R: R: RPZ and client matching

Mukund Sivaraman muks at isc.org
Fri May 15 15:16:28 UTC 2015


Hi Job

On Fri, May 15, 2015 at 04:56:07PM +0200, Job wrote:
> Hello,
> 
> very interesting feature:
> 
> >>We have prepared a branch that adds an "rpz-skipzone." policy action
> >>that, when matched by the trigger, behaves as if the current policy zone
> >>is disabled, and proceeds to the next one. It is still in the early
> >>stages, but it may be released in 9.11.
> 
> But, actually there is a feature called "rpz-passthru".
> It is similar or something different?

rpz-passthru. skips further RPZ processing when that trigger matches.
rpz-skipzone. skips to the next policy zone in order.

So, for example, you could have a zone that looks like this:

zone1:

; move these specific clients to the next policy zone
32.z.y.x.w.rpz-client-ip IN CNAME rpz-skipzone.
32.d.c.b.a.rpz-client-ip IN CNAME rpz-skipzone.

; pass through all other addresses
0.0.0.0.0.rpz-client-ip IN CNAME rpz-passthru.

zone2:

; Handle clients that were moved here
0.0.0.0.0.rpz-client-ip IN ...

Right now the branch has not been reviewed yet. Once it is reviewed,
I'll let you know and you can try it from the master branch of BIND.
(It will not be backported to 9.10 as it's a new feature that's not
essential for DNS.)

		Mukund
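To make the difference between rpz-passthru and rpz-skipzone concrete, here is an added Python model of the ordered policy walk sketched above; it is not part of the post or of BIND, and it simplifies real RPZ matching to a longest-prefix match on IPv4 rpz-client-ip triggers. The sample zones are constructed, with "rpz-drop." standing in for the "..." action in zone2.

```python
"""Toy evaluator for the ordered RPZ client-IP policy walk described above."""
import ipaddress

# Constructed sample zones (not from the post). Records: owner name, CNAME target.
ZONES = [
    ("zone1", [
        ("32.1.0.0.10.rpz-client-ip", "rpz-skipzone."),     # 10.0.0.1/32
        ("32.7.0.168.192.rpz-client-ip", "rpz-skipzone."),  # 192.168.0.7/32
        ("0.0.0.0.0.rpz-client-ip", "rpz-passthru."),       # 0.0.0.0/0
    ]),
    ("zone2", [
        ("0.0.0.0.0.rpz-client-ip", "rpz-drop."),           # placeholder for "..."
    ]),
]

def parse_client_ip_owner(owner):
    """'prefix.B4.B3.B2.B1.rpz-client-ip' -> IPv4 network (octets are reversed)."""
    labels = owner.split(".")
    if len(labels) != 6 or labels[-1] != "rpz-client-ip":
        raise ValueError("not an IPv4 rpz-client-ip trigger: " + owner)
    prefix = int(labels[0])
    octets = ".".join(reversed(labels[1:5]))
    return ipaddress.ip_network(f"{octets}/{prefix}", strict=False)

def evaluate(client_ip, zones=ZONES):
    """Walk zones in order; return (zone, action) or (None, None) if nothing matched.
    Simplification: longest-prefix match within a zone, no further tie-breaking."""
    addr = ipaddress.ip_address(client_ip)
    for name, records in zones:
        best = None
        for owner, target in records:
            net = parse_client_ip_owner(owner)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        if best is None:
            continue  # no trigger matched in this zone: try the next one
        action = best[1]
        if action == "rpz-skipzone.":
            continue  # behave as if this policy zone were disabled
        return name, action  # rpz-passthru. or a rewriting action ends the walk
    return None, None
```

Running evaluate("10.0.0.1") reaches zone2 and gets "rpz-drop.", while evaluate("203.0.113.5") stops in zone1 with "rpz-passthru.".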