Firewall allowing US geographic IPs allows some but blocks other US IPs?

I have created a firewall rule to allow only four countries based on the IPs geographic location:

(ip.geoip.country ne "US") or (ip.geoip.country ne "GB") or (ip.geoip.country ne "CA") or (ip.geoip.country ne "AU")

Action: BLOCK

While the rule has the intended effect on my primary targets to block (Russian Federation, Ukraine, China, etc.), there are many instances of US IPs being blocked. Ironically, the above firewall rule also blocks Cloudflare's diagnostic tool, which reports certain errors when the rule is enabled (e.g., no HTTPS redirect). Testing the site with various diagnostics on mxtoolbox.com also shows that another known US-based IP is being blocked by the above rule.

So, what is wrong with the rule? Why is it blocking some US IPs and not others?

It’s blocked because it’s NOT GB, OR it’s NOT CA, OR it’s NOT AU.

You should use AND for those.

Thanks, though I’m still puzzled why some US traffic was going through with the OR-based rule? The following logic seems correct, now that I’ve thought it through. However, the overview doesn’t seem to be updating to allow me to verify how the filter is working.

For a US visitor, I think the rule would be evaluated:
(NOT US? =FALSE; or NOT GB? =TRUE; or NOT AU? =TRUE; or NOT CA? =TRUE) --> net result is that there is at least one true among the four expressions, and therefore the rule blocks the traffic.

With the AND operator for a US visitor, then it should be evaluated as follows:
(NOT US? =FALSE; and NOT GB? =TRUE; and NOT AU? =TRUE; and NOT CA? =TRUE) --> net result is that it includes one false because the rule requires each expression to return as true before blocking, and therefore the rule allows the traffic.

I try not to overthink it because it just gets confusing.

You can try a “Not In” option, so if they’re not in your list of 4 countries, they’ll be blocked.

That’s the goal, but when searching the knowledgebase for an example rule, I couldn’t find something that seemed to fit the bill. This expression might:

(not ip.geoip.country in {"US" "GB" "CA" "AU" "NZ"}) Action: Block

I’ll test and report back.
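As an added illustration (not code from this thread or from Cloudflare), the three candidate expressions discussed above can be modelled as plain boolean functions and run over a constructed list of visitor country codes. This makes the OR-versus-AND difference from the earlier post concrete and also shows how the `not ... in {...}` form differs from the AND form only in the countries listed (the set here includes NZ, the AND version does not). The country codes and the empty-string "unknown" visitor are constructed sample input, not data from the thread.

```python
# Added example: model the three firewall expressions from the thread and
# evaluate them against constructed sample visitors.

# Countries in the "not in" rule from the last post (constructed to match it).
ALLOWED = {"US", "GB", "CA", "AU", "NZ"}


def or_rule_blocks(country: str) -> bool:
    """Original rule: (ne US) or (ne GB) or (ne CA) or (ne AU) -> Block.
    A visitor can only be one country, so at least three of the four
    comparisons are always true and the OR is true for every visitor."""
    return (country != "US") or (country != "GB") \
        or (country != "CA") or (country != "AU")


def and_rule_blocks(country: str) -> bool:
    """Suggested fix: (ne US) and (ne GB) and (ne CA) and (ne AU) -> Block.
    True only when the visitor matches none of the four countries."""
    return (country != "US") and (country != "GB") \
        and (country != "CA") and (country != "AU")


def not_in_rule_blocks(country: str) -> bool:
    """Set form: (not ip.geoip.country in {...}) -> Block."""
    return country not in ALLOWED


# Constructed sample visitors; "" stands in for a lookup that returned no
# country code, so each rule's handling of that edge case is visible too.
SAMPLE_VISITORS = ["US", "GB", "CA", "AU", "NZ", "RU", "UA", "CN", ""]


def compare_rules(visitors=SAMPLE_VISITORS) -> dict:
    """Return {country: {"or": blocked?, "and": blocked?, "not_in": blocked?}}."""
    return {
        c: {
            "or": or_rule_blocks(c),
            "and": and_rule_blocks(c),
            "not_in": not_in_rule_blocks(c),
        }
        for c in visitors
    }


def blocked_by(rule_name: str, visitors=SAMPLE_VISITORS) -> list:
    """List the sample visitors a given rule would block."""
    table = compare_rules(visitors)
    return [c for c in visitors if table[c][rule_name]]


if __name__ == "__main__":
    table = compare_rules()
    print(f"{'country':8} {'or':>6} {'and':>6} {'not_in':>7}")
    for c, r in table.items():
        label = c or "(none)"
        print(f"{label:8} {str(r['or']):>6} {str(r['and']):>6} {str(r['not_in']):>7}")
```

Running the block prints one row per sample visitor; the OR column is True for every row, which is why that rule cannot be relied on to let any country through, while the AND and not-in columns agree except for NZ, which only the not-in set lists.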
