1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd July 25, 2015 32.Dt MAC_IFOFF 4 33.Os 34.Sh NAME 35.Nm mac_ifoff 36.Nd "interface silencing policy" 37.Sh SYNOPSIS 38To compile the interface silencing policy into your kernel, 39place the following lines in your kernel 40configuration file: 41.Bd -ragged -offset indent 42.Cd "options MAC" 43.Cd "options MAC_IFOFF" 44.Ed 45.Pp 46Alternately, to load the interface silencing policy module at boot time, 47place the following line in your kernel configuration file: 48.Bd -ragged -offset indent 49.Cd "options MAC" 50.Ed 51.Pp 52and in 53.Xr loader.conf 5 : 54.Bd -literal -offset indent 55mac_ifoff_load="YES" 56.Ed 57.Sh DESCRIPTION 58The 59.Nm 60interface silencing module allows administrators to enable and disable 61incoming and outgoing data flow on system network interfaces 62via the 63.Xr sysctl 8 64interface. 65.Pp 66To disable network traffic over the loopback 67.Pq Xr lo 4 68interface, set the 69.Xr sysctl 8 70OID 71.Va security.mac.ifoff.lo_enabled 72to 0 (default 1). 73.Pp 74To enable network traffic over other interfaces, 75set the 76.Xr sysctl 8 77OID 78.Va security.mac.ifoff.other_enabled 79to 1 (default 0). 80.Pp 81To allow BPF traffic to be received, 82even while other traffic is disabled, 83set the 84.Xr sysctl 8 85OID 86.Va security.mac.ifoff.bpfrecv_enabled 87to 1 (default 0). 88.Ss Label Format 89No labels are defined. 90.Sh SEE ALSO 91.Xr mac 4 , 92.Xr mac_bsdextended 4 , 93.Xr mac_lomac 4 , 94.Xr mac_mls 4 , 95.Xr mac_none 4 , 96.Xr mac_partition 4 , 97.Xr mac_portacl 4 , 98.Xr mac_seeotheruids 4 , 99.Xr mac_test 4 , 100.Xr mac 9 101.Sh HISTORY 102The 103.Nm 104policy module first appeared in 105.Fx 5.0 106and was developed by the 107.Tn TrustedBSD 108Project. 109.Sh AUTHORS 110This software was contributed to the 111.Fx 112Project by Network Associates Labs, 113the Security Research Division of Network Associates 114Inc. 115under DARPA/SPAWAR contract N66001-01-C-8035 116.Pq Dq CBOSS , 117as part of the DARPA CHATS research program. 118.Sh BUGS 119While the MAC Framework design is intended to support the containment of 120the root user, not all attack channels are currently protected by entry 121point checks. 122As such, MAC Framework policies should not be relied on, in isolation, 123to protect against a malicious privileged user. 124