Post #36,676
4/27/02 10:16:24 PM
|
Re: What's a subnet mask, anyway...?
Subnet mask: Consider it as a bit pattern. When a bit is turned on (1), that bit in the IP address is part of the subnet or local network. When a bit is turned off (0), that bit is part of what identifies the computer within the subnet. So if your IP is 192.168.120.5, and your subnet mask is 255.255.255.0, all computers beginning with 192.168.120. would be on your local network. The 5 should identify the specific computer. With this in mind, a subnet mask of 255.0.0.0 would allow for a considerably larger network than 255.255.255.0; but unless you have more than 250 computers on your network, the second would be more appropriate.
Gateway address: This is the address of the computer or router that connects to a larger network or the internet. More specifically, it's the IP address of the network interface on that computer that's connected to the local network. Each of the other computers on the network needs this to know where to send requests that are outside of the subnet defined with the subnet mask. The gateway computer then takes care of sending out the request and processing the reply. The gateway computer itself doesn't need to have this address.
Gateway computer: (No, not the one with the cow patterned box :) This is the computer that has the two network cards. The local network interface has an IP address consistent with the subnet (192.168.120.1 in the example above). The external (or internet) connection would have an IP address which does not match the subnet of the local network. Its IP would be consistent with the external network's subnet, or set up automatically by the external network or ISP.
I hope this helps some.
~~~)-Steven----
"I want you to remember that no bastard ever won a war by dying for his country. He won it by making the other poor dumb bastard die for his country..."
General George S. Patton
|
Post #36,683
4/28/02 12:25:32 AM
|
Think of it as a filter
it filters out all systems except those that you specify. The 255 has all the bits turned on and makes sure that the address matches the IP of the system in that position.
255.255.255.0 will mean that someone with the address 10.10.1.123 would not connect to your system, but 192.168.120.54 would. 255.255.0.0 means that 192.168.120.54 and 192.168.214.221 both would connect but 192.169.12.34 would not.
If they are using a proxy, have them give the proxy address, this might also be a Firewall address. The outside world sees the Proxy/Firewall address anyway. Most likely they have a Class C address on their machines and a Class A address on the Proxy/Firewall.
I hope I got this right, I took a three week crash course on DSL, TCP/IP, Windows 95/98/ME/2000/XP, etc back in Feb. They rushed in information as fast as they could.
I am free now, to choose my own destiny.
|
Post #36,693
4/28/02 2:05:57 AM
|
I guess the question shoulda been: What's a subnet?
When a bit is turned on (1) That bit in the IP address is part of the subnet or local network. When a bit is turned off (0) that bit is part of what identifies the computer within the subnet. So if your IP is 192.168.120.5, and your subnet mask is 255.255.255.0; all computers beginning with 192.168.120. would be on your local network.

OK. But that begs the question, what is a "local network"? Is it a physical demarcation, such as those machines associated with a specific router or hub (or combination of hubs), or is it a purely abstract idea, such as all those computers with an IP address of 192.168.120 in the first 3 octets (even if one of the machines with that address in the first three octets is in Timbuktu)?

Gateway computer: (No, not the one with the cow patterned box :) This is the computer that has the two network cards.

So that would be my host in my original description. Therefore my FTP target host and the gateway computer are the same thing, so my target IP address and the "gateway address" would be the same thing. Also, from what you say, the gateway must be on the same subnet. This leads me to the following idea (hey, it's one in the morning here...I'm allowed a weird idea at this time of day...er, night...)...Can I derive the subnet mask from the NAND of a box's IP address and the target host's IP address (suitably adjusted for octets)? For example, taking your addresses in your explanation, let's say the box is 192.168.120.5, and the FTP host is 192.168.120.1. I notice that the first 3 octets are identical, and that the last one is different, so I can derive a subnet mask of 255.255.255.0. Let's say the box address is 192.168.121.5. I could derive a subnet mask of 255.255.0.0 or (better) 255.255.254.0. Would this work?

I hope this helps some.

You bet it does! Thanks!
jb4 (Resistance is not futile...)
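The mask-derivation idea jb4 floats above, worked through as an added example (not code from anyone in the thread). It compares the two addresses with XOR to find the first bit where they differ, which is the bit-level form of the "first three octets are identical, the last one is different" comparison; the two address pairs are the ones from jb4's post, and the helper names are my own.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_mask(prefix_bits):
    """Prefix length (0..32) -> dotted-quad mask with that many leading 1 bits."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix_bits)) & 0xFFFFFFFF))


def common_prefix_len(ip_a, ip_b):
    """Number of leading bits on which the two addresses agree (0..32).
    XOR sets a 1 at every position where they differ; the highest such bit
    marks where the shared prefix ends (identical addresses give 32)."""
    diff = to_int(ip_a) ^ to_int(ip_b)
    return 32 - diff.bit_length()


def longest_mask_for(ip_a, ip_b):
    """The longest mask under which ip_a and ip_b are still in one subnet."""
    return to_mask(common_prefix_len(ip_a, ip_b))


def octet_aligned_mask_for(ip_a, ip_b):
    """Same idea rounded down to whole octets ('suitably adjusted for octets')."""
    return to_mask(common_prefix_len(ip_a, ip_b) // 8 * 8)


def mask_prefix_len(mask):
    """Count the 1 bits of a (contiguous) mask."""
    return bin(to_int(mask)).count("1")


def mask_consistent(ip_a, ip_b, mask):
    """Would ip_a and ip_b be in the same subnet under this configured mask?
    True for the derived mask and for every shorter one, which is why the
    derivation bounds the mask length but cannot pin it down."""
    return mask_prefix_len(mask) <= common_prefix_len(ip_a, ip_b)


if __name__ == "__main__":
    pairs = (("192.168.120.5", "192.168.120.1"), ("192.168.120.5", "192.168.121.5"))
    for box, host in pairs:
        print(box, host, "->", longest_mask_for(box, host),
              "(per octet:", octet_aligned_mask_for(box, host) + ")")
```

For 192.168.120.5 and 192.168.120.1 the octet-aligned answer is 255.255.255.0 and the exact bit-level answer is 255.255.255.248; for 192.168.120.5 and 192.168.121.5 the two answers are 255.255.0.0 and 255.255.254.0, matching jb4's two candidates. The caveat `mask_consistent` makes visible: two hosts that agree in their first 24 bits may just as well sit on a network configured with 255.255.0.0, so the derivation gives the longest mask that could be in use, not the one that is; the configured mask still has to come from the host's settings or DHCP.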
|
Post #36,696
4/28/02 5:46:01 AM
|
Re: I guess the question shoulda been: What's a subnet?
Here's the deal. Relative to your node, all other nodes are in one of two places: on the local network, or beyond the router.
"On the local network" means that you can send a packet onto the wire with the MAC address of the destination node and it'll get there.
When a node wants to send a packet to another node, it has two choices - either send the packet to the router, or slap the MAC address on it and bung it on the wire.
To do this, the sending node has to know whether the destination node is on the same bit of wire as itself.
It does this by using the subnet mask to work out if the destination network is the same as its own. If it is, the packet gets a MAC address on it. If not, the packet gets sent to the router.
Hope this helps.
Peter [link|http://www.debian.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal]
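Steven's bit-pattern description of the mask and Peter's "direct or via the router" decision, put together in one added example (my code, not from the thread). The host address, mask and gateway are the ones Steven used, assumed here as this host's configuration; the function names are my own.

```python
import ipaddress

# Constructed example, reusing the addresses from the thread: this host is
# 192.168.120.5 with mask 255.255.255.0, and the gateway's LAN interface is
# 192.168.120.1 (all three are assumptions for the demo).
MY_IP = "192.168.120.5"
MY_MASK = "255.255.255.0"
GATEWAY = "192.168.120.1"


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer, so the mask can be applied bit by bit."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def network_part(ip, mask):
    """Bits of ip where the mask bit is 1: the subnet / local-network identifier."""
    return to_dotted(to_int(ip) & to_int(mask))


def host_part(ip, mask):
    """Bits of ip where the mask bit is 0: which computer within the subnet."""
    return to_dotted(to_int(ip) & (~to_int(mask) & 0xFFFFFFFF))


def same_subnet(ip_a, ip_b, mask):
    """True when the two addresses agree on every bit the mask turns on."""
    m = to_int(mask)
    return (to_int(ip_a) & m) == (to_int(ip_b) & m)


def next_hop(dest, my_ip=MY_IP, mask=MY_MASK, gateway=GATEWAY):
    """The sender's two choices: put the packet on the wire with the
    destination's own MAC, or hand it to the router. Returns (how, ip) where
    ip is the address whose MAC the sender must resolve."""
    if same_subnet(my_ip, dest, mask):
        return ("direct", dest)
    return ("via gateway", gateway)


if __name__ == "__main__":
    print("network:", network_part(MY_IP, MY_MASK), " host:", host_part(MY_IP, MY_MASK))
    for dest in ("192.168.120.54", "192.168.121.7", "10.10.1.123"):
        print(f"{dest:15} -> {next_hop(dest)}")
    # The same pair judged under the two masks from the second reply:
    print(same_subnet("192.168.120.54", "192.168.214.221", "255.255.255.0"))  # False
    print(same_subnet("192.168.120.54", "192.168.214.221", "255.255.0.0"))    # True
```

Running it shows 192.168.120.54 going out directly while 192.168.121.7 and 10.10.1.123 are handed to 192.168.120.1; switching the mask to 255.255.0.0 moves 192.168.121.7 into the "direct" group, which is the whole of what the mask decides.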
|
Post #36,701
4/28/02 7:46:16 AM
|
It's a logical view of a physical arrangement.
That is, when you have a set of PCs all on the one piece of Local Area Network, you put them all in the same subnet. A LAN doesn't need to route any of its traffic because all the hosts on the network can talk directly to each other*. OTOH, to talk to hosts on any other subnet requires that the traffic be routed, which is a fancy way of saying that the traffic must go via at least one other host to get to where it's going**. So a local subnet is where all the IP addresses don't need routing to talk to each other.
Wade.
* Repeaters are a bit of a special case. They make all the hosts on two or more LANs look like they are all on the same single LAN.
** The vast majority of traffic on the Internet is routed. In fact, routing rules are the biggest problem in managing major Internet backbone links.
"All around me are nothing but fakes Come with me on the biggest fake of all!"
|
Post #36,713
4/28/02 12:24:35 PM
|
One point to note.
If the firewall is poorly set up so that it just checks the IP address of an incoming packet to determine whether it's local or not, it can be "spoofed" by a computer on the external network claiming to be local. Class A, B, and C IP addresses are for use only with private networks. They should never be seen on the internet, so if your firewall receives a packet from a computer in one of these ranges, it's likely an attempt to hack it. This problem is easily defeated by configuring the firewall to ensure these IP addresses are only accepted on the local interface. Other addresses to watch for are Class D Multicast IP addresses, Class E Reserved Addresses, and the Loopback address. These shouldn't be accepted either. Note this is primarily a concern for connecting a private network to the internet. When connecting two friendly private networks you may not need to be this concerned.
Class | Subnet Mask | IP Addresses |
---|---|---|
Class A | 255.0.0.0 | 10.0.0.0 to 10.255.255.255 |
Class B | 255.255.0.0 | 172.16.0.0 to 172.31.255.255 |
Class C | 255.255.255.0 | 192.168.0.0 to 192.168.255.255 |
Class D | Multicast | 224.0.0.0 to 239.255.255.255 |
Class E | Reserved | 240.0.0.0 to 247.255.255.255 |
Loopback | localhost | 127.0.0.1 |
~~~)-Steven----
"I want you to remember that no bastard ever won a war by dying for his country. He won it by making the other poor dumb bastard die for his country..."
General George S. Patton
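The interface-aware check Steven recommends, as an added example (my code, not a firewall configuration from the thread). The three private ranges are the ones in his table, the Class E block is taken as all of 240.0.0.0/4, and the LAN behind the firewall is assumed to be 192.168.120.0/24; the packets are constructed for the demo.

```python
import ipaddress

# Ranges from Steven's table; the Class E block is taken as all of 240.0.0.0/4
# (240-255, as in the Webopedia quote later in the thread).
PRIVATE = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")   # Class D
RESERVED = ipaddress.IPv4Network("240.0.0.0/4")    # Class E
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
NEVER_FROM_INTERNET = PRIVATE + [MULTICAST, RESERVED, LOOPBACK]

# Assumed LAN behind the firewall (constructed for the example).
LOCAL_NET = ipaddress.IPv4Network("192.168.120.0/24")


def suspect_range(src):
    """The range a source address falls in if it should never arrive from the
    internet, else None."""
    addr = ipaddress.IPv4Address(src)
    for net in NEVER_FROM_INTERNET:
        if addr in net:
            return str(net)
    return None


def verdict(interface, src):
    """Decision for one inbound packet: ('accept' | 'drop', reason).
    The check is tied to the interface the packet arrived on, not just the
    address: a local-looking source is fine on the LAN side and a spoofing
    attempt on the internet side."""
    addr = ipaddress.IPv4Address(src)
    if interface == "external":
        hit = suspect_range(src)
        if hit:
            return ("drop", f"{src} is in {hit}; cannot legitimately come from the internet")
        return ("accept", "routable source on external interface")
    if interface == "internal":
        if addr in LOCAL_NET:
            return ("accept", "source belongs to the local subnet")
        return ("drop", f"{src} is not in {LOCAL_NET} but arrived on the internal interface")
    return ("drop", f"unknown interface {interface!r}")


# Constructed packets: (arriving interface, source address). 203.0.113.7 is an
# RFC 5737 documentation address standing in for an ordinary public one.
PACKETS = [
    ("external", "10.10.1.123"),
    ("external", "203.0.113.7"),
    ("external", "224.0.0.9"),
    ("external", "127.0.0.1"),
    ("internal", "192.168.120.54"),
    ("internal", "172.16.4.9"),
]


def filter_packets(packets=PACKETS):
    """Run every packet through verdict(); returns [(interface, src, decision)]."""
    return [(iface, src, verdict(iface, src)[0]) for iface, src in packets]


if __name__ == "__main__":
    for iface, src in PACKETS:
        print(f"{iface:8} {src:15} {verdict(iface, src)}")
```

The point of keying on the interface rather than the address alone is the one in the post: the same 10.x or 192.168.x source that is ordinary on the LAN side is evidence of spoofing on the internet side, and a firewall that looks only at the address cannot tell the two apart.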
|
Post #36,723
4/28/02 5:56:18 PM
|
Ah.. thanks, Steven
That nice list of categories makes the netmask logic more intelligible to even me - and adds a certain clue when I notice in the logs.. a repetitive address attempting several of the cockamamie &^#$^ countless ports, and its address is one of the suspect Class. This especially.. when they increment! This ain't about a misplaced query, but about snooping (I must suppose).
At which point I'm almost moved to do a look-up and pen a poison e-letter to the putative owner of the block, depending upon mood. Dunno if anyone reads such notes, of course - or acts on the info.
I can imagine that an annotated graphical map could be a boon for those learning from scratch. When I was possibly going to help a local non-profit put their private LAN (run by Win 2K-Server, fancy RAID hdwre etc.) on inet:
After I perused a recommended book on the OS, while I found lots of the cautions to be 'common sensical', I also discovered [what all of you already know]: that you'd damn well better be up to speed, not merely in the endless stream of patches from M/Sloth (and what each one might break, while 'fixing' something else) BUT - you must also be not just acquainted with.. but familiar with a large repertoire of modern sophisticated attacks.
I concluded: I was not up-to-speed and unlikely to become so. Fortunately they found a work-around to permit their (limited need) of internet access, which was kept separate from the LAN and its data. I believe this was a shrewd move on their part - after all, the ONLY version of "NT" in all its convoluted forms, to meet [some Color]-Book Certification - achieved that dubious honor, only when isolated from all I/O.
(Moving them to Open Source non-toy OS was of course, also beyond my competence and.. they had the present working system ~ 'free'.)
ie. Security ain't no job for amateurs, today! I watch with amusement as a friend attempts to get his small LAN 'safe' for exposure to the net, while playing with packet sniffers, then looking for FAQs about why he's seeing (say..) lots of NETBIOS queries appearing after a particular change is made. Yada yada ---> ad infinitum. He's learning of course, but..
A Net Policeman's life is not a happy lot..
Ashton who can think of more entertaining means of self-flagellation than this :(
|
Post #36,728
4/28/02 8:24:08 PM
|
Some nits with A, B, C.
Classes A, B and C are a bit more than you mention...
Every IP address belongs to some network. Some portion of the address denotes a network; the rest is the address of the host in that network.
The size of network portion depends on the bit pattern at the beginning of it:
>>>>>>>>>>>>>>>>>>>>>>>>>> (from [link|http://www.webopedia.com/DidYouKnow/2002/March/IPaddressing.html|Webopedia]) Class A Network -- binary addresses start with 0, therefore the decimal number can be anywhere from 1 to 126. The first 8 bits (the first octet) identify the network and the remaining 24 bits indicate the host within the network. An example of a Class A IP address is 102.168.212.226, where "102" identifies the network and "168.212.226" identifies the host on that network.
Class B Network -- binary addresses start with 10, therefore the decimal number can be anywhere from 128 to 191. (The number 127 is reserved for loopback and is used for internal testing on the local machine.) The first 16 bits (the first two octets) identify the network and the remaining 16 bits indicate the host within the network. An example of a Class B IP address is 168.212.226.204 where "168.212" identifies the network and "226.204" identifies the host on that network.
Class C Network -- binary addresses start with 110, therefore the decimal number can be anywhere from 192 to 223. The first 24 bits (the first three octets) identify the network and the remaining 8 bits indicate the host within the network. An example of a Class C IP address is 200.168.212.226 where "200.168.212" identifies the network and "226" identifies the host on that network.
Class D Network -- binary addresses start with 1110, therefore the decimal number can be anywhere from 224 to 239. Class D networks are used to support multicasting.
Class E Network -- binary addresses start with 1111, therefore the decimal number can be anywhere from 240 to 255. Class E networks are used for experimentation. They have never been documented or utilized in a standard way. <<<<<<<<<<<<<<<<<<<<<<<<<<
So, as we see, all addresses on the Internet belong to an A, B or C network. Certain networks inside A space (as well as others inside B and C space) are declared unroutable, never to appear on the "real" internet. 10.x.x.x is a class A network that's reserved for this purpose. Another A network, 127.x.x.x, is reserved for loopback addresses (so you can have 127.0.0.1 as well as 127.0.0.2 and so on).
However, as the Internet grew, it turned out that the smallest network, class C, is not small enough, and there are not enough of them. On the other hand, class A was too big, and there are too many of them.
That's how the concept of a subnet was born. We create a bit mask that tells us to interpret some part of the host number in the IP address as a subnet. Say we have a class B address 168.20.x.x. Normally, our hosts would have to assume that any host with an address that follows this pattern is on the local network. But, since a LAN with 64K devices on it is unwieldy, we introduce 256 subnets, 256 devices each. Now, our netmask is 255.255.255.0. Each device has to know its netmask to determine whether to send a packet to a gateway or put it directly on the wire.
Note that subnet masks are not arbitrary. For example, with addresses like 168.20.x.x, you cannot have a mask of 255.0.0.0. Those addresses are class B, so the first 2 octets have to be a network for the benefit of "big" internet routers (they keep track of routes to networks according to class A, B and C; they don't know anything about subnets).
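The classful rules quoted above, and the post's point that a subnet mask may only extend the classful network part, as an added example (my code, not from the thread or from Webopedia). It reads the class off the leading bits of the first octet, splits an address the way the quote does, and checks a proposed mask against the class; the example addresses are the ones in the post, and the function names are my own.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def address_class(dotted):
    """Class from the leading bits of the first octet:
    A = 0..., B = 10..., C = 110..., D = 1110..., E = 1111..."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


# Network bits implied by the class; D and E carry no network/host split.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def classful_split(dotted):
    """(class, network octets, host octets) as a classful router sees them,
    e.g. 168.212.226.204 -> ('B', '168.212', '226.204')."""
    cls = address_class(dotted)
    if cls not in DEFAULT_PREFIX:
        return (cls, "", "")
    k = DEFAULT_PREFIX[cls] // 8
    octets = dotted.split(".")
    return (cls, ".".join(octets[:k]), ".".join(octets[k:]))


def prefix_len(mask):
    """Prefix length of a contiguous mask; raises ValueError for a mask whose
    1 bits are not all leading (e.g. 255.0.255.0)."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous mask")
    return ones


def valid_subnet_mask(dotted, mask):
    """A subnet mask may lengthen the classful network part but never shorten it,
    so 255.0.0.0 is rejected for a class B address such as 168.20.x.x."""
    cls = address_class(dotted)
    return cls in DEFAULT_PREFIX and prefix_len(mask) >= DEFAULT_PREFIX[cls]


def subnet_layout(dotted, mask):
    """(number of subnets, addresses per subnet) when the address's classful
    network is cut up with the given mask."""
    if not valid_subnet_mask(dotted, mask):
        raise ValueError(f"{mask} is shorter than the classful mask of {dotted}")
    n = prefix_len(mask)
    subnet_bits = n - DEFAULT_PREFIX[address_class(dotted)]
    return (2 ** subnet_bits, 2 ** (32 - n))


if __name__ == "__main__":
    for ip in ("102.168.212.226", "168.212.226.204", "200.168.212.226", "224.0.0.1", "240.0.0.1"):
        print(ip, "->", classful_split(ip))
    print("168.20.x.x with 255.255.255.0:", subnet_layout("168.20.1.1", "255.255.255.0"))
    print("168.20.x.x with 255.0.0.0 allowed?", valid_subnet_mask("168.20.1.1", "255.0.0.0"))
```

The 168.20.x.x case from the post comes out as 256 subnets of 256 addresses under 255.255.255.0, and 255.0.0.0 is rejected for it because it would cut into the two octets a classful router treats as the network. Note that `prefix_len` also refuses a non-contiguous mask, a configuration mistake that produces the same symptom as a wrong mask: hosts that should be local get sent to the gateway, or the other way round.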
|
Post #36,789
4/29/02 12:42:37 PM
|
My error
I had learned about these classes from the private network perspective, so I'd always thought of them by their private networking ranges only. But I guess they extend to public (internet) IP networks as well. Of course it's just the IPs from the private ranges that you have to watch for on the internet.
~~~)-Steven----
"I want you to remember that no bastard ever won a war by dying for his country. He won it by making the other poor dumb bastard die for his country..."
General George S. Patton
|