An expression of the form 'n.n.n.n/m.m.m.m' is interpreted as a 'net/mask' pair. An IPv4 host address is matched if 'net' is equal to the bitwise AND of the address and the 'mask'. For example, the net/mask pattern '131.155.72.0/255.255.254.0' matches every address in the range '131.155.72.0' through '131.155.73.255'.

Is there any reason why it must be written out as:

    131.155.72.0/255.255.254.0

... as opposed to using the shorter version:

    131.155.72.0/23
At one point it was possible to create a non-contiguous mask. This would not be doable with the short / notation.
I've never actually used a non-contiguous mask, but there's a whole chapter on it in one of my earlier networking books.
On Thu, 2007-02-22 at 13:58 -0500, Kwan Lowe wrote:
> > An expression of the form 'n.n.n.n/m.m.m.m' is interpreted as a 'net/mask' pair. An IPv4 host address is matched if 'net' is equal to the bitwise AND of the address and the 'mask'. For example, the net/mask pattern '131.155.72.0/255.255.254.0' matches every address in the range '131.155.72.0' through '131.155.73.255'. Is there any reason why it must be written out as: 131.155.72.0/255.255.254.0 ... as opposed to using the shorter version: 131.155.72.0/23
>
> At one point it was possible to create a non-contiguous mask. This would not be doable with the short / notation.
The "short / notation" is called "CIDR" (classless interdomain routing) notation.
> I've never actually used a non-contiguous mask, but there's a whole chapter on it in one of my earlier networking books.
I have. It's a nightmare, but unfortunately many Asian ISPs use it to spam. Makes your iptables and firewall rules rather nasty.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-  Any sufficiently advanced technology is indistinguishable from a  -
-  rigged demo.                                                      -
----------------------------------------------------------------------
Rick Stevens wrote:
> I have. It's a nightmare, but unfortunately many Asian ISPs use it to spam. Makes your iptables and firewall rules rather nasty.
I'm not sure about 'nasty' more so than 'long'. Take for example the entire Korea network. When the request came down to block it, this is what came up when I looked up their range:
    > netmask -s 222.96.0.0:222.122.255.255
    222.96.0.0/255.240.0.0
    222.112.0.0/255.248.0.0
    222.120.0.0/255.254.0.0
    222.122.0.0/255.255.0.0
That meant adding 4 lines to our router's access file. A file that's rather large as it is.
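The net/mask rule quoted from the man page and the range breakdown shown above, as an added example that is not part of the original thread and is not code from tcp_wrappers or the netmask tool. The function names and the `10.0.0.1/255.0.0.255` pattern are constructed for illustration; the other addresses come from the messages above.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def matches(pattern, addr):
    """The quoted rule: match when net == (address AND mask)."""
    net, mask = pattern.split("/")
    return to_int(net) == (to_int(addr) & to_int(mask))

def prefix_len(mask):
    """CIDR prefix length for a dotted mask, or None when the mask is
    non-contiguous and so has no /n equivalent."""
    m = to_int(mask)
    host_bits = m ^ 0xFFFFFFFF
    # A contiguous mask inverts to 2**k - 1 (all ones at the low end).
    if host_bits & (host_bits + 1):
        return None
    return bin(m).count("1")

def range_to_blocks(first, last):
    """Split an inclusive address range into the fewest net/mask blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{n.network_address}/{n.netmask}" for n in nets]

if __name__ == "__main__":
    pat = "131.155.72.0/255.255.254.0"
    for a in ("131.155.72.0", "131.155.73.255", "131.155.74.0"):
        print(a, matches(pat, a))
    print("prefix:", prefix_len("255.255.254.0"))

    # Constructed non-contiguous mask: first and last octet are fixed,
    # the middle two are wildcards. No single /n can express this.
    odd = "10.0.0.1/255.0.0.255"
    print("prefix:", prefix_len("255.0.0.255"))
    print(matches(odd, "10.77.3.1"), matches(odd, "10.77.3.2"))

    for block in range_to_blocks("222.96.0.0", "222.122.255.255"):
        print(block, "-> /%d" % prefix_len(block.split("/")[1]))
```
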
Ashley M. Kirchner wrote:
> Rick Stevens wrote:
> > I have. It's a nightmare, but unfortunately many Asian ISPs use it to spam. Makes your iptables and firewall rules rather nasty.
>
> I'm not sure about 'nasty' more so than 'long'. Take for example the entire Korea network. When the request came down to block it, this is what came up when I looked up their range:
>
>     netmask -s 222.96.0.0:222.122.255.255
>     222.96.0.0/255.240.0.0
>     222.112.0.0/255.248.0.0
>     222.120.0.0/255.254.0.0
>     222.122.0.0/255.255.0.0
>
> That meant adding 4 lines to our router's access file. A file that's rather large as it is.
Korea is one of the most "wired" countries in the world. As such they need a substantial amount of address space. They do not pick their own space on the internet. It is assigned to them.
The fact that the majority of folks in Korea run MS-Windows and many have been hijacked as spam-bots is regrettable. It seems to have had the effect of ill-informed folks labeling Koreans as spammers.
Rick Stevens wrote:
> I have. It's a nightmare, but unfortunately many Asian ISPs use it to spam. Makes your iptables and firewall rules rather nasty.
You should not be using iptables or firewall rules to fight spam. That is a losing battle.
Also, you should not make ridiculous statements such as "Asian ISPs use (non-contiguous masks) to spam".