Yes, you were spot on.  I realized not long after I sent this that the .0 was missing on the end.Thanks!-Brian Date: Tue, 15 Oct 2024 00:32:37 +0000 From: Evan Rempel <erempel@uvic.ca> To: "syslog-ng@lists.balabit.hu" <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] netmask filter issue Message-ID:     <YT4P288MB03355F0F965988C4C22978C0B9452@YT4P288MB0335.CANP288.PROD.OUTLOOK.COM>     Content-Type: text/plain; charset="iso-8859-1" First off, to write a CIDR address correctly you need to use something of the form w.x.y.z/M Your specification is missing the ".z" prtion of the ip address. I think there is also some confusion regarding how netmasks work. The ip address 192.168.128.0 (I assume you want a .0 at the end) written in binary is 11000000.10101000.10000000.00000000 The /17 subnet mask written in binary is  11111111.11111111.10000000.00000000 If we perform a binary AND of these two addresses we get  11000000.10101000.10000000.000000 written in decimal is 192.168.128.0 This means that the FIRST address of this range is 192.168.128.0 If we perform the binary NOT of the subnet mask we get 00000000.00000000.01111111.11111111 When we take the binary OR of this with the IP address (w.x.y.z) we get 11000000.10101000.11111111.1111111 in decimal is 192.168.255.255 which is the last address if the range. The result is that 192.168.1.0/17 means the range 192.168.128.0 -- 192.168.255.255 I hope that helps. -- Evan