Date:      Thu, 29 Nov 2018 01:24:20 +0000 (UTC)
From:      Eugene Grosbein <eugen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r341173 - stable/12/sbin/ipfw
Message-ID:  <201811290124.wAT1OKq0060592@repo.freebsd.org>

Author: eugen
Date: Thu Nov 29 01:24:20 2018
New Revision: 341173
URL: https://svnweb.freebsd.org/changeset/base/341173

Log:
  MFC r340978-340979: ipfw.8: new section to EXAMPLES: SELECTIVE MIRRORING

Modified:
  stable/12/sbin/ipfw/ipfw.8
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sbin/ipfw/ipfw.8
==============================================================================
--- stable/12/sbin/ipfw/ipfw.8	Thu Nov 29 01:15:53 2018	(r341172)
+++ stable/12/sbin/ipfw/ipfw.8	Thu Nov 29 01:24:20 2018	(r341173)
@@ -4056,6 +4056,55 @@ option could be used to (re)mark user traffic,
 by adding the following to the appropriate place in ruleset:
 .Pp
 .Dl "ipfw add setdscp be ip from any to any dscp af11,af21"
+.Ss SELECTIVE MIRRORING
+If your network has network traffic analyzer
+connected to your host directly via dedicated interface
+or remotely via RSPAN vlan, you can selectively mirror
+some ethernet layer2 frames to the analyzer.
+.Pp
+First, make sure your firewall is already configured and runs.
+Then, enable layer2 processing if not already enabled:
+.Pp
+.Dl "sysctl net.link.ether.ipfw=1"
+.Pp
+Next, load needed additional kernel modules:
+.Pp
+.Dl "kldload ng_ether ng_ipfw"
+.Pp
+Optionally, make system load these modules automatically
+at startup:
+.Pp
+.Dl sysrc kld_list+="ng_ether ng_ipfw"
+.Pp
+Next, configure
+.Xr ng_ipfw 4
+kernel module to transmit mirrored copies of layer2 frames
+out via vlan900 interface:
+.Pp
+.Dl "ngctl connect ipfw: vlan900: 1 lower"
+.Pp
+Think of "1" here as of "mirroring instance index" and vlan900 is its
+destination.
+You can have arbitrary number of instances.
+Refer to
+.Xr ng_ipfw 4
+for details.
+.Pp
+At last, actually start mirroring of selected frames using "instance 1".
+For frames incoming from em0 interface:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 in recv em0"
+.Pp
+For frames outgoing to em0 interface:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 out xmit em0"
+.Pp
+For both incoming and outgoing frames while flowing through em0:
+.Pp
+.Dl "ipfw add ngtee 1 ip from any to 192.168.0.1 layer2 via em0"
+.Pp
+Make sure you do not perform mirroring for already duplicated frames
+or kernel may hang as there is no safety net.
 .Ss DYNAMIC RULES
 In order to protect a site from flood attacks involving fake
 TCP packets, it is safer to use dynamic rules:
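Review bot: the closing warning in this hunk ("Make sure you do not perform mirroring for already duplicated frames or kernel may hang as there is no safety net") tells the reader what to avoid but not how to avoid it. Since the mirrored copies are transmitted out vlan900 and the same layer2 rules see that traffic once net.link.ether.ipfw=1, the section should say explicitly that the "recv em0", "xmit em0" and "via em0" qualifiers in the three ngtee examples are what keep the copies on vlan900 from matching again, and that a rule without such an interface qualifier is presumably the case the warning refers to. Smaller points in the same hunk: "If your network has network traffic analyzer" needs an article ("a network traffic analyzer"), "make sure your firewall is already configured and runs" reads better as "configured and running", and the sysrc line (.Dl sysrc kld_list+="ng_ether ng_ipfw") is the only .Dl in the section whose argument is not quoted as a whole, unlike the surrounding .Dl lines.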
@@ -4494,6 +4543,7 @@ can be changed in a similar way as for
 .Xr if_bridge 4 ,
 .Xr ip 4 ,
 .Xr ipfirewall 4 ,
+.Xr ng_ether 4 ,
 .Xr ng_ipfw 4 ,
 .Xr protocols 5 ,
 .Xr services 5 ,
@@ -4501,6 +4551,7 @@ can be changed in a similar way as for
 .Xr kldload 8 ,
 .Xr reboot 8 ,
 .Xr sysctl 8 ,
+.Xr sysrc 8 ,
 .Xr syslogd 8
 .Sh HISTORY
 The
