I think you want something like this:

(!10.60.0.0; !10.60.0.255; 10.60.0.0/24)

First deny the two addresses you want not to be part of the ACL and then accept 
the whole network.

First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected before 
the next <address_match_element> entries are tested.

Thanks

Sten
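
The first-match rule described above, together with the host-bits problem pointed out further down the thread, modelled in Python as an added example (not code from the thread or from BIND). The function names are made up for illustration, and treating an address that matches no element as rejected is an assumption of this model.

```python
import ipaddress

# The element list from the reply above, and a few entries from the quoted named.conf.local.
REPLY_ACL = ["!10.60.0.0", "!10.60.0.255", "10.60.0.0/24"]
QUOTED_ENTRIES = ["10.60.0.1/23", "10.10.2.1/25", "10.60.0.0/23"]


def parse_acl(elements):
    """Turn '!addr' / 'addr/len' strings into (negated, network) pairs, in order."""
    parsed = []
    for raw in elements:
        text = raw.strip()
        negated = text.startswith("!")
        if negated:
            text = text[1:].strip()
        # strict=True raises ValueError when host bits are set (e.g. 10.60.0.1/23).
        parsed.append((negated, ipaddress.ip_network(text, strict=True)))
    return parsed


def host_bit_errors(elements):
    """Return (entry, corrected prefix) for entries whose address part is not
    the lowest address of the prefix."""
    bad = []
    for raw in elements:
        text = raw.strip().lstrip("!")
        try:
            ipaddress.ip_network(text, strict=True)
        except ValueError:
            # strict=False masks off the host bits, giving the intended prefix.
            bad.append((raw, str(ipaddress.ip_network(text, strict=False))))
    return bad


def acl_allows(parsed, address):
    """First match wins: a negated match rejects, a plain match accepts.
    No match at all is treated as a reject (assumption of this model)."""
    ip = ipaddress.ip_address(address)
    for negated, net in parsed:
        if ip in net:
            return not negated
    return False


if __name__ == "__main__":
    acl = parse_acl(REPLY_ACL)
    for addr in ("10.60.0.0", "10.60.0.1", "10.60.0.255", "10.60.1.1"):
        print(addr, "allowed" if acl_allows(acl, addr) else "rejected")
    print(host_bit_errors(QUOTED_ENTRIES))
```

Putting the `/24` element first makes the two negated elements unreachable, which is why the order in the reply matters.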

> On 24 Aug 2022, at 16.05, Ondřej Surý <ond...@isc.org> wrote:
> 
> 
>> On 24. 8. 2022, at 15:58, Elias Pereira <empbi...@gmail.com> wrote:
>> 
>> hello Ondrej,
>> 
>> Not completely wrong, because 255 is the broadcast.
> 
> No, it's not. This is an ACL specification, not an interface/network 
> configuration.
> 
>> For a better understanding, then it would be Available range 10.60.0.1 to 
>> 10.60.1.254.
> 
> No, I've already provided you with a correct answer what 10.60.0.0/23 means 
> in terms of range, why do you insist on this?
> 
>> Correctly specified range (without address/host bits) does take the whole 
>> range.
>> 
>> Like this 10.60/23; ?
> 
> I think others have already answered that, I would be just repeating their 
> answers.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
> 
>> On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <ond...@isc.org> wrote:
>> 
>> 
>>> On 24. 8. 2022, at 15:26, Elias Pereira <empbi...@gmail.com> wrote:
>>> 
>>> 
>>> Hello Greg,
>>> 
>>> Why doesn't bind work with networks/subnets in the conventional way?
>> 
>> It does.
>> 
>>> If the private subnet is 10.60.0.0/23, then it means 
>>> that the address range is 10.60.0.1 to 10.60.1.254.
>> 
>> That’s wrong. 10.60.0.0/23 means 10.60.0.0 to 
>> 10.60.1.255 range.
>> 
>>> How do I configure this ACL in named.conf.local so that it takes the whole 
>>> range?
>> 
>> Correctly specified range (without address/host bits) does take the whole 
>> range.
>> 
>> Ondrej 
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>> 
>>> On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <ana...@ripe.net> wrote:
>>> On 24/08/2022 14:16, Elias Pereira wrote:
>>> 
>>> Hi Elias,
>>> 
>>> > Oh, sorry... :D
>>> > 
>>> > here it is
>>> > 
>>> > # cat named.conf.local
>>> > # ACL for the internal networks
>>> > # Last modified: 24/08/2022
>>> > 
>>> > acl "internal" {
>>> > 10.60.0.1/23;
>>> 
>>> This is the issue. The address part of the prefix should be the lowest 
>>> address in that prefix. If you change this to 10.60.0.0/23, it will be 
>>> fine. The same goes for all the other prefixes in your list. Change the 
>>> 1's to 0's.
>>> 
>>> > 10.10.1.1/24;
>>> > 10.10.2.1/25;
>>> > 10.10.3.1/25;
>>> > 10.10.4.1/25;
>>> > 10.10.5.1/25;
>>> > 10.51.0.1/23;
>>> > 10.10.6.1/25;
>>> > 10.10.7.1/26;
>>> > 172.20.0.1/26;
>>> > 10.50.0.1/23;
>>> > 10.40.0.1/22;
>>> > 10.56.0.1/22;
>>> > };
>>> 
>>> 
>>> -- 
>>> Elias Pereira
>>> -- 
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
>>> this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. 
>>> Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> 
>> 
>> -- 
>> Elias Pereira
> 

