assistance with a CIDR issue


assistance with a CIDR issue

Joey J
Hello All,

I am using CIDR lookups and am getting some warnings when it doesn't like
certain IP blocks in my CIDR list.
I'm wondering if it doesn't like the 4th octet of the IP's being a zero.
Any help appreciated!

Here is a small piece of the log file:

-----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4151: non-null host address bits in
"194.149.65.0/23", perhaps you should use "194.149.64.0/23" instead:
skipping this rule
-----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4923: non-null host address bits in
"122.169.0.0/15", perhaps you should use "122.168.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4925: non-null host address bits in
"122.167.0.0/15", perhaps you should use "122.166.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4928: non-null host address bits in
"122.161.0.0/15", perhaps you should use "122.160.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4930: non-null host address bits in
"123.111.0.0/15", perhaps you should use "123.110.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4931: non-null host address bits in
"123.109.0.0/15", perhaps you should use "123.108.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4935: non-null host address bits in "122.47.0.0/15",
perhaps you should use "122.46.0.0/15" instead: skipping this rule
-----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4940: non-null host address bits in
"121.247.0.0/15", perhaps you should use "121.246.0.0/15" instead: skipping
this rule -----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4941: non-null host address bits in "121.35.0.0/15",
perhaps you should use "121.34.0.0/15" instead: skipping this rule
-----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 4943: non-null host address bits in "121.97.0.0/15",
perhaps you should use "121.96.0.0/15" instead: skipping this rule
-----------------[MsgHour:1326.32]------------------------------[
TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
/etc/postfix/CIDR, line 5395: non-null host address bits in "117.195.0.0/9",
perhaps you should use "117.128.0.0/9" instead: skipping this rule



Re: assistance with a CIDR issue

Mark Blackman-4
Jack wrote:
> Hello All,
>
> I am using CIDR lookups and am getting some warnings when it doesn't like
> certain IP blocks in my CIDR list.

The error message seems reasonably clear. You shouldn't have any
non-zero bits after the bit position indicated by the network size (/23
below).

I.e. those CIDR entries are inconsistent with CIDR notation.


> /etc/postfix/CIDR, line 4151: non-null host address bits in
> "194.149.65.0/23", perhaps you should use "194.149.64.0/23" instead:
> skipping this rule

Re: assistance with a CIDR issue

Brian Evans - Postfix List
In reply to this post by Joey J
On 11/17/2010 11:54 AM, Jack wrote:
> Hello All,
>
> I am using CIDR lookups and am getting some warnings when it doesn't like
> certain IP blocks in my CIDR list.
> I'm wondering if it doesn't like the 4th octet of the IP's being a zero.
> Any help appreciated!
>
> Here is a small piece of the log file:

The warnings are about your CIDR ignoring some values and postfix
considering them invalid.
> -----------------[MsgHour:1326.32]------------------------------[
> TMsg:21]---[GMsg:7 33%]---[TSpam:14 67%]-----[RunTime:57 seconds]-------
> INFO:  Nov 17 11:38:28 pluto postfix/smtpd[5974]: warning: cidr map
> /etc/postfix/CIDR, line 4151: non-null host address bits in
> "194.149.65.0/23", perhaps you should use "194.149.64.0/23" instead:
> skipping this rule
Example: This is saying "Network range - 194.149.64.0 - 194.149.65.255"

Do you mean 194.149.65.0/24 to just indicate the 194.149.65 subnet?

A great console tool for checking CIDRs is sipcalc at
http://www.routemeister.net/projects/sipcalc/


RE: assistance with a CIDR issue

Joey J
In reply to this post by Mark Blackman-4
> I am using CIDR lookups and am getting some warnings when it doesn't
> like certain IP blocks in my CIDR list.

The error message seems reasonably clear. You shouldn't have any non-zero
bits after the bit position indicated by the network size (/23 below).

I.e. those CIDR entries are inconsistent with CIDR notation.

Hi Mark, thanks for your response, and I apologize if my brain is not
grasping what you're saying.
If I am blocking 194.149.65.0/23 this is a standard format, it tells us that
the IP's are the 194.149.65.0-255 and 194.149.66.0-255.
Are we saying that the CIDR rule within postfix only wants 1 class C at a
time?

Thanks!


> /etc/postfix/CIDR, line 4151: non-null host address bits in
> "194.149.65.0/23", perhaps you should use "194.149.64.0/23" instead:
> skipping this rule


Re: assistance with a CIDR issue

Michael Weissenbacher-2
Hi Jack!
> If I am blocking 194.149.65.0/23 this is a standard format, it tells us that
> the IP's are the 194.149.65.0-255 and 194.149.66.0-255.
This is where you've got it wrong, it means 94.149.64.0-255 and
94.149.65.0-255. If you need 65 and 66 you will need to specify two /24
CIDR entries: 194.149.65.0/24 and 194.149.66.0/24

cheers,
Michael

Re: assistance with a CIDR issue

Brian Evans - Postfix List
In reply to this post by Joey J
On 11/17/2010 12:12 PM, Jack wrote:

>> I am using CIDR lookups and am getting some warnings when it doesn't
>> like certain IP blocks in my CIDR list.
> The error message seems reasonably clear. You shouldn't have any non-zero
> bits after the bit position indicated by the network size (/23 below).
>
> I.e. those CIDR entries are inconsistent with CIDR notation.
>
> Hi Mark, thanks for your response, and I apologize if my brain is not
> grasping what you're saying.
> If I am blocking 194.149.65.0/23 this is a standard format, it tells us that
> the IP's are the 194.149.65.0-255 and 194.149.66.0-255.
> Are we saying that the CIDR rule within postfix only wants 1 class C at a
> time?

Unfortunately, you cannot just make up your own values in CIDR.
The bit values are fixed.

The valid values for 194.149.65.0 - 194.149.66.255 are 2 entries because
the bit masks say that
/23:
194.149.64.0 - 194.149.65.255
194.149.66.0 - 194.149.67.255

are valid only.

In this case, you must specify two /24 entries.

Brian

RE: assistance with a CIDR issue

Joey J
In reply to this post by Michael Weissenbacher-2
Hi Jack!
> If I am blocking 194.149.65.0/23 this is a standard format, it tells
> us that the IP's are the 194.149.65.0-255 and 194.149.66.0-255.
This is where you've got it wrong, it means 94.149.64.0-255 and 94.149.65.0-255. If you need 65 and 66 you will need to specify two /24 CIDR entries: 194.149.65.0/24 and 194.149.66.0/24

cheers,
Michael

OK, yes I see my error, however it's still a valid range.
I do mean 94.149.64.0-255 and 94.149.65.0-255

These IP's come from a combination of places like http://www.okean.com ( they are down at the moment )
Or http://www.spamhaus.org/drop/drop.lasso

The lists provide straight numbers, I then have a script create all my lists then add the REJECT CIDR-BLOCK error etc... so an entry looks like this:
217.199.240.0/20                REJECT CIDR-BLOCK RUSSIA:217.199.240.0/20

So, I'm still confused as to why it doesn't like that.



Re: assistance with a CIDR issue

Jimbo-3
In reply to this post by Joey J
On 11/17/2010 12:12 PM, Jack wrote:
> Hi Mark, thanks for your response, and I apologize if my brain is not
> grasping what you're saying.
> If I am blocking 194.149.65.0/23 this is a standard format, it tells us that
> the IP's are the 194.149.65.0-255 and 194.149.66.0-255.
> Are we saying that the CIDR rule within postfix only wants 1 class C at a
> time?
The start of subnet 194.149.65.0/23 is 194.149.64.0.  194.149.64.0/23
encompasses 194.149.64.0 through 194.149.65.255.  You want
194.149.65.0/24 and 194.149.66.0/24.  Essentially, you've joined the
second /24 of a /23 network with the first /24 of the next /23 network.
  You can't do that.

Re: assistance with a CIDR issue

Stan Hoeppner
In reply to this post by Joey J
Jack put forth on 11/17/2010 11:29 AM:

> So, I'm still confused as to why it doesn't like that.

This is because you have not educated yourself as to what Classless
Inter Domain Routing notation is.  To fully understand this you will be
required to convert these DECIMAL notations into BINARY notation.  Once
you have done so, you will see why 23 significant bits and 15
significant bits don't match the notation you are specifying for those
networks.

The decimal number after the "/" specifies the number of significant
bits in the mask of the BINARY representation of the network address.
Until you understand TCP/IP addresses and masking in BINARY form you
will never fully understand CIDR notation.  See:

http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Keep in mind that all computers speaking TCP/IP do so in binary format,
and your TCP/IP stack is processed internally in binary format.  Dotted
decimal notation is a convenience for humans to be able to comprehend
the addresses and masks.  CIDR is an attempt to make this even easier,
but to use it correctly, you have to understand a little of the binary
basics.

--
Stan

Re: assistance with a CIDR issue

Michael Weissenbacher-2
In reply to this post by Joey J
Hi again!
>
> OK, yes I see my error, however it's still a valid range.
> I do mean 94.149.64.0-255 and 94.149.65.0-255
It isn't valid CIDR notation. Maybe this little tool will help you:
http://www.subnet-calculator.com/cidr.php - key in your numbers and
you'll see that it will correct your range 194.149.65.0/23 to
194.149.64.0/23 which basically means 94.149.64.0 - 94.149.65.255 and
NOT 94.149.65.0 - 94.149.66.255 what you wanted. You MUST split this
definition in two CIDR entries to achieve what you want to achieve.

hth,
Michael
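
Added example, not part of any poster's message: a pre-deployment check for a generated block list like the one described in the thread, using Python's standard `ipaddress` module. It reports each pattern that has host bits set, together with the network Postfix suggests and the range that network really covers, so the widened range can be reviewed instead of silently accepted; `cover_range` gives the exact CIDR entries for an intended first-to-last range. The sample table, function names and tuple layout are assumptions made for this example.

```python
import ipaddress

# Constructed sample in the "pattern  action" layout shown in the thread.
SAMPLE_TABLE = """\
# constructed sample, not the poster's real list
217.199.240.0/20    REJECT CIDR-BLOCK RUSSIA:217.199.240.0/20
194.149.65.0/23     REJECT CIDR-BLOCK
122.169.0.0/15      REJECT CIDR-BLOCK
117.195.0.0/9       REJECT CIDR-BLOCK
"""


def lint_cidr_table(text):
    """Return (line_no, pattern, suggested, first, last) for every pattern
    whose address has bits set beyond the prefix length."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        pattern = fields[0]
        try:
            iface = ipaddress.ip_interface(pattern)
        except ValueError:
            # Not an address/prefix at all: report it without a suggestion.
            findings.append((line_no, pattern, None, None, None))
            continue
        net = iface.network  # address with the host bits masked off
        if iface.ip != net.network_address:
            findings.append(
                (line_no, pattern, str(net), str(net[0]), str(net[-1]))
            )
    return findings


def cover_range(first, last):
    """Smallest list of valid CIDR blocks covering first..last exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


if __name__ == "__main__":
    for line_no, pattern, suggested, first, last in lint_cidr_table(SAMPLE_TABLE):
        print(f"line {line_no}: {pattern} -> {suggested} covers {first} - {last}")
    print(cover_range("194.149.65.0", "194.149.66.255"))
```

Running the lint in the list-generating script, before the table is installed, keeps a skipped rule from leaving a range unblocked without anyone noticing.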