Or an easier, more accurate and safer way is to also use Cloudflare as your DNS provider and proxy.
They do publish the range of IPs for their servers and they’ll proxy your connection so nobody will know your private IP when resolving your domain. Then you can just block all connections not coming from those IPs on your router.
The benefit of this is that you’ll have their security as well, like DDoS protection, Rate Limiting, WAF, Access, User Agent Blocking, IP rules (block, challenge, bad browser), page rules, etc. In my case I have all of that set and Cloudflare Access, so it requires 2FA to reach my HA instance.
On top of that you can have full strict encryption by using their Cloudflare Origin CA, and you’ll also have DNSSEC.
I blocked bots and medium-to-high threat-scored IPs as some of my rules. 2FA is required for all sites except for whitelisted stuff like Google Assistant (by URI since I don’t know their IP range; they also come from the US only), UpTime robot (by IP range), etc. I challenge sketchy IPs with a lower threat score.
For Google Assistant to reach my HA I set it to bypass my rules by the URI used for Google Assistant calls:
https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant
The reverse proxy kinda feels like it helps, since you need to know the domain name, and I have locked certain pages by URI and for others I set an additional username/password, as some of my apps didn’t require one (like some add-ons) or showed too much info even before logging in. Other calls that are routed through the reverse proxy are blocked; it can also block common script exploits.
pfSense is good, and adding this on top of it gives you something new to play with; in my case I feel my instance is safer now. pfSense is great as an IPS, and it makes a great addition to all of this.
I think most of the danger is bots and more than anything users installing malware on their computer.
The best thing to do is prevention when it comes to security. Prevention starts by blocking websites known for malware and other shady places, which brings me to another Cloudflare product: Cloudflare Gateway, which is basically a Pi-hole in the cloud.
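The origin-lockdown and URI-bypass policy described in the post, as an added worked example that is not the poster's own setup: it parses a published one-CIDR-per-line range list, decides whether a connection is accepted, and renders the router side as pf rules. The range values are RFC 5737 documentation networks standing in for Cloudflare's real list, the `pf.conf` lines are an assumed illustrative form, and `parse_ranges`, `decide` and `pf_rules` are names chosen here.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line form the proxy publishes its edge
# ranges in. These are RFC 5737 documentation networks, NOT Cloudflare's real
# ranges: download the current published list before using this for real.
SAMPLE_RANGE_LIST = """\
198.51.100.0/24
203.0.113.0/24
"""

GOOGLE_ASSISTANT_PATH = "/api/google_assistant"  # URI the post exempts from 2FA


def parse_ranges(text):
    """Turn a published range list into network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]


def is_proxy_source(src_ip, networks):
    """True if the connecting address belongs to one of the proxy's ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def decide(src_ip, path, has_2fa, networks):
    """Mirror the post's policy: only proxied traffic reaches the origin, the
    Google Assistant URI is exempt from 2FA, and everything else needs 2FA."""
    if not is_proxy_source(src_ip, networks):
        return "drop"        # direct hit on the origin IP, bypassing the proxy
    if path == GOOGLE_ASSISTANT_PATH:
        return "allow"       # URI-based bypass for the Assistant webhook
    return "allow" if has_2fa else "challenge"


def pf_rules(networks, ext_if="wan", port=443):
    """Render the router side as pf.conf lines (assumed illustrative syntax).
    Without 'quick', the last matching rule wins, so the pass rule for the
    proxy table overrides the general block for those sources only."""
    table = ", ".join(str(net) for net in networks)
    return [
        f"table <cloudflare> {{ {table} }}",
        f"block in on {ext_if} proto tcp from any to any port {port}",
        f"pass in on {ext_if} proto tcp from <cloudflare> to any port {port}",
    ]


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGE_LIST)
    print(decide("192.0.2.1", "/", True, nets))                      # drop
    print(decide("203.0.113.9", GOOGLE_ASSISTANT_PATH, False, nets))  # allow
    print("\n".join(pf_rules(nets)))
```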