Atomicorp

If we want to allow only 1 or 2 countries in firewall we have to explicitly block all of the rest.

This creates a table with around 250.000 blocked IP networks.

Is there any chance in ASL to reverse this and only add which GEO IPs are allowed and block all the rest?

Kind of like "Only allow country XX" right?

Yes,

Instead of "Block these and allow the rest"...

It would be "Allow these and block the rest"...

In pratical terms it would be the same, the difference would be in performance since you would be loading for example 5.000 IP sets instead of 250.000 depending on how many countries would be on the list.

In the future ASL could even make this decision automatically taking in consideration how many IP sets would be on one option or the other.

For reference that is called an "Unless Allow, Deny" policy, and something we have planned for a future sprint. A great thing about ipsets in general is that you can load gigantic lists (billions definitely, trillions possibly?) in a few milliseconds, so far we really havent hit any kind of bottleneck with handling monster lists.