
Re: Blocking sub-range of IP addresses



Bill wrote:
> I want to block all IPs ending in 224 to 255 but not 220 and others.
> Searching the net, I found I need to add "/27" to the end of the IP.
> I understand /8 /16 /24 /32 somewhat but...

Netmasks work using a binary logical AND operation. A few years ago, you
would be using something like 255.255.255.224 which is binary
11111111.11111111.11111111.11100000 and would mean "this subnet uses all
8 bits of the first number, the second number, the third number and the
most significant 3 bits of the fourth number", all four of those numbers
being 8-bit unsigned integers.
If you count the "1"s you will find there are 27 of them in a row.
 
> My question:  what makes /27 significant
> X.Y.Z.224 - X.Y.Z.255
> deny from 63.148.99.224/27

This is the same as deny from 63.148.99.224/255.255.255.224 (is this
still legal?). Any address W.X.Y.Z will be checked to see whether
(W.X.Y.Z) AND (255.255.255.224) is 63.148.99.224. Here, the interesting
part is that for any Z between 224 and 255, and for those only, (Z AND
224) will be 224 (binary numbers from 11100000 to 11111111).

> P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???

23 = binary 00010111
55 = binary 00110111

Since those two do not follow the scheme of [same bit]^N[0]^M and [same
bit]^N[1]^M, you could not use the short form; you would have to block
most of them individually.

HTH

Frank
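As an added example (not code from this post, nor from Bill or Frank), the
following Python implements the AND check described in the reply above and,
going beyond the single case in the thread, the general greedy decomposition
of an arbitrary inclusive address range into the fewest CIDR blocks. The
63.148.99.x addresses are the ones used in the thread; every other value
and all function names are constructed for illustration.

```python
# Added example: CIDR matching by binary AND, plus range-to-CIDR decomposition.
# Not code from the mailing-list post; addresses other than 63.148.99.x are
# constructed for illustration.
from __future__ import annotations

import ipaddress  # used only for a cross-check in the demo at the bottom


def to_int(dotted: str) -> int:
    """Convert a dotted quad to its 32-bit unsigned integer value."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Inverse of to_int: 32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for_prefix(prefix_len: int) -> int:
    """/27 -> 0xFFFFFFE0 (255.255.255.224): the top prefix_len bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def matches_cidr(address: str, cidr: str) -> bool:
    """True if (address AND mask) == (network AND mask), the test the reply describes."""
    network, _, prefix = cidr.partition("/")
    mask = mask_for_prefix(int(prefix) if prefix else 32)
    # Masking the network too makes "63.148.99.230/27" behave like 63.148.99.224/27.
    return (to_int(address) & mask) == (to_int(network) & mask)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Cover the inclusive range first..last with the fewest CIDR blocks.

    Greedy: from the current start, take the largest block that is aligned
    on its own size (start AND (size - 1) == 0) and does not overshoot last.
    An unaligned start, like .23, forces small blocks until alignment is reached.
    """
    start, end = to_int(first), to_int(last)
    if start > end:
        raise ValueError("range start is after range end")
    blocks: list[str] = []
    while start <= end:
        prefix = 32
        # Widen the block (shorten the prefix) while it stays aligned and in range.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if start & (size - 1) != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{to_dotted(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


if __name__ == "__main__":
    for addr in ("63.148.99.220", "63.148.99.224", "63.148.99.230", "63.148.99.255"):
        print(addr, "blocked" if matches_cidr(addr, "63.148.99.224/27") else "allowed")
    blocks = range_to_cidrs("63.148.99.23", "63.148.99.55")
    print("23-55 needs", len(blocks), "rules:", blocks)
    # Cross-check against the standard library's decomposition of the same range.
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address("63.148.99.23"), ipaddress.IPv4Address("63.148.99.55"))]
    assert blocks == expected, (blocks, expected)
```

Running the demo shows that .220 is allowed while .224 through .255 are
blocked, and that the .23 to .55 range, which has no single netmask, still
collapses to four deny rules (23/32, 24/29, 32/28, 48/29) rather than one
rule per address.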


