5.2.11. IPv4 Network Object

Figure 5.55. The Network Object


The Network object describes an IP network or subnet. Use the main menu item Net Object / New Network to create objects of this type. The Network object dialog provides the following entry fields:

  • Name:

    Network Object Name

  • Address:

    The IPv4 address of the network.

  • Netmask:

    The netmask, in combination with the address, defines the subnet. You can enter either the dotted-octet representation of the mask or its bit length here; the program always converts it to the octet representation. The netmask in the network object is always entered in the "natural" way, such as "255.255.255.0", even if the object is going to be used to build Cisco IOS access lists, which require the reversed "bit mask" (wildcard) representation instead (e.g., "0.0.0.255" for the netmask above). The Firewall Builder policy compiler performs the required conversion automatically.

  • Comment:

    This is a free-form text field used for comments.

Let's use the network object shown above in a policy rule compiled for different target platforms.

Figure 5.56. IPv4 Network Object Used in a Rule


Here is what we get for iptables:

$IPTABLES -A FORWARD -p tcp -m tcp  -s 172.16.22.0/24  --dport 80  -m state \
--state NEW  -j ACCEPT 

Here is the output produced for PF:

pass in   quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state
pass out  quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state

Here is how the output looks when the rule is compiled into Cisco IOS access lists. (This is one of the generated access lists.)

ip access-list extended outside_out
  permit tcp 172.16.22.0 0.0.0.255 any  eq 80 
exit

Here is what we get when the rule is compiled into a Cisco ASA (PIX) configuration. Note how the compiler uses the netmask 255.255.255.0 for PIX, while for IOS it was converted to 0.0.0.255. Also, the interface "inside" was configured with the network zone 172.16.0.0/12, which matches the network object used in the source element of the rule. Because of that, the compiler placed the rule only in the access list attached to the interface "inside".

access-list inside_acl_in permit tcp 172.16.22.0 255.255.255.0 any eq 80 
access-group inside_acl_in in interface inside
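To make the two conversions described above concrete (normalizing a bit-length or dotted netmask to the octet form, deriving the Cisco IOS wildcard mask from it, and the network-zone check that decides which ASA interface a rule is attached to), here is an added Python example. It is not Firewall Builder's own compiler code; the addresses and the "inside" zone 172.16.0.0/12 are the values from the text above.

```python
import ipaddress

# Constructed sample inputs, taken from the values shown on this page
NETWORK = "172.16.22.0"
MASK = "255.255.255.0"          # the "natural" netmask entered in the object
INSIDE_ZONE = "172.16.0.0/12"   # network zone assumed on the ASA "inside" interface


def normalize_netmask(mask: str) -> str:
    """Accept a dotted netmask ('255.255.255.0') or a bit length ('24') and
    return the dotted-octet form, as the Network object dialog does.
    Non-contiguous masks are rejected by ipaddress."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError("prefix length out of range")
        return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)
    return str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").netmask)


def wildcard_mask(mask: str) -> str:
    """Cisco IOS 'bit mask': the bitwise inverse of the netmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{normalize_netmask(mask)}").hostmask)


def ios_acl_line(address: str, mask: str, port: int) -> str:
    """IOS extended ACL entry uses the wildcard mask."""
    return f"permit tcp {address} {wildcard_mask(mask)} any eq {port}"


def asa_acl_line(address: str, mask: str, port: int, acl: str = "inside_acl_in") -> str:
    """ASA/PIX ACL entry keeps the natural netmask."""
    return f"access-list {acl} permit tcp {address} {normalize_netmask(mask)} any eq {port}"


def zone_matches(address: str, mask: str, zone: str) -> bool:
    """True when the network object lies inside an interface's network zone,
    i.e. the rule belongs in that interface's access list."""
    obj = ipaddress.IPv4Network(f"{address}/{normalize_netmask(mask)}")
    return obj.subnet_of(ipaddress.IPv4Network(zone))


if __name__ == "__main__":
    print(ios_acl_line(NETWORK, MASK, 80))
    print(asa_acl_line(NETWORK, MASK, 80))
    print("inside zone:", zone_matches(NETWORK, MASK, INSIDE_ZONE))
```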

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.