From owner-svn-src-head@freebsd.org Mon Nov 26 16:02:18 2018
Return-Path:
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2E0E4113A86A; Mon, 26 Nov 2018 16:02:18 +0000 (UTC) (envelope-from eugen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C19AD7A0D5; Mon, 26 Nov 2018 16:02:17 +0000 (UTC) (envelope-from eugen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A3A676333; Mon, 26 Nov 2018 16:02:17 +0000 (UTC) (envelope-from eugen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAQG2HIc068060; Mon, 26 Nov 2018 16:02:17 GMT (envelope-from eugen@FreeBSD.org)
Received: (from eugen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAQG2HUc068059; Mon, 26 Nov 2018 16:02:17 GMT (envelope-from eugen@FreeBSD.org)
Message-Id: <201811261602.wAQG2HUc068059@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: eugen set sender to eugen@FreeBSD.org using -f
From: Eugene Grosbein
Date: Mon, 26 Nov 2018 16:02:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r340978 - head/sbin/ipfw
X-SVN-Group: head
X-SVN-Commit-Author: eugen
X-SVN-Commit-Paths: head/sbin/ipfw
X-SVN-Commit-Revision: 340978
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: C19AD7A0D5
X-Spamd-Result: default: False [1.50 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_SPAM_LONG(0.66)[0.661,0]; NEURAL_SPAM_MEDIUM(0.61)[0.607,0]; NEURAL_SPAM_SHORT(0.23)[0.234,0]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 26 Nov 2018 16:02:18 -0000

Author: eugen
Date: Mon Nov 26 16:02:17 2018
New Revision: 340978

URL: https://svnweb.freebsd.org/changeset/base/340978

Log:
  ipfw.8: add new section to EXAMPLES: SELECTIVE MIRRORING

  If your network has a network traffic analyzer connected to your host
  directly via a dedicated interface or remotely via RSPAN vlan, you can
  selectively mirror some ethernet layer2 frames to the analyzer.

  ...

Modified:
  head/sbin/ipfw/ipfw.8

Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8	Mon Nov 26 15:46:46 2018	(r340977)
+++ head/sbin/ipfw/ipfw.8	Mon Nov 26 16:02:17 2018	(r340978)
@@ -4086,6 +4086,55 @@ option could be used to (re)mark user traffic, by adding the following to the appropriate place in ruleset: .Pp .Dl "ipfw add setdscp be ip from any to any dscp af11,af21" +.Ss SELECTIVE MIRRORING +If your network has network traffic analyzer +connected to your host directly via dedicated interface +or remotely via RSPAN vlan, you can selectively mirror +some ethernet layer2 frames to the analyzer. +.Pp +First, make sure your firewall is already configured and runs. +Then, enable layer2 processing if not already enabled: +.Pp +.Dl "sysctl net.link.ether.ipfw=1" +.Pp +Next, load needed additional kernel modules: +.Pp +.Dl "kldload ng_ether ng_ipfw" +.Pp +Optionally, make system load these modules automatically +at startup: +.Pp +.Dl sysrc kld_list+="ng_ether ng_ipfw" +.Pp +Next, configure +.Xr ng_ipfw 4 +kernel module to transmit mirrored copies of layer2 frames +out via vlan900 interface: +.Pp +.Dl "ngctl connect ipfw: vlan900: 1 lower" +.Pp +Think of "1" here as of "mirroring instance index" and vlan900 is its +destination. +You can have arbitrary number of instances. +Refer to +.Xr ng_ipfw 4 +for details. +.Pp +At last, actually start mirroring of selected frames using "instance 1". +For frames incoming from em0 interface: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 in recv em0" +.Pp +For frames outgoing to em0 interface: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 out xmit em0" +.Pp +For both incoming and outgoing frames while flowing through em0: +.Pp +.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 via em0" +.Pp +Make sure you do not perform mirroring for already duplicated frames +or kernel may hang as there is no safety net here. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: 
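Review bot: the closing warning in this hunk ("do not perform mirroring for already duplicated frames or kernel may hang as there is no safety net here") does not tell the reader which configuration it is warning against. The section itself supplies the ingredients: layer2 processing is enabled for the firewall with net.link.ether.ipfw=1, and the ngctl line makes ng_ipfw transmit the mirrored copies out via vlan900, so each copy is itself a layer2 outgoing frame that the same ruleset sees; an ngtee rule that can match frames transmitted out the mirror destination (an unqualified `layer2 out` rule, or any rule whose `xmit`/`via` interface is vlan900 or carries it) mirrors the copies again, and that re-mirroring is the loop the warning alludes to. Suggest saying so explicitly, e.g. "the ngtee rules must never match frames transmitted out the mirror destination interface (vlan900 here); always qualify them with recv/xmit/via on the monitored interface as in the examples above". Two wording points in the same hunk: "Think of "1" here as of "mirroring instance index"" should read "as a "mirroring instance index"", and "make sure your firewall is already configured and runs" reads better as "is already configured and running".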
@@ -4524,6 +4573,7 @@ can be changed in a similar way as for .Xr if_bridge 4 , .Xr ip 4 , .Xr ipfirewall 4 , +.Xr ng_ether 4 , .Xr ng_ipfw 4 , .Xr protocols 5 , .Xr services 5 , @@ -4531,6 +4581,7 @@ can be changed in a similar way as for .Xr kldload 8 , .Xr reboot 8 , .Xr sysctl 8 , +.Xr sysrc 8 , .Xr syslogd 8 .Sh HISTORY The
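Review bot: the new section has the reader type `ngctl connect ipfw: vlan900: 1 lower`, yet the section-8 part of SEE ALSO only gains `.Xr sysrc 8 ,` here; the visible context runs from `.Xr kldload 8 ,` straight to `.Xr reboot 8 ,`, so there is no `.Xr ngctl 8 ,` entry in the list. Suggest adding `.Xr ngctl 8 ,` between those two lines, which keeps the alphabetical order the list already follows (kldload, reboot, sysctl, sysrc, syslogd). The `.Xr ng_ether 4 ,` addition in the preceding hunk is placed correctly ahead of `.Xr ng_ipfw 4 ,`.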