Host declarations in different ranges within the same subnet
Sten Carlsen
stenc at s-carlsen.dk
Wed Jun 13 17:11:42 UTC 2012
On 13/06/12 18:44, Marcio Merlone wrote:
> Em 13-06-2012 12:40, Simon Hobson escreveu:
>> By doing it with classes, you don't need to bother with
>> known/unknown. Just use an 'allow members of "foo"' in each pool
>> where you want members of the class "foo" to be able to get an
>> address and it'll do it for you. Members of the class will be given
>> access, anything that's not a member will not.
>>
>> Whenever you use an allow (or deny), there is an implicit deny (or
>> allow). So once you've allowed members of a class, then everything
>> else is implicitly denied. Don't mix allow and deny - they don't work
>> as most people expect, and I can't remember how it works even though
>> it's been explained several times over the years !
>>
>> If you want a separate pool for all clients not in any of the
>> classes, then you do it like this :
>>
>> pool {
>>     range ...
>>     deny members of "foo";
>>     deny members of "bar";
>> }
>> You need to list all the classes you've allowed elsewhere in the deny
>> list. Any not denied will be implicitly allowed.
>
> Things are getting nicely clear now. In fact, I don't need two
> classes, I just need to protect one range to some few selected hosts
> (subclass). The remaining hosts should go to the other range.
> Everything put on place, this should do:
>
> class "classFirewallFullAccess" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;
>
> host closedFw3 {
>     hardware ethernet 00:00:00:00:00:03;
> }
> host closedFw4 {
>     hardware ethernet 00:00:00:00:00:04;
> }
>
> shared-network foo {
>
>     subnet 10.0.0.0 netmask 255.255.255.0 {
>         # GODS: Those have 'permit' on firewall
>         pool {
>             allow members of "classFirewallFullAccess";
>             option routers 10.0.0.100;
>             option blah;
>             range 10.0.0.1 10.0.0.10;
>         }
>         # Mortals: should use the proxy
>         pool {
>             deny unknown-clients;
Here you probably also want to deny "classFirewallFullAccess". Or you
may wish to say: allow known-clients, that will exclude both your class
and the unknown clients.
>             option routers 10.0.0.200;
>             option argh;
>             range 10.0.0.11 10.0.0.20;
>         }
>     }
>
>     # This goes for external sales people, customers, visitors, whatever
>     subnet 10.1.1.0 netmask 255.255.255.0 {
>         ....
>         allow unknown-clients;
>         ....
>     }
> }
>
> I know, I know, this is not a safe/good way to restrict normal people
> on the firewall, someone can manually setup an IP address within the
> GODs range, but this is another issue. ;)
>
> Thanks and best regards.
>
> --
> *Marcio Merlone*
>
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
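The allow/deny rules discussed in this thread are easy to get wrong, so here is an added Python model of how a dhcpd pool's permit list is evaluated. It is not dhcpd code and not from either poster; it assumes dhcpd's documented behaviour: a client that matches any deny statement is excluded from the pool, otherwise a pool with allow statements admits only clients matching at least one of them, and a pool with no allow statements admits everyone not denied. "known-clients" means the MAC has a host declaration. The pool names "gods" and "mortals", the extra host declaration for 00:00:00:00:00:02 and the sample clients are constructed to show what Sten's remark guards against: a class member that also has a host declaration is a known client, so `deny unknown-clients` alone does not keep it out of the second pool.

```python
"""Model of ISC dhcpd pool permit-list evaluation (constructed example).

Assumed semantics, modelled on dhcpd: a matching deny excludes the client;
if the pool has any allow statements the client must match one of them;
a pool without allow statements implicitly allows everything not denied.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Dict


@dataclass
class Client:
    mac: str                         # hardware address as sent on the wire
    client_id: Optional[str] = None  # option dhcp-client-identifier, if sent


@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)  # e.g. ("members", "foo"), ("known-clients",)
    deny: list = field(default_factory=list)


@dataclass
class Config:
    hosts: Set[str]              # MACs that have a host declaration ("known clients")
    classes: Dict[str, Set[str]] # class name -> set of subclass keys
    pools: List[Pool]            # in declaration order, as dhcpd tries them


def class_key(client: Client) -> str:
    """Model 'match pick-first-value (option dhcp-client-identifier, hardware)'.

    The client identifier wins when the client sends one; otherwise the
    'hardware' expression is the htype byte (1 = ethernet) followed by the MAC,
    which is why the subclass lines read 1:00:00:00:00:00:01. Real dhcpd
    compares octet strings; this model compares normalised text."""
    return client.client_id if client.client_id else "1:" + client.mac


def rule_matches(rule, client: Client, cfg: Config) -> bool:
    kind = rule[0]
    if kind == "members":
        return class_key(client) in cfg.classes.get(rule[1], set())
    if kind == "known-clients":
        return client.mac in cfg.hosts
    if kind == "unknown-clients":
        return client.mac not in cfg.hosts
    raise ValueError(f"unsupported permit rule {rule!r}")


def pool_permits(pool: Pool, client: Client, cfg: Config) -> bool:
    if any(rule_matches(r, client, cfg) for r in pool.deny):
        return False                      # any deny match is final
    if pool.allow:
        return any(rule_matches(r, client, cfg) for r in pool.allow)
    return True                           # no allow statements: implicit allow


def permitted_pools(cfg: Config, client: Client) -> List[str]:
    """Names of every pool whose permit list admits this client."""
    return [p.name for p in cfg.pools if pool_permits(p, client, cfg)]


# The two subclass lines from the posted config.
GODS = {"1:00:00:00:00:00:01", "1:00:00:00:00:00:02"}
# Host declarations: closedFw3 and closedFw4 as posted, plus (constructed) a host
# entry for one of the class members to show the case Sten's remark covers.
HOSTS = {"00:00:00:00:00:03", "00:00:00:00:00:04", "00:00:00:00:00:02"}


def build(mortals_deny, mortals_allow=()) -> Config:
    """Build the 10.0.0.0/24 pools with a chosen permit list for the second one."""
    return Config(hosts=HOSTS, classes={"classFirewallFullAccess": GODS}, pools=[
        Pool("gods", allow=[("members", "classFirewallFullAccess")]),
        Pool("mortals", allow=list(mortals_allow), deny=list(mortals_deny)),
    ])


AS_POSTED = build([("unknown-clients",)])                          # deny unknown-clients;
WITH_DENY = build([("unknown-clients",),                            # deny unknown-clients;
                   ("members", "classFirewallFullAccess")])         # deny members of "...";
WITH_ALLOW_KNOWN = build([], [("known-clients",)])                  # allow known-clients;

GOD_UNKNOWN = Client("00:00:00:00:00:01")   # class member, no host declaration
GOD_KNOWN = Client("00:00:00:00:00:02")     # class member that is also a known client
MORTAL = Client("00:00:00:00:00:03")        # closedFw3
VISITOR = Client("00:00:00:00:00:05")       # constructed: neither host nor class member

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("+ deny members", WITH_DENY),
                       ("allow known-clients", WITH_ALLOW_KNOWN)):
        for c in (GOD_UNKNOWN, GOD_KNOWN, MORTAL, VISITOR):
            print(f"{label:20} {c.mac}: {permitted_pools(cfg, c)}")
```

For the config exactly as posted, where the class members have no host declarations, both of Sten's variants give the same result as the original: class members are unknown, so `deny unknown-clients` already keeps them out of the second pool. The explicit `deny members of "classFirewallFullAccess"` is the variant that still holds if a class member later gains a host declaration, whereas `allow known-clients` would then admit it to both pools. The model also shows the pick-first-value side effect: a class member that sends an arbitrary dhcp-client-identifier no longer matches the subclass by hardware address.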