Trusted Solaris Administrator's Procedures

Wildcard Entry and Prefix Length

A wildcard IP address is the IP address of a subnetwork. A subnetwork is defined by its IP address and its netmask. The netmask determines the prefix that has to be common to all the addresses belonging to a subnetwork.

For example, the IP address is a wildcard with a netmask = The subnet is made up of all the IP addresses between and A optional Prefix Length can be specified in the form of an integer. The prefix length determines the size of the subnet and is the number of 1 bits in the netmask.

Table 7-2 Wildcard Address, Netmask, and Prefix Length

class A addresses: a.0.0.0, or a 

class B addresses: a.b.0.0, or a.b  

class C addresses: a.b.c.0, or a.b.c  

netmask = 

netmask = 

netmask = 

prefix length = 8  

prefix length = 16  

prefix length = 24 

With variable-length subnetting, the prefix length does not have to be a multiple of 8. For example, you can have the IP address, with a netmask =, and a prefix length = 27, covering the addresses between and IPv4 network addresses can have a prefix length between 1 and 32. IPv6 network addresses can have a prefix length between 1 and 128.

The trusted network software looks first for an entry that specifically assigns the host to a template, and if it does not find a specific entry, the software looks for the subnetwork entry that best matches the hosts's IP address (a subnetwork with the longest prefix length to which that address belongs).

If a computer's IP address cannot be matched to an entry, communication with that computer is not permitted.

A default entry matches all computers that are not otherwise matched by other entries.

Sites that need to strictly control remote access should remove the entry. They should also assess whether to use any wildcard addresses. For more information, see the tnrhdb(4) man page.)