Module name: mac_ifoff.ko
Kernel configuration line: options MAC_IFOFF
Boot option: mac_ifoff_load="YES"
The mac_ifoff(4) module
exists solely to disable network interfaces on the fly and to keep network interfaces from
being brought up during the initial system boot. It requires no labels to be set
up on the system and has no dependency on other MAC modules. Because the policy starts with traffic on
all non-loopback interfaces disabled, loading it from the loader (mac_ifoff_load="YES" in
/boot/loader.conf) is enough to keep every interface except lo(4) silent until an administrator
re-enables them with sysctl(8).
Most of the control is done through the sysctl(8) variables
listed below. Each is a boolean: 1 enables, 0 disables.
- security.mac.ifoff.lo_enabled enables or disables all traffic
on the loopback (lo(4)) interface. Defaults to 1. Turning it off breaks every local daemon that
talks over loopback, so it is rarely disabled.
- security.mac.ifoff.bpfrecv_enabled controls whether bpf(4) consumers may still
receive packets while other traffic is disabled. Defaults to 1.
- security.mac.ifoff.other_enabled enables or disables traffic
on all other interfaces. Defaults to 0.
One of the most common uses of mac_ifoff(4) is
network monitoring in an environment where network traffic should not be permitted during
the boot sequence: the module is loaded from the loader, other_enabled stays at 0, and
bpfrecv_enabled stays at 1, so a bpf(4) consumer such as tcpdump(1) still captures what arrives
on the wire while the host itself neither sends on nor accepts packets from its other interfaces.
Another suggested use is a script which runs security/aide and, if it
finds new or altered files in protected directories, sets security.mac.ifoff.other_enabled=0 to
cut the host off from the network automatically.
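The AIDE-driven cut-off described above, as an added example (not part of the Handbook, and not code from the AIDE project). It assumes mac_ifoff.ko is already loaded, that an AIDE database has been initialised, and that the report uses the "Added/Changed/Removed entries" (or older "files") section headers with each entry line ending in ": /path"; the embedded sample report is constructed to exercise the parser, so compare the headers against what your own AIDE version prints before trusting it. The command names are overridable so the parsing logic can be run without root.

```shell
#!/bin/sh
# Added example: run an AIDE check and, if anything under a protected
# directory was added, changed or removed, cut non-loopback traffic with
# mac_ifoff(4). Assumes mac_ifoff.ko is loaded and an AIDE database exists.

# Overridable so the logic can be exercised without root or AIDE installed.
: "${AIDE_CMD:=aide --check}"
: "${SYSCTL_CMD:=sysctl}"
: "${PROTECTED:=/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib /usr/libexec /boot}"

# changed_paths: read an AIDE report on stdin and print the path of every
# entry under the Added/Changed/Removed sections, one per line. Entry lines
# end in ": /path" in both the old ("added: /path") and newer
# ("f++++++++++++++++: /path") layouts; any other top-level "Header:" line
# ends the section, so the detailed-changes block is skipped.
changed_paths() {
    awk '
        /^(Added|Changed|Removed) (entries|files):/ { insec = 1; next }
        /^[A-Z][A-Za-z() ]*:/                        { insec = 0 }
        insec && /: \//                              { sub(/^.*: \//, "/"); print }
    '
}

# is_protected PATH: succeed if PATH is, or lies beneath, a protected directory.
is_protected() {
    for dir in $PROTECTED; do
        case "$1" in
            "$dir"|"$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# protected_hits: keep only the reported paths that fall under $PROTECTED.
protected_hits() {
    changed_paths | while IFS= read -r p; do
        if is_protected "$p"; then printf '%s\n' "$p"; fi
    done
}

# block_network: the mac_ifoff switch. Loopback is left alone so local daemons
# keep working; bpf(4) reception is left alone so a sniffer can still record
# what arrives during the incident.
block_network() {
    $SYSCTL_CMD security.mac.ifoff.other_enabled=0
}

# check_and_block: returns 0 if nothing protected was touched, 2 after cutting
# traffic. AIDE exits non-zero whenever it finds any difference, so its exit
# status is ignored; only the parsed report decides.
check_and_block() {
    hits=$($AIDE_CMD 2>/dev/null | protected_hits)
    if [ -n "$hits" ]; then
        printf 'aide: protected files changed, disabling network:\n%s\n' "$hits" >&2
        block_network
        return 2
    fi
    return 0
}

# sample_report: a constructed AIDE-style report used to exercise the parser.
sample_report() {
cat <<'EOF'
AIDE 0.16 found differences between database and filesystem!!

Summary:
  Total number of entries:  31258
  Added entries:            2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/bin/evil
f++++++++++++++++: /tmp/scratch.log

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/alice/notes.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...mc.. ...  : /usr/sbin/sshd

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /usr/sbin/sshd
  Size      : 1231648                          | 1300000
EOF
}

# Dry run: "sh ifoff-aide.sh --demo" prints the two protected hits from the
# constructed report without touching sysctl.
if [ "${1:-}" = "--demo" ]; then
    sample_report | protected_hits
fi
```

Run it from cron after the nightly AIDE check, or from the AIDE wrapper itself. Note that once other_enabled is 0 the host can no longer reach a remote syslog or notification target, so log the hit locally before calling block_network, as the script does on stderr.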