How to restrict Windows XP DHCP clients to a specific subnet?

Sten Carlsen stenc at s-carlsen.dk
Thu Feb 13 19:29:28 UTC 2014


On 13/02/14 18.30, Chris Buxton wrote:
> If you mix allow and deny statements in the same scope, the following rules apply:
>
> 1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
> 2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
> 3. Denied.
>
> If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.
>
> If no allow or deny statement is in effect, the client is allowed.
>
> Obviously, mixing allow and deny is tricky and should only be done when necessary. I have seen a case or two where it is necessary, though.
One more detail:
To me it looks like there are two separate sets of allow/deny - one for
hosts and another for classes.

I used "allow <some class>" and it turned out that this had no effect on
my host statements, so I had to add a "deny unknown hosts" as well to
get the desired result.
>
> Regards,
> Chris Buxton
>
> On Feb 13, 2014, at 6:55 AM, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> wrote:
>
>> Simon Hobson dhcp1 at thehobsons.co.uk wrote:
>>> Where you use an allow clause, anything not specifically allowed is denied, so you can do :
>>>  pool {
>>>    allow members of "tom";
>>>    allow members of "dick";
>>>    allow members of "harry";
>>>    range ...;
>>>  }
>>> which will allow members of those classes but nothing else.
>>>
>>> Do not be tempted to mix allow and deny - it doesn't work as most people would expect. It's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
>> I've been testing this now, and unfortunately it seems that you're right!  Mixing allow/deny statements within a pool breaks completely any logic which I can see.
>>
>> Where might this strange allow/deny behavior be documented?  The DHCP Handbook 2nd ed. discusses on p. 344 various allow and deny statements, but has nothing to say about mixing them.
>>
>> The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says quite the opposite from what you have explained:
>>> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
>> Confusion is apparently abundant!
>>
>> -- 
>> Ole Holm Nielsen
>> Department of Physics, Technical University of Denmark
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
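
The evaluation order listed in Chris Buxton's quoted message, written as a small Python model and run over four sample clients (an added example, not code from the thread or from ISC dhcpd). The class name "xp", the client names and all function names are made up for illustration, and the model follows the rules as stated in the message rather than dhcpd's source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    """Constructed test client, not a real dhcpd data structure."""
    name: str
    classes: frozenset = frozenset()   # class names the client is a member of
    known: bool = False                # True if a host declaration exists for it

def members_of(cls):
    """Models a rule such as: allow members of "xp";"""
    return lambda client: cls in client.classes

def unknown_clients(client):
    """Models a rule that matches clients without a host declaration."""
    return not client.known

def pool_permits(client, allow=(), deny=()):
    """Decide access to one pool using the rules quoted in the message."""
    if not allow and not deny:
        return True        # no allow or deny statement in effect: allowed
    if any(rule(client) for rule in deny):
        return False       # step 1: matching any deny statement denies
    if allow:
        # step 2: matching any allow statement allows; step 3: otherwise denied
        return any(rule(client) for rule in allow)
    return True            # deny statements only: unmatched clients are allowed

# Constructed sample clients; the class name "xp" is hypothetical.
CLIENTS = [
    Client("xp-registered", frozenset({"xp"}), known=True),
    Client("xp-guest", frozenset({"xp"}), known=False),
    Client("linux-registered", frozenset(), known=True),
    Client("linux-guest", frozenset(), known=False),
]

# One entry per combination of statement types a pool can carry.
POOLS = {
    "no statements": {},
    "allow only": {"allow": [members_of("xp")]},
    "deny only": {"deny": [unknown_clients]},
    "mixed": {"allow": [members_of("xp")], "deny": [unknown_clients]},
}

def decision_table():
    """Return, per pool variant, the names of the clients that are admitted."""
    return {label: [c.name for c in CLIENTS if pool_permits(c, **lists)]
            for label, lists in POOLS.items()}

if __name__ == "__main__":
    for label, admitted in decision_table().items():
        print(f"{label:14} -> {', '.join(admitted) or '(nobody)'}")
```
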
