mac-ifoff.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC ifoff Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC bsdextended Module" href="mac-bsdextended.html" />
<link rel="NEXT" title="The MAC portacl Module" href="mac-portacl.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-bsdextended.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-portacl.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-IFOFF" name="MAC-IFOFF">15.7 The MAC ifoff Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_ifoff.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_IFOFF</var></p>

<p>Boot option: <var class="LITERAL">mac_ifoff_load="YES"</var></p>

<p>The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_ifoff&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_ifoff</span>(4)</span></a> module
exists solely to disable network interfaces on the fly and keep network interfaces from
being brought up during the initial system boot. It does not require any labels to be set
up on the system, nor does it have a dependency on other <acronym
class="ACRONYM">MAC</acronym> modules.</p>

<p>Most of the control is done through the <tt class="COMMAND">sysctl</tt> tunables
listed below.</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.ifoff.lo_enabled</var> will enable/disable all
traffic on the loopback (<a
href="http://www.FreeBSD.org/cgi/man.cgi?query=lo&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">lo</span>(4)</span></a>) interface.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.ifoff.bpfrecv_enabled</var> will enable/disable all
traffic on the Berkeley Packet Filter interface (<a
href="http://www.FreeBSD.org/cgi/man.cgi?query=bpf&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">bpf</span>(4)</span></a>)</p>
</li>

<li>
<p><var class="LITERAL">security.mac.ifoff.other_enabled</var> will enable/disable
traffic on all other interfaces.</p>
</li>
</ul>

<p>One of the most common uses of <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_ifoff&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_ifoff</span>(4)</span></a> is
network monitoring in an environment where network traffic should not be permitted during
the boot sequence. Another suggested use would be to write a script which uses <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/aide/pkg-descr"><tt
class="FILENAME">security/aide</tt></a> to automatically block network traffic if it
finds new or altered files in protected directories.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-bsdextended.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-portacl.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC bsdextended Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The MAC portacl Module</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>