can't get acl to work!

Alexander Stade alex at wego.com
Mon Feb 12 01:30:17 UTC 2001


I'm not too proficient with this, but I have it working. First of all I
would say that you should upgrade to 8.2.3 for obvious reasons. Second of
all, I don't understand why you have a ! (negation?) in front of your IP
block. Third, I think you should define all four octets, say if 1.2.3/24
needs to be the only one able to query, then you should define 1.2.3.0/24.

But then again, maybe what you have done is legal... Maybe "any;" should be
0.0.0.0/0? Perhaps define it something like this:

acl can_query { 0.0.0.0/0; };
acl cant_query { 1.2.3.0/24; };

And use both ACLs when appropriate? Just some food for thought. Sorry I
couldn't contribute more.

Alex

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of andreas at netbank.com.br
Sent: Sunday, July 16, 2000 12:18 PM
To: bind-users at isc.org
Subject: can't get acl to work!
Hi all,

this is driving me nuts...
With bind-8.2.2P5 the following doesn't work:

options {
	(...)
	notify no;
	acl can_query { !1.2.3/24; any; };
	allow-query { 127.0.0.1; 192.168.1.0/24; };
	(...)
	listen-on {
		127.0.0.1;
		192.168.1.2;
	};
	(...)
};

If I then restart the server, I get:

Jul 16 16:23:18 mail named[21656]: /etc/named.conf:5: syntax error near acl
Jul 16 16:23:18 mail named[21656]: /etc/named.conf:6: syntax error near allow-query
(...)
Jul 16 16:23:18 mail named[21656]: listening on [127.0.0.1].53 (lo)
Jul 16 16:23:18 mail named[21656]: listening on [192.168.1.2].53 (eth0)
Jul 16 16:23:18 mail named[21656]: listening on [xxx.xxx.xxx.xx].53 (ppp0)
Jul 16 16:23:18 mail named[21656]: Forwarding source address is [0.0.0.0].1053
(...)

So, the "acl" directive wasn't understood and, even worse, the listen-on
part wasn't used (probably because of the error, but I thought the server
wouldn't start if it found an error, or, at least, would keep processing
the .conf file).
I've also tried using "can_query" and even other names, but with no success.
The list archives also didn't help, nothing about this subject was found.
Any ideas?
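As an added illustration (not code from either message in this thread), the following Python models how named evaluates an address match list: elements are checked in order, the first one that matches the client decides, a leading "!" turns that decision into a deny, and a client that matches nothing is denied. It shows why the order of "!1.2.3/24" and "any" matters, and why a query ACL with "any" first silently permits the very network the "!" was meant to exclude. The function names are this example's own, and the padding of the shorthand "1.2.3/24" to "1.2.3.0/24" is the example's normalisation, not a claim about named's parser.

```python
"""Model of BIND address-match-list evaluation (added example, not from the thread).

Rules modelled: first matching element wins; '!' negates (explicit deny);
'any' matches every client; 'none' matches nobody; no match at all = deny.
"""
import ipaddress
from typing import List, Tuple, Union

Target = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]


def _normalize_prefix(target: str) -> str:
    """Pad the shorthand '1.2.3/24' out to '1.2.3.0/24' (this example's own
    normalisation so that the ipaddress module accepts it)."""
    addr, _, plen = target.partition("/")
    octets = addr.split(".")
    if "." in addr and len(octets) < 4 and all(o.isdigit() for o in octets):
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return addr + ("/" + plen if plen else "")


def parse_element(element: str) -> Tuple[bool, Target]:
    """Return (negated, target) for one element such as '!1.2.3.0/24' or 'any'."""
    negated = element.startswith("!")
    target = element.lstrip("!").strip()
    if target in ("any", "none"):
        return negated, target
    # A bare host such as 127.0.0.1 becomes a /32 network.
    return negated, ipaddress.ip_network(_normalize_prefix(target), strict=False)


def acl_permits(client_ip: str, elements: List[str]) -> bool:
    """Walk the list in order and stop at the first element matching the
    client; permit only if that element was not negated. No match -> deny."""
    ip = ipaddress.ip_address(client_ip)
    for element in elements:
        negated, target = parse_element(element)
        if target == "none":
            continue  # 'none' never matches anyone
        if target == "any" or ip in target:
            return not negated
    return False


# Constructed lists mirroring the ACL discussed in the thread.
DENY_FIRST = ["!1.2.3/24", "any"]  # 1.2.3.0/24 denied, everyone else permitted
ANY_FIRST = ["any", "!1.2.3/24"]   # 'any' matches first, so the '!' never applies
ALLOW_QUERY = ["127.0.0.1", "192.168.1.0/24"]  # the post's allow-query list
```

Because named stops at the first match, a negated element only has an effect when it appears before any broader element that would also match the same client.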