Host declarations in different ranges within the same subnet
Glenn Satchell
glenn.satchell at uniq.com.au
Thu Jun 14 03:29:11 UTC 2012
In that second pool you could have:
deny members of "classFirewallFullAccess";
rather than
deny unknown-clients;
and do away with the host statements. As it is you need to add your
special hosts to a host statement *and* the subclass. Easier to just do it
once.
regards,
-glenn
> On 13-06-2012 12:40, Simon Hobson wrote:
>> By doing it with classes, you don't need to bother with known/unknown.
>> Just use an 'allow members of "foo"' in each pool where you want
>> members of the class "foo" to be able to get an address and it'll do
>> it for you. Members of the class will be given access, anything that's
>> not a member will not.
>>
>> Whenever you use an allow (or deny), there is an implicit deny (or
>> allow). So once you've allowed members of a class, then everything
>> else is implicitly denied. Don't mix allow and deny - they don't work
>> as most people expect, and I can't remember how it works even though
>> it's been explained several times over the years!
>>
>> If you want a separate pool for all clients not in any of the classes,
>> then you do it like this:
>>
>> pool {
>>     range ...
>>     deny members of "foo";
>>     deny members of "bar";
>> }
>> You need to list all the classes you've allowed elsewhere in the deny
>> list. Any not denied will be implicitly allowed.
>
> Things are getting nicely clear now. In fact, I don't need two classes,
> I just need to protect one range to some few selected hosts (subclass).
> The remaining hosts should go to the other range. With everything put in
> place, this should do:
>
> class "classFirewallFullAccess" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;
>
> host closedFw3 {
>     hardware ethernet 00:00:00:00:00:03;
> }
> host closedFw4 {
>     hardware ethernet 00:00:00:00:00:04;
> }
>
> shared-network foo {
>
>     subnet 10.0.0.0 netmask 255.255.255.0 {
>         # GODS: Those have 'permit' on firewall
>         pool {
>             allow members of "classFirewallFullAccess";
>             option routers 10.0.0.100;
>             option blah;
>             range 10.0.0.1 10.0.0.10;
>         }
>         # Mortals: should use the proxy
>         pool {
>             deny unknown-clients;
>             option routers 10.0.0.200;
>             option argh;
>             range 10.0.0.11 10.0.0.20;
>         }
>     }
>
>     # This goes for external sales people, customers, visitors, whatever
>     subnet 10.1.1.0 netmask 255.255.255.0 {
>         ....
>         allow unknown-clients;
>         ....
>     }
> }
>
>
> I know, I know, this is not a safe/good way to restrict normal people on
> the firewall, someone can manually set up an IP address within the GODs
> range, but this is another issue. ;)
>
> Thanks and best regards.
>
> --
> *Marcio Merlone*
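As an added example (not code from the thread or from ISC dhcpd), the following Python models the permit-list semantics Simon describes and compares Marcio's "deny unknown-clients" pool with the "deny members of" pool Glenn suggests. The rule encoding, the sample clients and the assumption that a subclass member without a host declaration counts as unknown are mine, not the thread's.

```python
# Added model of dhcpd pool permit lists (not ISC code). Assumptions: a client
# is the set of classes it matches plus a "known" flag (host declaration exists);
# any matching deny rejects; an allow list means "deny everything not allowed".
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Client:
    mac: str
    classes: frozenset = frozenset()
    known: bool = False          # True only when a host declaration exists

@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)   # e.g. ("members", "foo")
    deny: list = field(default_factory=list)    # e.g. ("unknown-clients",)

def _matches(rule, client):
    kind = rule[0]
    if kind == "members":
        return rule[1] in client.classes
    if kind in ("known-clients", "unknown-clients"):
        return client.known == (kind == "known-clients")
    raise ValueError(f"unsupported permit rule: {rule}")

def pool_permits(pool, client):
    if any(_matches(r, client) for r in pool.deny):
        return False                      # explicit deny wins
    if pool.allow:                        # an allow list implies "deny all else"
        return any(_matches(r, client) for r in pool.allow)
    return True                           # a deny-only list implies "allow all else"

def select_pool(pools, client):
    """Return the name of the first pool in the subnet that admits the client."""
    return next((p.name for p in pools if pool_permits(p, client)), None)

FW = "classFirewallFullAccess"
# Marcio's layout: the second pool only admits clients with a host declaration.
ORIGINAL = [Pool("gods", allow=[("members", FW)]),
            Pool("mortals", deny=[("unknown-clients",)])]
# Glenn's suggestion: deny the class instead, so no host statements are needed.
SUGGESTED = [Pool("gods", allow=[("members", FW)]),
             Pool("mortals", deny=[("members", FW)])]

# Constructed sample clients: a subclass member, a declared host, and a stranger.
GOD = Client("00:00:00:00:00:01", classes=frozenset({FW}))
DECLARED = Client("00:00:00:00:00:03", known=True)
STRANGER = Client("00:00:00:00:00:05")
```

With the original layout the stranger gets no address in this subnet at all, which is exactly the extra host-statement maintenance Glenn points out; with the suggested layout it lands in the mortals pool.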