I have been reading and banging my head against the wall trying to find a simple elegant way of implementing a whitelist pass and reject all other for port 443. For example Cloudflare has list of IP space that I would like to accept along with the local LAN traffic and drop all other inbound. This is a single green NIC at 10.0.25.150/24 and is not responsible for router/firewall/dhcp.
Cloudflare IP Set
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22
I’ve never really understood the NS firewall but my first basic approach would be to create firewall CIDR objects for each of the subnet items (14 with the example above) and then create a corresponding firewall allow rule for each defined firewall object. Is this a doable approach? My previous experience would have been to create an alias within PfSense with the above defined networks and then enable https traffic to pass with one rule. Can I simplify and group all of the network blocks in a similar way within Nethserver?