On 04/08/2015 21:29, Darcy Kevin (FCA) wrote:
> The short answer is that that is how address-match-lists work: a non-negated 
> match allows access, a negated match denies access, and if there is *no* 
> match, access is denied. The only real reason to use a negated match, 
> therefore, is when what you're negating is a subset of something later in the 
> address-match-list.
> 
> You do realize, I hope, that you could just change the order of the views and 
> then you wouldn't need any form of negation (earlier one matches 127.0.0.1, 
> later one matches "any").
> 
>                                                                       - Kevin
> 
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
> Sent: Tuesday, August 04, 2015 4:19 PM
> To: bind-users@lists.isc.org
> Subject: Negation in view match-clients ACL doesn't work?
> 
> Folks,
> 
>       This has been a real mystery and I haven't been able to find a good 
> explanation for the behavior. For a simple example I have two views setup and 
> I want to differentiate access based on queries originating from 127.0.0.1.
> 
>       In my FIRST ATTEMPT I just negated the IP address, but that didn't 
> work. The first view never matched. In the SECOND ATTEMPT I simply added 
> "any" AFTER the negation and that worked?
>       
>       I read the ARM, can someone explain?  Many Thanks!!!!!
> 
> FIRST ATTEMPT:  Fails - no clients can see external_zones.
> 
> view "default-test" {
>      match-clients { ! 127.0.0.1; };  // thought this would match anyone but 
> 127.0.0.1
> 
>      zone "." {
>         type hint;
>         file "db.cache";
>      };
>      zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>      };
> 
>      include "external_zones.txt";
> };
> 
> view "default" {
>      match-clients { any; };
> 
>      zone "." {
>         type hint;
>         file "db.cache";
>      };
>      zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>      };
> 
>      include "internal_zones.txt";  
> };
> 
> SECOND ATTEMPT: Succeeds, only external clients can see external_zones.
> 
> view "default-test" {
>      match-clients { ! 127.0.0.1;  any; };  // Why must I add any?
> ......
> 
Although it's dealing with a different question, this KB article might
help a bit with understanding ACLs:

https://kb.isc.org/article/AA-00723
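The first-match rule Kevin describes (non-negated entry allows, negated entry denies, no match at all denies), modelled as an added Python example; this is not code from the thread or from BIND itself, and the `match_clients`/`select_view` helpers, the constructed view lists and the 192.0.2.10 client address are assumptions made for illustration:

```python
import ipaddress
from typing import List, Optional, Tuple

# Model of a BIND address-match-list (assumption: only literal addresses,
# prefixes, "any" and "none" are handled; TSIG keys, named ACLs and the
# localhost/localnets builtins are not modelled here).
# Entries are checked in order and the FIRST entry whose address matches
# decides: a plain entry allows, a "!" entry denies. If no entry matches,
# access is denied.

def _parse_entry(entry: str) -> Tuple[bool, str]:
    entry = entry.strip()
    negated = entry.startswith("!")
    return negated, entry.lstrip("! ").strip()

def _addr_matches(target: str, client: ipaddress.IPv4Address) -> bool:
    if target == "any":
        return True
    if target == "none":
        return False
    # A bare address such as 127.0.0.1 is treated as a /32 prefix.
    return client in ipaddress.ip_network(target, strict=False)

def match_clients(acl: List[str], client_ip: str) -> bool:
    """Return True if client_ip is allowed by the address-match-list."""
    client = ipaddress.ip_address(client_ip)
    for entry in acl:
        negated, target = _parse_entry(entry)
        if _addr_matches(target, client):
            return not negated      # first match decides the outcome
    return False                    # no match: access denied

def select_view(views: List[Tuple[str, List[str]]], client_ip: str) -> Optional[str]:
    """Return the first view whose match-clients accepts the client, else None."""
    for name, acl in views:
        if match_clients(acl, client_ip):
            return name
    return None

# Constructed view orderings mirroring the two attempts in the thread.
FIRST_ATTEMPT = [("default-test", ["! 127.0.0.1"]), ("default", ["any"])]
SECOND_ATTEMPT = [("default-test", ["! 127.0.0.1", "any"]), ("default", ["any"])]
# Kevin's alternative: reorder the views and drop the negation entirely.
REORDERED = [("default", ["127.0.0.1"]), ("default-test", ["any"])]
```

With FIRST_ATTEMPT an external client never matches the first view (the only entry is a negation that it does not match, so the list falls through to "denied") and lands in "default"; SECOND_ATTEMPT and REORDERED both send 127.0.0.1 to the internal view and everyone else to the external one.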

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users