PageRenderTime 17ms CodeModel.GetById 14ms app.highlight 0ms RepoModel.GetById 1ms app.codeStats 1ms

/share/man/man4/mac_ifoff.4

https://bitbucket.org/freebsd/freebsd-head/
Forth | 133 lines | 133 code | 0 blank | 0 comment | 3 complexity | b06fc15cae1649b39156c16e03a57b87 MD5 | raw file
  1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
  2.\" All rights reserved.
  3.\"
  4.\" This software was developed for the FreeBSD Project by Chris Costello
  5.\" at Safeport Network Services and Network Associates Laboratories, the
  6.\" Security Research Division of Network Associates, Inc. under
  7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
  8.\" DARPA CHATS research program.
  9.\"
 10.\" Redistribution and use in source and binary forms, with or without
 11.\" modification, are permitted provided that the following conditions
 12.\" are met:
 13.\" 1. Redistributions of source code must retain the above copyright
 14.\"    notice, this list of conditions and the following disclaimer.
 15.\" 2. Redistributions in binary form must reproduce the above copyright
 16.\"    notice, this list of conditions and the following disclaimer in the
 17.\"    documentation and/or other materials provided with the distribution.
 18.\"
 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 29.\" SUCH DAMAGE.
 30.\"
 31.\" $FreeBSD$
 32.\"
 33.Dd December 10, 2002
 34.Dt MAC_IFOFF 4
 35.Os
 36.Sh NAME
 37.Nm mac_ifoff
 38.Nd "interface silencing policy"
 39.Sh SYNOPSIS
 40To compile the interface silencing policy into your kernel,
 41place the following lines in your kernel
 42configuration file:
 43.Bd -ragged -offset indent
 44.Cd "options MAC"
 45.Cd "options MAC_IFOFF"
 46.Ed
 47.Pp
 48Alternately, to load the interface silencing policy module at boot time,
 49place the following line in your kernel configuration file:
 50.Bd -ragged -offset indent
 51.Cd "options MAC"
 52.Ed
 53.Pp
 54and in
 55.Xr loader.conf 5 :
 56.Bd -literal -offset indent
 57mac_ifoff_load="YES"
 58.Ed
 59.Sh DESCRIPTION
 60The
 61.Nm
 62interface silencing module allows administrators to enable and disable
 63incoming and outgoing data flow on system network interfaces
 64via the
 65.Xr sysctl 8
 66interface.
 67.Pp
 68To disable network traffic over the loopback
 69.Pq Xr lo 4
 70interface, set the
 71.Xr sysctl 8
 72OID
 73.Va security.mac.ifoff.lo_enabled
 74to 0 (default 1).
 75.Pp
 76To enable network traffic over other interfaces,
 77set the
 78.Xr sysctl 8
 79OID
 80.Va security.mac.ifoff.other_enabled
 81to 1 (default 0).
 82.Pp
 83To allow BPF traffic to be received,
 84even while other traffic is disabled,
 85set the
 86.Xr sysctl 8
 87OID
 88.Va security.mac.ifoff.bpfrecv_enabled
 89to 1 (default 0).
 90.Ss Label Format
 91No labels are defined.
 92.Sh SEE ALSO
 93.Xr mac 4 ,
 94.Xr mac_bsdextended 4 ,
 95.Xr mac_lomac 4 ,
 96.Xr mac_mls 4 ,
 97.Xr mac_none 4 ,
 98.Xr mac_partition 4 ,
 99.Xr mac_portacl 4 ,
100.Xr mac_seeotheruids 4 ,
101.Xr mac_test 4 ,
102.Xr mac 9
103.Sh HISTORY
104The
105.Nm
106policy module first appeared in
107.Fx 5.0
108and was developed by the
109.Tn TrustedBSD
110Project.
111.Sh AUTHORS
112This software was contributed to the
113.Fx
114Project by Network Associates Labs,
115the Security Research Division of Network Associates
116Inc.
117under DARPA/SPAWAR contract N66001-01-C-8035
118.Pq Dq CBOSS ,
119as part of the DARPA CHATS research program.
120.Sh BUGS
121See
122.Xr mac 9
123concerning appropriateness for production use.
124The
125.Tn TrustedBSD
126MAC Framework is considered experimental in
127.Fx .
128.Pp
129While the MAC Framework design is intended to support the containment of
130the root user, not all attack channels are currently protected by entry
131point checks.
132As such, MAC Framework policies should not be relied on, in isolation,
133to protect against a malicious privileged user.