Hi,
this is so called wild card mask. To make it as simple as possible, it is the opposite of the network mask.
Example:
if you want to deny this subnet: 192.168.1.0 255.255.255.0
you have to use this wild card mask: 0.0.0.255
The formula to calculate the wild card is:
255.255.255.255 - subnet mask = wild card mask
255.255.255.255 - 255.255.255.0 = 0.0.0.255
In subnet mask the 1 bit must match and 0 is ignored.
In wild card mask the 0 bit must match and 1 is ignored.