tech-net archive


Re: Proposal to apply mask to IP address set on rule



Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:

> Suppose we want to block or pass packets from a subnet

Be careful between

  packets arriving on a particular interface

  packets with a source address from a particular IP prefix assigned to
  some ethernet

> Say 192.168.64 subnet (24 bits masking).
>
> So if we
> "pass from 192.168.64.7/24" on a rule.
>
> Is it ideal to also match all packets from 192.168.64 subnet? As it would if we passed as
> 192.168.64.0/24 on rule.

I don't follow "ideal" but I would find it super surprising if this
didn't already work.

Whether the masked portion is 0 or something I think shouldn't matter
and shouldn't get a warning. I often leave that in a file while
blocking a /24, to record the offender and block the neighborhood.

What are you trying that you find doesn't work, or that code reading or
docs says won't?
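
What applying the mask to the address set on a rule means for matching, as an added example that is not part of the original message and is not code from any packet filter. The two matcher functions and the sample packet source are hypothetical; they compare a source address against the rule address exactly as written and against the rule address with the mask applied.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit value; returns 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Netmask for a prefix length 0..32 (a 32-bit shift by 32 is undefined). */
static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Hypothetical matcher: masks only the packet source and compares it with
 * the rule address as written, so host bits left in the rule break the match. */
int match_rule_as_written(const char *rule, unsigned len, const char *src)
{
    uint32_t r, s;
    if (len > 32 || parse_ipv4(rule, &r) || parse_ipv4(src, &s))
        return -1;
    return (s & prefix_mask(len)) == r;
}

/* Hypothetical matcher: masks both sides, so 192.168.64.7/24 and
 * 192.168.64.0/24 select the same set of source addresses. */
int match_rule_masked(const char *rule, unsigned len, const char *src)
{
    uint32_t r, s, m;
    if (len > 32 || parse_ipv4(rule, &r) || parse_ipv4(src, &s))
        return -1;
    m = prefix_mask(len);
    return (s & m) == (r & m);
}

int main(void)
{
    const char *src = "192.168.64.200"; /* constructed sample packet source */
    printf("as written: %d\n", match_rule_as_written("192.168.64.7", 24, src));
    printf("masked:     %d\n", match_rule_masked("192.168.64.7", 24, src));
    return 0;
}
```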

