> On 24 Aug 2022, at 16.52, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:
>
> Hi Sten.
> That is absolutely what you do *not* want to do.
>
> Writing it out in binary might help. /23 means the following:
> 11111111 11111111 11111110 00000000
>
> '1' bits mean, test an incoming address against the corresponding bit from the address in the mask.
> '0' bits mean, don't test an incoming address against the corresponding bit from the address in the mask.
>
> The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to 10.60.1.255 *inclusive*.
>
> There is no concept of network address and broadcast address here. It is just pattern matching.

Yes, I was (incorrectly) thinking in terms of a /24 network and assumed that removing the ..0 and ..255 addresses was the issue. The proposal would do that by first rejecting (! - means reject) the offending addresses (all have to be listed separately) before doing the above pattern matching.

> Cheers, Greg
>
> On Wed, 24 Aug 2022 at 15:40, Sten Carlsen <st...@s-carlsen.dk> wrote:
> I think you want something like this:
>
> (!10.60.0.0; !10.60.0.255; 10.60.0.0/24)
>
> First deny the two addresses you want not to be part of the ACL and then accept the whole network.
>
> First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected before the next <address_match_element> is tested.
>
> Thanks
>
> Sten
>
>> On 24 Aug 2022, at 16.05, Ondřej Surý <ond...@isc.org> wrote:
>>
>>> On 24. 8. 2022, at 15:58, Elias Pereira <empbi...@gmail.com> wrote:
>>>
>>> hello Ondrej,
>>>
>>> Not completely wrong, because 255 is the broadcast.
>>
>> No, it's not. This is ACL specification, not an interface/network configuration.
>>
>>> For a better understanding, then it would be Available range 10.60.0.1 to 10.60.1.254.
>>
>> No, I've already provided you with a correct answer what 10.60.0.0/23 means in terms of range, why do you insist on this?
>>
>>> Correctly specified range (without address/host bits) does take the whole range.
>>>
>>> Like this 10.60/23; ?
>>
>> I think others have already answered that, I would be just repeating their answers.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>
>>
>>> On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <ond...@isc.org> wrote:
>>>
>>>
>>>> On 24. 8. 2022, at 15:26, Elias Pereira <empbi...@gmail.com> wrote:
>>>>
>>>>
>>>> Hello Greg,
>>>>
>>>> Why doesn't bind work with networks/subnets in the conventional way?
>>>
>>> It does.
>>>
>>>> If the private subnet is 10.60.0.0/23, then it means that the address range is 10.60.0.1 to 10.60.1.254.
>>>
>>> That’s wrong. 10.60.0.0/23 means 10.60.0.0 to 10.60.1.255 range.
>>>
>>>> How do I configure this ACL in named.conf.local so that it takes the whole range?
>>>
>>> Correctly specified range (without address/host bits) does take the whole range.
>>>
>>> Ondrej
>>> --
>>> Ondřej Surý — ISC (He/Him)
>>>
>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>>
>>>> On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <ana...@ripe.net> wrote:
>>>> On 24/08/2022 14:16, Elias Pereira wrote:
>>>>
>>>> Hi Elias,
>>>>
>>>> > Oh, sorry... :D
>>>> >
>>>> > here it is
>>>> >
>>>> > # cat named.conf.local
>>>> > # ACL for the internal networks
>>>> > # Last modified: 24/08/2022
>>>> >
>>>> > acl "internal" {
>>>> >     10.60.0.1/23;
>>>>
>>>> This is the issue. The address part of the prefix should be the lowest address in that prefix. If you change this to 10.60.0.0/23, it will be fine. The same goes for all the other prefixes in your list. Change the 1's to 0's.
>>>>
>>>> >     10.10.1.1/24;
>>>> >     10.10.2.1/25;
>>>> >     10.10.3.1/25;
>>>> >     10.10.4.1/25;
>>>> >     10.10.5.1/25;
>>>> >     10.51.0.1/23;
>>>> >     10.10.6.1/25;
>>>> >     10.10.7.1/26;
>>>> >     172.20.0.1/26;
>>>> >     10.50.0.1/23;
>>>> >     10.40.0.1/22;
>>>> >     10.56.0.1/22;
>>>> > };
>>>>
>>>>
>>>> --
>>>> Elias Pereira
>>>> --
>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>>
>>> --
>>> Elias Pereira
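The bit-mask matching Greg describes and the first-match, `!`-negation semantics of Sten's proposal, as a small Python model. This is an added example, not code from the thread and not BIND's own implementation; it assumes IPv4 only, and the host-bits check that flags 10.60.0.1/23 is the example's own validation of the mistake Anand points out, not a claim about what named or named-checkconf does with such a prefix.

```python
"""Toy model of a BIND-style address_match_list (added example, not BIND code).

Two points from the thread are implemented:
  * a prefix is a bit-mask test: 10.60.0.0/23 matches 10.60.0.0 .. 10.60.1.255
    inclusive, with no network/broadcast address carved out;
  * the list is walked in order and the first matching element decides, so
    negated ('!') elements placed first can exclude individual addresses.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_mask(prefix_len: int) -> int:
    """32-bit mask for a prefix length: '1' bits are compared, '0' bits ignored."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length {prefix_len}")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def mask_to_binary(prefix_len: int) -> str:
    """Render the mask as four binary octets, the way /23 was written out above."""
    m = prefix_mask(prefix_len)
    return " ".join(f"{(m >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def _split(text: str):
    """'!10.60.0.0/24' -> (negated, address_as_int, prefix_len); bare address == /32."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    addr, _, plen = text.partition("/")
    prefix_len = int(plen) if plen else 32
    return negated, int(ipaddress.IPv4Address(addr)), prefix_len


def host_bits(addr_int: int, prefix_len: int) -> int:
    """Bits of the address that fall under the '0' part of the mask (should be zero)."""
    return addr_int & ~prefix_mask(prefix_len) & ALL_ONES


def parse_element(text: str, strict: bool = True):
    """Parse one address_match_element into (negated, network_int, mask_int).

    With strict=True an element whose address part has host bits set (e.g.
    10.60.0.1/23) is rejected; this is the example's own check, not named's.
    """
    negated, addr_int, prefix_len = _split(text)
    mask = prefix_mask(prefix_len)
    if strict and host_bits(addr_int, prefix_len):
        raise ValueError(
            f"{text.strip()}: host bits set; the address part must be the lowest "
            f"address of the prefix, i.e. {ipaddress.IPv4Address(addr_int & mask)}/{prefix_len}"
        )
    return negated, addr_int & mask, mask


def suggest_fix(element: str):
    """Return the corrected element ('change the 1's to 0's'), or None if it is already clean."""
    negated, addr_int, prefix_len = _split(element)
    if not host_bits(addr_int, prefix_len):
        return None
    net = ipaddress.IPv4Address(addr_int & prefix_mask(prefix_len))
    return f"{'!' if negated else ''}{net}/{prefix_len}"


def matched_range(element: str):
    """First and last address a (non-negated or negated) element matches, inclusive."""
    _, net, mask = parse_element(element)
    last = net | (~mask & ALL_ONES)
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(last))


def acl_allows(acl, client: str) -> bool:
    """Walk the list in order; the first element whose masked bits equal the
    client's decides: negated -> rejected, plain -> allowed. No match at all is
    treated as not allowed."""
    c = int(ipaddress.IPv4Address(client))
    for negated, net, mask in (parse_element(e) for e in acl):
        if (c & mask) == net:          # note the parentheses: '==' binds tighter than '&'
            return not negated
    return False


if __name__ == "__main__":
    print("/23 mask:", mask_to_binary(23))
    print("10.60.0.0/23 covers", matched_range("10.60.0.0/23"))
    # Sten's proposal: exclude .0 and .255 first, then admit the /24.
    sten = ["!10.60.0.0", "!10.60.0.255", "10.60.0.0/24"]
    for ip in ("10.60.0.0", "10.60.0.1", "10.60.0.255", "10.60.1.1"):
        print(ip, "->", "allowed" if acl_allows(sten, ip) else "rejected")
    # The prefixes from the quoted named.conf.local (constructed sample, two of them).
    for bad in ("10.60.0.1/23", "10.40.0.1/22", "10.60.0.0/23"):
        print(bad, "->", suggest_fix(bad) or "ok")
```

Running the block prints the /23 mask exactly as written in the thread, shows that 10.60.0.0/23 spans 10.60.0.0 through 10.60.1.255, and demonstrates that with Sten's list 10.60.0.0 and 10.60.0.255 are rejected while 10.60.0.1 is admitted and 10.60.1.1 (outside the /24) never matches at all.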