Module name: mac_ifoff.ko
Kernel configuration line: options MAC_IFOFF
Boot option: mac_ifoff_load="YES"
The mac_ifoff(4) module exists solely to disable network interfaces on the fly and keep network interfaces from being brought up during system boot. It does not require any labels to be set up on the system, nor does it depend on other MAC modules.
Most of this module's control is performed through the sysctl tunables listed below.
security.mac.ifoff.lo_enabled enables or disables all traffic on the loopback (lo(4)) interface.
security.mac.ifoff.bpfrecv_enabled enables or disables all traffic on the Berkeley Packet Filter interface (bpf(4)).
security.mac.ifoff.other_enabled enables or disables traffic on all other interfaces.
One of the most common uses of mac_ifoff(4) is network monitoring in an environment where network traffic should not be permitted during the boot sequence. Another suggested use would be to write a script which uses security/aide to automatically block network traffic if it finds new or altered files in protected directories.
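
One way to write the security/aide script suggested above, as an added example that is not part of the original text. It assumes mac_ifoff is loaded, AIDE has an initialised database, and the script runs as root; the script name and the SYSCTL_CMD/AIDE_CMD override variables are hypothetical.

```sh
#!/bin/sh
# Added example: cut off non-loopback traffic with mac_ifoff(4) when
# AIDE reports new or altered files in the directories it watches.

SYSCTL_CMD="${SYSCTL_CMD:-sysctl}"   # overridable (assumption), e.g. for a dry run
AIDE_CMD="${AIDE_CMD:-aide}"

# Map an `aide --check` exit status to a verdict.
# AIDE ORs together 1 = new, 2 = removed, 4 = changed files;
# statuses of 14 and above are errors (bad config, I/O failure, ...).
# Only "new" and "changed" trigger a block, matching the use described above.
classify_aide_status() {
    if [ "$1" -ge 14 ]; then
        echo error
    elif [ $(( $1 & 5 )) -ne 0 ]; then   # bit 1 (new) or bit 4 (changed)
        echo block
    else
        echo ok
    fi
}

# Only other_enabled is cleared; the loopback and bpf tunables are left
# as they are, so local logging and passive monitoring keep working.
block_network() {
    "$SYSCTL_CMD" security.mac.ifoff.other_enabled=0 >/dev/null
}

# Returns 0 = clean, 1 = network blocked, 2 = AIDE or sysctl failure.
main() {
    status=0
    "$AIDE_CMD" --check >/dev/null 2>&1 || status=$?
    case $(classify_aide_status "$status") in
        block)
            block_network || { echo "sysctl failed; network NOT blocked" >&2; return 2; }
            echo "AIDE status $status: new or altered files, network blocked" >&2
            return 1 ;;
        error)
            echo "AIDE failed with status $status; network left unchanged" >&2
            return 2 ;;
    esac
    return 0
}

# Run only when invoked as: sh ifoff-aide.sh check
if [ "${1:-}" = check ]; then
    main
    exit $?
fi
```

Traffic stays blocked until an administrator sets security.mac.ifoff.other_enabled back to 1 from the console.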