This website is helpful in understanding how ACLs work.
It's an interactive exercise.
A disabled bit means that that particular bit MUST MATCH.
Say, for example, we have an address 192.168.1.1:
0.0.0.0 in wildcard masking would mean that the address must exactly match 192.168.1.1.
255 means it can be any number. If I have 255.255.255.255, it means that you can have any old address satisfying your ACL.
This applies to individual bits as well:
00000001 means that all bits must match.
11111111 means that no bits must match.
00011000 means that 128, 64, and 32 must match -- 16 and 8 don't have to, but 4, 2 and 1 do.
So getting down to it, the ACL is designed to block a certain set of computers from accessing the LAN, you know that.
ACLs are applied from the most specific requirements to the most general requirements, as you want to eliminate as much traffic as possible before you get to the stuff you want to pass.
Remember that there is, unless otherwise specified, an implicit deny all at the end of an ACL.
Whatever class of address you're in (if you're not using CIDR) determines the octets you'll be working with.
For example:
Class C: Last octet will hold your wildcard mask.
Class B: Last two octets will hold your wildcard mask.
Class A: Last three octets will hold your wildcard mask.
Once you establish the wildcard mask value, you can fill in 255s or 0s appropriately to determine what bits must and must not match.
So, for example:
access-list 4 deny 1.55.88.111 0.0.255.255
Address 1.55.88.111 - 00000001 00110011 01011000 01101111
Subnet mask 0.0.255.255 - 00000000 00000000 11111111 11111111
would deny all packets with source IP 1.55.x.x
With that IP and subnet mask, we've determined that the first two octets must match, because we've set 0s for them. The last two octets don't matter. The result of our ANDing process is this:
1.55.x.x is blocked
Like I said, you pick your 0s and 255s after you've determined your mask. The first two octets have to match.
If you want to limit a computer from another computer, that's also very easy. The easiest.
Access-list 1 deny 192.168.1.1 0.0.0.0 192.168.1.2 0.0.0.0
Would block 192.168.1.1 specifically from 192.168.1.1.
You can block ports and protocols with extended lists, but only IPs with standard. You'll want to use a lot of extended, because they're very, very flexible.
Access-list 101 permit ip 192.168.1.0 0.0.0.255 host 210.35.86.54 eq 53
That, for example, would be the second extended ACL, and would permit IP traffic from the 192.168.1.0 network to the 210.35.86.54 network on port 53.
permit <protocol> and eq <port> will have to be adjusted according to your needs.
Remember that these are the ACL numbers:
1-99 Standard Access List
100-199 Extended Access Lists
600-699 AppleTalk
800-899 IPX
900-999 Extended IPX
1000-1099 IPX Service Advertising Protocol
Is it a bigger bitch to block a range of IPs inside a network? **** yes it is.
So here's how you do that:
You take the first address you want to block, and the LAST address you want to block. 192.168.1.20 and 192.168.25, for example. There are 5 in between them. Not continuing with this example:
Now write out the value of your first address in binary. Then write out the value you ADD to the lowest to get the highest address in binary. Then do the boolean AND. 0 + 0 = 0. 0 + 1 = 1.
Remember that you will always inadvertently block an address, but you can undo this within the ACL.
So now once you OR that out, you place 0/1 values where the OR operation can result in either 0 or 1 to block the necessary values. You'll have to do this intuitively.
If you want to block 3 addresses, the octet to which you're applying the ACL must have 0/1.
000100(1/0)(1/0) would automatically block x.x.x.19, by accident.
But it would block x.x.x.18, x.x.x.17, and x.x.x.16.
Because 00010000 would be x.x.x.16, 00010010 would be .18, and 00010001 would be .17.
The binary positions that hold 0/1 are the spots that are allowed to shift between 1 and 0 to block addresses.
Here's another example:
192.168.1.35 is a lame-as-hell attacker. He also tries from .40 and .42.
Between 35 and 42 there are eight positions in binary. The first digit is counted.
00001000 is the binary for eight.
00100011 is the binary for 35.
0010(1/0)0(1/0)(1/0), because those last two bits can shift to allow us to pwn the idiot, as well as the 8 value place.
What's 35? 00100011. Idiot blocked on 35.
What's 40? 00101000. Idiot blocked on 40.
What's 42? 00101010. Idiot blocked on 42.
What addresses are accidentally blocked?
Any addresses that fall into the range of the 8, 4, 2 and 1 bits. For example, x.x.x.32+8+4+2+1=47 is accidentally blocked.
Again, this can be fixed with work on ACLs.
I hope this helps you.
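As an added example (not code from anyone in this thread, and the function names are my own), here is a small Python helper that applies the wildcard-mask rule from the post above: it tests whether a packet address hits an entry, builds the single entry that covers a set of hosts (the OR of the bits in which they differ, the "(1/0)" positions in the 35/40/42 walkthrough), and enumerates everything else that entry matches so the collateral can be checked before the line goes on a router.

```python
"""Wildcard-mask helper for Cisco-style ACL entries (added example, not
from the thread; function names are my own). Wildcard bit 1 = don't care,
0 = must match."""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_ip hits 'acl_addr wildcard': the router compares only
    the bits where the wildcard is 0, so (packet XOR entry) AND NOT wildcard
    must come out zero."""
    return (to_int(packet_ip) ^ to_int(acl_addr)) & ~to_int(wildcard) == 0


def cover(hosts: list[str]) -> tuple[str, str]:
    """Tightest single entry (address, wildcard) matching every host: the
    wildcard is the OR of every bit in which the hosts differ (the '(1/0)'
    positions in the post), the address is a host with those bits cleared."""
    ints = [to_int(h) for h in hosts]
    wildcard = 0
    for n in ints[1:]:
        wildcard |= ints[0] ^ n
    return to_str(ints[0] & ~wildcard), to_str(wildcard)


def matched_hosts(acl_addr: str, wildcard: str) -> list[str]:
    """Every address the entry matches, by walking all subsets of the
    wildcard bits (2**popcount entries, so use it on host-range wildcards)."""
    w = to_int(wildcard)
    base = to_int(acl_addr) & ~w
    out, s = [], w
    while True:
        out.append(to_str(base | s))
        if s == 0:
            break
        s = (s - 1) & w  # next smaller subset of the wildcard bits
    return sorted(out, key=to_int)


def collateral(wanted: list[str]) -> list[str]:
    """Addresses a one-line cover of 'wanted' would block by accident."""
    addr, w = cover(wanted)
    return [h for h in matched_hosts(addr, w) if h not in set(wanted)]
```

Run collateral() on the hosts you mean to block and compare the result with what the post says is hit "by accident"; a second, narrower line (or a preceding permit) is how you carve the extras back out.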
Straight_Man (Geeky, in my own way; Naples, FL; Icrontian)
edited December 2003
Access Control Lists, used in Routers.
Do you know how to do a binary OR? Let's say you want to mask 128.000.000.000 for an ACL. Use 127.255.255.255. If you had 128.128.1.10, the true result would be satisfying a mask of 127.127.254.246, and false would be any other IP. Essentially, for any octet value over zero, you take 255 minus that value for a true mask you want the rule to ACT on, and you can tell it scope with 255s for the mask. So, if you wanted to exclude all segments with a major octet IP of 128, your truth-satisfying mask would be 127.255.255.255 and the rule would be a DENY rule. Easier to set up ALLOW rules only for what you do want, and let a DENY ALL kill all else. So, admins are likely to change a connection of a physical sort to permanently trash one workstation, make it a segment the router does not allow at all.
How complex a setup are you considering, as a problem? Can you limit the ACLs needed with a subnet setup in part? Can you do so that most of your rules are ALLOW and not DENY? Sometimes part of the best answer is to redo parts of the subnet or change a physical hookup or pull a cable from one place and put it on another connection.
In essence, for the mask, you take the binary inverse of the octet value, and only mask with wildcards what is inside the scope of your subnet.
He is talking about using IPs and IP ranges to limit access through a router, Thrax, and how to use an ACCESS CONTROL LIST MASK IP to get rule sets for valid inclusion and exclusion rules.
Leishi, it is easiest to do this:
Set up only what you have to include, as most routers will append one rule to the end of your rule set, figured out top-down and line by line. By default that rule is EXCLUDE ALL, and if no other rule matches, the router excludes the connection. So write INCLUSIVE rules, then, if you must, make the last rule EXCLUDE ALL. Since it is line by line, you need the rules in the order you want them checked: specific IP rules last, scope of segments/subnets allowed first, and do it by router port if the router is that flexible. Essentially, falling through to EXCLUDE ALL will auto-exclude things, so do not remove it unless the router adds it back in.
John -- who DID happen to pass Cisco, among other things.
If you read mine, Leishi, I ask that you read the last half again. I did significant editing for clarity, and added additional examples.
Wildcard masking sucks. It's easier to flop around cables or to block certain kinds of traffic through their network adapter on the local computer. You could do that with several programs and built-in functions on either Linux or Windows.
Heh.
//EDIT:
Thank you John. I was already correcting it as you wrote your post. I told him how to block ranges, ports, protocols, and specifics.
I'm wanting to know more about this because I will be taking a test on it tomorrow. I'm not building a network with ACLs. Thanks a lot to both of you guys, that cleared up a lot of confusion.