We don’t have a great way to limit things to IPs, unfortunately. What you can do is:
- If you trust the clients, connect them to wireguard and have them speak UDP over the private network
- If you don’t, you could run some basic auth on Fly. You can actually run your own wireguard server if you want, or look at servers doing something like DTLS.
One thing about syslog: most people end up just running it over TCP with TLS, especially since log messages frequently span packets. There’s not a huge advantage to exposing UDP syslog in most cases.