Host declarations in different ranges within the same subnet

Glenn Satchell glenn.satchell at uniq.com.au
Thu Jun 14 03:29:11 UTC 2012


In that second pool you could have:

deny members of "classFirewallFullAccess";

rather than

deny unknown-clients;

and do away with the host statements. As it is you need to add your
special hosts to a host statement *and* the subclass. Easier to just do it
once.

regards,
-glenn

> On 13-06-2012 12:40, Simon Hobson wrote:
>> By doing it with classes, you don't need to bother with known/unknown.
>> Just use an 'allow members of "foo"' in each pool where you want
>> members of the class "foo" to be able to get an address and it'll do
>> it for you. Members of the class will be given access, anything that's
>> not a member will not.
>>
>> Whenever you use an allow (or deny), there is an implicit deny (or
>> allow). So once you've allowed members of a class, then everything
>> else is implicitly denied. Don't mix allow and deny - they don't work
>> as most people expect, and I can't remember how it works even though
>> it's been explained several times over the years !
>>
>> If you want a separate pool for all clients not in any of the classes,
>> then you do it like this :
>>
>> pool {
>>   range ...
>>   deny members of "foo";
>>   deny members of "bar";
>> }
>> You need to list all the classes you've allowed elsewhere in the deny
>> list. Any not denied will be implicitly allowed.
>
> Things are getting nicely clear now. In fact, I don't need two classes,
> I just need to protect one range to some few selected hosts (subclass).
> The remaining hosts should go to the other range. Everything put on
> place, this should do:
>
> class "classFirewallFullAccess" {
>      match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;
>
> host closedFw3 {
>      hardware ethernet 00:00:00:00:00:03;
> }
> host closedFw4 {
>      hardware ethernet 00:00:00:00:00:04;
> }
>
> shared-network foo {
>
>       subnet 10.0.0.0 netmask 255.255.255.0 {
>           # GODS: Those have 'permit' on firewall
>           pool {
>               allow members of "classFirewallFullAccess";
>               option routers 10.0.0.100;
>               option blah;
>               range 10.0.0.1 10.0.0.10;
>           }
>           # Mortals: should use the proxy
>           pool {
>               deny unknown-clients;
>               option routers 10.0.0.200;
>               option argh;
>               range 10.0.0.11 10.0.0.20;
>           }
>      }
>
>      # This goes for external sales people, customers, visitors, whatever
>      subnet 10.1.1.0 netmask 255.255.255.0 {
>          ....
>          allow unknown-clients;
>          ....
>      }
> }
>
>
> I know, I know, this is not a safe/good way to restrict normal people on
> the firewall, someone can manually setup an IP address within the GODs
> range, but this is another issue. ;)
>
> Thanks and best regards.
>
> --
> *Marcio Merlone*
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
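The configuration that Glenn's suggestion leads to, written out as an added example rather than anything posted in the thread: the second pool denies the class instead of `unknown-clients`, the `host` statements are gone, and each pool carries a single allow or deny so the implicit rule Simon describes applies cleanly. Lease times, the MAC addresses and the 10.1.1.x range are constructed placeholders; the subclass list is the only place a privileged client has to be added.

```conf
# Added example, not from the thread. MACs, lease times and the 10.1.1.x
# range are constructed placeholders.
default-lease-time 600;
max-lease-time 7200;

# Match on the client identifier, falling back to the hardware address,
# and list the privileged clients as subclasses (one line per client).
# This list is the single thing to maintain: no host declarations needed.
class "classFirewallFullAccess" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;

shared-network foo {
    subnet 10.0.0.0 netmask 255.255.255.0 {
        # Privileged range: only class members can lease from this pool.
        # The allow carries an implicit deny for everyone else.
        pool {
            allow members of "classFirewallFullAccess";
            option routers 10.0.0.100;
            range 10.0.0.1 10.0.0.10;
        }
        # Everyone else: deny the class (and nothing else), so every
        # remaining client is implicitly allowed here. No allow/deny mixing
        # within one pool.
        pool {
            deny members of "classFirewallFullAccess";
            option routers 10.0.0.200;
            range 10.0.0.11 10.0.0.20;
        }
    }

    # Visitors' subnet. With no host declarations left in the file every
    # client is an unknown-client, so no allow/deny directive is required.
    subnet 10.1.1.0 netmask 255.255.255.0 {
        option routers 10.1.1.1;
        range 10.1.1.50 10.1.1.200;
    }
}
```

Before reloading the server, run `dhcpd -t -cf /path/to/dhcpd.conf` to syntax-check the file; the caveat Marcio raises still holds, since a pool assignment only controls what the server hands out and does nothing against a statically configured address in the privileged range.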