HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 250


Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
5-30
You can also omit the host keyword to select a specific IP address:
ProCurve(config-std-nacl)# permit 192.168.115.80
ProCurve(config-std-nacl)# deny 192.168.115.80
Using Wildcard Bits. Finally, you can use wildcard bits to permit or deny a
range of IP addresses. Wildcard bits define which address bits the Secure
Router OS should match and which address bits it should ignore. Essentially,
you use the wildcard bits to specify the subnet to which you want the Secure
Router OS to match packets.
When you enter wildcard bits, you use a 0 to indicate that the Secure Router
OS should match the corresponding bit in the IP address. You use a 1 to
indicate that the Secure Router OS can ignore the corresponding bit in the IP
address. In other words, the Secure Router OS does not have to match a
packet's address to that bit.
For example, you might enter:
ProCurve(config-std-nacl)# deny 192.168.1.0 0.0.0.255
In this case, the Secure Router OS will not match any address bits in the fourth
octet of the IP address. The Secure Router OS will match incoming packets
destined to any address on the IP subnet 192.168.1.0 /24 (because it will not
match the bits in the fourth octet). (See Figure 5-8.)
Figure 5-8. Understanding Wildcard Bits

Address and wildcard bits   Fourth-octet wildcard bits          Effect
                            128  64  32  16   8   4   2   1
192.168.1.25 0.0.0.0          0   0   0   0   0   0   0   0     Check all address bits (match all)
192.168.1.0 0.0.0.31          0   0   0   1   1   1   1   1     Ignore last five address bits
192.168.1.0 0.0.0.255         1   1   1   1   1   1   1   1     Do not check address bits in the fourth octet

Implicit "deny any" Entry. Each ACL includes an implicit "deny any" entry
at the end of the list. If traffic does not match an entry in the ACL, the Secure
Router OS firewall does not perform the action specified by the related entry
in the ACP. Instead the firewall moves to the next entry in the ACP (if there
is one).
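The following Python sketch is an added example, not part of the manual or of the Secure Router OS. It models how wildcard bits select addresses and how an address that matches no entry falls through to the implicit "deny any", so an ACL can be checked before it is applied. The function names and the sample ACL are constructed for illustration, and masking address bits that sit under a wildcard 1 is an assumption.

```python
import ipaddress

def parse_entry(line):
    """Parse 'permit|deny [host] A.B.C.D [wildcard]' into (action, addr, wildcard)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    if rest and rest[0] == "host":
        rest = rest[1:]
        if len(rest) != 1:
            raise ValueError("host takes exactly one address")
    if len(rest) == 1:                      # single address: every bit must match
        rest = [rest[0], "0.0.0.0"]
    if len(rest) != 2:
        raise ValueError(f"cannot parse: {line!r}")
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in rest)
    return action, addr, wild

def entry_matches(addr, wild, packet_ip):
    """A 0 wildcard bit must match; a 1 wildcard bit is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (addr & care)

def evaluate(acl_lines, packet_ip):
    """First matching entry wins; None means only the implicit 'deny any' applied."""
    for line in acl_lines:
        action, addr, wild = parse_entry(line)
        if entry_matches(addr, wild, packet_ip):
            return action
    return None

def covered_range(line):
    """Return (first, last, address_count, contiguous) for one entry."""
    _, addr, wild = parse_entry(line)
    first = addr & ~wild & 0xFFFFFFFF
    last = first | wild
    contiguous = (wild & (wild + 1)) == 0   # wildcard has the form 0...01...1
    count = 2 ** bin(wild).count("1")
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)), count, contiguous)

# Constructed sample ACL using the address forms shown on this page.
SAMPLE_ACL = [
    "permit host 192.168.115.80",
    "deny 192.168.1.0 0.0.0.31",
    "permit 192.168.1.0 0.0.0.255",
]
```

When `covered_range` reports a non-contiguous wildcard, the first and last addresses only bound the matched set; the count is still exact.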
