I'm trying to allow one network to only have access to some IPs in another network. For some reason this isn't as intuitive as I thought as this is blocking the exact opposite of what I would expect. I'm experimenting with an OpenIKED server. The rules in question:
Code:
# Macros and tables
intra = "bge0"
table <allowedlocal> { 192.168.10.6, 192.168.10.40, 192.168.10.42, 192.168.10.43, 192.168.10.49, 192.168.10.50 }

# Global options
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo }

# Normalization and anti-spoofing
match in all scrub (no-df random-id max-mss 1440)
block in quick from urpf-failed label uRPF

# Default policy: block inbound, allow all outbound
block return log
pass out all modulate state

# IKE/IPsec on the external interface
pass in on egress proto { ah, esp }
pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t }

# NAT for the VPN client range (10.0.1.0/24) towards the internet and the LAN
pass out on egress from 10.0.1.0/24 to any nat-to (egress)
pass out on $intra from 10.0.1.0/24 to $intra:network nat-to ($intra)

# Rules meant to restrict LAN access to the hosts in <allowedlocal>
pass in on $intra from <allowedlocal> to 10.0.1.0/24
pass out on $intra from 10.0.1.0/24 to <allowedlocal>

# ICMP
pass in quick inet proto icmp icmp-type { echoreq, unreach }
In essence, with the <allowedlocal> rules gone I can communicate with my internal network as well as reach out to the internet. But, once I put those two rules in I can communicate with every 192.168.10.0 IP EXCEPT the ones listed in the table. So why is it doing the opposite?
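A small model of how pf selects the effective rule for these packets, added here as an illustration and not taken from the post or from pf itself. It encodes only the three `pass out` rules from the ruleset above and assumes (constructed values) that $intra:network is 192.168.10.0/24 and that a VPN client sits at 10.0.1.5; run it for 192.168.10.6 and for an address outside the table to compare which rule wins and whether nat-to is applied.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions (not from the post): $intra:network is 192.168.10.0/24
# and the VPN client's address is 10.0.1.5.
INTRA_NET = ipaddress.ip_network("192.168.10.0/24")
CLIENT_NET = ipaddress.ip_network("10.0.1.0/24")
ALLOWEDLOCAL = {ipaddress.ip_address(a) for a in ("192.168.10.6", "192.168.10.40",
                "192.168.10.42", "192.168.10.43", "192.168.10.49", "192.168.10.50")}

@dataclass
class Rule:
    name: str        # label for the demonstration only
    iface: object    # interface name, or None for any
    src: object      # source network, or None for any
    dst: object      # destination network, set of addresses (a table), or None
    nat: bool = False    # the rule carries a nat-to option
    quick: bool = False  # a quick match ends evaluation immediately

    def matches(self, iface, src, dst):
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        if isinstance(self.dst, set):
            return dst in self.dst
        return self.dst is None or dst in self.dst

# The three "pass out" rules of the posted pf.conf, in file order.
RULES = [
    Rule("pass out all modulate state", None, None, None),
    Rule("pass out on $intra to $intra:network nat-to ($intra)", "bge0",
         CLIENT_NET, INTRA_NET, nat=True),
    Rule("pass out on $intra to <allowedlocal>", "bge0", CLIENT_NET, ALLOWEDLOCAL),
]

def winning_rule(rules, iface, src, dst):
    """pf semantics: the LAST matching rule wins unless a match is marked quick."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for rule in rules:
        if rule.matches(iface, src, dst):
            winner = rule
            if rule.quick:
                break
    return winner

def nat_applied(dst, src="10.0.1.5"):
    """True when the rule that wins for this packet translates the source."""
    rule = winning_rule(RULES, "bge0", src, dst)
    return rule is not None and rule.nat
```

For a destination in the table the last rule wins and carries no nat-to, so the packet leaves with its 10.0.1.x source unchanged; for any other LAN host the nat-to rule is the last match and the source is translated.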