/share/man/man4/mac_ifoff.4
https://bitbucket.org/freebsd/freebsd-head/ · Forth · 133 lines · 133 code · 0 blank · 0 comment · 3 complexity · b06fc15cae1649b39156c16e03a57b87 MD5 · raw file
- .\" Copyright (c) 2002 Networks Associates Technology, Inc.
- .\" All rights reserved.
- .\"
- .\" This software was developed for the FreeBSD Project by Chris Costello
- .\" at Safeport Network Services and Network Associates Laboratories, the
- .\" Security Research Division of Network Associates, Inc. under
- .\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- .\" DARPA CHATS research program.
- .\"
- .\" Redistribution and use in source and binary forms, with or without
- .\" modification, are permitted provided that the following conditions
- .\" are met:
- .\" 1. Redistributions of source code must retain the above copyright
- .\" notice, this list of conditions and the following disclaimer.
- .\" 2. Redistributions in binary form must reproduce the above copyright
- .\" notice, this list of conditions and the following disclaimer in the
- .\" documentation and/or other materials provided with the distribution.
- .\"
- .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
- .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
- .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- .\" SUCH DAMAGE.
- .\"
- .\" $FreeBSD$
- .\"
- .Dd December 10, 2002
- .Dt MAC_IFOFF 4
- .Os
- .Sh NAME
- .Nm mac_ifoff
- .Nd "interface silencing policy"
- .Sh SYNOPSIS
- To compile the interface silencing policy into your kernel,
- place the following lines in your kernel
- configuration file:
- .Bd -ragged -offset indent
- .Cd "options MAC"
- .Cd "options MAC_IFOFF"
- .Ed
- .Pp
- Alternately, to load the interface silencing policy module at boot time,
- place the following line in your kernel configuration file:
- .Bd -ragged -offset indent
- .Cd "options MAC"
- .Ed
- .Pp
- and in
- .Xr loader.conf 5 :
- .Bd -literal -offset indent
- mac_ifoff_load="YES"
- .Ed
- .Sh DESCRIPTION
- The
- .Nm
- interface silencing module allows administrators to enable and disable
- incoming and outgoing data flow on system network interfaces
- via the
- .Xr sysctl 8
- interface.
- .Pp
- To disable network traffic over the loopback
- .Pq Xr lo 4
- interface, set the
- .Xr sysctl 8
- OID
- .Va security.mac.ifoff.lo_enabled
- to 0 (default 1).
- .Pp
- To enable network traffic over other interfaces,
- set the
- .Xr sysctl 8
- OID
- .Va security.mac.ifoff.other_enabled
- to 1 (default 0).
- .Pp
- To allow BPF traffic to be received,
- even while other traffic is disabled,
- set the
- .Xr sysctl 8
- OID
- .Va security.mac.ifoff.bpfrecv_enabled
- to 1 (default 0).
- .Ss Label Format
- No labels are defined.
- .Sh SEE ALSO
- .Xr mac 4 ,
- .Xr mac_bsdextended 4 ,
- .Xr mac_lomac 4 ,
- .Xr mac_mls 4 ,
- .Xr mac_none 4 ,
- .Xr mac_partition 4 ,
- .Xr mac_portacl 4 ,
- .Xr mac_seeotheruids 4 ,
- .Xr mac_test 4 ,
- .Xr mac 9
- .Sh HISTORY
- The
- .Nm
- policy module first appeared in
- .Fx 5.0
- and was developed by the
- .Tn TrustedBSD
- Project.
- .Sh AUTHORS
- This software was contributed to the
- .Fx
- Project by Network Associates Labs,
- the Security Research Division of Network Associates
- Inc.
- under DARPA/SPAWAR contract N66001-01-C-8035
- .Pq Dq CBOSS ,
- as part of the DARPA CHATS research program.
- .Sh BUGS
- See
- .Xr mac 9
- concerning appropriateness for production use.
- The
- .Tn TrustedBSD
- MAC Framework is considered experimental in
- .Fx .
- .Pp
- While the MAC Framework design is intended to support the containment of
- the root user, not all attack channels are currently protected by entry
- point checks.
- As such, MAC Framework policies should not be relied on, in isolation,
- to protect against a malicious privileged user.