Send dhcp-users mailing list submissions to dhcp-users@lists.isc.org
Today's Topics:

   1. How to deny classless clients instead of unknown-clients. (Marcio Merlone)
   2. Re: How to deny classless clients instead of unknown-clients. (Simon Hobson)
   3. Re: How to deny classless clients instead of unknown-clients. (Chris Buxton)
   4. Re: How to deny classless clients instead of unknown-clients. (Marcio Merlone)

----------------------------------------------------------------------

Message: 1
Date: Tue, 18 Feb 2020 11:30:35 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: "dhcp-users@lists.isc.org" <dhcp-users@lists.isc.org>
Subject: How to deny classless clients instead of unknown-clients.

Hi,

I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. Have tried "deny unknown-clients" but if I have not a host declaration then the host is unknown even if it has a subclass declaration.

To illustrate:

    class "clsFoo" {
        match pick-first-value (option dhcp-client-identifier, hardware);
    }
    subnet 192.168.0.0 netmask 255.255.255.0 {
        pool {
            deny unknown-clients;
            allow members of "clsFoo";
            range 192.168.0.30 192.168.0.200;
        }
    }

    subclass "clsFoo" 1:xx:xx:xx:12:34:56;

In such config that clsFoo above gets denied. Is there how to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicate all subclass as hosts declarations?

Thanks, best regards.

--
*Marcio Merlone*

------------------------------

Message: 2
Date: Tue, 18 Feb 2020 18:19:59 +0000
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.

Marcio Merlone <marcio.merl...@a1.ind.br> wrote:

> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless
> clients. Have tried "deny unknown-clients" but if I have not a host
> declaration then the host is unknown even if it has a subclass declaration.
>
> To illustrate:
>
> class "clsFoo" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subnet 192.168.0.0 netmask 255.255.255.0 {
>
>     pool {
>         deny unknown-clients;
>         allow members of "clsFoo";
>         range 192.168.0.30 192.168.0.200;
>     }
> }
>
> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>
> In such config that clsFoo above gets denied. Is there how to consider a
> non-declared subclass an unknown host? Any workaround or other way to do it
> besides duplicate all subclass as hosts declarations?

So to be clear, you want members of clsFoo to get a lease, and other clients to be denied?

The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.

Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied - and similarly with deny statements and anything not denied is allowed.

So:

    pool {
        allow members of "clsFoo";
        range 192.168.0.30 192.168.0.200;
    }

should be sufficient. Members of clsFoo will be allowed, anything else will be denied.

It gets trickier when you have more than one class, and want to have a pool for "anything else".
In that case you would need:

    pool {
        deny members of "a";
        deny members of "b";
        ...
        range ...
    }

Simon

------------------------------

Message: 3
Date: Tue, 18 Feb 2020 11:35:30 -0800
From: Chris Buxton <cli...@buxtonfamily.us>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.

On Feb 18, 2020, at 10:19 AM, Simon Hobson <dh...@thehobsons.co.uk> wrote:

> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be
> done, but the way it is processed is non-intuitive (and TBH I can't remember
> how it works) so is best avoided. Where there is an allow statement, anything
> not allowed by allow statement(s) in the pool will be denied - and similarly
> with deny statements and anything not denied is allowed.

I've successfully mixed allow and deny statements in the same pool.

- Any client matching a deny statement is denied.
- Any client matching an allow statement (but no deny statement) is allowed.
- All other clients are denied.

Chris Buxton

------------------------------

Message: 4
Date: Tue, 18 Feb 2020 16:57:33 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: dhcp-users@lists.isc.org
Subject: Re: How to deny classless clients instead of unknown-clients.

On 18/02/2020 15:19, Simon Hobson wrote:

> Marcio Merlone <marcio.merl...@a1.ind.br> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless
>> clients. Have tried "deny unknown-clients" but if I have not a host
>> declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>>     match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>>     pool {
>>         deny unknown-clients;
>>         allow members of "clsFoo";
>>         range 192.168.0.30 192.168.0.200;
>>     }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such config that clsFoo above gets denied. Is there how to consider a
>> non-declared subclass an unknown host? Any workaround or other way to do it
>> besides duplicate all subclass as hosts declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients
> to be denied ?

Yes, kind of, I plan on having another pool for unknown-clients, like this:

    subnet ...{
        pool {
            allow members of "clsFoo";
            range 192.168.0.30 192.168.0.200;
        }
    }
    subnet ...{
        pool {
            allow unknown-clients;
            range 10.0.0.30 10.0.0.200;
        }
    }

> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be
> done, but the way it is processed is non-intuitive (and TBH I can't remember
> how it works) so is best avoided.

Tks for the tip. But I usually have to add an explicit deny clause to avoid unwanted clients by experience.

> Where there is an allow statement, anything not allowed by allow statement(s)
> in the pool will be denied - and similarly with deny statements and anything
> not denied is allowed.

Not true in my experience, see below.

> So :
> pool {
>     allow members of "clsFoo";
>     range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will
> be denied.

I commented out all deny lines, keeping just allow for all pools. Yet, an unknown-client just got an IP from the clsFoo pool. I cannot invert this logic, none of my clients are "known", but classy. Shouldn't a subclass definition make that a known host? Itching to open a feature request.

> It gets trickier when you have more than one class, and want to have a pool
> for "anything else". In that case you would need :
>
> pool {
>     deny members of "a";
>     deny members of "b";
>     ...
>     range ...
> }

That's the case, I have 4 classes, one pool for each, plus another pool for unknown-clients. But no luck yet.

--
*Marcio Merlone*

------------------------------

End of dhcp-users Digest, Vol 136, Issue 8
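
The pool allow/deny rules as Simon and Chris state them in this thread, applied to the three pool layouts discussed, as a small Python model. This is an added example, not dhcpd code and not written by any of the posters; the Client/Pool types, the "members:" permit encoding, the "guest" pool name and the sample clients are assumptions, and subnet selection is ignored.

```python
# Added model of the rules stated in the thread (not dhcpd source):
#   1. a client matching any deny statement is denied;
#   2. if the pool has allow statements, the client must match one of them;
#   3. a pool with only deny statements admits everything not denied.
# "Known" means the client has a host declaration; a subclass entry puts it
# in a class but does not make it known (the behaviour Marcio describes).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Client:
    ident: str
    classes: frozenset = frozenset()
    has_host_decl: bool = False

@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

def matches(client, permit):
    """True if one permit entry applies to the client (hypothetical encoding)."""
    if permit == "unknown-clients":
        return not client.has_host_decl
    if permit == "known-clients":
        return client.has_host_decl
    kind, _, cls = permit.partition(":")
    if kind != "members":
        raise ValueError(f"unsupported permit: {permit}")
    return cls in client.classes

def permitted(client, pool):
    if any(matches(client, p) for p in pool.deny):
        return False                      # rule 1: deny always wins
    if pool.allow:
        return any(matches(client, p) for p in pool.allow)   # rule 2
    return True                           # rule 3: deny-only pool

def eligible_pools(client, pools):
    return [p.name for p in pools if permitted(client, p)]

# Constructed sample clients: a clsFoo subclass member and an unclassified one,
# neither with a host declaration.
foo = Client("1:xx:xx:xx:12:34:56", frozenset({"clsFoo"}))
stranger = Client("constructed-unclassified-client")

# Message 1: deny unknown-clients + allow members of "clsFoo" in one pool.
ORIGINAL = [Pool("foo", allow=["members:clsFoo"], deny=["unknown-clients"])]
# Message 4 plan: class pool plus a pool with allow unknown-clients.
PLAN = [Pool("foo", allow=["members:clsFoo"]), Pool("guest", allow=["unknown-clients"])]
# Simon's layout: class pool plus a catch-all that denies each class.
SPLIT = [Pool("foo", allow=["members:clsFoo"]), Pool("guest", deny=["members:clsFoo"])]
```

Under these rules the original pool admits nobody, and in the planned layout the clsFoo member also qualifies for the unknown-clients pool because it has no host declaration; only the deny-members catch-all keeps the two populations apart.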