pfSense rule to limit incoming connections to Cloudflare
pfSense for Cloudflare services on the perimeter
Cloudflare Access Policies: Cloudflare strongly recommends restricting connections to the origin so that only Cloudflare's IP ranges are allowed in.
Alias
pfSense lets you use an alias (a pf table) as the source of a rule; here is the resulting rule as pf sees it:

```
% pfctl -sr | grep cflare
pass in quick on em0 reply-to (em0 144.76.Y.X)
inet proto tcp from <cflarev4> to 192.168.1.XXX
port = http flags S/SA keep state label "USER_RULE: NAT http"
```
This alias pulls in a list of IPv4 addresses: define an alias in pfSense that fetches Cloudflare's published list of network IPs.
NAT with IP restriction
The alias cflarev4 (or similar) can be used for the Source Address field, for example when defining NAT rules.
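An alias that is fetched from a URL can fall out of date, and a stale table silently blocks Cloudflare ranges that were added after the last refresh. The following script is an added example (not from the original post) that diffs a pf table dump against the published list and checks whether a given source address would match the rule; it assumes the dump comes from `pfctl -t cflarev4 -T show` and that the published list is one CIDR per line, and both sample inputs below are constructed from RFC 5737 documentation ranges rather than real Cloudflare prefixes.

```python
import ipaddress

# Constructed sample of `pfctl -t cflarev4 -T show` output (pf indents each entry).
PF_TABLE_DUMP = """\
   192.0.2.0/24
   198.51.100.0/24
   203.0.113.128/25
"""

# Constructed sample of the published list; the last range has been widened to a /24.
PUBLISHED_LIST = """\
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
"""


def parse_prefixes(text):
    """Parse one CIDR prefix per line; blank lines and '#' comments are skipped."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=True))
    return nets


def diff_tables(pf_dump, published):
    """Prefixes the table lacks ('missing') and prefixes it still carries that the
    published list no longer contains ('stale'), both as sorted CIDR strings."""
    in_pf = parse_prefixes(pf_dump)
    wanted = parse_prefixes(published)
    return {
        "missing": sorted(str(n) for n in wanted - in_pf),
        "stale": sorted(str(n) for n in in_pf - wanted),
    }


def source_allowed(src_ip, pf_dump):
    """True if pf would match src_ip against the <cflarev4> table as dumped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in parse_prefixes(pf_dump))


if __name__ == "__main__":
    print(diff_tables(PF_TABLE_DUMP, PUBLISHED_LIST))
    print(source_allowed("203.0.113.5", PF_TABLE_DUMP))
```

Run it with the real dump and list substituted for the samples; a non-empty `missing` entry means legitimate Cloudflare edge traffic is currently being dropped at the perimeter.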