On Wed, 12 Apr 2000, Lee Smallbone wrote:
Hi,
I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, separated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
An IP address is 32 bits. It's usually expressed as four decimal numbers each from 0 to 255 (expressing 8 bits), dot delimited, but that's for human use.

Within any logical subnet, all machines have some number of bits, on the left end of the address, in common. For example, on my home network all machine addresses start with 192.168.1.

By convention - for human readability, it really doesn't matter - when you are referring to the subnet, the bits that CAN vary from machine to machine are zeroed. That would make my subnet 192.168.1.0.

However, we aren't quite there yet. We also have to tell the IP stack how many bits are part of the subnet address. There are two ways to do this:

* The old way: create another 32-bit string - called the subnet mask - where all the significant bits are 1 and all the non-significant bits are 0. This is where we get subnets like 192.168.1.0/255.255.255.0. This standard would actually be sensible, if the definition of a subnet didn't require that all the 1 bits in the subnet mask be on the left and all the zero bits on the right, i.e. it can't have a zero bit followed by a 1 bit.

* The new way: just state the number of significant bits. The same sample is 192.168.1.0/24, which means that the leftmost 24 bits of the address are the subnet and the remaining 8 bits are the host specifier.

If you do NOT specify what bits are significant, the usual assumption is that all of them are: you are referring to a host, not a subnet.
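The source field of a forwarding rule, worked through as an added example (not part of the original message and not SuSE Firewall code). The function names are hypothetical and the port is assumed to be numeric; the parser accepts a bare host, a prefix length or a dotted mask, rejects a mask with a 0 bit followed by a 1 bit, and reports when the bits that should be zeroed are not, as in the sample "4.4.4.4/12".

```python
import ipaddress

def mask_to_prefix(mask: str) -> int:
    """Convert a dotted subnet mask ("the old way") to a bit count ("the new way")."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF  # host bits become 1s
    # A valid mask is all 1s followed by all 0s, so the inverted value
    # must have the form 2**k - 1; anything else has a 0 followed by a 1.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - inverted.bit_length()

def parse_source(src: str):
    """Return (network, host_bits_set) for 'a.b.c.d', 'a.b.c.d/24' or 'a.b.c.d/255.255.255.0'."""
    addr, _, suffix = src.partition("/")
    if not suffix:
        prefix = 32  # no significant bits stated: a single host
    elif "." in suffix:
        prefix = mask_to_prefix(suffix)
    else:
        prefix = int(suffix)
    iface = ipaddress.IPv4Interface(f"{addr}/{prefix}")
    # host_bits_set is True when the address was not written with the
    # variable bits zeroed; the rule still covers the whole network.
    return iface.network, iface.ip != iface.network.network_address

def parse_rules(value: str):
    """Parse a space-separated list of 'source,destination,port' rules."""
    rules = []
    for rule in value.split():
        src, dst, port = rule.split(",")
        network, host_bits_set = parse_source(src)
        rules.append({
            "source": network,
            "host_bits_set": host_bits_set,
            "dest": ipaddress.IPv4Address(dst),
            "port": int(port),
        })
    return rules

if __name__ == "__main__":
    # Sample values taken from the configuration comment quoted in the question.
    sample = "4.0.0.0/8,192.168.1.6,8000 4.4.4.4/12,20.20.20.20,22"
    for r in parse_rules(sample):
        note = " (host bits were set in the rule)" if r["host_bits_set"] else ""
        print(f'{r["source"]} -> {r["dest"]}:{r["port"]}{note}')
```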