Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol. They are used for defining networking rules in, e.g., routers and firewalls.

Every entity (server or client) communicating on the internet will have a unique Internet Protocol (IP) address. Most commonly, these addresses are written in human-readable notation as follows: This describes an IP version 4 address. (The internet is moving towards the IP version 6 standard to allow for more resources to be addressed.)


An IP address is actually just a unique binary number - IPv4 allows for around 4.3 billion addresses at one time; IPv6 expands the address space to 3.4×10^38 addresses.

In networking, it is convenient to talk about groups of addresses to help with networking. For instance, different internet providers will be awarded ‘chunks’ of consecutive addresses, so internet routers need only read the start of each IP address before deciding to pass TCP packets off to a known network node.

A netmask is a shorthand for describing a range of IP addresses. A netmask may describe just a single IP address:

  • just the address

Or all possible IP addresses:

  • all 4.3 billion addresses from to

More usefully, it does something in between:

  • the IP addresses and

The left hand side of a netmask (e.g. specifies the host IP address. The right hand side (e.g. /32) specifies how many digits of the host address are significant, when considered as a binary number. Non-significant bits in the binary form are treated as a wild-card.

For instance, in the netmask, the host address can be written in binary as 11000000.10101000.11111111.00000001. To match this netmask, an address must match exactly 32 digits, i.e. have the same binary digit in each position. This means only one address will be matched by this pattern.


The netmask states that the last binary digit is not significant, so will match two addresses: 11000000.10101000.11111111.00000000 and 11000000.10101000.11111111.00000001 (written more readably as and

Similarly states that the last two binary digits are not significant, so will match four different addresses.
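The matching rule described above, written out with bitwise operations as an added example (not part of the original page). The host address is taken from the binary form given in the text; the function names are illustrative, and the /0 case is included to show the "all addresses" end of the scale.

```python
import ipaddress

# Binary form of the host address exactly as given in the text above.
HOST_BITS = "11000000.10101000.11111111.00000001"

def bits_to_int(dotted_bits):
    """Convert dotted binary octets into one 32-bit integer."""
    return int(dotted_bits.replace(".", ""), 2)

def int_to_dotted(value):
    """Render a 32-bit integer in dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(prefix_len):
    """32-bit mask with the top prefix_len bits set (the significant bits)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def matches(host, prefix_len, candidate):
    """True if candidate agrees with host on every significant bit."""
    mask = mask_for(prefix_len)
    return (host & mask) == (candidate & mask)

def matched_range(host, prefix_len):
    """First and last address covered, as dotted-decimal strings."""
    mask = mask_for(prefix_len)
    first = host & mask                  # wild-card bits forced to 0
    last = first | (~mask & 0xFFFFFFFF)  # wild-card bits forced to 1
    return int_to_dotted(first), int_to_dotted(last)

def address_count(prefix_len):
    """Number of addresses matched: 2 to the power of the wild-card bits."""
    return 1 << (32 - prefix_len)

if __name__ == "__main__":
    host = bits_to_int(HOST_BITS)
    for plen in (32, 31, 30, 0):
        first, last = matched_range(host, plen)
        print(f"/{plen}: {address_count(plen)} addresses, {first} - {last}")
        # Cross-check against the standard library; strict=False accepts
        # a host address whose wild-card bits are not all zero.
        net = ipaddress.ip_network(f"{int_to_dotted(host)}/{plen}", strict=False)
        assert str(net[0]) == first and net.num_addresses == address_count(plen)
```

When reviewing firewall rules, note that a host part with non-zero wild-card bits still matches the whole range; `ipaddress.ip_network` with its default `strict=True` raises `ValueError` on such input, which is a convenient lint for rule files.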

