How to restrict Windows XP DHCP clients to a specific subnet?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Thu Feb 13 14:55:16 UTC 2014
Simon Hobson dhcp1 at thehobsons.co.uk wrote:
> Where you use an allow clause, anything not specifically allowed is denied, so you can do:
> pool {
> allow members of "tom";
> allow members of "dick";
> allow members of "harry";
> range ...;
> }
> which will allow members of those classes but nothing else.
>
> Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
I've been testing this now, and unfortunately it seems that you're
right! Mixing allow/deny statements within a pool breaks completely any
logic which I can see.
Where might this strange allow/deny behavior be documented? The DHCP
Handbook 2nd ed. discusses on p. 344 various allow and deny statements,
but has nothing to say about mixing them.
The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says
quite the opposite from what you have explained:
> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
Confusion is apparently abundant!
--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark
More information about the dhcp-users mailing list