Send dhcp-users mailing list submissions to
        dhcp-users@lists.isc.org


Today's Topics:

   1. How to deny classless clients instead of unknown-clients.
      (Marcio Merlone)
   2. Re: How to deny classless clients instead of unknown-clients.
      (Simon Hobson)
   3. Re: How to deny classless clients instead of unknown-clients.
      (Chris Buxton)
   4. Re: How to deny classless clients instead of unknown-clients.
      (Marcio Merlone)


----------------------------------------------------------------------

Message: 1
Date: Tue, 18 Feb 2020 11:30:35 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: "dhcp-users@lists.isc.org" <dhcp-users@lists.isc.org>
Subject: How to deny classless clients instead of unknown-clients.
Message-ID: <a12cfdcb-6419-8722-7979-c95e4973a...@a1.ind.br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi,

I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless 
clients. I have tried "deny unknown-clients", but if I do not have a host 
declaration then the host is unknown even if it has a subclass declaration.

To illustrate:

class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subnet 192.168.0.0 netmask 255.255.255.0 {

pool {
    deny unknown-clients;
    allow members of "clsFoo";
    range 192.168.0.30 192.168.0.200;
}
}

subclass "clsFoo" 1:xx:xx:xx:12:34:56;

In such a config, clsFoo above gets denied. Is there a way to consider a 
non-declared subclass an unknown host? Any workaround or other way to do 
it besides duplicating all subclasses as host declarations?

Thanks, best regards.

-- 
*Marcio Merlone*

------------------------------

Message: 2
Date: Tue, 18 Feb 2020 18:19:59 +0000
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <d4d29758-df7c-4c46-875f-1674952b1...@thehobsons.co.uk>
Content-Type: text/plain; charset=us-ascii

Marcio Merlone <marcio.merl...@a1.ind.br> wrote:

> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless 
> clients. I have tried "deny unknown-clients", but if I do not have a host 
> declaration then the host is unknown even if it has a subclass declaration.
> 
> To illustrate:
> 
> class "clsFoo" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subnet 192.168.0.0 netmask 255.255.255.0 {
> 
> pool {
>    deny unknown-clients;
>    allow members of "clsFoo";
>    range 192.168.0.30 192.168.0.200;
> }
> }
> 
> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
> 
> In such a config, clsFoo above gets denied. Is there a way to consider a 
> non-declared subclass an unknown host? Any workaround or other way to do it 
> besides duplicating all subclasses as host declarations?

So to be clear, you want members of clsFoo to get a lease, and other clients to 
be denied?

The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be 
done, but the way it is processed is non-intuitive (and TBH I can't remember 
how it works) so is best avoided. Where there is an allow statement, anything 
not allowed by allow statement(s) in the pool will be denied - and similarly 
with deny statements and anything not denied is allowed.

So:
pool {
   allow members of "clsFoo";
   range 192.168.0.30 192.168.0.200;
}
should be sufficient. Members of clsFoo will be allowed, anything else will be 
denied.

It gets trickier when you have more than one class, and want to have a pool for 
"anything else". In that case you would need:

pool {
  deny members of "a";
  deny members of "b";
  ...
  range ...
}

Simon



------------------------------

Message: 3
Date: Tue, 18 Feb 2020 11:35:30 -0800
From: Chris Buxton <cli...@buxtonfamily.us>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <22c82b30-fc6a-44a9-b9b2-90dca1ac3...@buxtonfamily.us>
Content-Type: text/plain;       charset=us-ascii

On Feb 18, 2020, at 10:19 AM, Simon Hobson <dh...@thehobsons.co.uk> wrote:
> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be 
> done, but the way it is processed is non-intuitive (and TBH I can't remember 
> how it works) so is best avoided. Where there is an allow statement, anything 
> not allowed by allow statement(s) in the pool will be denied - and similarly 
> with deny statements and anything not denied is allowed.

I've successfully mixed allow and deny statements in the same pool.

- Any client matching a deny statement is denied.
- Any client matching an allow statement (but no deny statement) is allowed.
- All other clients are denied.

Chris Buxton

------------------------------

Message: 4
Date: Tue, 18 Feb 2020 16:57:33 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: dhcp-users@lists.isc.org
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <11bd5dde-d9b0-c337-f709-837f6b423...@a1.ind.br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Em 18/02/2020 15:19, Simon Hobson escreveu:
> Marcio Merlone <marcio.merl...@a1.ind.br> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless 
>> clients. I have tried "deny unknown-clients", but if I do not have a host 
>> declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>>      match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>> pool {
>>     deny unknown-clients;
>>     allow members of "clsFoo";
>>     range 192.168.0.30 192.168.0.200;
>> }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such a config, clsFoo above gets denied. Is there a way to consider a 
>> non-declared subclass an unknown host? Any workaround or other way to do it 
>> besides duplicating all subclasses as host declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients 
> to be denied?

Yes, kind of, I plan on having another pool for unknown-clients, like this:

subnet ...{
pool {
    allow members of "clsFoo";
    range 192.168.0.30 192.168.0.200;
}
}

subnet ...{
pool {
    allow unknown-clients;
    range 10.0.0.30 10.0.0.200;
}
}


> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be 
> done, but the way it is processed is non-intuitive (and TBH I can't remember 
> how it works) so is best avoided.

Tks for the tip. But from experience I usually have to add an explicit deny 
clause to avoid unwanted clients.


> Where there is an allow statement, anything not allowed by allow statement(s) 
> in the pool will be denied - and similarly with deny statements and anything 
> not denied is allowed.

Not true in my experience, see below.


> So :
> pool {
>     allow members of "clsFoo";
>     range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will 
> be denied.

I commented out all deny lines, keeping just allow for all pools. Yet, 
an unknown-client just got an IP from the clsFoo pool.

I cannot invert this logic, none of my clients are "known", but classy. 
Shouldn't a subclass definition make that a known host? Itching to open 
a feature request.


> It gets trickier when you have more than one class, and want to have a pool 
> for "anything else". In that case you would need :
>
> pool {
>    deny members of "a";
>    deny members of "b";
>    ...
>    range ...
> }

That's the case, I have 4 classes, one pool for each, plus another pool 
for unknown-clients. But no luck yet.


-- 
*Marcio Merlone*

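As an added example (not taken from any message in this thread), the following dhcpd.conf layout combines Simon's per-class pools and "anything else" fallback pool with the allow/deny evaluation rules Chris describes; the class names, MAC addresses and address ranges are constructed for illustration.

```conf
# Added example, not from the thread. Class names, MACs and ranges are made up.

# Clients are placed into classes by client-identifier or, failing that,
# by hardware address, as in the original post.
class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
class "clsBar" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

# Subclass entries enrol individual clients (leading "1:" is the ethernet
# hardware-type byte). A subclass entry does NOT make a client "known":
# only a host declaration does, which is why "deny unknown-clients" in the
# original pool rejected clsFoo members that had no host declaration.
subclass "clsFoo" 1:00:11:22:33:44:55;   # constructed MAC
subclass "clsBar" 1:00:11:22:33:44:66;   # constructed MAC

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;

    # One pool per class: allow only. Per the rules in the thread, a client
    # matching no allow statement in a pool with allow statements is denied,
    # so no "deny unknown-clients" is needed (and it would reject the class
    # members themselves).
    pool {
        allow members of "clsFoo";
        range 192.168.0.30 192.168.0.99;
    }
    pool {
        allow members of "clsBar";
        range 192.168.0.100 192.168.0.169;
    }

    # "Anything else" pool: deny each class explicitly rather than writing
    # "allow unknown-clients", because class members without a host
    # declaration are also unknown and would qualify for this pool too.
    pool {
        deny members of "clsFoo";
        deny members of "clsBar";
        range 192.168.0.170 192.168.0.200;
    }
}
```

Check the result with `dhcpd -t -cf /path/to/dhcpd.conf` before reloading, and confirm on the lease file which pool a test client lands in.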
------------------------------


End of dhcp-users Digest, Vol 136, Issue 8