mac-ifoff.html

这是很好的学习嵌入式LINUX的文章

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC ifoff Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC bsdextended Module" href="mac-bsdextended.html" />
<link rel="NEXT" title="The MAC portacl Module" href="mac-portacl.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-bsdextended.html"
accesskey="P">后退</a></td>
<td width="80%" align="center" valign="bottom">章 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-portacl.html"
accesskey="N">前进</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-IFOFF" name="MAC-IFOFF">15.7. The MAC ifoff Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_ifoff.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_IFOFF</var></p>

<p>Boot option: <var class="LITERAL">mac_ifoff_load="YES"</var></p>

<p>The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_ifoff</span>(4)</span>
module exists solely to disable network interfaces on the fly and keep network interfaces
from being brought up during the initial system boot. It does not require any labels to
be set up on the system, nor does it have a dependency on other <acronym
class="ACRONYM">MAC</acronym> modules.</p>

<p>Most of the control is done through the <tt class="COMMAND">sysctl</tt> tunables
listed below.</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.ifoff.lo_enabled</var> will enable/disable all
traffic on the loopback (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">lo</span>(4)</span>) interface.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.ifoff.bpfrecv_enabled</var> will enable/disable all
traffic on the Berkeley Packet Filter interface (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">bpf</span>(4)</span>)</p>
</li>

<li>
<p><var class="LITERAL">security.mac.ifoff.other_enabled</var> will enable/disable
traffic on all other interfaces.</p>
</li>
</ul>

<p>One of the most common uses of <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_ifoff</span>(4)</span> is network monitoring in an environment
where network traffic should not be permitted during the boot sequence. Another suggested
use would be to write a script which uses <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/aide/pkg-descr"><tt
class="FILENAME">security/aide</tt></a> to automatically block network traffic if it
finds new or altered files in protected directories.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-bsdextended.html"
accesskey="P">后退</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">起点</a></td>
<td width="33%" align="right" valign="top"><a href="mac-portacl.html"
accesskey="N">前进</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC bsdextended Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html"
accesskey="U">上一级</a></td>
<td width="33%" align="right" valign="top">The MAC portacl Module</td>
</tr>
</table>
</div>
</body>
</html>