Hi, let's say that I need to build an ACL where I block all the IPv4 traffic from Sweden. I considered following solutions: 1) RIR statistics files(ftp://ftp.ripe.net/ripe/stats/RIR-Statistics-Exchange-Format.txt) accessible for example at ftp://ftp.apnic.net/pub/stats/. However, those files contain allocations and assignment made by the registry producing the file and not any sub-assignments by other agencies(for example NIR, LIR). This means that this information is not very accurate. Another problem which I found out is that in case of inetnum object has many country fields, the first one is used. In addition, even the RIR statistics exchange format document says that: cc = ISO 3166 2-letter country code, and the enumerated variances of {AP,EU,UK} These values are not defined in ISO 3166 but are widely used. The cc value identifies the country. However, it is not specified if this is the country where the addresses are used. There are no rules defined for this value. It therefore cannot be used in any reliable way to map IP addresses to countries 2) MaxMind products. Those should rely on user input(for example MaxMind purchases user data from ISP's or content providers) and based on personal experience defaults to RIR data if no other more accurate source is available. If anyone has something to specify here, then please do so. 3) Use iptables geoip module, but turned out, that it uses MaxMind database: root@VM-host:~# grep -Hsi maxmind $(dpkg -L xtables-addons-common) /usr/lib/xtables-addons/xt_geoip_build:# Converter for MaxMind CSV database to binary, for xt_geoip /usr/lib/xtables-addons/xt_geoip_dl: http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \ /usr/lib/xtables-addons/xt_geoip_dl: http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip; root@VM-host:~# 4) In theory geofeeds(http://tools.ietf.org/html/draft-google-self-published-geofeeds-02) would be a nice solution, but as I understand the RFC, it would work for my example only in case all the IP address users would provide their geofeed and there is a centralized database to query. 5) Use prefix AS path. However, there seems to be no reliable way to determine source country based on information in BGP routing tables. Are there any other possibilities to geolocate IPv4 addresses with higher accuracy? regards, Martin