Block a range of IP addresses

Posted on 2004-08-16
Medium Priority
Last Modified: 2007-12-19

I am trying to add some IP addresses to an IP block list on my smoothwall firewall.

Firstly I do a whois lookup to return a range of IPs

So if I get a bunch of portscans from
I get info about the source network http://www.whois.sc/
Which returns a network range -

Now sometimes I get an IP range represented like this
this is easy to then block the entire network by entering  into ipblock

What I want to know: Is there any way to or any software around that can represent the range returned in the format that I can enter into the IPBLOCK GUI

So enter start address and end address ( - get a result that encapsulates the range like:       <<<<<< I know this range is too broad, that's what I need to know how to calculate.

Do you know what I mean???

Question by: Alan Warren

Expert Comment

by: Pete Long
ID: 11808367

or if you prefer the short notation

Expert Comment

by: Pete Long
ID: 11808382
or if you support wildcard masking


will block that first IP range you're concerned with

Author Comment

by: Alan Warren
ID: 11808396
Hi Pete

how did you derive this address:

that's my question,
and is there any software out there that will derive it for me?

thanks for the response

Alan :)

Expert Comment

ID: 11808580
Solarwinds has a good, free subnet calculator here: http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm

Todd Lammle wrote an excellent chapter on subnetting IP in his Sybex CCNA book. If you can pick that up, it is good reading. If not, try this:



Expert Comment

ID: 11809034

.... subnet, have mask, i.e.

255         .255        .255         .128
|<---------  25 bits '1' --------->|

(is /25, not /26; /26 is .192)


Expert Comment

ID: 11809077

is

NET : 202         .124         .0            .0
Mask: 11111111.11111111.11110000.00000000

i.e. mask


Expert Comment

ID: 11809100
Why don't you block ALL incoming addresses? Your outgoing traffic will be let back in, in any case.
If you want to allow a certain computer in you can just enable that address.
Much easier and MUCH more effective than collecting intruder addresses.


Author Comment

by: Alan Warren
ID: 11809118
Hi gnegrota,

sorry for seeming so dumb here, but how are you doing that?
are you subtracting one from the other?

I don't get it ... :)


Author Comment

by: Alan Warren
ID: 11809129
hey Peter

tell me more...


Author Comment

by: Alan Warren
ID: 11809146
Hi EmpKent

downloaded solarwinds but I can't find anywhere to input a range and return an address I can use to block a range


Author Comment

by: Alan Warren
ID: 11809179
The Intrusion detection logs show stuff like this:

Date: 08/16 21:23:48 Name: spp_portscan: portscan status from 1 connections across 1 hosts: TCP(1), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

so I do a whois: http://www.whois.sc/ and get stuff like:

SSL Cert:  No valid SSL on this Host, Get Secure
Record Type:  IP Address
IP Location:   Australia - Victoria - Melbourne - Australia On Line
Reverse IP:  No websites hosted using this IP address

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum: -
netname:      AOL2-AU
descr:        Australia On Line

So what do I type in the IP Block GUI, and how do I get that from the above range?

Don't mean to be difficult, just don't get it.... LOL



Expert Comment

ID: 11809299
You can try mask   ( that means your interval, and it is /21 ), but if you receive an error... leave IP subnetting alone and block :

203.23.x.x is a Class C network and a valid mask is 255.255.255.x, but if the "AOL" are using something like supernetting... :-)

Anyway, you have the solution. The rest is TCP/IP theory and some Cisco stuff.


Expert Comment

ID: 11813983
I might be reading Alan's question wrong, but it looks like he's simply asking for an explanation of CIDR notation or how to convert from a xxx.xxx.xxx.xxx-xxx.xxx.xxx.yyy range to xxx.xxx.xxx.xxx/yy format.  Perhaps http://infocenter.guardiandigital.com/manuals/IDDS/node9.html and http://itadmin.appfa.auckland.ac.nz/FAQ/Network/IP-CIDR.htm can make it a tad clearer for you.  Sorry if that's not what you were confused about.

Expert Comment

by: Pete Long
ID: 11814509
as peakpeak says above

your firewall should be blocking everything (inbound); never try to work out what to block. Block everything, then you can work out what you want to let in

remember a stateful firewall will let your clients out (if you let them) and will let the same traffic back in implicitly

if you get stuck with subnetting there's an online subnet calculator here http://www.telusplanet.net/public/sparkman/netcalc.htm


Author Comment

by: Alan Warren
ID: 11816815

this is the deal.

1... I believe that all inbound traffic is blocked by default for any SmoothWall Express 2.0 installation.
2... Each day I check the Intrusion Detection System (IDS) logs for attempts to gain access.
  Date: 08/17 01:13:57 Name: WEB-CLIENT javascript URL host spoofing attempt
  Priority: 1 Type: Attempted User Privilege Gain
  IP info: ->
  References: 1  

3... To confirm that the intruder was not successful, I check for the IP address in the Firewalling log.
4... If the firewalling log has no record matching the IDS log then something is fishy, possible breach, hmmm.
  oOOH can't find it in the firewalling log!

5... So then I look up the Net Range of the IP that was detected by IDS
  NetRange: -
  NetName:    A-YAHOO-U23

6... Sometimes the CIDR notation is returned by the lookup    CIDR:
   I believe that if I add this CIDR address to the IP Blocklist then the entire NetRange: - will be explicitly blocked.
   How am I doing so far?

7... Sometimes I don't get a CIDR: I only get a NetRange: -  hmmmm??? This is the problem.
  How do I derive the CIDR that encapsulates the entire netrange?

Got a glimmer of insight from converting the upper range to binary octets 01000010 11011010 01011111 11111111 then counting the 1's, but there are 21 1's, not 19 as the CIDR notation suggests.

Working on this best-guess theory LOL, I then take the base address and append /21 to the end of it.

Is this making any sense at all?
Still don't know how /19 was derived arrggghhhhhh!!!!!

Unless there are 2 reserved; one for base address and one for broadcast address, 21 - 2 = 19.
Bloody guessing here now.

I did some Cisco certification a few years ago, but it's all a black hole to me now.



Accepted Solution

gnegrota earned 2000 total points
ID: 11818137
:-) Ok... /19 means the MASK 11111111.11111111.11100000.00000000, i.e. you can count 19 "1"s in the mask, so... Is it more clear now? And, yes, it is a network range - (with some exclusions; anyway, there are 2046 definable subnets).
For me, the attack seems a simple spoofing to gain access to a victim's mailbox, and it is "normal" to receive something like this. After all, Yahoo is not responsible for that. Not at first sight... for the free accounts. But this is another ...
Rules about subnetting:
1) IP (AND) Mask = Broadcast address (logical AND, in binary)
2) IP (OR) !Mask = Network address (logical OR in binary; !Mask is the NOT Mask)
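The derivation the thread is circling (start/end range from whois to a /N for the block list, and the mask behind that /N), as an added worked example. This is editor-supplied code, not code from the thread, from Smoothwall or from any of the linked calculators. The sample ranges are constructed; the first one is the /19 whose top address is the binary octets the author wrote out above (01000010 11011010 01011111 11111111 = 66.218.95.255), the other two are invented to show an aligned /21 and a range that no single prefix covers exactly. Two points the code makes that the thread leaves implicit: the prefix length is the number of leading 1 bits in the *mask*, not the number of 1 bits in the top address, and a range only collapses to one /N when it starts on an N-bit boundary and holds exactly 2^(32-N) addresses; otherwise the exact cover is several blocks, which is safer than one deliberately broad block that also blocks strangers. For the two rules at the end of the accepted answer, this code uses the standard assignment: IP AND mask gives the network address and IP OR NOT mask gives the broadcast address.

```python
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad netmask for a /prefix: 19 -> '255.255.224.0', 25 -> '255.255.255.128'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def mask_to_prefix(mask: str) -> int:
    """Prefix length of a dotted-quad mask: the count of its leading 1 bits.

    A valid mask is a run of 1s followed by a run of 0s; anything else is rejected
    so that a typo such as 255.255.0.255 cannot silently be read as a /24.
    """
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    if value != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def network_and_broadcast(ip: str, prefix: int) -> Tuple[str, str]:
    """network = ip AND mask; broadcast = ip OR (NOT mask)."""
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    addr = int(ipaddress.IPv4Address(ip))
    network = addr & mask
    broadcast = addr | (~mask & ALL_ONES)
    return str(ipaddress.IPv4Address(network)), str(ipaddress.IPv4Address(broadcast))


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Smallest list of CIDR blocks that covers exactly first..last, nothing more."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks: List[str] = []
    while lo <= hi:
        prefix = 32  # start with a single host and widen while the block still fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next wider block
            if lo % size != 0 or lo + size - 1 > hi:
                break  # misaligned, or the wider block would spill past `last`
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += 1 << (32 - prefix)
    return blocks


def stdlib_cidrs(first: str, last: str) -> List[str]:
    """Same answer from the standard library, as a cross-check on range_to_cidrs."""
    return [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]


if __name__ == "__main__":
    # Constructed sample ranges of the kind a whois NetRange/inetnum line returns.
    # The first is the /19 whose top address matches the binary the author wrote out;
    # the other two are invented for illustration.
    samples = [
        ("66.218.64.0", "66.218.95.255"),  # aligned: a single /19
        ("203.23.8.0", "203.23.15.255"),   # aligned: a single /21
        ("10.0.0.100", "10.0.0.200"),      # not aligned: needs several blocks
    ]
    for first, last in samples:
        print(f"{first} - {last}: {', '.join(range_to_cidrs(first, last))}")
    print("/19 mask:", prefix_to_mask(19))
    print("network/broadcast of 66.218.95.255 under /19:",
          network_and_broadcast("66.218.95.255", 19))
```

The entries `range_to_cidrs` returns are what goes into the IP block list; if it returns more than one block for a whois range, enter all of them rather than rounding the range up to one shorter prefix. `mask_to_prefix` is the direction to use when a lookup hands back a dotted mask instead of a /N.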

