<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
<br>
<br>
On 13/06/12 18:44, Marcio Merlone wrote:
<blockquote cite="mid:4FD8C365.1080606@a1.ind.br" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 13-06-2012 12:40, Simon Hobson wrote:<br>
<blockquote
cite="mid:p06240868cbfe621eb438@simon.thehobsons.co.uk"
type="cite">By doing it with classes, you don't need to bother
with known/unknown. Just use an 'allow members of "foo"' in each
pool where you want members of the class "foo" to be able to get
an address and it'll do it for you. Members of the class will be
given access, anything that's not a member will not. <br>
<br>
Whenever you use an allow (or deny), there is an implicit deny
(or allow). So once you've allowed members of a class, then
everything else is implicitly denied. Don't mix allow and deny -
they don't work as most people expect, and I can't remember how
it works even though it's been explained several times over the
years ! <br>
<br>
If you want a separate pool for all clients not in any of the
classes, then you do it like this : <br>
<br>
pool { <br>
range ... <br>
deny members of "foo"; <br>
deny members of "bar"; <br>
} <br>
You need to list all the classes you've allowed elsewhere in the
deny list. Any not denied will be implicitly allowed. <br>
</blockquote>
<br>
Things are getting nicely clear now. In fact, I don't need two
classes, I just need to protect one range to some few selected
hosts (subclass). The remaining hosts should go to the other
range. Everything put in place, this should do:<br>
<br>
<pre wrap="">class "classFirewallFullAccess" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;
host closedFw3 {
    hardware ethernet 00:00:00:00:00:03;
}
host closedFw4 {
    hardware ethernet 00:00:00:00:00:04;
}
shared-network foo {
    subnet 10.0.0.0 netmask 255.255.255.0 {
        # GODS: Those have 'permit' on firewall
        pool {
            allow members of "classFirewallFullAccess";
            option routers 10.0.0.100;
            option blah;
            range 10.0.0.1 10.0.0.10;
        }
        # Mortals: should use the proxy
        pool {
            deny unknown-clients;</pre>
</blockquote>
Here you probably also want to deny "classFirewallFullAccess". Or
you may wish to say: allow known-clients, that will exclude both
your class and the unknown clients.<br>
<blockquote cite="mid:4FD8C365.1080606@a1.ind.br" type="cite">
<pre wrap="">
            option routers 10.0.0.200;
            option argh;
            range 10.0.0.11 10.0.0.20;
        }
    }
    # This goes for external sales people, customers, visitors, whatever
    subnet 10.1.1.0 netmask 255.255.255.0 {
        ....
        allow unknown-clients;
        ....
    }
}
</pre>
<br>
I know, I know, this is not a safe/good way to restrict normal
people on the firewall, someone can manually set up an IP address
within the GODs range, but this is another issue. ;)<br>
<br>
Thanks and best regards.<br>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
#a1AssinaturaEmail { font-family: Tahoma, Verdana, Arial; font-size: 10px; }
#a1AssinaturaEmail * { font-family: Tahoma, Verdana, Arial; font-size: 10px; }
#a1AssinaturaEmail a { text-decoration: none; color: #FF9900; }
</style>
<div id="a1AssinaturaEmail"> <span style="font-size: 12px;"><b>Marcio
Merlone</b></span><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
dhcp-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
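<br>
<br>
Added worked example, not code from this thread and not ISC dhcpd source: a small
Python model of the pool allow/deny evaluation Simon describes above, loaded with the
class, subclass and host declarations from Marcio's config, so you can see which pools
each kind of client is eligible for before and after adding the extra deny Sten suggests.
Assumptions: it models the rule the thread states (a matching deny refuses the pool; an
allow list implicitly denies everyone else; a deny-only list implicitly allows the rest),
class membership follows the posted <tt>pick-first-value (option dhcp-client-identifier,
hardware)</tt> match, and the clients, the pool names "gods"/"mortals" and the extra host
declaration for 00:00:00:00:00:02 are constructed for illustration.<br>
<br>
```python
"""Model of ISC dhcpd pool permit evaluation for the config posted in the thread.

Constructed example: NOT dhcpd code.  It models the allow/deny rule the thread
describes:
  * a client matching any "deny" term is refused the pool;
  * if the pool has "allow" terms the client must match at least one
    (everything else is implicitly denied);
  * a pool with only "deny" terms implicitly allows everything not denied.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    mac: str                          # hardware address as sent in chaddr
    client_id: Optional[str] = None   # option 61 rendered as "type:bytes", if sent


@dataclass
class Pool:
    name: str
    allow: List[str] = field(default_factory=list)   # e.g. 'members of "foo"'
    deny: List[str] = field(default_factory=list)    # e.g. "unknown-clients"


# Server state as the posted config declares it.
CLASS_MEMBERS = {
    # subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;  ...:02;
    "classFirewallFullAccess": {"1:00:00:00:00:00:01", "1:00:00:00:00:00:02"},
}
# host closedFw3 / closedFw4 make 03 and 04 "known".  The entry for 02 is a
# constructed addition (a class member that also has a host declaration).
KNOWN_HOSTS = {"00:00:00:00:00:03", "00:00:00:00:00:04", "00:00:00:00:00:02"}


def class_key(c: Client) -> str:
    """pick-first-value (option dhcp-client-identifier, hardware):
    a client-sent option 61 wins; otherwise hardware type 1 (ethernet) + MAC."""
    return c.client_id if c.client_id else "1:" + c.mac


def matches(c: Client, term: str) -> bool:
    """Evaluate a single allow/deny term against a client."""
    if term == "known-clients":
        return c.mac in KNOWN_HOSTS
    if term == "unknown-clients":
        return c.mac not in KNOWN_HOSTS
    if term.startswith('members of "') and term.endswith('"'):
        cls = term[len('members of "'):-1]
        return class_key(c) in CLASS_MEMBERS.get(cls, set())
    raise ValueError(f"unsupported permit term: {term}")


def permitted(c: Client, pool: Pool) -> bool:
    """Deny wins; an allow list is an implicit deny of everyone who matches none."""
    if any(matches(c, t) for t in pool.deny):
        return False
    if pool.allow:
        return any(matches(c, t) for t in pool.allow)
    return True            # deny-only (or empty) list: implicit allow


def permitted_pools(c: Client, pools: List[Pool]) -> List[str]:
    """Every pool the client may draw a lease from (dhcpd may use any of them)."""
    return [p.name for p in pools if permitted(c, p)]


# Pools of subnet 10.0.0.0/24 as posted (names are constructed).
POOLS_AS_POSTED = [
    Pool("gods", allow=['members of "classFirewallFullAccess"']),
    Pool("mortals", deny=["unknown-clients"]),
]
# Same pools with the class also denied from the mortals pool.
POOLS_CLASS_DENIED = [
    Pool("gods", allow=['members of "classFirewallFullAccess"']),
    Pool("mortals", deny=["unknown-clients", 'members of "classFirewallFullAccess"']),
]

# Constructed clients.
GOD1 = Client("00:00:00:00:00:01")        # subclass member, no host declaration
GOD2 = Client("00:00:00:00:00:02")        # subclass member AND known (constructed)
MORTAL3 = Client("00:00:00:00:00:03")     # host closedFw3
STRANGER = Client("00:00:00:00:00:05")    # neither class member nor known
# Any client may send option 61; this one presents GOD1's identifier from another MAC.
SPOOFER = Client("00:00:00:00:00:09", client_id="1:00:00:00:00:00:01")

CLIENTS = [("GOD1", GOD1), ("GOD2", GOD2), ("MORTAL3", MORTAL3),
           ("STRANGER", STRANGER), ("SPOOFER", SPOOFER)]

if __name__ == "__main__":
    for label, pools in (("as posted", POOLS_AS_POSTED),
                         ("class also denied", POOLS_CLASS_DENIED)):
        print(f"--- pools {label} ---")
        for name, c in CLIENTS:
            print(f"{name:9} {c.mac}  -> {permitted_pools(c, pools)}")
```
<br>
Two rows are worth reading. GOD2 shows why the extra <tt>deny members of</tt> matters: a
class member that is also a known host is eligible for both pools as posted, and only
for the gods pool once the class is denied from mortals. SPOOFER shows the limit of the
whole scheme: the class is keyed on <tt>pick-first-value (option dhcp-client-identifier,
hardware)</tt>, and option 61 is whatever the client chooses to send, so any host that
presents a member's identifier lands in the gods range without touching its MAC. Taken
with Marcio's own remark about static addressing, the pool split is an administrative
convenience; the permit on the firewall should rest on something it can verify itself.<br>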
</body>
</html>