How to restrict Windows XP DHCP clients to a specific subnet?

Chris Buxton clists at buxtonfamily.us
Thu Feb 13 17:30:44 UTC 2014


If you mix allow and deny statements in the same scope, the following rules apply:

1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
3. Denied.

If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.

If no allow or deny statement is in effect, the client is allowed.

Obviously, mixing allow and deny is tricky and should only be done when necessary. I have seen a case or two where it is necessary, though.

Regards,
Chris Buxton

On Feb 13, 2014, at 6:55 AM, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> wrote:

> Simon Hobson dhcp1 at thehobsons.co.uk wrote:
>> Where you use an allow clause, anything not specifically allowed is denied, so you can do :
>>  pool {
>>    allow members of "tom";
>>    allow members of "dick";
>>    allow members of "harry";
>>    range ...;
>>  }
>> which will allow members of those classes but nothing else.
>> 
>> Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
> 
> I've been testing this now, and unfortunately it seems that you're right!  Mixing allow/deny statements within a pool breaks completely any logic which I can see.
> 
> Where might this strange allow/deny behavior be documented?  The DHCP Handbook 2nd ed. discusses on p. 344 various allow and deny statements, but has nothing to say about mixing them.
> 
> The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says quite the opposite from what you have explained:
>> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
> 
> Confusion is apparently abundant!
> 
> -- 
> Ole Holm Nielsen
> Department of Physics, Technical University of Denmark
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
> 
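The decision procedure Chris Buxton lays out above can be checked by running it rather than reasoning about it. The following is an added example written for this page, not code from ISC dhcpd or from anyone in the thread: it parses the allow/deny statements out of a pool body, applies the three rules (deny first, then allow, then deny by default; allow-only denies the unmatched; deny-only allows the unmatched; nothing stated allows everyone) and compares the mixed case against the dhcpd.conf sentence Ole quotes. The class names "staff" and "xp-clients", the MAC addresses and the 192.0.2.0/24 ranges are constructed for the example; only "tom", "dick" and "harry" come from Simon's snippet.

```python
"""Model of the pool allow/deny decision described in this thread.

Constructed illustration of the three rules in Chris Buxton's reply; it is
not code from ISC dhcpd. Class names other than tom/dick/harry, MAC
addresses and address ranges below are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """The only client attributes the permit logic looks at here."""
    mac: str
    known: bool            # True when a host declaration matches the client
    classes: frozenset     # names of the classes the client has matched


# One "allow ...;" or "deny ...;" statement inside a pool body.
STMT_RE = re.compile(r'^\s*(allow|deny)\s+(.+?)\s*;\s*$')


def parse_pool(text):
    """Return (allow_list, deny_list) of predicates found in a pool body."""
    allow, deny = [], []
    for line in text.splitlines():
        m = STMT_RE.match(line)
        if m:
            (allow if m.group(1) == 'allow' else deny).append(m.group(2))
    return allow, deny


def matches(pred, client):
    """Evaluate one permit-list predicate against a client."""
    if pred.startswith('members of'):
        return pred.split('"')[1] in client.classes
    if pred == 'known-clients':
        return client.known
    if pred == 'unknown-clients':
        return not client.known
    if pred == 'all clients':
        return True
    raise ValueError(f'unsupported predicate: {pred!r}')


def pool_permits(allow, deny, client):
    """Mixed: deny match -> denied, else allow match -> allowed, else denied.
    Allow only: unmatched denied. Deny only: unmatched allowed. None: allowed."""
    denied = any(matches(p, client) for p in deny)
    allowed = any(matches(p, client) for p in allow)
    if allow and deny:
        return (not denied) and allowed
    if allow:
        return allowed
    if deny:
        return not denied
    return True


def manpage_rule(allow, deny, client):
    """The dhcpd.conf wording quoted in the thread (mixed case only):
    allowed iff the client matches the permit list and not the deny list."""
    return (any(matches(p, client) for p in allow)
            and not any(matches(p, client) for p in deny))


def decide(pool_text, clients):
    """Map each client's MAC to the pool's decision for it."""
    allow, deny = parse_pool(pool_text)
    return {c.mac: pool_permits(allow, deny, c) for c in clients}


# Simon Hobson's allow-only pool from the quoted message (range made up).
ALLOW_ONLY_POOL = """
pool {
  allow members of "tom";
  allow members of "dick";
  allow members of "harry";
  range 192.0.2.10 192.0.2.50;
}
"""

# A mixed pool with hypothetical "staff" and "xp-clients" classes.
MIXED_POOL = """
pool {
  allow members of "staff";
  deny members of "xp-clients";
  range 192.0.2.100 192.0.2.150;
}
"""

# Constructed clients: tom-only, staff, staff that is also an XP client, nobody.
CLIENTS = [
    Client('00:00:5e:00:53:01', False, frozenset({'tom'})),
    Client('00:00:5e:00:53:02', True, frozenset({'staff'})),
    Client('00:00:5e:00:53:03', True, frozenset({'staff', 'xp-clients'})),
    Client('00:00:5e:00:53:04', False, frozenset()),
]

if __name__ == '__main__':
    for name, pool in (('allow-only', ALLOW_ONLY_POOL), ('mixed', MIXED_POOL)):
        print(name, decide(pool, CLIENTS))
```

Running it shows the allow-only pool admitting just the "tom" client and the mixed pool admitting the staff client but rejecting the one that is also in "xp-clients", because a deny match is checked first. For the mixed pool, `pool_permits` and `manpage_rule` agree for every client: "matches permit and not deny" is the same set as "not denied, then allowed", so the two descriptions in the thread differ in wording rather than outcome. The behaviour people find surprising is the default for unmatched clients, which flips depending on whether any allow statement is present at all.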