path: root/sbin/ipfw
author: Eugene Grosbein <eugen@FreeBSD.org> 2018-11-26 16:02:17 +0000
committer: Eugene Grosbein <eugen@FreeBSD.org> 2018-11-26 16:02:17 +0000
commit: 3a498c2e8a70ecdf8a3f5f033311793796f0d398 (patch)
tree: 158814378a72f67cc525a79d1c84bc095abf8052 /sbin/ipfw
parent: f2dfec1ffb27139826225469f31fa7d577e29e75 (diff)
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--  sbin/ipfw/ipfw.8 | 51
1 files changed, 51 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 6d95b955725b..b22335d690a6 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -4086,6 +4086,55 @@ option could be used to (re)mark user traffic,
by adding the following to the appropriate place in ruleset:
.Pp
.Dl "ipfw add setdscp be ip from any to any dscp af11,af21"
+.Ss SELECTIVE MIRRORING
+If your network has network traffic analyzer
+connected to your host directly via dedicated interface
+or remotely via RSPAN vlan, you can selectively mirror
+some ethernet layer2 frames to the analyzer.
+.Pp
+First, make sure your firewall is already configured and runs.
+Then, enable layer2 processing if not already enabled:
+.Pp
+.Dl "sysctl net.link.ether.ipfw=1"
+.Pp
+Next, load needed additional kernel modules:
+.Pp
+.Dl "kldload ng_ether ng_ipfw"
+.Pp
+Optionally, make system load these modules automatically
+at startup:
+.Pp
+.Dl sysrc kld_list+="ng_ether ng_ipfw"
+.Pp
+Next, configure
+.Xr ng_ipfw 4
+kernel module to transmit mirrored copies of layer2 frames
+out via vlan900 interface:
+.Pp
+.Dl "ngctl connect ipfw: vlan900: 1 lower"
+.Pp
+Think of "1" here as of "mirroring instance index" and vlan900 is its
+destination.
+You can have arbitrary number of instances.
+Refer to
+.Xr ng_ipfw 4
+for details.
+.Pp
+At last, actually start mirroring of selected frames using "instance 1".
+For frames incoming from em0 interface:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 in recv em0"
+.Pp
+For frames outgoing to em0 interface:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 out xmit em0"
+.Pp
+For both incoming and outgoing frames while flowing through em0:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 via em0"
+.Pp
+Make sure you do not perform mirroring for already duplicated frames
+or kernel may hang as there is no safety net here.
.Ss DYNAMIC RULES
In order to protect a site from flood attacks involving fake
TCP packets, it is safer to use dynamic rules:
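Review bot: The closing warning ("Make sure you do not perform mirroring for already duplicated frames or kernel may hang as there is no safety net here") does not tell the reader how to recognize that situation, which matters because the section's last example uses `via em0` and so matches frames in both directions; say which frames count as already duplicated (the mirrored copies themselves, if the destination interface is also subject to the layer2 ruleset) and recommend the `recv em0` / `xmit em0` forms as the safe default, with `via` only when the mirror destination cannot feed back into the ruleset. Smaller points in the same hunk: "If your network has network traffic analyzer" needs an article ("a network traffic analyzer"); 'Think of "1" here as of "mirroring instance index"' should read 'Think of "1" here as a "mirroring instance index"'; and `.Dl sysrc kld_list+="ng_ether ng_ipfw"` is the only `.Dl` in the new section whose argument is not wrapped in quotes like the others (`.Dl "sysctl net.link.ether.ipfw=1"`), so either quote it the same way (doubling the embedded quotes, as roff expects) or leave a comment explaining why it differs.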
@@ -4524,6 +4573,7 @@ can be changed in a similar way as for
.Xr if_bridge 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
+.Xr ng_ether 4 ,
.Xr ng_ipfw 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
@@ -4531,6 +4581,7 @@ can be changed in a similar way as for
.Xr kldload 8 ,
.Xr reboot 8 ,
.Xr sysctl 8 ,
+.Xr sysrc 8 ,
.Xr syslogd 8
.Sh HISTORY
The
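Review bot: `ngctl` is invoked in the new SELECTIVE MIRRORING section (`ngctl connect ipfw: vlan900: 1 lower`) but this SEE ALSO hunk adds only `.Xr sysrc 8`; add `.Xr ngctl 8 ,` as well, between `.Xr kldload 8 ,` and `.Xr reboot 8 ,` to keep the list alphabetical.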