How to restrict Windows XP DHCP clients to a specific subnet?
Sten Carlsen
stenc at s-carlsen.dk
Thu Feb 13 19:29:28 UTC 2014
On 13/02/14 18.30, Chris Buxton wrote:
> If you mix allow and deny statements in the same scope, the following rules apply:
>
> 1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
> 2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
> 3. Denied.
>
> If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.
>
> If no allow or deny statement is in effect, the client is allowed.
>
> Obviously, mixing allow and deny is tricky and should only be done when necessary. I have seen a case or two where it is necessary, though.
One more detail:
To me it looks like there are two separate sets of allow/deny - one for
hosts and another for classes.
I used "allow <some class>" and it turned out that this had no effect on
my host statements, so I had to add a "deny unknown hosts" as well to
get the desired result.
>
> Regards,
> Chris Buxton
>
> On Feb 13, 2014, at 6:55 AM, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> wrote:
>
>> Simon Hobson dhcp1 at thehobsons.co.uk wrote:
>>> Where you use an allow clause, anything not specifically allowed is denied, so you can do :
>>> pool {
>>> allow members of "tom";
>>> allow members of "dick";
>>> allow members of "harry";
>>> range ...;
>>> }
>>> which will allow members of those classes but nothing else.
>>>
>>> Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
>> I've been testing this now, and unfortunately it seems that you're right! Mixing allow/deny statements within a pool breaks completely any logic which I can see.
>>
>> Where might this strange allow/deny behavior be documented? The DHCP Handbook 2nd ed. discusses on p. 344 various allow and deny statements, but has nothing to say about mixing them.
>>
>> The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says quite the opposite from what you have explained:
>>> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
>> Confusion is apparently abundant!
>>
>> --
>> Ole Holm Nielsen
>> Department of Physics, Technical University of Denmark
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
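As an added illustration (not part of this thread and not ISC dhcpd code), the following Python models the three-step allow/deny evaluation Chris describes above and applies it to Simon's class-only pool and to a mixed allow/deny pool, so the step-3 "otherwise denied" default and the deny-wins rule can be seen on concrete clients. The attribute strings such as 'members of "tom"' and 'unknown-clients' are assumed labels for the pool statements a client matches; the dhcpd.conf man page quoted by Ole states a different rule, which this model does not implement.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Allow/deny statements attached to one dhcpd pool (modelled, not parsed)."""
    allow: set[str] = field(default_factory=set)
    deny: set[str] = field(default_factory=set)


def pool_permits(pool: Pool, client_attrs: set[str]) -> bool:
    """Apply the evaluation order described in the thread.

    client_attrs holds the statement keys this client matches, e.g.
    {'members of "tom"', 'known-clients'} (constructed labels).
    """
    # Step 1: a matching deny statement always wins.
    if pool.deny & client_attrs:
        return False
    # Step 2: a matching allow statement admits the client.
    if pool.allow & client_attrs:
        return True
    # Step 3 / single-type default: if any allow statements exist, an unmatched
    # client is denied; with only deny statements, or none at all, it is allowed.
    return not pool.allow


def simon_example() -> tuple[bool, bool]:
    """Simon's pool: allow members of tom, dick and harry, nothing else."""
    pool = Pool(allow={'members of "tom"', 'members of "dick"', 'members of "harry"'})
    in_tom = pool_permits(pool, {'members of "tom"'})
    in_no_class = pool_permits(pool, set())
    return in_tom, in_no_class          # (True, False)


def mixed_example() -> tuple[bool, bool, bool]:
    """Mixed pool: allow members of "tom"; deny members of "dick"."""
    pool = Pool(allow={'members of "tom"'}, deny={'members of "dick"'})
    only_tom = pool_permits(pool, {'members of "tom"'})
    tom_and_dick = pool_permits(pool, {'members of "tom"', 'members of "dick"'})
    only_harry = pool_permits(pool, {'members of "harry"'})
    # tom_and_dick is denied by step 1; only_harry is denied by step 3.
    return only_tom, tom_and_dick, only_harry   # (True, False, False)


if __name__ == "__main__":
    print("simon:", simon_example())
    print("mixed:", mixed_example())
```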