[Courses] [Security] Firewalls: Ipchains syntax and implementation
Kai MacTane
kmactane at GothPunk.com
Mon Apr 8 14:02:29 EST 2002
At 4/8/02 01:28 PM, Malcolm-Rannirl wrote:
>I also never quite understood the "/n" part of a.b.c.d/n. It's probably
>fairly simple, but I've not seen an explanation.

This notation is "Classless Inter-Domain Routing", generally abbreviated
CIDR (pronounced like the stuff you get from apples, "cider"). The deal is
that it's a way of expressing a netmask along with a starting address. The
number after the slash runs on a scale from 0-23, and designates the number
of "1" bits in the netmask.

Except that this isn't exactly a normal netmask; it's how many leading bits
match that of the address specified before the slash. So, it acts just like
a normal netmask *if* the trailing quad(s) is/are 0.

To really deal with this, it may help to remember that an IP address, like
1.2.3.4, isn't really a sequence of decimal numbers; it's actually a
single, 32-bit number. So 1.2.3.4 is really 00000001000000100000001100000100.

Maybe this would work better if I gave a few examples. Consider
192.168.1.0, with netmask 255.255.255.0. (I.e., the Class C network
192.168.1.) In CIDR notation, it's 192.168.1.0/24. The first three bytes
(192, 168, and 1) must match. So effectively, what we're doing is
specifying a glob pattern that could also be thought of as 192.168.1.* .

IOW, an old-style Class C is equivalent to x.y.z.0/24. An old-style Class B
is x.y.0/16, and a Class A is x.0/8.

Now, the nifty thing about CIDR is that, unlike the old classful
addressing, you *don't* have to align on a standard subnet boundary. For
example, I have a static IP range from my DSL provider of 64.81.50.196/30.
Let's analyze this.

Since the /30 is greater than /24, obviously I have far less than a whole
Class C (or, to put it better, I have fewer than 256 IP addresses). In
fact, if you look at the fact that an IP address is 32 bytes, and look at
the /8, /16, and /24 sizes, you can determine that the following formula holds:

    N = 2^(32 - X)

where N is the number of IP addresses contained in a /X. Let's quickly
verify that. For a /24 (which we know must be 256 IPs, as in a Class C),
32-24=8; 2^8=256. Yay! A /16 should be 65536 IPs, as in a Class B, and
32-16=16, and 2^16=65536. I'll leave verifying it for a /8 to the reader,
if anyone cares.

So, my /30 is 2^(32-30=2) = 4 IPs. At this point, you could just cut to the
chase and think of it as "the four IPs starting at 64.81.50.196 (i.e.:
.196, .197, .198 and .199)" -- and you'd have the right answer -- but as a
learning exercise it may also help to go through the real thing that's
happening.

64.81.50.196 is not a bunch of decimal numbers, it's one huge binary
number. Specifically, let me break it down by quads:

     64 = 01000000
     81 = 01010001
     50 = 00110010
    196 = 11000100

These can all be strung together as 01000000010100010011001011000100, but
really, we're just concerned with the final 11000100. The /30 does not
really mean "count four starting from there"; what it means is "match all
but the last two digits". IOW, match 110001??. So the options are 11000100
(the lowest one in the group), 11000101, 11000110, and 11000111.

Hope that's enough of an explanation to make sense without being too much
of an overload. Probably the really-brief version would be "when you see
/8, /16 and /24, think Classes A, B and C, respectively", because that will
get you through 90% or so of instances where you see CIDR.

--Kai MacTane
----------------------------------------------------------------------
"And when I squinted/The world seemed rose-tinted;
Angels appeared to descend..."
--Depeche Mode,
"Waiting for the Night"
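The arithmetic the mail walks through (address as one 32-bit number, the /n as a count of leading bits that must match, N = 2^(32 - X) addresses per block, and the 110001?? pattern for 64.81.50.196/30), as an added example that is not part of the original post or of any ipchains code. All function names are mine. It goes a little beyond the mail: it accepts any prefix length from 0 through 32, clears the host bits of whatever address is written before the slash (so 64.81.50.197/30 names the same block as 64.81.50.196/30), and ends with `matches()`, which is the test a packet filter performs when it decides whether a packet's address falls under a rule written as a.b.c.d/n.

```python
# Added example (not from the original post): CIDR arithmetic done the way
# the mail describes it, treating an IPv4 address as one 32-bit number and
# a.b.c.d/n as "the first n bits must match".  All function names are mine.


def ip_to_int(dotted):
    """Pack a dotted quad such as '1.2.3.4' into a single 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Inverse of ip_to_int: 32-bit integer back to a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """The 32-character bit string the mail writes out for 1.2.3.4."""
    return format(ip_to_int(dotted), "032b")


def prefix_to_netmask(prefix):
    """Netmask with `prefix` leading 1 bits; valid prefix lengths are 0..32."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32, got %r" % prefix)
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_cidr(cidr):
    """Return (network, prefix) for 'a.b.c.d/n'.

    Host bits of the written address are cleared, so 64.81.50.197/30 names
    the same block as 64.81.50.196/30: the /n is a bit pattern to match, not
    a count that starts wherever you happen to write it.  A bare address
    with no slash is treated as /32 (a single host).
    """
    addr, _, pfx = cidr.partition("/")
    prefix = int(pfx) if pfx else 32
    network = ip_to_int(addr) & prefix_to_netmask(prefix)
    return network, prefix


def block_size(prefix):
    """N = 2^(32 - X): how many addresses a /X contains."""
    prefix_to_netmask(prefix)  # reuse its range check
    return 1 << (32 - prefix)


def address_range(cidr):
    """First and last address of the block, as dotted quads."""
    network, prefix = parse_cidr(cidr)
    return int_to_ip(network), int_to_ip(network + block_size(prefix) - 1)


def expand(cidr, limit=1024):
    """Every address in the block; refuses blocks larger than `limit`."""
    network, prefix = parse_cidr(cidr)
    if block_size(prefix) > limit:
        raise ValueError("block too large to list: %s" % cidr)
    return [int_to_ip(network + i) for i in range(block_size(prefix))]


def bit_pattern(cidr):
    """The mail's '110001??' view: the fixed bits, then '?' per host bit."""
    network, prefix = parse_cidr(cidr)
    return format(network, "032b")[:prefix] + "?" * (32 - prefix)


def matches(address, cidr):
    """The test a packet filter applies: does `address` fall under `cidr`?"""
    network, prefix = parse_cidr(cidr)
    return (ip_to_int(address) & prefix_to_netmask(prefix)) == network


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "64.81.50.196/30", "64.81.50.197/30"):
        net, pfx = parse_cidr(cidr)
        print(cidr, "->", int_to_ip(net), "mask", int_to_ip(prefix_to_netmask(pfx)),
              block_size(pfx), "addresses", address_range(cidr), bit_pattern(cidr))
```

Running the script prints, for each of the three sample blocks, the network address, the dotted netmask, the address count, the first and last address, and the bit pattern with `?` in the host positions; the two /30 lines come out identical, which is the point about host bits. The `limit` guard in `expand()` exists because a /8 is 16,777,216 addresses and nobody wants that as a list by accident.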