<table class="head">
  <tr>
    <td class="head-ltitle">MAC_IFOFF(4)</td>
    <td class="head-vol">Device Drivers Manual</td>
    <td class="head-rtitle">MAC_IFOFF(4)</td>
  </tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac_ifoff</code> &#x2014;
    <span class="Nd">interface silencing policy</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">To compile the interface silencing policy into your kernel, place
    the following lines in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
<br/>
<code class="Cd">options MAC_IFOFF</code></div>
<p class="Pp">Alternatively, to load the interface silencing policy module at boot
    time, place the following line in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
<div class="Bd Pp Bd-indent Li">
<pre>mac_ifoff_load=&quot;YES&quot;</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">mac_ifoff</code> interface silencing module
    allows administrators to enable and disable incoming and outgoing data flow
    on system network interfaces via the <a class="Xr">sysctl(8)</a>
  interface.</p>
<p class="Pp">To disable network traffic over the loopback
    (<a class="Xr">lo(4)</a>) interface, set the <a class="Xr">sysctl(8)</a> OID
    <var class="Va">security.mac.ifoff.lo_enabled</var> to 0 (default 1).</p>
<p class="Pp">To enable network traffic over other interfaces, set the
    <a class="Xr">sysctl(8)</a> OID
    <var class="Va">security.mac.ifoff.other_enabled</var> to 1 (default 0).</p>
<p class="Pp">To allow BPF traffic to be received, even while other traffic is
    disabled, set the <a class="Xr">sysctl(8)</a> OID
    <var class="Va">security.mac.ifoff.bpfrecv_enabled</var> to 1 (default
  0).</p>
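<p class="Pp">The following is an added example, not part of the original manual page or of FreeBSD: a shell model of how the three OIDs above combine into an allow or deny result per interface class and direction. The names <code>ifoff_get</code>, <code>ifoff_verdict</code>, <code>ifoff_matrix</code> and <code>IFOFF_STATE</code> are hypothetical, the sample state is constructed from the documented defaults, and applying the BPF receive exception to both interface classes is an assumption.</p>

```sh
#!/bin/sh
# Added example; models the three OIDs from DESCRIPTION, not the kernel module's code.

# Constructed sample in `sysctl` output format: the documented defaults.
# On a live host: IFOFF_STATE=$(sysctl security.mac.ifoff)
IFOFF_STATE='security.mac.ifoff.lo_enabled: 1
security.mac.ifoff.other_enabled: 0
security.mac.ifoff.bpfrecv_enabled: 0'

# ifoff_get NAME: print the value of security.mac.ifoff.NAME from IFOFF_STATE;
# fails if the OID is absent (for example, policy not loaded).
ifoff_get() {
    printf '%s\n' "$IFOFF_STATE" |
        awk -F': *' -v oid="security.mac.ifoff.$1" \
            '$1 == oid { print $2; found = 1 } END { exit !found }'
}

# ifoff_verdict KIND DIR: KIND is lo|other, DIR is in|out|bpf (receive via BPF).
# Prints allow, deny, or unknown (OID missing or bad KIND).
ifoff_verdict() {
    lo=$(ifoff_get lo_enabled)         || { echo unknown; return 0; }
    other=$(ifoff_get other_enabled)   || { echo unknown; return 0; }
    bpf=$(ifoff_get bpfrecv_enabled)   || { echo unknown; return 0; }
    case "$1" in
        lo)    class_enabled=$lo ;;
        other) class_enabled=$other ;;
        *)     echo unknown; return 0 ;;
    esac
    if [ "$class_enabled" = 1 ]; then
        echo allow
    elif [ "$2" = bpf ] && [ "$bpf" = 1 ]; then
        # Assumption: the BPF receive exception applies to either class.
        echo allow
    else
        echo deny
    fi
}

# Print the effective policy for every interface class and direction.
ifoff_matrix() {
    for kind in lo other; do
        for dir in in out bpf; do
            printf '%-5s %-3s %s\n' "$kind" "$dir" "$(ifoff_verdict "$kind" "$dir")"
        done
    done
}

ifoff_matrix
```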
<section class="Ss">
<h2 class="Ss" id="Label_Format"><a class="permalink" href="#Label_Format">Label
  Format</a></h2>
<p class="Pp">No labels are defined.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
  ALSO</a></h1>
<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac_bsdextended(4)</a>,
    <a class="Xr">mac_lomac(4)</a>, <a class="Xr">mac_mls(4)</a>,
    <a class="Xr">mac_none(4)</a>, <a class="Xr">mac_partition(4)</a>,
    <a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_seeotheruids(4)</a>,
    <a class="Xr">mac_test(4)</a>, <a class="Xr">mac(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">mac_ifoff</code> policy module first appeared
    in <span class="Ux">FreeBSD 5.0</span> and was developed by the TrustedBSD
    Project.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This software was contributed to the
    <span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
    Security Research Division of Network Associates Inc. under DARPA/SPAWAR
    contract N66001-01-C-8035 (&#x201C;CBOSS&#x201D;), as part of the DARPA
    CHATS research program.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
<p class="Pp">While the MAC Framework design is intended to support the
    containment of the root user, not all attack channels are currently
    protected by entry point checks. As such, MAC Framework policies should not
    be relied on, in isolation, to protect against a malicious privileged
  user.</p>
</section>
</div>
<table class="foot">
  <tr>
    <td class="foot-date">July 25, 2015</td>
    <td class="foot-os">FreeBSD 15.0</td>
  </tr>
</table>