/share/man/man4/mac_ifoff.4

https://bitbucket.org/freebsd/freebsd-head/ · Forth · 133 lines · 133 code · 0 blank · 0 comment · 3 complexity · b06fc15cae1649b39156c16e03a57b87 MD5 · raw file

  1. .\" Copyright (c) 2002 Networks Associates Technology, Inc.
  2. .\" All rights reserved.
  3. .\"
  4. .\" This software was developed for the FreeBSD Project by Chris Costello
  5. .\" at Safeport Network Services and Network Associates Laboratories, the
  6. .\" Security Research Division of Network Associates, Inc. under
  7. .\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
  8. .\" DARPA CHATS research program.
  9. .\"
  10. .\" Redistribution and use in source and binary forms, with or without
  11. .\" modification, are permitted provided that the following conditions
  12. .\" are met:
  13. .\" 1. Redistributions of source code must retain the above copyright
  14. .\" notice, this list of conditions and the following disclaimer.
  15. .\" 2. Redistributions in binary form must reproduce the above copyright
  16. .\" notice, this list of conditions and the following disclaimer in the
  17. .\" documentation and/or other materials provided with the distribution.
  18. .\"
  19. .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
  20. .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21. .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22. .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
  23. .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24. .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25. .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26. .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27. .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  28. .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  29. .\" SUCH DAMAGE.
  30. .\"
  31. .\" $FreeBSD$
  32. .\"
  33. .Dd December 10, 2002
  34. .Dt MAC_IFOFF 4
  35. .Os
  36. .Sh NAME
  37. .Nm mac_ifoff
  38. .Nd "interface silencing policy"
  39. .Sh SYNOPSIS
  40. To compile the interface silencing policy into your kernel,
  41. place the following lines in your kernel
  42. configuration file:
  43. .Bd -ragged -offset indent
  44. .Cd "options MAC"
  45. .Cd "options MAC_IFOFF"
  46. .Ed
  47. .Pp
  48. Alternately, to load the interface silencing policy module at boot time,
  49. place the following line in your kernel configuration file:
  50. .Bd -ragged -offset indent
  51. .Cd "options MAC"
  52. .Ed
  53. .Pp
  54. and in
  55. .Xr loader.conf 5 :
  56. .Bd -literal -offset indent
  57. mac_ifoff_load="YES"
  58. .Ed
  59. .Sh DESCRIPTION
  60. The
  61. .Nm
  62. interface silencing module allows administrators to enable and disable
  63. incoming and outgoing data flow on system network interfaces
  64. via the
  65. .Xr sysctl 8
  66. interface.
  67. .Pp
  68. To disable network traffic over the loopback
  69. .Pq Xr lo 4
  70. interface, set the
  71. .Xr sysctl 8
  72. OID
  73. .Va security.mac.ifoff.lo_enabled
  74. to 0 (default 1).
  75. .Pp
  76. To enable network traffic over other interfaces,
  77. set the
  78. .Xr sysctl 8
  79. OID
  80. .Va security.mac.ifoff.other_enabled
  81. to 1 (default 0).
  82. .Pp
  83. To allow BPF traffic to be received,
  84. even while other traffic is disabled,
  85. set the
  86. .Xr sysctl 8
  87. OID
  88. .Va security.mac.ifoff.bpfrecv_enabled
  89. to 1 (default 0).
  90. .Ss Label Format
  91. No labels are defined.
  92. .Sh SEE ALSO
  93. .Xr mac 4 ,
  94. .Xr mac_bsdextended 4 ,
  95. .Xr mac_lomac 4 ,
  96. .Xr mac_mls 4 ,
  97. .Xr mac_none 4 ,
  98. .Xr mac_partition 4 ,
  99. .Xr mac_portacl 4 ,
  100. .Xr mac_seeotheruids 4 ,
  101. .Xr mac_test 4 ,
  102. .Xr mac 9
  103. .Sh HISTORY
  104. The
  105. .Nm
  106. policy module first appeared in
  107. .Fx 5.0
  108. and was developed by the
  109. .Tn TrustedBSD
  110. Project.
  111. .Sh AUTHORS
  112. This software was contributed to the
  113. .Fx
  114. Project by Network Associates Labs,
  115. the Security Research Division of Network Associates
  116. Inc.
  117. under DARPA/SPAWAR contract N66001-01-C-8035
  118. .Pq Dq CBOSS ,
  119. as part of the DARPA CHATS research program.
  120. .Sh BUGS
  121. See
  122. .Xr mac 9
  123. concerning appropriateness for production use.
  124. The
  125. .Tn TrustedBSD
  126. MAC Framework is considered experimental in
  127. .Fx .
  128. .Pp
  129. While the MAC Framework design is intended to support the containment of
  130. the root user, not all attack channels are currently protected by entry
  131. point checks.
  132. As such, MAC Framework policies should not be relied on, in isolation,
  133. to protect against a malicious privileged user.