ipfw Symbolic Substitution error for subnet 192.168.1.0/28

Status
Not open for further replies.

JW0914

Guest
Problem: Symbolic Substitution for an entire subnet returns errors, while all other Symbolic Substitutions apply without issue
  • LAN="$192.168.1.0/28"
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
ipfw: port list: invalid separator <.> in <92.168.200.0/26>
ipfw: missing ``to''
ipfw: port list: invalid separator <.> in <92.168.200.0/26>
ipfw: missing ``to''
Firewall rules loaded.
Firewall logging enabled.
  • LAN="${192.168.1.0/28}"
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
/etc/rc.firewall: ${192....}: Bad substitution
Firewall rules loaded.
Firewall logging enabled.
  • LAN="${ 192.168.1.0/28 }"
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
/etc/rc.firewall: ${ ...}: Bad substitution
Firewall rules loaded.
Firewall logging enabled.

I've spent 5+ hours searching online and reading through the ipfw manpages, and either I missed where it addressed this or this is such basic knowledge it's not mentioned, lol. I've come across other Unix-based OSs where individuals have encountered this same error, but the fixes for Ubuntu and other Linux distros don't work on FreeNAS, nor does advice given for FreeBSD (which I found odd, since FreeNAS is, for all intents and purposes, FreeBSD). I don't recall exactly what someone on the FreeBSD forums posted that worked for them, but I know I did try what was suggested, with an error similar to the ones above.
 

dlavigne

Guest
What are you trying to accomplish and are you doing it on the system itself (don't!) or in a jail?
 

JW0914

Guest
It's the firewall script within FreeNAS (/conf/base/etc/rc.firewall, which copies to /etc/ as a tempfs at boot).

I'm setting up the firewall to deny all by default and adding in specific rules to only allow specific traffic to and from the NAS server, one of which is access to and from my local network.

Network Layout: OpenWRT (strict firewall and running two VPN servers) --> local network (of which the FreeNAS server is a part)

In another thread on a forum someone mentioned the same about using a jail for the firewall... I thought that was only if the server box itself was exposed directly to the internet? By default, I've denied all access to the server unless it comes via the local subnet (which is what's erroring) or the two VPN subnets.

EDIT: If I should be using a jail for the firewall, could you point me in the right direction on where to look for some more information about setting that up (the firewall within the jail, not the jail itself =] )
 

dlavigne

Guest
You shouldn't be using FreeNAS as a firewall; it's instead meant to be protected by a firewall in the network. IPFW is only included to provide support for NAT to jails.
 

JW0914

Guest
Could you point me in the right direction on where to look for information about setting up a firewall in a jail?

Also, do you by chance know why the error above is occurring?
 

dlavigne

Guest
This is for testing/learning purposes? You really don't want to protect your host system with a jail running on that system... Instead, set up a pfSense box on another system somewhere on the network or use the firewall rules on your network's router, assuming it provides that functionality.

Unfortunately, ipfw docs are about 10 years out of date. It is a known issue by the FreeBSD doc team and we're still looking for someone with the know-how and time to update that chapter of the Handbook. man ipfw is a bit better, but that's a lot of reading to wade through.
 

JW0914

Guest
In case anyone happens upon this thread with the same issue, I found the causation of the error:

The Symbolic Substitution name I was using was the same as the local domain name for OpenWRT.

Adding an additional character, or additional characters, to the Symbolic Substitution name eliminated the error.
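
Added example (not part of the original thread, and not FreeNAS's rc.firewall): a short sh script showing how a POSIX shell expands the assignment forms from the opening post, plus a lint that flags them in a rules script before it is loaded. The function names, `LAN_NET` and the sample rules text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, LAN_NET and the
# sample rules text are constructed for illustration.

# Run one assignment in a fresh sh that has no positional parameters and
# print the value LAN ends up with. Non-zero status: sh rejected the line.
lan_after() {
    sh -c "$1"' && printf "%s" "$LAN"' 2>/dev/null
}

# Read a rules script on stdin and print the numbers of lines where "$" or
# "${" is followed directly by digits and a dot, i.e. an address literal
# written as if it were a variable reference. A legitimate "$1.suffix"
# would also be flagged, which is acceptable for a rules file.
lint_dollar_literals() {
    grep -nE '\$\{?[[:space:]]*[0-9]+\.' | cut -d: -f1 | paste -sd' ' -
}

# Constructed sample: the three forms from the opening post, then a plain
# assignment that is referenced as ${LAN_NET} inside a rule.
sample_rules() {
    cat <<'EOF'
LAN="$192.168.1.0/28"
LAN="${192.168.1.0/28}"
LAN="${ 192.168.1.0/28 }"
LAN_NET="192.168.1.0/28"
ipfw -q add 100 allow ip from ${LAN_NET} to me
EOF
}

# "$1" is the first positional parameter, so only "92.168.1.0/28" survives.
printf 'form 1 gives: "%s"\n' "$(lan_after 'LAN="$192.168.1.0/28"')"
# "${...}" needs a parameter name inside the braces; an address is not one.
lan_after 'LAN="${192.168.1.0/28}"' >/dev/null || echo 'form 2: rejected by sh'
# The literal value goes in the assignment; "$" appears only where it is read.
printf 'plain form gives: "%s"\n' "$(lan_after 'LAN="192.168.1.0/28"')"
printf 'lint flags lines: %s\n' "$(sample_rules | lint_dollar_literals)"
```

Running the lint against a deny-by-default rules script before loading it catches a mangled address before ipfw is handed rules that fail to parse.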
 