down the rabbit hole.

I now have a working solution which I want to share here for others wanting to protect their Linux Minecraft server with Spectrum.

  1. Add your DNS to Cloudflare

  2. Create 2 subdomains; for the example I will have java.subdomain.com and bedrock.subdomain.com

  3. Add java.subdomain.com to Spectrum

  4. Create an A record for bedrock.subdomain.com to the server's public IP

  5. Create an SRV record; it would be something like _minecraft._udp.bedrock.subdomain.com pointing to bedrock.subdomain.com on 19132. Priority 0 and Weight 5

  6. Set up your Linux firewall to allow in port 25565 on TCP for all the Cloudflare IPs, as people will connect through Cloudflare Spectrum. Deny everywhere else on 25565. Deny 25565 for subdomain bedrock.subdomain.com and allow all for your Bedrock port 19132

This might seem confusing, but the idea here is people can connect on the Minecraft Java client using java.subdomain.com, which is pushed through Cloudflare Spectrum servers. But players cannot be sneaky and connect on Java clients through bedrock.subdomain.com on 25565.
All connections through bedrock.subdomain.com are allowed on the Bedrock client, as they're pushed through Geyser on 19132 only.

The trick here is Linux looks at rules in order of number; you need to get this right.

I set deny to 25565 on bedrock.subdomain.com as rule 2 and then after that allowed all Cloudflare IPs. Then after that I denied 25565 to anywhere.

To add all the Cloudflare IPs to the firewall you can use a script like this

for cfip in $(curl -sw '\n' https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6); do
  # -w '\n' adds a newline after each response so the last IPv4 range and the first IPv6 range are not glued together
  sudo ufw allow proto tcp from "$cfip" to any port 25565 comment 'Cloudflare IP';
done

I'm sure if you're doing this, you have enough knowledge to work out the firewall rules yourself and test it.

I also had to ping java.subdomain.com in cmd, then find the IP Cloudflare was giving it and add it to the Cloudflare IPs as allow in the firewall.

Once I completed all this, I found in the Java client the server I added under java.subdomain.com was available but the server under bedrock.subdomain.com I added was not.
I could also connect to the server through Bedrock without issue on bedrock.subdomain.com. java.subdomain.com won't work on default as Geyser uses 19132.

There isn't much information out there on this, so I hope this guide helps you out.
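The firewall approach from wary oracle's post and the ordered rule set in the write-up above, as one added example that is not code from the thread or from Cloudflare: a small POSIX sh script that builds the ufw rules in the order that matters (Cloudflare allows before the catch-all deny on 25565, 19132/udp open for Geyser) and checks that order before anything is applied. The CF_RANGES list here is a constructed stand-in using documentation prefixes; in real use it is filled from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The helper names (ufw_cmd, apply_minecraft_rules, check_rule_order) and the UFW_DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Ordered ufw rule set for a Minecraft host behind Cloudflare Spectrum:
# Java (25565/tcp) only from Cloudflare's ranges, Bedrock/Geyser (19132/udp) open.
# Hypothetical helper script, not from the thread. ufw evaluates rules top-down
# and the first match wins, so the allow rules must precede the catch-all deny.

JAVA_PORT=25565
BEDROCK_PORT=19132

# Constructed stand-in for the Cloudflare ranges (RFC 5737 / RFC 3849 prefixes).
# In production populate it from the two URLs named in the thread, e.g.
#   CF_RANGES=$(curl -sw '\n' https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6)
CF_RANGES="${CF_RANGES:-198.51.100.0/24 203.0.113.0/24 2001:db8::/32}"

# Run ufw, or print the would-be command when UFW_DRY_RUN=1 (for review and tests).
ufw_cmd() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "ufw $*"
    else
        ufw "$@"
    fi
}

apply_minecraft_rules() {
    # 1. Nothing inbound unless a rule below allows it.
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # 2. Java port: only Cloudflare (Spectrum edge) ranges may reach 25565/tcp.
    for cfip in $CF_RANGES; do
        ufw_cmd allow proto tcp from "$cfip" to any port "$JAVA_PORT" comment 'Cloudflare IP'
    done
    # 3. Geyser is unproxied, so 19132/udp stays open to the world.
    ufw_cmd allow proto udp to any port "$BEDROCK_PORT" comment 'Geyser Bedrock'
    # 4. Explicit catch-all deny on 25565/tcp AFTER the allows (first match wins).
    ufw_cmd deny proto tcp to any port "$JAVA_PORT" comment 'Java only via Spectrum'
}

# Sanity check on the generated order: the last Cloudflare allow must come before
# the catch-all deny, otherwise Spectrum traffic to the Java port would be dropped.
check_rule_order() {
    rules=$(UFW_DRY_RUN=1; apply_minecraft_rules)
    deny_line=$(printf '%s\n' "$rules" | grep -n "deny proto tcp to any port $JAVA_PORT" | cut -d: -f1)
    last_allow=$(printf '%s\n' "$rules" | grep -n "allow proto tcp from .* port $JAVA_PORT" | tail -n 1 | cut -d: -f1)
    [ -n "$deny_line" ] && [ -n "$last_allow" ] && [ "$last_allow" -lt "$deny_line" ]
}

# Usage: review with `UFW_DRY_RUN=1 sh this.sh apply`, then run as root
# without the variable. Any other service you run needs its own allow rule.
if [ "${1:-}" = "apply" ]; then
    check_rule_order || { echo "rule order check failed" >&2; exit 1; }
    apply_minecraft_rules
fi
```

The dry run prints one `ufw ...` line per rule so the full ordering can be reviewed before touching the live firewall, and `check_rule_order` is the automated version of the ordering point the write-up makes: if an allow for a Cloudflare range ends up after the deny on 25565, it is never reached.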

desert abyss
#

Thanks for the writeup

soft bloom
#

I can see some people are trying to message me directly for help with firewall rules.
I'm not part of Cloudflare support.

I used Copilot to help me with this part and then tested in game by adding 2 servers in Java under both domains and seeing how they behaved after changing firewall settings.

I would also advise disabling and enabling your Linux firewall after you make changes before testing.

desert abyss
#

Yea. I'm also thinking if you set up a reverse proxy, then people can still DDoS, but they'd just be DDoSing a proxy rather than your actual server.