diff --git a/etc/rc.d/ipfw_netflow b/etc/rc.d/ipfw_netflow
index 9ef14997e954..b9523db9eb5a 100755
--- a/etc/rc.d/ipfw_netflow
+++ b/etc/rc.d/ipfw_netflow
@@ -54,7 +54,7 @@ ipfw_netflow_status()
 ipfw_netflow_start()
 {
 ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
- ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any
+ ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any ${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}
 ngctl -f - <<-EOF
 mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
 name ipfw:${ipfw_netflow_hook} netflow
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 44484f9e780a..a03f4de5cb95 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -602,12 +602,12 @@ By default a ipfw rule is inserted and all packets are duplicated with the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow port using protocol version 5. .It Va ipfw_netflow_hook -.Pq Vt str +.Pq Vt int netflow hook name, must be numerical (default .Pa 9995 ) . .It Va ipfw_netflow_rule -.Pq Vt str +.Pq Vt int ipfw rule number (default .Pa 1000 ) .
@@ -617,13 +617,18 @@ Destination server ip for receiving netflow data (default .Pa 127.0.0.1 ) . .It Va ipfw_netflow_port -.Pq Vt str +.Pq Vt int Destination server port for receiving netflow data (default .Pa 9995 ) . .It Va ipfw_netflow_version -.Pq Vt str +.Pq Vt int Do not set for using version 5 of the netflow protocol, set it to 9 for using version 9. +.It Va ipfw_netflow_fib +.Pq Vt int +Only match packet in FIB +.Pa ipfw_netflow_fib +(default is undefined meaning all FIBs). .It Va natd_program .Pq Vt str Path to
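Review bot: In ipfw_netflow_start (etc/rc.d/ipfw_netflow), the new `${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}` is expanded unquoted and without validation, so a value containing whitespace or non-digits is word-split into extra rule tokens and either changes what the tee rule matches or makes `ipfw add` fail. The result of `ipfw add` is not checked in the visible lines, so on failure the `ngctl` setup that follows appears to run anyway, leaving a netflow node with no rule feeding it, which is a silent gap in flow export. I would add `case "${ipfw_netflow_fib}" in *[!0-9]*) err 1 "ipfw_netflow_fib must be numeric" ;; esac` before the rule is added, and end the `ipfw add` line with `|| err 1 "ipfw add failed"`. ipfw_netflow_start continues past the end of the hunk, so any later error handling is not visible here.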