mac_ifoff(4)
NAME
mac_ifoff - interface silencing policy
SYNOPSIS
To compile the interface silencing policy into your kernel, place the
following lines in your kernel configuration file:

      options MAC
      options MAC_IFOFF

Alternately, to load the interface silencing policy module at boot time,
place the following line in your kernel configuration file:

      options MAC

and in loader.conf(5):

      mac_ifoff_load="YES"
DESCRIPTION
The mac_ifoff interface silencing module allows administrators to enable
and disable incoming and outgoing data flow on system network interfaces
via the sysctl(8) interface.

To disable network traffic over the loopback (lo(4)) interface, set the
sysctl(8) OID security.mac.ifoff.lo_enabled to 0 (default 1).

To enable network traffic over other interfaces, set the sysctl(8) OID
security.mac.ifoff.other_enabled to 1 (default 0).

To allow BPF traffic to be received, even while other traffic is disabled,
set the sysctl(8) OID security.mac.ifoff.bpfrecv_enabled to 1 (default 0).
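
An added example, not part of the original manual page or of FreeBSD: a shell check that turns the three OIDs above into a posture string and flags drift from an expected state. The function names, posture labels and sample text are assumptions made for illustration; on a live system, pipe in the output of sysctl security.mac.ifoff.

```shell
#!/bin/sh
# Added example: classify the mac_ifoff posture from "oid: value" lines,
# the format printed by `sysctl security.mac.ifoff`.

# Prints "<posture> lo=<on|off>"; posture labels (hypothetical names):
#   open      other_enabled=1: non-loopback interfaces pass traffic
#   bpf-recv  other_enabled=0, bpfrecv_enabled=1: silenced, BPF may receive
#   silent    other_enabled=0, bpfrecv_enabled=0: the documented defaults
# Returns 2 when an OID is missing (module not loaded) or a value is not 0/1.
ifoff_posture() {
    lo= other= bpf=
    while IFS= read -r line; do
        case "$line" in
            security.mac.ifoff.lo_enabled:*)      lo=${line#*: } ;;
            security.mac.ifoff.other_enabled:*)   other=${line#*: } ;;
            security.mac.ifoff.bpfrecv_enabled:*) bpf=${line#*: } ;;
        esac
    done
    for v in "$lo" "$other" "$bpf"; do
        case "$v" in 0|1) ;; *) echo "unknown"; return 2 ;; esac
    done
    if [ "$other" = 1 ]; then posture=open
    elif [ "$bpf" = 1 ]; then posture=bpf-recv
    else posture=silent
    fi
    if [ "$lo" = 1 ]; then echo "$posture lo=on"; else echo "$posture lo=off"; fi
}

# ifoff_expect WANT: compare the posture read from stdin with WANT.
# Returns 0 on match, 1 on drift, 2 when the state cannot be determined.
ifoff_expect() {
    got=$(ifoff_posture) || { echo "DRIFT: cannot read mac_ifoff state"; return 2; }
    [ "$got" = "$1" ] && { echo "OK: $got"; return 0; }
    echo "DRIFT: want '$1', got '$got'"; return 1
}

# Constructed sample: non-loopback traffic disabled, BPF receive allowed.
SAMPLE_SENSOR='security.mac.ifoff.lo_enabled: 1
security.mac.ifoff.other_enabled: 0
security.mac.ifoff.bpfrecv_enabled: 1'

printf '%s\n' "$SAMPLE_SENSOR" | ifoff_expect "bpf-recv lo=on"
```
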

Label Format
No labels are defined.
SEE ALSO
mac(4), mac_bsdextended(4), mac_lomac(4), mac_mls(4), mac_none(4),
mac_partition(4), mac_portacl(4), mac_seeotheruids(4), mac_test(4), mac(9)
HISTORY
The mac_ifoff policy module first appeared in FreeBSD 5.0 and was
developed by the TrustedBSD Project.
AUTHORS
This software was contributed to the FreeBSD Project by Network Associates
Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
CHATS research program.
BUGS
See mac(9) concerning appropriateness for production use. The TrustedBSD
MAC Framework is considered experimental in FreeBSD.

While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks. As such, MAC Framework policies should not be relied on, in
isolation, to protect against a malicious privileged user.
BSD December 10, 2002