mac_ifoff.4 (115211) | mac_ifoff.4 (115643) |
---|---|
1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" | 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
31.\" $FreeBSD: head/share/man/man4/mac_ifoff.4 115211 2003-05-21 15:55:40Z ru $ 32.Dd DECEMBER 10, 2002 | 31.\" $FreeBSD: head/share/man/man4/mac_ifoff.4 115643 2003-06-01 21:52:59Z ru $ 32.\" 33.Dd December 10, 2002 |
33.Os 34.Dt MAC_IFOFF 4 35.Sh NAME 36.Nm mac_ifoff | 34.Os 35.Dt MAC_IFOFF 4 36.Sh NAME 37.Nm mac_ifoff |
37.Nd interface silencing policy | 38.Nd "interface silencing policy" |
38.Sh SYNOPSIS 39To compile the interface silencing policy into your kernel, 40place the following lines in your kernel 41configuration file: | 39.Sh SYNOPSIS 40To compile the interface silencing policy into your kernel, 41place the following lines in your kernel 42configuration file: |
43.Bd -ragged -offset indent |
|
42.Cd "options MAC" 43.Cd "options MAC_IFOFF" | 44.Cd "options MAC" 45.Cd "options MAC_IFOFF" |
46.Ed |
|
44.Pp 45Alternately, to load the interface silencing policy module at boot time, 46place the following line in your kernel configuration file: | 47.Pp 48Alternately, to load the interface silencing policy module at boot time, 49place the following line in your kernel configuration file: |
50.Bd -ragged -offset indent |
|
47.Cd "options MAC" | 51.Cd "options MAC" |
52.Ed |
|
48.Pp 49and in 50.Xr loader.conf 5 : | 53.Pp 54and in 55.Xr loader.conf 5 : |
51.Cd mac_ifoff_load= Ns \&"YES" | 56.Bd -literal -offset indent 57mac_ifoff_load="YES" 58.Ed |
52.Sh DESCRIPTION 53The 54.Nm 55interface silencing module allows administrators to enable and disable 56incoming and outgoing data flow on system network interfaces 57via the 58.Xr sysctl 8 59interface. 60.Pp 61To disable network traffic over the loopback | 59.Sh DESCRIPTION 60The 61.Nm 62interface silencing module allows administrators to enable and disable 63incoming and outgoing data flow on system network interfaces 64via the 65.Xr sysctl 8 66interface. 67.Pp 68To disable network traffic over the loopback |
62.Xr ( lo 4 ) | 69.Pq Xr lo 4 |
63interface, set the 64.Xr sysctl 8 65OID 66.Va security.mac.ifoff.lo_enabled | 70interface, set the 71.Xr sysctl 8 72OID 73.Va security.mac.ifoff.lo_enabled |
67to 68.Li 0 69(default 70.Li 1 ) . | 74to 0 (default 1). |
71.Pp 72To enable network traffic over other interfaces, 73set the 74.Xr sysctl 8 75OID 76.Va security.mac.ifoff.other_enabled | 75.Pp 76To enable network traffic over other interfaces, 77set the 78.Xr sysctl 8 79OID 80.Va security.mac.ifoff.other_enabled |
77to 78.Li 1 79(default 80.Li 0 ) . | 81to 1 (default 0). |
81.Pp 82To allow BPF traffic to be received, 83even while other traffic is disabled, 84set the 85.Xr sysctl 8 86OID 87.Va security.mac.ifoff.bpfrecv_enabled | 82.Pp 83To allow BPF traffic to be received, 84even while other traffic is disabled, 85set the 86.Xr sysctl 8 87OID 88.Va security.mac.ifoff.bpfrecv_enabled |
88to 89.Li 1 90(default 91.Li 0 ) . | 89to 1 (default 0). |
92.Ss Label Format 93No labels are defined. 94.Sh SEE ALSO 95.Xr lomac 4 , 96.Xr mac 4 , 97.Xr mac_bsdextended 4 , 98.Xr mac_lomac 4 , 99.Xr mac_mls 4 , 100.Xr mac_none 4 , 101.Xr mac_partition 4 , 102.Xr mac_portacl 4 , 103.Xr mac_seeotheruids 4 , 104.Xr mac_test 4 , 105.Xr mac 9 106.Sh HISTORY 107The 108.Nm 109policy module first appeared in 110.Fx 5.0 | 90.Ss Label Format 91No labels are defined. 92.Sh SEE ALSO 93.Xr lomac 4 , 94.Xr mac 4 , 95.Xr mac_bsdextended 4 , 96.Xr mac_lomac 4 , 97.Xr mac_mls 4 , 98.Xr mac_none 4 , 99.Xr mac_partition 4 , 100.Xr mac_portacl 4 , 101.Xr mac_seeotheruids 4 , 102.Xr mac_test 4 , 103.Xr mac 9 104.Sh HISTORY 105The 106.Nm 107policy module first appeared in 108.Fx 5.0 |
111and was developed by the TrustedBSD Project. | 109and was developed by the 110.Tn TrustedBSD 111Project. |
112.Sh AUTHORS 113This software was contributed to the 114.Fx 115Project by Network Associates Labs, 116the Security Research Division of Network Associates | 112.Sh AUTHORS 113This software was contributed to the 114.Fx 115Project by Network Associates Labs, 116the Security Research Division of Network Associates |
117Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | 117Inc. under DARPA/SPAWAR contract N66001-01-C-8035 118.Pq Dq CBOSS , |
118as part of the DARPA CHATS research program. 119.Sh BUGS 120See 121.Xr mac 9 122concerning appropriateness for production use. | 119as part of the DARPA CHATS research program. 120.Sh BUGS 121See 122.Xr mac 9 123concerning appropriateness for production use. |
123The TrustedBSD MAC Framework is considered experimental in | 124The 125.Tn TrustedBSD 126MAC Framework is considered experimental in |
124.Fx . 125.Pp 126While the MAC Framework design is intended to support the containment of 127the root user, not all attack channels are currently protected by entry 128point checks. 129As such, MAC Framework policies should not be relied on, in isolation, 130to protect against a malicious privileged user. | 127.Fx . 128.Pp 129While the MAC Framework design is intended to support the containment of 130the root user, not all attack channels are currently protected by entry 131point checks. 132As such, MAC Framework policies should not be relied on, in isolation, 133to protect against a malicious privileged user. |