

Block a range of IP addresses

Posted on 2004-08-16
Medium Priority
Last Modified: 2007-12-19

I am trying to add some IP addresses to an IP block list on my smoothwall firewall.

Firstly I do a whois lookup to return a range of IPs

So if I get a bunch of portscans from
I get info about the source network
Which returns a network range -

Now sometimes I get an IP range represented like this
this is easy to then block the entire network by entering  into ipblock

What I want to know: Is there any way to, or any software around that can, represent the range returned in the format that I can enter into IPBLOCK GUI?

So enter start address and end address ( - get a result that encapsulates the range like:       <<<<<< I know this range is too broad, that's what I need to know how to calculate.

Do you know what I mean???

Question by:Alan Warren
LVL 58

Expert Comment

by:Pete Long
ID: 11808367

or if you prefer the short notation
LVL 58

Expert Comment

by:Pete Long
ID: 11808382
or if you support wildcard masking


will block that first IP range you're concerned with
LVL 26

Author Comment

by:Alan Warren
ID: 11808396
Hi Pete

how did you derive this address:

that's my question
and is there any software out there that will derive it for me?

thanks for the response

Alan :)


Expert Comment

ID: 11808580
Solarwinds has a good, free subnet calculator here:

Todd Lammle wrote an excellent chapter on subnetting IP in his Sybex CCNA book. If you can pick that up, it is good reading. If not, try this:


Expert Comment

ID: 11809034 .... subnet, have mask, i.e.

255         .255        .255         .128
|<---------  25 bits '1' --------->|

(is /25, not /26; /26 is .192)


Expert Comment

ID: 11809077 is

NET : 202         .124         .0            .0
Mask: 11111111.11111111.11110000.00000000

i.e. mask

LVL 28

Expert Comment

ID: 11809100
Why don't you block ALL incoming addresses? Your outgoing traffic will be let back in in any case.
If you want to allow a certain computer in you can just enable that address.
Much easier and MUCH more effective than collecting intruder addresses.

LVL 26

Author Comment

by:Alan Warren
ID: 11809118
Hi gnegrota,

sorry for seeming so dumb here but how doing that?
are you subtracting one from the other?

I don't get it ... :)

LVL 26

Author Comment

by:Alan Warren
ID: 11809129
hey Peter

tell me more...

LVL 26

Author Comment

by:Alan Warren
ID: 11809146
Hi EmpKent

downloaded solarwinds but I can't find anywhere to input a range and return an address I can use to block a range

LVL 26

Author Comment

by:Alan Warren
ID: 11809179
The Intrusion detection logs show stuff like this:

Date: 08/16 21:23:48 Name: spp_portscan: portscan status from 1 connections across 1 hosts: TCP(1), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

so I do a whois: and get stuff like:

SSL Cert:  No valid SSL on this Host, Get Secure
Record Type:  IP Address
IP Location:   Australia - Victoria - Melbourne - Australia On Line
Reverse IP:  No websites hosted using this IP address

% [ node-2]
% Whois data copyright terms

inetnum: -
netname:      AOL2-AU
descr:        Australia On Line

So what do I type in the IP Block GUI, and how do I get that from the above range.

Don't mean to be difficult, just don't get it.... LOL



Expert Comment

ID: 11809299
You can try mask   ( that means your interval; and is /21 ), but if you receive an error....leave alone IP subnetting and block :

203.23.x.x is a Class C network and a valid mask is 255.255.255.x , but if the "AOL" are using something like supernetting....:-)

Anyway, you have the solution. The rest is TCP/IP theory and some CISCO stuff.


Expert Comment

ID: 11813983
I might be reading Alan's question wrong, but it looks like he's simply asking for an explanation of CIDR notation or how to convert from a range to format.  Perhaps and can make it a tad clearer for you.  Sorry if that's not what you were confused about.
LVL 58

Expert Comment

by:Pete Long
ID: 11814509
as peakpeak says above

your firewall should be blocking everything (inbound) never try to work out what to block - block everything then you can work out what you want to let in

remember a stateful firewall will let your clients out (if you let them) and will let the same traffic back in implicitly

if you get stuck with subnetting there's an online subnet calculator here

LVL 26

Author Comment

by:Alan Warren
ID: 11816815

this is the deal.

1... I believe that all inbound traffic is blocked by default for any SmoothWall Express 2.0 installation.
2... Each day I check the Intrusion Detection System logs(IDS) for attempts to gain access.
  Date: 08/17 01:13:57 Name: WEB-CLIENT javascript URL host spoofing attempt
  Priority: 1 Type: Attempted User Privilege Gain
  IP info: ->
  References: 1  

3... To confirm that the intruder was not successful, I check for the IP address in the Firewalling log.
4... If the firewalling log has no record matching the IDS log then something is fishy, possible breach, hmmm.
  oOOH can't find it in the firewalling log!

5... So then I lookup the Net Range of the IP that was detected by IDS
  NetRange: -
  NetName:    A-YAHOO-U23

6... Sometimes the CIDR notation is returned by the lookup    CIDR:
   I believe that if I add this CIDR address to the IP Blocklist then the entire NetRange: - will be  explicitly blocked.
   How am I doing so far?

7... Sometimes I don't get a CIDR: I only get a NetRange: -  hmmmm??? This is the problem.
  How do I derive the CIDR that encapsulates the entire netrange?

Got a glimmer of insight from converting the upper range to binary octets 01000010 11011010 01011111 11111111 then counting the 1's  but there are 21 1's not 19 as the CIDR notation suggests

Working on this best guess theory LOL I then take the base address and append /21 to the end of it.

Is this making any sense at all?
Still don't know how /19 was derived arrggghhhhhh!!!!!

Unless there are 2 reserved; one for base address and one for broadcast address, 21 - 2 = 19.
Bloody guessing here now.

I did some cisco certification a few years ago, but it's all a black hole to me now.



Accepted Solution

gnegrota earned 2000 total points
ID: 11818137
:-) Ok... /19 means the MASK 11111111.11111111.11100000.00000000 i.e. You can count 19 of "1" in mask so .... It's more clear now? And, yes, is a network range - (with some exclusions; anyway, there are 2046 subnets definable)
For me, the attack seems a simple spoofing to gain access in a victim mailbox, and it is "normal" to receive something like this. After all, Yahoo is not responsible for that. Not at the first sight... for the free accounts. But this is another ...
Rules about the subnetting:
1) IP (AND) Mask = Broadcast address ( AND logical, in binary)
2) IP (OR) ! Mask = Network address ( OR logical in binary, !Mask is the NOT Mask )
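
The range-to-CIDR conversion asked about in this thread, as an added example that is not part of any participant's post. It goes beyond the single /19 case by also splitting ranges that do not fit one block. The end address 66.218.95.255 is decoded from the binary octets quoted above, the start address 66.218.64.0 is derived from it and the /19, the 192.0.2.x range is constructed, and the function names are illustrative.

```python
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def range_to_cidrs(start: str, end: str) -> list[str]:
    """Split an inclusive IPv4 range into the exact, minimal list of CIDR blocks."""
    lo, hi = _to_int(start), _to_int(end)
    if lo > hi:
        raise ValueError("start address is above end address")
    blocks = []
    while lo <= hi:
        # The largest block starting at lo is limited by lo's alignment
        # (its trailing zero bits) and by how many addresses are left.
        align = (lo & -lo).bit_length() - 1 if lo else 32
        fit = (hi - lo + 1).bit_length() - 1
        host_bits = min(align, fit)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{32 - host_bits}")
        lo += 1 << host_bits
    return blocks

def covering_cidr(start: str, end: str) -> str:
    """Smallest single CIDR containing the range; may be broader than the range."""
    lo, hi = _to_int(start), _to_int(end)
    host_bits = (lo ^ hi).bit_length()        # bits in which the two ends differ
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(lo & mask)}/{32 - host_bits}"

def ones_in(addr: str) -> int:
    """Number of 1 bits in an address. This is not the prefix length."""
    return bin(_to_int(addr)).count("1")

if __name__ == "__main__":
    # Range whose upper address is quoted in binary in the thread.
    print(range_to_cidrs("66.218.64.0", "66.218.95.255"))   # one aligned block
    # Counting 1 bits in the end address gives 21; the prefix length is the
    # number of leading bits the start and end addresses share, which is 19.
    print(ones_in("66.218.95.255"), covering_cidr("66.218.64.0", "66.218.95.255"))
    # Constructed unaligned range: an exact block list versus one broad block.
    print(range_to_cidrs("192.0.2.10", "192.0.2.20"))
    print(covering_cidr("192.0.2.10", "192.0.2.20"))
```

When a whois NetRange is not aligned to a single block, entering the `range_to_cidrs` list blocks exactly that range, while the `covering_cidr` result also blocks neighbouring addresses outside it.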

