Topic: Deny outbound smtp except from server  (Read 4757 times)
« Reply #15 on: July 27, 2013, 17:33:49 »
Lee Sharp *****
Posts: 517

Well, I know how to calculate netmasks and a /30 is four addresses, two of which are usable.

And as you said, the /31 rule he started with should have worked but didn't.
But was it the /31 that failed, or the "not?"  I have had bad luck with "not" rules used like that...  A lot of it is that it is VERY easy to overlook, and get wrong.
« Reply #16 on: July 27, 2013, 17:47:23 »
Fred Grayson *****
Posts: 994

I don't know what caused it to not work and I am not set up to test it. As I said, 1.8.x does not offer the netmask on a Single host or alias rule.

« Last Edit: July 27, 2013, 18:10:32 by Fred Grayson »

--
Google is your friend and Bob's your uncle.
« Reply #17 on: July 27, 2013, 18:01:04 »
Lennart Grahl ***
Posts: 153

The "subnet mask problem" is just a glitch that happens if you turn off JavaScript.
The dropdown list itself is there to specify which ip net will be matched in a rule. That isn't needed if you want to match a single ip address.

The following is a piece of code from firewall_rules_edit.php which validates user input:
Code:
// Only a "Network" source needs a bit count. A special interface network
// or a "Single host or alias" source does not, so srcmask is not added to
// the list of required fields and whatever the form submitted is ignored.
if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
    $reqdfields[] = "srcmask";
    $reqdfieldsn[] = "Source bit count";
}

This tells us that the subnet mask will be completely ignored as it isn't part of "required fields" if a single host is addressed.
« Reply #18 on: July 27, 2013, 18:06:22 »
Fred Grayson *****
Posts: 994

I thought that's what Network is for, not Single host or alias.

--
Google is your friend and Bob's your uncle.
« Reply #19 on: July 27, 2013, 18:20:10 »
Lennart Grahl ***
Posts: 153

The network is there to match multiple addresses (a whole network).
For example, the network address 192.168.0.0/30 would match any address from 192.168.0.0 to 192.168.0.3.
« Reply #20 on: July 27, 2013, 18:29:35 »
Fred Grayson *****
Posts: 994

I know that. Why is a netmask presented for Single host or alias?

--
Google is your friend and Bob's your uncle.
« Reply #21 on: July 27, 2013, 18:50:03 »
Lennart Grahl ***
Posts: 153

If you click on "Single host" a little JavaScript code will disable (i.e. "grey out") the network mask drop-down list. Of course that doesn't work if you turn off JavaScript. That's all.
« Reply #22 on: July 27, 2013, 18:57:48 »
Fred Grayson *****
Posts: 994

Well, obviously, for Network, a netmask is required. And for a single host or alias, none is required, and none should be presented, even if it is meaningless. Might be something to add to the fix it list.

--
Google is your friend and Bob's your uncle.
« Reply #23 on: July 27, 2013, 19:10:12 »
Lennart Grahl ***
Posts: 153

It's possible to tell the user to turn on JavaScript, but I think that's all you can do, unless you want to overcomplicate this form. There are a lot of elements that are disabled/enabled depending on what the user has selected.

A solution without JavaScript would be a "step-by-step" form. And I have to say, I wouldn't like that.

Nevertheless, I'm with you that the current behaviour is a bit odd.
« Last Edit: July 27, 2013, 19:12:06 by Lennart Grahl »
« Reply #24 on: July 28, 2013, 11:37:45 »
brushedmoss ****
Posts: 446

A /31 is two addresses and only makes sense in a point-to-point setup, as you won't have a subnet ID or broadcast address requirement. RFC 3021.

A /32 is used to match 1 address; bitwise operations will require an exact match. Bitwise operations on a /31 will match two addresses.

The first recommendation to block SMTP assumed there was a permit to allow the SMTP server first, I'm guessing, and there wasn't, which I'm guessing explains the rest of the thread.

The web UI, AFAIK, sets the subnet to /24 by default. It's ignored if selecting a host or LAN, and used when selecting a subnet. Any changes to it get ignored unless you have selected a subnet rule.
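The masking arithmetic described above (a /32 is an exact match, a /31 covers two addresses, Lennart's /30 in Reply #19 covers four) and the rule-ordering point about needing the SMTP server's permit before the block, as an added Python example. This is not code from the thread or from m0n0wall; it assumes first-match rule evaluation, a constructed server address 192.168.1.10, and a default-pass for traffic no rule matches.

```python
import ipaddress  # standard library; used for parsing/printing, the matching itself is done bitwise


def prefix_to_mask(prefix: int) -> int:
    """Netmask for a prefix length as a 32-bit integer (e.g. /30 -> 0xFFFFFFFC)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def cidr_matches(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr. A bare address is treated as /32 (exact match)."""
    net, _, plen = cidr.partition("/")
    mask = prefix_to_mask(int(plen) if plen else 32)
    # Mask both sides: only the network bits are compared, host bits are ignored.
    return (ip_to_int(net) & mask) == (ip_to_int(ip) & mask)


def addresses_covered(cidr: str) -> list[str]:
    """Every address a CIDR source rule will match, network and broadcast included."""
    net, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    base = ip_to_int(net) & prefix_to_mask(prefix)
    return [str(ipaddress.IPv4Address(base + i)) for i in range(1 << (32 - prefix))]


# Constructed sample address for the mail server (not from the thread).
SMTP_SERVER = "192.168.1.10"

# Rule tables: each rule has an action, a source CIDR and a destination port
# (None = any port). The first matching rule decides (assumed first-match semantics).
RULES_BLOCK_FIRST = [
    {"action": "block", "src": "0.0.0.0/0", "dport": 25},
    {"action": "pass", "src": f"{SMTP_SERVER}/32", "dport": 25},  # never reached
]
RULES_PERMIT_FIRST = [
    {"action": "pass", "src": f"{SMTP_SERVER}/32", "dport": 25},
    {"action": "block", "src": "0.0.0.0/0", "dport": 25},
]


def evaluate(rules, src_ip: str, dport: int, default: str = "pass") -> str:
    """Return the action of the first rule matching (src_ip, dport), else the default."""
    for rule in rules:
        if cidr_matches(rule["src"], src_ip) and rule["dport"] in (None, dport):
            return rule["action"]
    return default  # no rule matched; the default is a constructed assumption


if __name__ == "__main__":
    for cidr in ("192.168.0.0/30", f"{SMTP_SERVER}/31", f"{SMTP_SERVER}/32"):
        print(cidr, "->", addresses_covered(cidr))
    print("block first, server:", evaluate(RULES_BLOCK_FIRST, SMTP_SERVER, 25))
    print("permit first, server:", evaluate(RULES_PERMIT_FIRST, SMTP_SERVER, 25))
    print("permit first, other host:", evaluate(RULES_PERMIT_FIRST, "192.168.1.20", 25))
```

Running it shows why the /31 variant is risky even when it "works": 192.168.1.10/31 also matches 192.168.1.11, so a neighbouring host would be allowed to send mail too, while the /32 permit covers exactly the server. It also shows that with the block rule first, the server's permit is never consulted.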

 