Firewall IP Geo and Named lists

[bmertens-datum]

Summary

We need support for two related but distinct capabilities: IP geo lookups for firewall rules and named lists of IP ranges. Both improve security and configuration ergonomics, but they serve different use cases and likely require different data pipelines.

Problem

Right now, there is no unified way to:

1. Create reusable, named IP lists (e.g., known-bad IPs, vendor ranges, partner networks).
2. Apply geo-based filtering in firewall policies with clear expectations for accuracy and granularity.

This limits how cleanly users can manage network controls across projects and organizations.

Feature Request

1. Named IP Lists

Support creating and referencing named lists of IP addresses or CIDRs. These lists should be able to exist at three scopes:

• Project-specific
  Local to a single project.

• Organization-wide
  Shared across all projects for consistent enforcement.

• Global / system-provided
  Examples could include:

  • Known bad actors
  • Bot networks
  • Cloud provider ranges
  • Tor exit nodes

This allows teams to centralize definitions and reuse them across firewall, proxy, WAF, and routing policies.

2. IP Geo Lookups

Add the ability to filter traffic based on geolocation. Open questions we should define:

• Granularity

  • Country only?
  • Region / state?
  • City-level? (Higher cost, lower reliability)

• Accuracy Targets
  Decide what level of precision we want to support and document the expected error rate or resolution boundaries.

• Type of List
  Do we treat geo lookups like dynamic IP lists (e.g., “US-only”) or as inline match conditions in firewall policies?

Why This Matters

• Improves security posture with consistent, reusable configuration patterns.
• Reduces duplication of IP lists across projects and users.
• Enables more advanced access control use cases, such as:
  • Blocking traffic from high-risk countries.
  • Allowlisting business partners.
  • Automatically applying global deny lists for all customers.
• Ensures users have predictable behavior when configuring geo-targeted rules.

Optional Future Enhancements

• Auto-refreshing lists sourced from third parties (Spamhaus, AbuseIPDB, etc.).
• UI for browsing global lists and org-wide lists.
• Audit logs for changes to shared IP lists.