Lee Smallbone wrote:
> I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
>
> # A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
> # and 3) destination port, separated by a comma (","), e.g.
> # "4.0.0.0/8,192.168.1.6,8000",
> # "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
> #
> It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
>
> 4.0.0.0/8 or
The '8' in the above tells us that the first 8 bits of that dotted quad number form the network address, which in this case is just the 4 (each portion of the dotted quad number is 8 bits long). A mask of 16 would signify that the first two parts (half) represent the network.
> 4.4.4.4/12 how does this work?
This is where things get more complicated and you have to start writing out these numbers in binary form. This '12' says that the network mask here consists of the first quarter of the dotted quad (8 bits) plus the first 'half' of the second part of the dotted quad (4 bits). So all the IPs that had the first 12 bits of their IP the same would be seen as being in the same network.
> Say I want 192.168.1.1 or 212.229.151.151, how would I work out the subnets to those? It's baffling me.
Well, the first one's easy, since that is a standard class B private subnet (although it's frequently used with a class C subnet mask of 24). The network for the second one just depends (as do most addresses) on what the subnet mask is (this 212... address is actually a class C network, so will originally have had a subnet mask of 255.255.255.0, or 24 if we stick to the format that we're using here). Often ISPs may have been assigned a class B address range (mask 16), but internally they would split this up into many smaller subnets with different masks.

For example, my (fixed) IP address is officially a class B address (netmask 16); however, internally this has been split up into smaller subnets, so my actual netmask is 255.255.255.240, which is 11111111.11111111.11111111.11110000 in binary, or 28 in your format. This means that only computers with the first 28 bits of their IP addresses the same as mine are counted as being on my subnet.

If this 212... address is one that you've been assigned, then you can run 'ifconfig' and it should tell you what the mask is currently set at, which will at most be 255.255.255.0 (due to it being a class C network), but possibly less.

I hope you managed to follow that - it's a bit long winded... In short, given an IP address, it isn't always easy to tell which subnet it belongs to - in fact it's impossible to be certain.

Hope that helps though,

Chris

--
Apologies to everyone who has been waiting for replies off me over the past few weeks - I've been away from my computer. I'll try to catch up with my email over the coming days, but don't be surprised if you get a reply in a month's time...

    __ _
 -o)/ /  (_)__  __ ____ __     Chris Reeves
 /\\ /__/ / _ \/ // /\ \/ /    ICQ# 22219005
_\_v __/_/_//_/\_,_/ /_/\_\

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
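The arithmetic Chris walks through above (prefix length to netmask, clearing the host bits to get the network, and "same first N bits" membership) is easy to get wrong by hand, and a wrong source net in a forwarding rule silently widens who is allowed through the firewall. The following is an added example, not code from the original thread or from SuSEfirewall itself; it implements the bit operations directly rather than calling Python's ipaddress module so the binary working is visible, and it reuses the addresses and the three sample rules quoted in the message. The rule format (source net, destination, port, comma separated) is taken from the quoted config comment; the rule-matching helper is a hypothetical illustration of how such a source net is interpreted, not SuSEfirewall's own matching code.

```python
# Added example (not from the mailing-list post): CIDR prefix -> netmask,
# network address and subnet membership, using the thread's own addresses.

def ip_to_int(ip: str) -> int:
    """Dotted quad (e.g. '4.4.4.4') -> 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {ip!r}")
    value = 0
    for p in parts:
        octet = int(p)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """Prefix length -> mask: the top `prefix` bits set, the rest clear (/8 -> 0xFF000000)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length: 255.255.255.240 -> 28.
    Rejects non-contiguous masks such as 255.0.255.0, which are not valid CIDR."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def to_binary(value: int) -> str:
    """32-bit integer -> dotted binary, the form used in the thread."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def network_of(cidr: str) -> tuple:
    """'4.4.4.4/12' -> ('4.0.0.0', 12): AND with the mask clears the host bits.
    A bare address with no '/' is treated as a single host (/32)."""
    ip, _, prefix = cidr.partition("/")
    prefix = int(prefix) if prefix else 32
    net = ip_to_int(ip) & prefix_to_mask(prefix)
    return int_to_ip(net), prefix


def same_subnet(ip: str, cidr: str) -> bool:
    """True when `ip` shares its first `prefix` bits with the address in `cidr`."""
    net_ip, prefix = network_of(cidr)
    return (ip_to_int(ip) & prefix_to_mask(prefix)) == ip_to_int(net_ip)


def matching_rules(src_ip: str, rules):
    """Hypothetical matcher: which 'src_net,dst,port' rules does this source hit?"""
    hits = []
    for rule in rules:
        src_net, dst, port = rule.split(",")
        if same_subnet(src_ip, src_net):
            hits.append((dst, int(port)))
    return hits


# Constructed sample rules, copied from the config comment quoted in the thread.
RULES = [
    "4.0.0.0/8,192.168.1.6,8000",
    "4.4.4.4/12,20.20.20.20,22",
    "12.12.12.12/12,20.20.20.20,22",
]

if __name__ == "__main__":
    for cidr in ("4.0.0.0/8", "4.4.4.4/12", "212.229.151.151/28"):
        net, p = network_of(cidr)
        mask = prefix_to_mask(p)
        print(f"{cidr:22} mask {int_to_ip(mask):16} {to_binary(mask)}  network {net}/{p}")
    print("255.255.255.240 is /%d" % mask_to_prefix("255.255.255.240"))
    print("4.9.0.1 matches:", matching_rules("4.9.0.1", RULES))
```

Note what the example makes visible: "4.4.4.4/12" is really the network 4.0.0.0/12, so a source of 4.9.0.1 matches both the /8 and the /12 rule, and 4.15.255.255 is still inside the /12 while 4.16.0.0 is not. When reviewing a rule, compute the network address first and check that the resulting range is no wider than intended.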