Is it possible to invert/negate a match in the firewall rules?
Like this in iptables:
iptables -A INPUT ! -s 192.168.1.0/24 -p tcp --dport 80 -j DROP
Destination / Invert
Use this option to invert the sense of the match.
You cannot invert something in a single rule.
Generally the way to go is to have a default policy that drops everything and then create a rule that allows certain traffic.
This is a lot more explicit, a safer way to create rules, and makes mistakes less likely.
How to implement this principle in IPFire: https://blog.ipfire.org/post/firewall-configuration-recommendations-for-ipfire-users
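Added example (not part of the thread and not IPFire code): a small first-match rule evaluator comparing the question's single inverted rule with the default-drop-plus-allow approach from the answer. The ACCEPT policy for the inverted ruleset, the rule tuple layout and the sample packets are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # subnet from the question

# A rule is (source network, negate source?, protocol, dest port, target).
# None for protocol or port means "any".
NEGATED = {  # the question's inverted rule; policy ACCEPT is an assumption
    "policy": "ACCEPT",
    "rules": [(LAN, True, "tcp", 80, "DROP")],
}
DEFAULT_DROP = {  # the answer's approach: drop by default, allow explicitly
    "policy": "DROP",
    "rules": [(LAN, False, "tcp", 80, "ACCEPT")],
}


def verdict(ruleset, src, proto, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    for net, negate, r_proto, r_port, target in ruleset["rules"]:
        src_match = (ip_address(src) in net) != negate
        if src_match and r_proto in (None, proto) and r_port in (None, dport):
            return target
    return ruleset["policy"]


# Constructed sample packets: (source, protocol, destination port)
PACKETS = [
    ("192.168.1.10", "tcp", 80),  # LAN client to the web port
    ("203.0.113.5", "tcp", 80),   # outside host to the web port
    ("203.0.113.5", "tcp", 22),   # outside host to a port no rule mentions
    ("203.0.113.5", "udp", 53),   # other protocol, no rule mentions it
]


def compare(packets=PACKETS):
    """Return (packet, verdict under NEGATED, verdict under DEFAULT_DROP)."""
    return [(p, verdict(NEGATED, *p), verdict(DEFAULT_DROP, *p)) for p in packets]


if __name__ == "__main__":
    for pkt, a, b in compare():
        print(f"{pkt!s:32} negated={a:6} default-drop={b}")
```

Both rulesets agree on port 80, but only the default-drop ruleset also blocks the traffic that no rule mentions.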