RFC1918 local addresses match GeoIP firewall rules

I haven’t seen any discussion about this or anything in the documentation. I currently use geoip matching such as this:

set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 action 'drop'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'us'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'ca'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip inverse-match
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 log

This works fine for catching traffic destined to locations outside of the US and Canada; however, it also catches RFC1918 IPs, which should have no fixed geo-location.

Any suggestions on how to get around this?

When checking db-ip.com (which I believe is where the GeoIP data comes from), this is the result for an RFC1918 IP:

{
  "ipAddress": "10.10.10.10",
  "countryCode": "ZZ",
  "isp": "Private network",
  "usageType": "reserved",
  "organization": "Rfc 1918"
}

But if I try to use country code “ZZ”, it isn’t accepted:

# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code zz

  Invalid value
  Value validation failed
  Set failed

[edit]
# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code ZZ

  Invalid value
  Value validation failed
  Set failed

[edit]

I tried excluding 10.0.0.0/8 but you can’t combine GeoIP with an address:

# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination address !10.0.0.0/8
[edit]
# commit

Only one of address, fqdn or geoip can be specified

[[firewall]] failed

rule 9 which explicitly allows RFC1918?

Here is a more complete example of what I’m trying to do:

set firewall ipv4 name XYZ-FORWARD-IPV4 default-action 'drop'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 action 'drop'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'us'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'ca'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip inverse-match
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 log
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 20 action 'accept'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 20 description 'Some device - Allow Internet access'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 20 destination group network-group '!Private_Addresses'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 20 source group address-group 'XYZ_SomeDevice'

Basically I want XYZ_SomeDevice to be able to access the Internet, but not Private_Addresses (the group contains the RFC1918 ranges). Anything in this zone should not be able to access anything outside the US or Canada.

All other IPs not specifically mentioned in a rule are to get dropped.

For my specific problem, I guess I can just reorder my rules to put the rules that should allow access to RFC1918 addresses first, but it would be nice to have the option to exclude local addressing from the GeoIP match.
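To make the behaviour concrete, here is an added Python model of the rule chain from this thread (example code, not VyOS code and not from any poster). It models first-match rule evaluation, a GeoIP lookup that returns no country for RFC1918 space (db-ip's "ZZ"/reserved answer, which VyOS will not accept as a country code), and the inverse-match semantics that make such addresses hit rule 10. The GeoIP table, the address groups and the group name XYZ_Other (standing in for the rest of the zone that should keep reaching private ranges) are constructed assumptions; the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are labelled with countries purely for illustration. The reordered chain puts the reply's suggested rule 9 in front of the inverse-GeoIP drop.

```python
import ipaddress

# Constructed toy GeoIP table for this example only (not db-ip data).
# Documentation ranges stand in for real country blocks.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "us"),
    (ipaddress.ip_network("198.51.100.0/24"), "ca"),
    (ipaddress.ip_network("192.0.2.0/24"), "de"),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical address/network groups; 'XYZ_SomeDevice' and 'Private_Addresses'
# are the names used in the post, 'XYZ_Other' is an assumed group for the rest
# of the zone that is still allowed to reach RFC1918 space.
GROUPS = {
    "XYZ_SomeDevice": [ipaddress.ip_network("10.1.1.9/32")],
    "XYZ_Other": [ipaddress.ip_network("10.1.2.0/24")],
    "Private_Addresses": RFC1918,
}


def in_group(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GROUPS[name])


def lookup_country(ip):
    """Return the country code for ip, or None when the database has no
    country for it. db-ip reports RFC1918 space as 'ZZ' / reserved, which
    cannot be configured as a country code, so it is modelled as no country."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


def geoip_match(ip, codes, inverse=False):
    """Model of 'destination geoip country-code ... [inverse-match]'.

    With inverse-match the rule matches anything that is NOT in the listed
    countries. An address that resolves to no country at all is also 'not in
    the list', so private destinations match the inverse rule too."""
    hit = lookup_country(ip) in codes
    return (not hit) if inverse else hit


# Rule = (number, action, predicate(src, dst)); first match wins.
RULE_9 = (9, "accept",
          lambda s, d: in_group(s, "XYZ_Other") and in_group(d, "Private_Addresses"))
RULE_10 = (10, "drop",
           lambda s, d: geoip_match(d, {"us", "ca"}, inverse=True))
RULE_20 = (20, "accept",
           lambda s, d: in_group(s, "XYZ_SomeDevice")
           and not in_group(d, "Private_Addresses"))

ORIGINAL_CHAIN = [RULE_10, RULE_20]           # as posted: GeoIP drop comes first
REORDERED_CHAIN = [RULE_9, RULE_10, RULE_20]  # suggested rule 9 placed in front


def evaluate(chain, src, dst, default="drop"):
    """Return (action, rule_number) of the first matching rule in the chain,
    or (default, None) when nothing matches (the post's default-action drop)."""
    for number, action, pred in chain:
        if pred(src, dst):
            return action, number
    return default, None


if __name__ == "__main__":
    flows = [
        ("10.1.2.5", "10.2.2.2"),       # rest of zone -> private: should be allowed
        ("10.1.1.9", "203.0.113.5"),    # device -> 'us': allowed
        ("10.1.1.9", "192.0.2.7"),      # device -> 'de': dropped by GeoIP rule
        ("10.1.1.9", "10.2.2.2"),       # device -> private: must stay blocked
    ]
    for name, chain in (("original", ORIGINAL_CHAIN), ("reordered", REORDERED_CHAIN)):
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(chain, src, dst))
```

In the original order the first flow is dropped by rule 10 because the private destination resolves to no country and therefore satisfies the inverse match; in the reordered chain rule 9 accepts it first, while the device-to-private flow still falls through to rule 10 and is dropped, which is the intended outcome for that source.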