The original problem was that BIND 9.16 now requires use of CIDR blocks rather 
than using IP addresses in CIDR notation. Using an arbitrary IP address to specify 
a CIDR block doesn’t make much sense and is prone to errors - when you see 
10.10.1.0/23 it’s quite hard to tell what the original intention was and 
whether it’s a typo in the network or in the bits - did the original author mean 
10.10.0.0-10.10.1.255 or 10.20.1.0-10.10.1.255 or something else entirely 
(like 10.10.1.0-10.10.2.255 based on a wrong assumption)?

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.
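As an added example (not from this thread and not BIND's own code), a small Python checker that mirrors the points made in the replies below: it rejects a prefix whose address part has host bits set, as BIND 9.16 does, suggests the lowest address the author probably meant, writes a mask out in binary, and evaluates a first-match ACL with negated elements. The sample ACL lists are constructed from the values quoted in the thread.

```python
import ipaddress

# Constructed samples: a few entries from the named.conf.local in the
# thread, and the first-match list proposed for excluding two addresses.
SAMPLE_ACL = ["10.60.0.1/23", "10.10.1.1/24", "10.60.0.0/23", "172.20.0.1/26"]
FIRST_MATCH_ACL = ["!10.60.0.0", "!10.60.0.255", "10.60.0.0/24"]


def check_prefix(element):
    """Return (ok, canonical) for one address_match_element.

    strict=True refuses an address with host bits set (10.60.0.1/23),
    which is what BIND 9.16 does; strict=False masks the host bits off
    so the operator can see the prefix that was probably intended."""
    text = element.lstrip("!")
    try:
        net = ipaddress.ip_network(text, strict=True)
        return True, str(net)
    except ValueError:
        net = ipaddress.ip_network(text, strict=False)
        return False, str(net)


def lint_acl(elements):
    """Return a list of (bad_element, suggested_fix) for every bad prefix."""
    return [(el, fix) for el in elements
            for ok, fix in [check_prefix(el)] if not ok]


def mask_in_binary(prefixlen):
    """Write the netmask out in binary, grouped per octet."""
    mask = int(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)
    bits = f"{mask:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def acl_allows(elements, address):
    """First-match evaluation: a leading '!' negates the element and the
    first element whose prefix contains the address decides. A bare
    address is a /32; no match at all means the address is not in the ACL."""
    addr = ipaddress.ip_address(address)
    for el in elements:
        negate = el.startswith("!")
        net = ipaddress.ip_network(el.lstrip("!"), strict=False)
        if addr in net:
            return not negate
    return False
```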

> On 24. 8. 2022, at 17:34, Sten Carlsen <st...@s-carlsen.dk> wrote:
> 
> 
> 
>>> On 24 Aug 2022, at 16.52, Greg Choules 
>>> <gregchoules+bindus...@googlemail.com> wrote:
>>> 
>>> Hi Sten.
>>> That is absolutely what you do *not* want to do.
>>> 
>>> Writing it out in binary might help. /23 means the following:
>>> 11111111 11111111 11111110 00000000
>>> 
>>> '1' bits mean, test an incoming address against the corresponding bit from 
>>> the address in the mask.
>>> '0' bits mean, don't test an incoming address against the corresponding bit 
>>> from the address in the mask.
>>> 
>>> The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to 10.60.1.255 
>>> *inclusive*.
>>> 
>>> There is no concept of network address and broadcast address here. It is 
>>> just pattern matching.
>> 
>> Yes, I was (incorrectly) thinking in terms of a /24 network and assumed that 
>> removing the ..0 and ..255 addresses was the issue. The proposal would do 
>> that by first rejecting (! - means reject) the offending addresses (all have 
>> to be listed separately) before doing the above pattern matching.
>> 
>> 
>> Cheers, Greg
>> 
>>> On Wed, 24 Aug 2022 at 15:40, Sten Carlsen <st...@s-carlsen.dk> wrote:
>>> I think you want something like this:
>>> 
>>> (!10.60.0.0; !10.60.0.255; 10.60.0.0/24)
>>> 
>>> First deny the two addresses you want not to be part of the ACL and then 
>>> accept the whole network.
>>> 
>>> First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected 
>>> before the next <address_match_element> is tested.
>>> 
>>> Thanks
>>> 
>>> Sten
>>> 
>>>>> On 24 Aug 2022, at 16.05, Ondřej Surý <ond...@isc.org> wrote:
>>>>> 
>>>>> 
>>>>>> On 24. 8. 2022, at 15:58, Elias Pereira <empbi...@gmail.com> wrote:
>>>>>> 
>>>>>> hello Ondrej,
>>>>>> 
>>>>>> Not completely wrong, because 255 is the broadcast.
>>>>> 
>>>>> No, it's not. This is an ACL specification, not an interface/network 
>>>>> configuration.
>>>>> 
>>>>> For a better understanding, it would then be: available range 10.60.0.1 to 
>>>>> 10.60.1.254.
>>>> 
>>>> No, I've already provided you with a correct answer to what 10.60.0.0/23 
>>>> means in terms of range, why do you insist on this?
>>>> 
>>>>>> A correctly specified range (without address/host bits) does take the 
>>>>>> whole range.
>>>>> 
>>>>> Like this 10.60/23; ?
>>>> 
>>>> I think others have already answered that, I would be just repeating their 
>>>> answers.
>>>> 
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ond...@isc.org
>>>> 
>>>> My working hours and your working hours may be different. Please do not 
>>>> feel obligated to reply outside your normal working hours.
>>>> 
>>>> 
>>>>>> On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <ond...@isc.org> wrote:
>>>>>> 
>>>>>> 
>>>>>>>> On 24. 8. 2022, at 15:26, Elias Pereira <empbi...@gmail.com> wrote:
>>>>>>>> 
>>>>>>> 
>>>>>>> Hello Greg,
>>>>>>> 
>>>>>>> Why doesn't bind work with networks/subnets in the conventional way?
>>>>>> 
>>>>>> It does.
>>>>>> 
>>>>>>> If the private subnet is 10.60.0.0/23, then it means that the address 
>>>>>>> range is 10.60.0.1 to 10.60.1.254.
>>>>>> 
>>>>>> That’s wrong. 10.60.0.0/23 means 10.60.0.0 to 10.60.1.255 range.
>>>>>> 
>>>>>>> How do I configure this ACL in named.conf.local so that it takes the 
>>>>>>> whole range?
>>>>>> 
>>>>>> A correctly specified range (without address/host bits) does take the 
>>>>>> whole range.
>>>>>> 
>>>>>> Ondrej 
>>>>>> --
>>>>>> Ondřej Surý — ISC (He/Him)
>>>>>> 
>>>>>> My working hours and your working hours may be different. Please do not 
>>>>>> feel obligated to reply outside your normal working hours.
>>>>>> 
>>>>>>>> On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <ana...@ripe.net> wrote:
>>>>>>>> On 24/08/2022 14:16, Elias Pereira wrote:
>>>>>>>> 
>>>>>>>> Hi Elias,
>>>>>>>> 
>>>>>>>> > Oh, sorry... :D
>>>>>>>> > 
>>>>>>>> > here it is
>>>>>>>> > 
>>>>>>>> > # cat named.conf.local
>>>>>>>> > # ACL das redes internas
>>>>>>>> > # Ultima modificação: 24/08/2022
>>>>>>>> > 
>>>>>>>> > acl "internal" {
>>>>>>>> > 10.60.0.1/23;
>>>>>>>> 
>>>>>>>> This is the issue. The address part of the prefix should be the lowest 
>>>>>>>> address in that prefix. If you change this to 10.60.0.0/23, it will be 
>>>>>>>> fine. The same goes for all the other prefixes in your list. Change 
>>>>>>>> the 1's to 0's.
>>>>>>>> 
>>>>>>>> > 10.10.1.1/24;
>>>>>>>> > 10.10.2.1/25;
>>>>>>>> > 10.10.3.1/25;
>>>>>>>> > 10.10.4.1/25;
>>>>>>>> > 10.10.5.1/25;
>>>>>>>> > 10.51.0.1/23;
>>>>>>>> > 10.10.6.1/25;
>>>>>>>> > 10.10.7.1/26;
>>>>>>>> > 172.20.0.1/26;
>>>>>>>> > 10.50.0.1/23;
>>>>>>>> > 10.40.0.1/22;
>>>>>>>> > 10.56.0.1/22;
>>>>>>>> > };
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> Elias Pereira
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Elias Pereira
>>>> 
>>> 
> 
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
