<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
<br>
<div class="moz-cite-prefix">On 13/02/14 18.30, Chris Buxton wrote:<br>
</div>
<blockquote
cite="mid:A3B12368-8F9B-489B-862D-A143A6C48F15@buxtonfamily.us"
type="cite">
<pre wrap="">If you mix allow and deny statements in the same scope, the following rules apply:
1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
3. Denied.
If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.
If no allow or deny statement is in effect, the client is allowed.
Obviously, mixing allow and deny is tricky and should only be done when necessary. I have seen a case or two where it is necessary, though.</pre>
</blockquote>
One more detail:<br>
To me it looks like there are two separate sets of allow/deny - one
for hosts and another for classes.<br>
<br>
I used "allow &lt;some class&gt;" and it turned out that this had no
effect on my host statements, so I had to add a "deny unknown hosts"
as well to get the desired result.<br>
<blockquote
cite="mid:A3B12368-8F9B-489B-862D-A143A6C48F15@buxtonfamily.us"
type="cite">
<pre wrap="">
Regards,
Chris Buxton
On Feb 13, 2014, at 6:55 AM, Ole Holm Nielsen <a class="moz-txt-link-rfc2396E" href="mailto:Ole.H.Nielsen@fysik.dtu.dk">&lt;Ole.H.Nielsen@fysik.dtu.dk&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Simon Hobson dhcp1 at thehobsons.co.uk wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Where you use an allow clause, anything not specifically allowed is denied, so you can do :
pool {
allow members of "tom";
allow members of "dick";
allow members of "harry";
range ...;
}
which will allow members of those classes but nothing else.
Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
</pre>
</blockquote>
<pre wrap="">
I've been testing this now, and unfortunately it seems that you're right! Mixing allow/deny statements within a pool breaks completely any logic which I can see.
Where might this strange allow/deny behavior be documented? The DHCP Handbook 2nd ed. discusses on p. 344 various allow and deny statements, but has nothing to say about mixing them.
The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says quite the opposite from what you have explained:
</pre>
<blockquote type="cite">
<pre wrap="">If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
</pre>
</blockquote>
<pre wrap="">
Confusion is apparently abundant!
--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark
_______________________________________________
dhcp-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
dhcp-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
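The precedence Chris Buxton spells out above (deny checked first, then allow, then a default that depends on which statement types are present) is easy to get wrong by reading; the model below is an added example written for this thread, not dhcpd's own code. It assumes a pool's permit list is a list of tuples for the statement kinds the thread mentions ("members of &lt;class&gt;", "known-clients", "unknown-clients") and a constructed Client record; it does not model Sten's observation that host and class statements behave as separate sets in the real server.

```python
"""Model of the allow/deny precedence Chris Buxton describes for an ISC
dhcpd pool.  Added example for this thread, not dhcpd source; only the
statement kinds the thread mentions are modelled."""
from dataclasses import dataclass, field


@dataclass
class Client:
    """Constructed lease request: the classes the client matched, and
    whether a host declaration exists for it (known vs. unknown)."""
    classes: set = field(default_factory=set)
    known: bool = False


def matches(stmt, client):
    """Does one allow/deny statement apply to this client?"""
    kind, *arg = stmt
    if kind == "members of":
        return arg[0] in client.classes
    if kind == "known-clients":
        return client.known
    if kind == "unknown-clients":
        return not client.known
    raise ValueError(f"unsupported statement: {stmt}")


def pool_permits(allow, deny, client):
    """Apply the quoted rules in order:
    1. any matching deny  -> denied
    2. any matching allow -> allowed
    3. otherwise the default: denied when an allow list exists (mixed or
       allow-only), allowed when only deny statements or none exist."""
    if any(matches(s, client) for s in deny):
        return False
    if any(matches(s, client) for s in allow):
        return True
    return not allow


# Simon's pool: allow members of "tom"/"dick"/"harry", nothing else
CLASS_POOL = [("members of", "tom"), ("members of", "dick"), ("members of", "harry")]
# Sten's fix: allow the class AND deny clients without a host declaration
MIXED_ALLOW = [("members of", "tom")]
MIXED_DENY = [("unknown-clients",)]

if __name__ == "__main__":
    print(pool_permits(CLASS_POOL, [], Client({"tom"})))                # True
    print(pool_permits(CLASS_POOL, [], Client({"other"})))              # False
    print(pool_permits(MIXED_ALLOW, MIXED_DENY, Client({"tom"})))       # False, deny wins
    print(pool_permits(MIXED_ALLOW, MIXED_DENY, Client({"tom"}, True))) # True
```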
</body>
</html>