Subnet Mask

Hi.
I need to let a range of 10 IP addresses through my firewall, but currently I only know how to let one through at a time.

The interface is browser based and has the following fields (dummy data used!):

  IP-Address           |  Subnet-Mask               |  Operator  |  Start-Port  |  End-Port
  111.111.111.005   |  255.255.255.255(/32)  | =             |                  |

My question is:
If I want to allow through 10 IPs in the range from 111.111.111.001 to 111.111.111.010, can I do this by changing the subnet mask?

Thanks.
Asked by: gjok
 
neteducationCommented:
if you put a mask of 255.255.255.240 you are letting through .0 up to .15
if you put a mask of 255.255.255.248 you are letting through 0 up to 7

these are the only possibilities you have with the subnet mask
0
 
CaltorCommented:
Hi gjok,
A subnet mask of 255.255.255.224(/27) will let through 16 addresses (less 2 for network ip and broadcast=14) giving you 14 addresses. The option before that (255.255.255.240/28) would only give you 8 addresses (6 usable).

Cheers!
0
 
CaltorCommented:
gjok,
Yikes. Sorry, I am wrong; neteducation is right. Dodgy arithmetic.
0
 
rafael_accCommented:
Well  ... let's see:
1 - 10 in binary is ...

0000 0001 to
0000 1010

As you can see you've got the first 4 bits in common. Therefore, your subnet mask should have the last byte 1111 0000 which is 240. Concluding, your subnet mask is: 255.255.255.240.

Of course, you are also including the address range (in binary) from 0000 1011 (11) to 0000 1111 (15). But then, nothing you can do about it unless you block the last range of addresses, one by one!

The idea is that you can block addr blocks of 2^2, 2^3, 2^4, 2^5, ... etc. addresses only.

Cheers.
0
 
SoyYopCommented:
Why don't you use 255.255.255.0 and leave 250+ IP's available?
0
 
Pete LongTechnical ConsultantCommented:
You can't start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using.

0
 
rafael_accCommented:
:D ... I haven't even noticed that!!! Excellent!
Cheers.
0
 
gjokAuthor Commented:
Wow lots of feedback!
I am just asking my client for the exact range. Give me a half hour or so....
0
 
harbor235Commented:
If you wanted to be precise and only allow those addresses then you cannot use a one line policy entry, you would need to add several. If they are the only devices that need that access then that's what I would allow.


111.111.111.0 255.255.255.248 for addresses 0-7
111.111.111.8 255.255.255.255 for address 8
111.111.111.9 255.255.255.255 for address 9
and
111.111.111.10 255.255.255.254 for addresses 10 and 11.

The only other way to include them would be to open up a larger portion of the IP address range than needed, i.e.
255.255.255.240 which includes address 0-15.

harbor235


0
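The trade-off discussed above, one wider mask versus several exact entries, worked through for the range in the question. This is an added example, not code from any poster in the thread; the function names are hypothetical and the addresses are the question's dummy data.

```python
import ipaddress

# Dummy range from the question, written without leading zeros: recent
# versions of Python's ipaddress module reject "111.111.111.001" as ambiguous.
FIRST, LAST = "111.111.111.1", "111.111.111.10"


def exact_entries(first, last):
    """Fewest (address, mask, prefix) rows matching first..last and nothing else."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.netmask), n.prefixlen)
            for n in ipaddress.summarize_address_range(lo, hi)]


def single_entry(first, last):
    """Smallest single address/mask row covering first..last, and what else it admits."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen one bit at a time until the range fits
        net = net.supernet()
    # Every address the mask matches that was not asked for (fine for small blocks;
    # for large ones compare net.num_addresses with the range size instead).
    extra = [str(a) for a in net if not lo <= a <= hi]
    return net, extra


if __name__ == "__main__":
    print("Exact firewall rows:")
    for addr, mask, prefix in exact_entries(FIRST, LAST):
        print(f"  {addr:<16} {mask} (/{prefix})")
    net, extra = single_entry(FIRST, LAST)
    print(f"Single row: {net.network_address} {net.netmask} (/{net.prefixlen})")
    print(f"  also admits {len(extra)} unrequested addresses: {', '.join(extra)}")
```
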
 
CaltorCommented:
PeteLong: what do you mean by this?
"you can't start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using "
If he changes the subnet mask then it won't be a 32 bit subnet anymore will it?
Are you saying he might not own the addresses he wants to let through?
0
 
rafael_accCommented:
He is saying that the example the author gave is wrong. I'll copy&paste it for you:

"The interface is browser based and has the following fields (dummy data used!):

  IP-Address           |  Subnet-Mask               |  Operator  |  Start-Port  |  End-Port
  111.111.111.005   |  255.255.255.255(/32)  | =             |                  |"

Check the subnet mask used!

Cheers.
0
 
CaltorCommented:
Still not getting it. I take that (255.255.255.255/32) to mean only let this specific address through.
0
 
rafael_accCommented:
Yes. That's why PeteLong was saying this is not appropriate for subnetting! Well ... I'll let PeteLong explain that ...
Sorry PeteLong for that.

Cheers
0
 
CaltorCommented:
But the asker was saying the subnet mask wants changing anyway so I can't see it's an issue.
0
 
gjokAuthor Commented:
The subnet mask has never been changed. What's there is the default when creating a new entry.

Anyway, the client has come back and said they can't supply a range because "the servers are segregated into VLANS." (whatever that means), so I can't supply an actual range to demonstrate with.

0
 
gjokAuthor Commented:
Although my question no longer needs answering, I can still use this information for future reference.

I need to work out who to give the points to - to be honest I really don't understand enough about this stuff to know who to award them to ?!?!? :(

Please bear with me...
0
 
CaltorCommented:
I would say that neteducation & harbor235 deserve the points.
0
 
rafael_accCommented:
If I may ... I believe some of us left here useful information, ... others just repeated it!
I believe it's fair enough just to split the points among all of us who really contributed ...

Cheers.
0
 
CaltorCommented:
Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here.
As I see it neteducation gave a workable answer to the original question.
rafael_acc gave an explanation in binary.
Then harbor235 gave an expansion to allow just the 10 addresses. Down to the asker in the end I guess.
just my 2% of a dollar
0
 
rafael_accCommented:
Ah ????

So why are you sorry ??? I saw your post after I submitted mine ... So, my post is not related to yours or whatever ... I don't get what's your point on the ...

"Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here"

Cheers
0
 
CaltorCommented:
I suggested neteducation & harbor235 and thought your post was objecting to my suggestion. I was saying sorry in case I had offended you by not including you in my suggestion.
0
 
rafael_accCommented:
Don't worry! It's good to get some points but that's not my main objective being here! Thanks for the consideration anyway.
Cheers.
0
 
gjokAuthor Commented:
Hi.
Well that was hard work. I ended up splitting the points 50 each to the guys I thought helped me most (especially rafael_acc for explaining it in great detail).
I chose harbor235 as the main answer as he demonstrated how to allow exactly 10 which was what I (originally) needed.

I hope you are all OK with this.
Many thanks to all.
0
 
rafael_accCommented:
Thanks. Good Luck!
Cheers.
0
