On Mon, 20 Jan 2003 [EMAIL PROTECTED] wrote:

> I'm wanting to restrict web access, using squid's acl, on two machines in
> the local network here - 192.168.100.20 and 192.168.100.30
>
> My theory on netmask addresses is poor, and I've been specifying the
> addresses and netmask as 192.168.100.20-192.168.100.30/255.255.255.0
>
> This is wrong - squid reports the error:
>
> aclParseIpData: WARNING: Netmask masks away part of the specified IP in
> '192.168.100.20-192.168.100.30/255.255.255.0'
>
> The result is that this blocks more than the intended IP addresses. :(
>
> What should I be specifying as a netmask, and how do I calculate
> appropriate netmasks?
Oooh, netmasks. Interesting things, netmasks. If you can get them right, then you'll never have a problem with IP again. However, the explanation is somewhat involved, so if you want more detail, feel free to email me off list - I'll just answer your question and be done with it.

The short answer is - you can't filter the IP addresses you specify. You have to filter based on bit boundaries in the binary conversion of the address, and for a block that small, they exist at

192.168.100.0 - 192.168.100.15
192.168.100.16 - 192.168.100.31
192.168.100.32 - 192.168.100.47
192.168.100.48 - 192.168.100.63

You can see the progression. So, basically, the smallest block you can filter on which includes the range you want is the addresses from 192.168.100.16 through 192.168.100.31.

To do this, you need the following network definition:

192.168.100.16, netmask 255.255.255.240

This gives you the following definitions:

Network address - 192.168.100.16
Broadcast address - 192.168.100.31
Host addresses - 192.168.100.17 through 192.168.100.30

That covers most of what you want - however, be aware that if you use this definition on only the Squid setup, strange things might happen - I'm not sure exactly HOW Squid parses this information internally - but that's definitely the netmask you need to use to enclose only that block of addresses.

You should note that you'll also block 192.168.100.18, 18 & 19 as well as the ten addresses you want - but you can't do it any other way.

DaZZa

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
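The bit-boundary calculation in the reply above, worked through in code. This is an added example and not part of the original thread: it finds the smallest aligned block covering two addresses, reproduces the "netmask masks away part of the IP" check that Squid's aclParseIpData warns about, and lists which extra hosts an ACL on that block would also match, so the over-match can be reviewed before the rule goes live. The function names are my own.

```python
import ipaddress

def smallest_covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest CIDR block whose bit boundaries enclose both addresses.

    Shortens the prefix one bit at a time until the two addresses share
    the same network bits; the block start is the address with host bits
    cleared (192.168.100.20-.30 -> 192.168.100.16/28).
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        lo, hi = hi, lo
    prefix = 32
    while (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network, prefix))

def netmask_masks_away(ip: str, netmask: str) -> bool:
    """True when host bits of ip are set, i.e. ip is not the block start.

    This is the condition behind Squid's aclParseIpData warning: with
    255.255.255.0 the .20 in 192.168.100.20 is masked away and the ACL
    silently widens to the whole /24.
    """
    addr = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(netmask))
    return (addr & ~mask & 0xFFFFFFFF) != 0

def extra_hosts(block: ipaddress.IPv4Network, wanted: list[str]) -> list[str]:
    """Addresses the ACL would match beyond the ones actually intended."""
    intended = {ipaddress.IPv4Address(w) for w in wanted}
    return [str(a) for a in block if a not in intended]

def squid_acl_line(name: str, block: ipaddress.IPv4Network) -> str:
    """Render the block in Squid's 'address/netmask' src ACL syntax."""
    return f"acl {name} src {block.network_address}/{block.netmask}"

if __name__ == "__main__":
    # Constructed input taken from the question: two hosts on a /24 LAN.
    wanted = ["192.168.100.20", "192.168.100.30"]
    block = smallest_covering_block(*wanted)
    print(squid_acl_line("restricted", block))
    print("bad mask warns:", netmask_masks_away(wanted[0], "255.255.255.0"))
    print("also matched:", extra_hosts(block, wanted))
```

Review the list printed by extra_hosts before deploying: it is the set of hosts that inherit the restriction purely because they sit inside the same aligned block.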