pfSense rule to limit incoming connections to Cloudflare

pfSense for Cloudflare services on the perimeter

Figure: Cloudflare Access Policies. It is strongly recommended to limit connections to the origin so that only Cloudflare IPs are allowed.

Alias

pfSense allows you to use an alias (backed by a pf table) as the source of a rule:

% pfctl -sr | grep cflare
pass in quick on em0 reply-to (em0 144.76.Y.X) inet proto tcp from <cflarev4> to 192.168.1.XXX port = http flags S/SA keep state label "USER_RULE: NAT http"

This alias will pull in a list of IPv4 addresses:

Figure: Defining an alias in pfSense that pulls in the list of Cloudflare's network IPs.

NAT with IP restriction

The alias cflarev4 (or whatever name you chose) can then be used in the Source Address field, for example when defining the NAT rule for the web server, so that only Cloudflare's addresses can reach the origin.
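Two checks a practitioner would want alongside this setup: whether the pf table actually covers every prefix in Cloudflare's published list (a stale or truncated table silently lets nothing or too much through), and whether any source outside those prefixes still reached the origin port. This is an added example, not part of the original page; the prefix list, the table dump and the log lines are constructed samples, and the live list should be fetched from https://www.cloudflare.com/ips-v4.

```python
import ipaddress
from typing import List

# Constructed sample in the format of Cloudflare's published IPv4 list
# (one CIDR per line); always use the live list, not this snapshot.
PUBLISHED_V4 = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
"""

# Constructed dump of what the alias table holds on the firewall
# (the shape of `pfctl -t cflarev4 -T show` output); one prefix is missing.
LOADED_TABLE = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
"""

# Constructed log excerpt for the http NAT rule: timestamp, source IP, dest port.
FILTER_LOG = """\
2024-01-12T15:01:07 104.16.22.9 80
2024-01-12T15:01:09 203.0.113.45 80
2024-01-12T15:01:12 172.70.5.1 80
"""

def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, skipping blank lines and '#' comments."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def table_gaps(published, loaded) -> List[ipaddress.IPv4Network]:
    """Published prefixes not covered by any loaded prefix: the table is stale."""
    return [p for p in published if not any(p.subnet_of(l) for l in loaded)]

def is_cloudflare(ip: str, ranges) -> bool:
    """True if the address falls inside one of the Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in r for r in ranges)

def non_cloudflare_sources(log_text: str, ranges) -> List[str]:
    """Source IPs that reached the origin port without coming through Cloudflare."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _port = line.split()
        if not is_cloudflare(src, ranges):
            hits.append(src)
    return hits
```

Any address returned by non_cloudflare_sources means the origin is reachable around the proxy and the alias or rule ordering deserves a look.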