How to deny classless clients instead of unknown-clients.


How to deny classless clients instead of unknown-clients.

Marcio Merlone

Hi,

I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.

To illustrate:

class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subnet 192.168.0.0 netmask 255.255.255.0 {

pool {
   deny unknown-clients;
   allow members of "clsFoo";
   range 192.168.0.30 192.168.0.200;
}
}

subclass "clsFoo" 1:xx:xx:xx:12:34:56;

In such a config, the clsFoo client above gets denied. Is there a way to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?

Thanks, best regards.

--
Marcio Merlone

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: How to deny classless clients instead of unknown-clients.

Simon Hobson
Marcio Merlone <[hidden email]> wrote:

> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
>
> To illustrate:
>
> class "clsFoo" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subnet 192.168.0.0 netmask 255.255.255.0 {
>
> pool {
>    deny unknown-clients;
>    allow members of "clsFoo";
>    range 192.168.0.30 192.168.0.200;
> }
> }
>
> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>
> In such a config, the clsFoo client above gets denied. Is there a way to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?

So to be clear, you want members of clsFoo to get a lease, and other clients to be denied?

The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided. Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied; and similarly with deny statements, anything not denied is allowed.

So:
pool {
   allow members of "clsFoo";
   range 192.168.0.30 192.168.0.200;
}
should be sufficient. Members of clsFoo will be allowed, anything else will be denied.

It gets trickier when you have more than one class, and want to have a pool for "anything else". In that case you would need:

pool {
  deny members of "a";
  deny members of "b";
  ...
  range ...
}

Simon


Re: How to deny classless clients instead of unknown-clients.

Chris Buxton
On Feb 18, 2020, at 10:19 AM, Simon Hobson <[hidden email]> wrote:
> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided. Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied - and similarly with deny statements and anything not denied is allowed.

I've successfully mixed allow and deny statements in the same pool.

- Any client matching a deny statement is denied.
- Any client matching an allow statement (but no deny statement) is allowed.
- All other clients are denied.

Chris Buxton
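As an added illustration (not code from the thread or from ISC dhcpd itself), a small Python model of the pool permit rules Chris lists above, applied to the original poster's mixed pool, to Simon's allow-only pool and to his deny-only "anything else" pool. It assumes, as the original post found, that a client is "known" only when it has a host declaration; a subclass entry does not make it known. Client ids, class names and pools are constructed sample data.

```python
# Added example (not from the thread): model of how an ISC dhcpd pool's
# allow/deny statements decide admission, following the rules Chris gives:
# a matching deny wins, then a matching allow, otherwise the client is denied;
# a pool with only deny statements admits anything not denied.

def is_permitted(pool, client, hosts):
    """Return True if `client` may take a lease from `pool`.

    pool   : {"deny": [...], "allow": [...]} of permit strings such as
             "unknown-clients" or 'members of "clsFoo"'.
    client : {"id": "<client id>", "classes": {...}} -- classes it matched.
    hosts  : set of client ids that have a `host` declaration; only these
             count as "known", class or subclass membership does not.
    """
    def matches(permit):
        if permit == "unknown-clients":
            return client["id"] not in hosts
        if permit == "known-clients":
            return client["id"] in hosts
        if permit.startswith("members of "):
            return permit[len("members of "):].strip('"') in client["classes"]
        raise ValueError("unsupported permit: " + permit)

    if any(matches(p) for p in pool.get("deny", [])):
        return False                            # deny statements win
    allows = pool.get("allow", [])
    if allows:
        return any(matches(p) for p in allows)  # must hit at least one allow
    return True                                 # deny-only pool: not denied => allowed


# Constructed sample data: a subclass member with no host declaration,
# and a client that matched no class at all.
HOSTS = set()                                   # no host declarations anywhere
CLASS_MEMBER = {"id": "1:aa:bb:cc:12:34:56", "classes": {"clsFoo"}}
STRANGER = {"id": "1:00:11:22:33:44:55", "classes": set()}

ORIGINAL_POOL = {"deny": ["unknown-clients"], "allow": ['members of "clsFoo"']}
ALLOW_ONLY_POOL = {"allow": ['members of "clsFoo"']}
CATCH_ALL_POOL = {"deny": ['members of "a"', 'members of "b"', 'members of "clsFoo"']}

if __name__ == "__main__":
    for name, pool in [("original", ORIGINAL_POOL), ("allow-only", ALLOW_ONLY_POOL),
                       ("catch-all", CATCH_ALL_POOL)]:
        print(name, "class member:", is_permitted(pool, CLASS_MEMBER, HOSTS),
              "stranger:", is_permitted(pool, STRANGER, HOSTS))
```

Under these rules the original pool denies the subclass member because "deny unknown-clients" is evaluated before the allow, while the allow-only pool admits it and rejects the stranger, and the deny-only catch-all pool does the reverse.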

Re: How to deny classless clients instead of unknown-clients.

Marcio Merlone
In reply to this post by Simon Hobson
On 18/02/2020 15:19, Simon Hobson wrote:
> Marcio Merlone <[hidden email]> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>>     match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>> pool {
>>    deny unknown-clients;
>>    allow members of "clsFoo";
>>    range 192.168.0.30 192.168.0.200;
>> }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such a config, the clsFoo client above gets denied. Is there a way to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients to be denied?

Yes, kind of, I plan on having another pool for unknown-clients, like this:

subnet ...{
pool {
   allow members of "clsFoo";
   range 192.168.0.30 192.168.0.200;
}
} 
subnet ...{
pool {
   allow unknown-clients;
   range 10.0.0.30 10.0.0.200;
}
} 


> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.

Thanks for the tip. But in my experience I usually have to add an explicit deny clause to avoid unwanted clients.


> Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied; and similarly with deny statements, anything not denied is allowed.

Not true in my experience, see below.


> So:
> pool {
>    allow members of "clsFoo";
>    range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will be denied.

I commented out all deny lines, keeping just allow for all pools. Yet, an unknown-client just got an IP from the clsFoo pool.

I cannot invert this logic, none of my clients are "known", but classy. Shouldn't a subclass definition make that a known host? Itching to open a feature request.


> It gets trickier when you have more than one class, and want to have a pool for "anything else". In that case you would need:
>
> pool {
>   deny members of "a";
>   deny members of "b";
>   ...
>   range ...
> }

That's the case, I have 4 classes, one pool for each, plus another pool for unknown-clients. But no luck yet.


--
Marcio Merlone


Re: How to deny classless clients instead of unknown-clients.

Simon Hobson
Marcio Merlone <[hidden email]> wrote:

>> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.
>>
> Thanks for the tip. But in my experience I usually have to add an explicit deny clause to avoid unwanted clients.

I've never had to do this.


>> So:
>> pool {
>>    allow members of "clsFoo";
>>    range 192.168.0.30 192.168.0.200;
>> }
>> should be sufficient. Members of clsFoo will be allowed, anything else will be denied.
>>
> I commented out all deny lines, keeping just allow for all pools. Yet, an unknown-client just got an IP from the clsFoo pool.
>
> I cannot invert this logic, none of my clients are "known", but classy. Shouldn't a subclass definition make that a known host? Itching to open a feature request.

You need to post both your full config file (obfuscate any public IPs if you need to) and log entries when it's "not working properly". What you are seeing is not correct operation.

Simon
