Send dhcp-users mailing list submissions to
dhcp-users@lists.isc.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
dhcp-users-requ...@lists.isc.org
You can reach the person managing the list at
dhcp-users-ow...@lists.isc.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."
Today's Topics:
1. How to deny classless clients instead of unknown-clients.
(Marcio Merlone)
2. Re: How to deny classless clients instead of unknown-clients.
(Simon Hobson)
3. Re: How to deny classless clients instead of unknown-clients.
(Chris Buxton)
4. Re: How to deny classless clients instead of unknown-clients.
(Marcio Merlone)
----------------------------------------------------------------------
Message: 1
Date: Tue, 18 Feb 2020 11:30:35 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: "dhcp-users@lists.isc.org" <dhcp-users@lists.isc.org>
Subject: How to deny classless clients instead of unknown-clients.
Message-ID: <a12cfdcb-6419-8722-7979-c95e4973a...@a1.ind.br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Hi,
I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless
clients. Have tried "deny unknown-clients" but if I have not a host
declaration then the host is unknown even if it has a subclass declaration.
To illustrate:
class "clsFoo" {
??? match pick-first-value (option dhcp-client-identifier, hardware);
}
subnet 192.168.0.0 netmask 255.255.255.0 {
pool {
?? deny unknown-clients;
?? allow members of "clsFoo";
?? range 192.168.0.30 192.168.0.200;
}
}
subclass "clsFoo" 1:xx:xx:xx:12:34:56;
In such config that clsFoo above gets denied. Is there how to consider a
non-declared subclass an unknown host? Any workaround or other way to do
it besides duplicate all subclass as hosts declarations?
Thanks, best regards.
--
*Marcio Merlone*
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.isc.org/pipermail/dhcp-users/attachments/20200218/a596b46f/attachment-0001.htm>
------------------------------
Message: 2
Date: Tue, 18 Feb 2020 18:19:59 +0000
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <d4d29758-df7c-4c46-875f-1674952b1...@thehobsons.co.uk>
Content-Type: text/plain; charset=us-ascii
Marcio Merlone <marcio.merl...@a1.ind.br> wrote:
> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless
> clients. Have tried "deny unknown-clients" but if I have not a host
> declaration then the host is unknown even if it has a subclass declaration.
>
> To illustrate:
>
> class "clsFoo" {
> match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subnet 192.168.0.0 netmask 255.255.255.0 {
>
> pool {
> deny unknown-clients;
> allow members of "clsFoo";
> range 192.168.0.30 192.168.0.200;
> }
> }
>
> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>
> In such config that clsFoo above gets denied. Is there how to consider a
> non-declared subclass an unknown host? Any workaround or other way to do it
> besides duplicate all subclass as hosts declarations?
So to be clear, you want members of clsFoo to get a lease, and other clients to
be denied ?
The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be
done, but the way it is processed is non-intuitive (and TBH I can't remember
how it works) so is best avoided. Where there is an allow statement, anything
not allowed by allow statement(s) in the pool will be denied - and similarly
with deny statements and anything not denied is allowed.
So :
pool {
allow members of "clsFoo";
range 192.168.0.30 192.168.0.200;
}
should be sufficient. Members of clsFoo will be allowed, anything else will be
denied.
It gets trickier when you have more than one class, and want to have a pool for
"anything else". In that case you would need :
pool {
deny members of "a";
deny members of "b";
...
range ...
}
Simon
------------------------------
Message: 3
Date: Tue, 18 Feb 2020 11:35:30 -0800
From: Chris Buxton <cli...@buxtonfamily.us>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <22c82b30-fc6a-44a9-b9b2-90dca1ac3...@buxtonfamily.us>
Content-Type: text/plain; charset=us-ascii
On Feb 18, 2020, at 10:19 AM, Simon Hobson <dh...@thehobsons.co.uk> wrote:
> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be
> done, but the way it is processed is non-intuitive (and TBH I can't remember
> how it works) so is best avoided. Where there is an allow statement, anything
> not allowed by allow statement(s) in the pool will be denied - and similarly
> with deny statements and anything not denied is allowed.
I've successfully mixed allow and deny statements in the same pool.
- Any client matching a deny statement is denied.
- Any client matching an allow statement (but no deny statement) is allowed.
- All other clients are denied.
Chris Buxton
------------------------------
Message: 4
Date: Tue, 18 Feb 2020 16:57:33 -0300
From: Marcio Merlone <marcio.merl...@a1.ind.br>
To: dhcp-users@lists.isc.org
Subject: Re: How to deny classless clients instead of unknown-clients.
Message-ID: <11bd5dde-d9b0-c337-f709-837f6b423...@a1.ind.br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Em 18/02/2020 15:19, Simon Hobson escreveu:
> Marcio Merlone <marcio.merl...@a1.ind.br> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless
>> clients. Have tried "deny unknown-clients" but if I have not a host
>> declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>> match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>> pool {
>> deny unknown-clients;
>> allow members of "clsFoo";
>> range 192.168.0.30 192.168.0.200;
>> }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such config that clsFoo above gets denied. Is there how to consider a
>> non-declared subclass an unknown host? Any workaround or other way to do it
>> besides duplicate all subclass as hosts declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients
> to be denied ?
Yes, kind of, I plan on having another pool for unknown-clients, like this:
subnet ...{
pool {
allow members of "clsFoo";
range 192.168.0.30 192.168.0.200;
}
}
subnet ...{
pool {
allow unknown-clients;
range 10.0.0.30 10.0.0.200;
}
}
> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be
> done, but the way it is processed is non-intuitive (and TBH I can't remember
> how it works) so is best avoided.
Tks for the tip. But I usually have to add an explicit deny clause to
avoid unwanted clients by experience.
> Where there is an allow statement, anything not allowed by allow statement(s)
> in the pool will be denied - and similarly with deny statements and anything
> not denied is allowed.
Not true on my experience, see below.
> So :
> pool {
> allow members of "clsFoo";
> range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will
> be denied.
I commented out all deny lines, keeping just allow for all pools. Yet,
an unknown-client just got an IP from the clsFoo pool.
I cannot invert this logic, none of my clients are "known", but classy.
Shouldn't a subclass definition make that a known host? Itching to open
a feature request.
> It gets trickier when you have more than one class, and want to have a pool
> for "anything else". In that case you would need :
>
> pool {
> deny members of "a";
> deny members of "b";
> ...
> range ...
> }
That's the case, I have 4 classes, one pool for each, plus another pool
for unknown-clients. But no luck yet.
--
*Marcio Merlone*
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.isc.org/pipermail/dhcp-users/attachments/20200218/00579cc1/attachment-0001.htm>
------------------------------
Subject: Digest Footer
_______________________________________________
dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
------------------------------
End of dhcp-users Digest, Vol 136, Issue 8
******************************************
