diff options
Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 60 |
1 files changed, 55 insertions, 5 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 6d95b955725b..79b874c3b00e 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 13, 2018 +.Dd December 4, 2018 .Dt IPFW 8 .Os .Sh NAME @@ -310,10 +310,9 @@ i.e., omitting the "ip from any to any" string when this does not carry any additional information. .It Fl d When listing, show dynamic rules in addition to static ones. -.It Fl e -When listing and -.Fl d -is specified, also show expired dynamic rules. +.It Fl D +When listing, show only dynamic states. +When deleting, delete only dynamic states. .It Fl f Run without prompting for confirmation for commands that can cause problems if misused, i.e., @@ -4086,6 +4085,55 @@ option could be used to (re)mark user traffic, by adding the following to the appropriate place in ruleset: .Pp .Dl "ipfw add setdscp be ip from any to any dscp af11,af21" +.Ss SELECTIVE MIRRORING +If your network has network traffic analyzer +connected to your host directly via dedicated interface +or remotely via RSPAN vlan, you can selectively mirror +some ethernet layer2 frames to the analyzer. +.Pp +First, make sure your firewall is already configured and runs. +Then, enable layer2 processing if not already enabled: +.Pp +.Dl "sysctl net.link.ether.ipfw=1" +.Pp +Next, load needed additional kernel modules: +.Pp +.Dl "kldload ng_ether ng_ipfw" +.Pp +Optionally, make system load these modules automatically +at startup: +.Pp +.Dl sysrc kld_list+="ng_ether ng_ipfw" +.Pp +Next, configure +.Xr ng_ipfw 4 +kernel module to transmit mirrored copies of layer2 frames +out via vlan900 interface: +.Pp +.Dl "ngctl connect ipfw: vlan900: 1 lower" +.Pp +Think of "1" here as of "mirroring instance index" and vlan900 is its +destination. +You can have arbitrary number of instances. +Refer to +.Xr ng_ipfw 4 +for details. +.Pp +At last, actually start mirroring of selected frames using "instance 1". +For frames incoming from em0 interface: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 in recv em0" +.Pp +For frames outgoing to em0 interface: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 out xmit em0" +.Pp +For both incoming and outgoing frames while flowing through em0: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 via em0" +.Pp +Make sure you do not perform mirroring for already duplicated frames +or kernel may hang as there is no safety net. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: @@ -4524,6 +4572,7 @@ can be changed in a similar way as for .Xr if_bridge 4 , .Xr ip 4 , .Xr ipfirewall 4 , +.Xr ng_ether 4 , .Xr ng_ipfw 4 , .Xr protocols 5 , .Xr services 5 , @@ -4531,6 +4580,7 @@ can be changed in a similar way as for .Xr kldload 8 , .Xr reboot 8 , .Xr sysctl 8 , +.Xr sysrc 8 , .Xr syslogd 8 .Sh HISTORY The |