> -----Original Message-----
> From: Stephen Angell [mailto:stephen dot angell at gbsd dot org]
> Sent: Monday, February 23, 2004 3:01 PM
> To: Brandon Holland
> Subject: Re: [m0n0wall] rules rule me
> "Brandon Holland" <brandon at cookssaw dot com> writes:
> >Opening a port in your firewall won't magically cause GRC to see that
> >the port is open.
> >A PASS rule bypasses the firewall. If there is a place for the
> >to go once it passes the firewall rule (to say your listening SMTP
> >server on port 25) then GRC will see the mail server and tell you the
> >port is open.
> >If however you have a rule to PASS with nothing to pass to (if you
> >haven't set NAT on the port or m0n0wall doesn't have the port open)
> >it'll hit the top stack and return a reset packet, telling GRC it's
> Sure enough, I started Netmeeting and GRC now says it's open. Thanks for
> education. I am still unable to get it, Netmeeting, working but at
> know it is not the rule that is causing me a problem.
> >This is called Classless Interdomain Routing (CIDR) I believe it is
> >anyway, I'm not looking it up and I've been out of cisco for a
> >At any rate, to keep things brief: 32 is a single host, 24 is
> >255.255.255.0, 16 is 255.255.0.0, 8 is 255.0.0.0, 0 is the world
> >The /number corresponds with the number of bits you want to use as
> >network number. (Leaving what's left as the host number)
> >For a 255.255.255.0 mask the first three octets are network numbers,
> >last is host. 255 is represented by 8 "on" bits and 8*3 equals 24
> >hence the /24 for the typical class C address.
> OK, gotta read up on this one. One question: Is this the mechanism to
> specify a range of IPs to apply a rule to instead of creating a rule
> each IP? A simple yes or no would suffice. If yes, I can then go and
> learn CIDR to figure it out. If no, I guess I have to specify a rule
> each IP.
> Thanks for your reply Brandon ... and your patience with a newbie such
No, it's the replacement for the "old fashioned" subnetting (allows for
more thorough use of the IPv4 space - since it's quickly being used up)
What you're talking about will happen when the new ipfilter comes out
(whenever that may be)
It's just another way of specifying either a host or a network (subnet)
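The prefix-length arithmetic Brandon describes above (/24 is 24 "on" bits, so 255.255.255.0; /32 is one host; /0 is everything) is easy to get wrong by hand, so here is a small worked example. It is added here and is not code from either poster or from m0n0wall: it converts between prefix lengths and dotted masks, checks whether an address falls inside a CIDR block, and applies a constructed first-match rule table to show how a single network rule covers a range of addresses. The rule table and the sample addresses are made up for the illustration.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (big-endian)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))

def prefix_to_mask(prefix: int) -> str:
    """/prefix -> dotted netmask: the first `prefix` bits are 'on', the rest 'off'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /0 -> 0, /32 -> all ones
    return int_to_ip(mask)

def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> /prefix. Rejects masks whose 'on' bits are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) != m:
        raise ValueError("netmask bits are not contiguous: %s" % mask)
    return ones

def parse_cidr(cidr: str):
    """'a.b.c.d/n' -> (network address as int, prefix). A bare address is /32."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    mask = ip_to_int(prefix_to_mask(prefix))
    return ip_to_int(addr) & mask, prefix

def network_address(cidr: str) -> str:
    """The network number of a block, host bits cleared (192.168.1.77/24 -> 192.168.1.0)."""
    net, _ = parse_cidr(cidr)
    return int_to_ip(net)

def address_count(prefix: int) -> int:
    """Number of addresses a /prefix covers: 2 ** host_bits."""
    return 1 << (32 - prefix)

def in_network(ip: str, cidr: str) -> bool:
    """True if `ip` shares the network bits of `cidr`."""
    net, prefix = parse_cidr(cidr)
    mask = ip_to_int(prefix_to_mask(prefix))
    return (ip_to_int(ip) & mask) == net

# Constructed first-match rule table (not m0n0wall's format): source block, dest port, action.
# One /24 entry stands in for 256 per-host rules; the final /0 entry is a catch-all.
RULES = [
    ("192.168.1.0/24", 25, "pass"),
    ("10.0.0.5/32", 25, "pass"),
    ("0.0.0.0/0", 25, "block"),
]

def first_match(rules, src_ip: str, dst_port: int) -> str:
    """Return the action of the first rule whose source block and port match."""
    for block, port, action in rules:
        if port == dst_port and in_network(src_ip, block):
            return action
    return "block"   # implicit default deny when nothing matches

if __name__ == "__main__":
    for p in (32, 24, 16, 8, 0):
        print("/%d -> %s (%d addresses)" % (p, prefix_to_mask(p), address_count(p)))
    for src in ("192.168.1.200", "10.0.0.5", "10.0.0.6"):
        print(src, "-> port 25:", first_match(RULES, src, 25))
```

Running the block prints the mask for each prefix length quoted in the thread and then shows that 192.168.1.200 is passed by the /24 entry, 10.0.0.5 by its single-host /32 entry, and 10.0.0.6 falls through to the catch-all block rule.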