Clarifying some "countries" in location groups

Greetings,

In location groups, there are a few “countries” listed that don’t correspond to actual countries (or ISO 3166-1). Hoping someone can clarify how a few country codes are defined.

  • Europe (EU): Does this represent all of the European Union, the European continent, or a miscellaneous type that only includes other European IPs not assigned to specific countries? The Wikipedia article on the standards mentions EU as being reserved, but doesn’t go into detail.

  • France, metropolitan (FX): According to ISO 3166-3, this code has been deprecated and merged into France proper. In the location database, do France and France, metropolitan overlap? Why is this code being used?

  • More generally, do some of these country codes represent a superset of several others, or are all of the country codes mutually exclusive?

I realize that the data for the location database originates elsewhere, and that probably has something to do with the country classifications being used in IPFire.

Thanks for your insights.
Denis

Hi,

first: Welcome to the IPFire community. :)

I know this answer is not really satisfying, but we do not know that. Networks are being flagged as “EU” because that country code appears in their RIR data, and we have absolutely no idea why the owner of those networks decided to put this in.

For most networks classified as “EU” I have seen so far, they were located somewhere in the European Union but could not be nailed down to a specific country. This happens, for example, for IP ranges of larger backbone providers.

Actually, the problem is worse as there is no exact definition about those country codes: Do they represent the physical location of a network or its jurisdiction?

This question was never clarified, which is why we cannot answer it either. In some cases, the jurisdiction matters, in some other scenarios, you care about the physical location. However, you will never know which is which, no matter which location database you are going to use.

Hm, at the moment, we are not aware of any networks with this country code, so it’s effectively a stub:

location=# SELECT * FROM networks WHERE country = 'FX';
 network | country 
---------+---------
(0 rows)

My expectation is that all networks located there have been subsequently merged into “FR”.

They are exclusive.

Yes, we are processing publicly available data from the five RIRs (AFRINIC, APNIC, ARIN, LACNIC, RIPE) and use custom override files to override locations for certain networks - for example, if the network owner tampers with those data - or flag them as being an anonymous proxy, a satellite network, or being used for anycast services.

Those override files can be accessed here.

Thanks, and best regards,
Peter Müller

Thank you for your detailed reply, Peter – very helpful. I’ll be adjusting my firewall rules (and other security measures) now that I understand the classification scheme and risks better. I’ll start using the location database query tool as well.

As a side note, kudos to you and the IPFire team for the tremendous work on the libloc project. libloc plus your many informative blog posts were what finally got me to investigate IPFire as a replacement for the current system.

Denis

Hi,

just to add an IPFire-specific detail here: Special networks mentioned above (anonymous proxies, satellite and anycast networks) are treated differently by libloc than the IPFire GUI might suggest: They keep their country, but are flagged to indicate them being special:

[root@maverick ~]# location lookup 109.70.100.134
109.70.100.134:
  Network                 : 109.70.100.0/24
  Country                 : Austria
  Autonomous System       : AS208323 - Foundation for Applied Privacy
  Anonymous Proxy         : yes

To illustrate the difference, this is what a “normal” lookup result looks like:

[root@maverick ~]# location lookup 194.95.245.140
194.95.245.140:
  Network                 : 194.94.0.0/15
  Country                 : Germany
  Autonomous System       : AS680 - Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

However, if you create firewall rules using the special A{1,3} groups, they do not overlap with their countries:

[root@maverick ~]# location list-networks-by-flags --anonymous-proxy | grep 109.70.100.0/24
109.70.100.0/24
[root@maverick ~]# location list-networks-by-cc AT | grep 109.70.100.0/24
[root@maverick ~]# 

So, as you suggested, they are all mutually exclusive.

Glad to see this is useful. :)

Well, I am glad to hear that as well. For the sake of completeness, some IPFire users currently suffer from a combination of bugs related to libloc and xt_geoip - please refer to this post for further information.

So, it’s not all fine and completely seamless, but we are working on it. :)

Thanks, and best regards,
Peter Müller

Got it: The country and associated flags are just separate fields in the database. However, the flagged entries and overrides are prioritized to create mutually exclusive classifications for use by IPFire.

I might suggest adding a note of clarification to the location(8) man page, because the operation of list-networks-by-cc is unexpected.

All 3 list-networks-by-* commands appear to be typical, single field database queries. That’s true only for list-networks-by-as and list-networks-by-flags. In contrast, list-networks-by-cc behaves differently, omitting networks that are flagged – which is not intuitively obvious. In an ideal world, an option (e.g. --exclude-flagged) would have been added to list-networks-by-cc to produce the current output.

Thanks again for the helpful insights.

Denis

That isn’t meant to happen at all.

Hi Michael,

I appreciate you responding to my post.

Does that mean that location list-networks-by-cc is going to output flagged networks in the future? In that case, A1-A3 and the country codes in IPFire would no longer be mutually exclusive (unless something else changes).

Or do you mean something else?

Thanks for clarifying.
Denis
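
A check for the exclusivity discussed in this thread, as an added example that is not part of any post and not libloc or IPFire code: it takes the saved text output of `location list-networks-by-flags` and `location list-networks-by-cc` and reports overlaps by address range, so a flagged network nested inside a larger country network is caught where an exact-string `grep` would miss it. The function names and the sample networks (documentation ranges) are constructed for illustration.

```python
import ipaddress

def parse_networks(text):
    """Parse one CIDR per line, the format the list-networks-by-* commands print."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip anything that is not a network (prompts, warnings)
    return nets

def find_overlaps(flagged, by_country):
    """Return (flagged_net, country_net) pairs that share at least one address."""
    hits = []
    for f in flagged:
        for c in by_country:
            # Only compare within one address family; overlaps() also
            # covers one network being fully contained in the other.
            if f.version == c.version and f.overlaps(c):
                hits.append((f, c))
    return hits

# Constructed sample data (documentation ranges, not real libloc output).
FLAGGED = """198.51.100.0/24
203.0.113.64/26
"""
# Country list that stays exclusive of the flagged networks.
COUNTRY_CLEAN = """192.0.2.0/24
2001:db8::/32
"""
# Country list in which a larger network covers a flagged one.
COUNTRY_MIXED = """192.0.2.0/24
203.0.113.0/24
"""

if __name__ == "__main__":
    for name, text in (("clean", COUNTRY_CLEAN), ("mixed", COUNTRY_MIXED)):
        pairs = find_overlaps(parse_networks(FLAGGED), parse_networks(text))
        print(name, [(str(f), str(c)) for f, c in pairs])
```

An empty result for every country code used in a rule set means the country groups and the flagged groups cannot both match the same address.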