I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?
The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?
I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?
Every IP, except a choice few, are banned before any request reaches my router.
I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.
But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.
The ports are closed, the only way to reach the services is to go through the domain name, the firewall and the tunnel, in probably that order.
They can't, but does it matter? They can connect the domain name to your server (through the tunnel).
> or infer what services I run
Why not? The port is open on Cloudflare's side, it's exactly the same.
The one thing you get from Cloudflare is that probably Cloudflare has a list of blocked IPs and they will prevent them from reaching your server. Though I'm sure there are public lists of "bad IPs" and it shouldn't be too hard to have a firewall that uses them. And anyway in your case you have a list of allowed IPs, so it's not a concern at all.