The ip block I want to filter is as follows

xxx.156.130.1 to xxx.156.191.255

You know, this is typical TCP/IP networking course homework stuff you should be doing yourself, but let's see what we can do. x.156.130.1 ... x.156.191.255 1st netblock: x.156.130.0/23 = x.156.130.0...x.156.131.255 2nd netblock: x.156.132.0/22 = x.156.132.0...x.156.135.255 3rd netblock: x.156.136.0/21 = x.156.136.0...x.156.143.255 4th netblock: x.156.144.0/20 = x.156.144.0...x.156.159.255 5th netblock: x.156.160.0/19 = x.156.160.0...x.156.191.255 This is the shortest way to describe the IP range you mean. Note that the IP address x.156.130.0 is in the first netblock, though you said to start at .1. I assumed that was a slipup on your behalf. If not, you'll need another eight definitions. Or, which is probably more practical, use a permit rule for that single IP address to precede all deny/reject rules for the subnets above. Tobias