Host declarations in different ranges within the same subnet
Marcio Merlone
marcio.merlone at a1.ind.br
Wed Jun 13 16:44:21 UTC 2012
On 13-06-2012 12:40, Simon Hobson wrote:
> By doing it with classes, you don't need to bother with known/unknown.
> Just use an 'allow members of "foo"' in each pool where you want
> members of the class "foo" to be able to get an address and it'll do
> it for you. Members of the class will be given access, anything that's
> not a member will not.
>
> Whenever you use an allow (or deny), there is an implicit deny (or
> allow). So once you've allowed members of a class, then everything
> else is implicitly denied. Don't mix allow and deny - they don't work
> as most people expect, and I can't remember how it works even though
> it's been explained several times over the years !
>
> If you want a separate pool for all clients not in any of the classes,
> then you do it like this:
>
> pool {
> range ...
> deny members of "foo";
> deny members of "bar";
> }
> You need to list all the classes you've allowed elsewhere in the deny
> list. Any not denied will be implicitly allowed.
Things are getting nicely clear now. In fact, I don't need two classes,
I just need to protect one range for a few selected hosts (subclass).
The remaining hosts should go to the other range. Everything put in
place, this should do:
# Class whose members may use the GODS pool. The match key is the
# client-identifier if the client sends one, otherwise the hardware
# type byte (1 = Ethernet) followed by the MAC address. The subclass
# entries below are written in that second form, so a client that
# sends a client-identifier of some other form will not be a member.
class "classFirewallFullAccess" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;

# Host declarations make these clients "known"; they carry no options
# of their own and exist only so that "deny unknown-clients" below
# admits them to the Mortals pool.
host closedFw3 {
    hardware ethernet 00:00:00:00:00:03;
}
host closedFw4 {
    hardware ethernet 00:00:00:00:00:04;
}

shared-network foo {
    subnet 10.0.0.0 netmask 255.255.255.0 {
        # GODS: Those have 'permit' on firewall.
        # "allow members of" implicitly denies everyone else.
        pool {
            allow members of "classFirewallFullAccess";
            option routers 10.0.0.100;
            option blah;
            range 10.0.0.1 10.0.0.10;
        }
        # Mortals: should use the proxy.
        # Only clients with a host declaration. The class members above
        # have none, so they count as unknown and are kept out of here.
        pool {
            deny unknown-clients;
            option routers 10.0.0.200;
            option argh;
            range 10.0.0.11 10.0.0.20;
        }
    }
    # This goes for external sales people, customers, visitors, whatever.
    # "allow unknown-clients" implicitly denies the known hosts declared
    # above; the class members, having no host declaration, are unknown
    # clients here too.
    subnet 10.1.1.0 netmask 255.255.255.0 {
        ....
        allow unknown-clients;
        ....
    }
}
I know, I know, this is not a safe/good way to restrict normal people on
the firewall, someone can manually set up an IP address within the GODs
range, but this is another issue. ;)
Thanks and best regards.
--
*Marcio Merlone*
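The following is an added example, not ISC dhcpd code and not the poster's configuration. It is a small Python model of the permit rules stated in this thread, covering both Simon Hobson's explanation of implicit allow/deny and the class/subclass/pool layout posted above, so the two can be exercised together: an allow-only pool admits a client that matches at least one allow rule and implicitly denies the rest; a deny-only pool admits a client that matches no deny rule and implicitly allows the rest; a pool with no rules admits everyone; mixed pools are refused rather than guessed at. Assumptions beyond the page: the pool names gods/mortals/visitors, the sample clients and their client-identifiers are constructed here; subclass keys and client-identifiers are compared as dhcpd-style colon-separated hex strings; and "the first pool in declaration order that permits the client" stands in for dhcpd's real selection, which also looks at lease availability and existing leases.

```python
# Added example: a simplified model of ISC dhcpd pool permit evaluation as
# described on this page. Not dhcpd's code and not the poster's config.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Client:
    mac: str                          # e.g. "00:00:00:00:00:01"
    client_id: Optional[str] = None   # option dhcp-client-identifier, if sent


@dataclass
class Pool:
    name: str                                         # constructed label
    rng: Tuple[str, str]                              # first/last, informational
    allow: List[str] = field(default_factory=list)    # e.g. 'members of "foo"'
    deny: List[str] = field(default_factory=list)     # e.g. 'unknown-clients'


@dataclass
class Config:
    subclasses: Dict[str, Set[str]]   # class name -> subclass keys
    hosts: Set[str]                   # MACs with a host declaration ("known")
    pools: List[Pool]                 # declaration order


def pick_first_value_key(client: Client) -> str:
    """Key produced by 'match pick-first-value (option dhcp-client-identifier,
    hardware)': the client identifier if the client sent one, otherwise the
    hardware type byte (1 = Ethernet) followed by the MAC. Assumption: both
    are represented as colon-separated hex strings."""
    if client.client_id is not None:
        return client.client_id
    return "1:" + client.mac


def rule_matches(cfg: Config, client: Client, rule: str) -> bool:
    """Evaluate one allow/deny rule. Only the forms used on the page
    (plus known-clients) are modelled."""
    if rule == "unknown-clients":
        return client.mac not in cfg.hosts
    if rule == "known-clients":
        return client.mac in cfg.hosts
    prefix = 'members of "'
    if rule.startswith(prefix) and rule.endswith('"'):
        cls = rule[len(prefix):-1]
        return pick_first_value_key(client) in cfg.subclasses.get(cls, set())
    raise ValueError(f"unsupported permit rule: {rule}")


def pool_permits(cfg: Config, pool: Pool, client: Client) -> bool:
    """Allow-only: admitted iff some allow rule matches (implicit deny).
    Deny-only: admitted iff no deny rule matches (implicit allow).
    No rules: everyone. Mixed allow/deny is refused, per the thread's advice."""
    if pool.allow and pool.deny:
        raise ValueError(f"pool {pool.name}: mixing allow and deny is not modelled")
    if pool.allow:
        return any(rule_matches(cfg, client, r) for r in pool.allow)
    if pool.deny:
        return not any(rule_matches(cfg, client, r) for r in pool.deny)
    return True


def select_pool(cfg: Config, client: Client) -> Optional[str]:
    """Simplification (assumption): first pool in declaration order that
    permits the client. Real dhcpd also weighs lease availability."""
    for pool in cfg.pools:
        if pool_permits(cfg, pool, client):
            return pool.name
    return None


def example_config() -> Config:
    """The posted layout, built here as constructed sample data."""
    return Config(
        subclasses={"classFirewallFullAccess": {"1:00:00:00:00:00:01",
                                                "1:00:00:00:00:00:02"}},
        hosts={"00:00:00:00:00:03", "00:00:00:00:00:04"},
        pools=[
            Pool("gods", ("10.0.0.1", "10.0.0.10"),
                 allow=['members of "classFirewallFullAccess"']),
            Pool("mortals", ("10.0.0.11", "10.0.0.20"),
                 deny=["unknown-clients"]),
            Pool("visitors", ("....", "...."),      # range elided on the page
                 allow=["unknown-clients"]),
        ],
    )


def catch_all_pool() -> Pool:
    """Simon's alternative for 'everyone not in any class': deny every class
    allowed elsewhere; anything not denied is implicitly allowed."""
    return Pool("rest", ("10.0.0.11", "10.0.0.20"),
                deny=['members of "classFirewallFullAccess"'])


if __name__ == "__main__":
    cfg = example_config()
    for c in (Client("00:00:00:00:00:01"),
              Client("00:00:00:00:00:01", client_id="00:66:77:33"),
              Client("00:00:00:00:00:03"),
              Client("00:00:00:00:00:05")):
        print(c, "->", select_pool(cfg, c))
```

The second sample client shows the caveat that matters most for the "GODS" range: a client whose MAC is in the subclass list but which sends a client-identifier in some other form is matched by that identifier, not by its hardware address, so it is neither a class member nor a known host and lands with the visitors. A client that sends the common type-1-plus-MAC identifier produces the same key as the bare hardware match and still lands in the gods pool.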