You'll find that there isn't; this has been a longtime topic of discussion and debate here on the forum. Let's Encrypt does not encourage or facilitate whitelisting particular addresses by publishing the addresses that it currently uses for these validations.
If you can control your firewall from software somehow, you could make the Let's Encrypt client open port 80 on the firewall right before the challenge and close port 80 again afterward. With Certbot, you can use --pre-hook and --post-hook for this (to make it run commands before and after attempting the domain validation challenges).
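A hook script that does exactly that, as an added example that is not part of the original post and not Certbot's own code. It assumes the host filters inbound traffic with iptables and a default-deny INPUT chain; the rule tag `certbot-http01`, the script path `/usr/local/sbin/certbot-fw.sh` and the `DRY_RUN` switch are hypothetical. The same rule spec is used for `-I` and `-D`, so the post-hook removes precisely the rule the pre-hook added and nothing else.

```shell
#!/bin/sh
# Open TCP/80 only for the duration of Certbot's HTTP-01 challenge.
# Invoked by Certbot as "<script> pre" (--pre-hook) and "<script> post" (--post-hook).
#
# Assumptions (not from the forum post): iptables with a default-deny INPUT
# chain; "certbot-http01" is a hypothetical tag used to mark the rule.
# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the script can be exercised without root.
set -eu

RULE_TAG="certbot-http01"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One rule spec shared by insert and delete: iptables -D only removes a rule
# whose spec matches exactly, so the two must never drift apart.
http01_rule() {
    printf '%s' "INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m comment --comment $RULE_TAG -j ACCEPT"
}

open_port_80() {
    # -I puts the rule at position 1, ahead of any DROP/REJECT rule below it.
    # shellcheck disable=SC2046
    run iptables -I $(http01_rule)
}

close_port_80() {
    # Delete by spec, repeating in case an interrupted earlier run left a
    # duplicate; iptables -D exits non-zero once no matching rule is left.
    # shellcheck disable=SC2046
    while run iptables -D $(http01_rule) 2>/dev/null; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            break
        fi
    done
}

# Dispatch only when an argument is given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        pre)  open_port_80 ;;
        post) close_port_80 ;;
        *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
    esac
fi

# Certbot invocation (use an absolute script path; hooks run as the user
# running Certbot, normally root):
#   certbot certonly --standalone -d example.com \
#       --pre-hook  "/usr/local/sbin/certbot-fw.sh pre" \
#       --post-hook "/usr/local/sbin/certbot-fw.sh post"
```

Certbot runs the --post-hook after the attempt whether or not it succeeded, so the port is closed again even when validation fails; Certbot's renewal timer only runs the hooks when a renewal is actually attempted, so the port stays closed between renewals.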