pfSense rule to limit incoming connections to Cloudflare

 

 

 

pfSense for Cloudflare services on the perimeter

 

image-20240112-150328.png
Cloudflare Access Policies: it’s strongly recommended to limit connections to the origin to allow only Cloudflare IPs

 

Alias

pfSense allows you to use a alias (as part of the Pf functions)

% pfctl -sr | grep cflare pass in quick on em0 reply-to (em0 144.76.Y.X) inet proto tcp from <cflarev4> to 192.168.1.XXX port = http flags S/SA keep state label "USER_RULE: NAT http"

This alias will pull in a list of IPv4 addresses:

image-20240112-150107.png
Define an alias with pfSense that pulls in a list of Cloudflare’s network IPs

NAT with IP restriction

The alias cflarev4 (or similar) can be used for the Source Address field, for example when defining NAT rules.