faithd.8 (140368) | faithd.8 (201889) |
---|---|
1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" | 1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" |
30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 140368 2005-01-17 07:44:44Z ru $ | 30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 201889 2010-01-09 10:24:09Z brueffer $ |
31.\" | 31.\" |
32.Dd May 17, 1998 | 32.Dd January 9, 2010 |
33.Dt FAITHD 8 34.Os 35.Sh NAME 36.Nm faithd 37.Nd FAITH IPv6/v4 translator daemon 38.Sh SYNOPSIS 39.Nm 40.Op Fl dp 41.Op Fl f Ar configfile 42.Ar service 43.Op Ar serverpath Op Ar serverargs 44.Sh DESCRIPTION 45The 46.Nm | 33.Dt FAITHD 8 34.Os 35.Sh NAME 36.Nm faithd 37.Nd FAITH IPv6/v4 translator daemon 38.Sh SYNOPSIS 39.Nm 40.Op Fl dp 41.Op Fl f Ar configfile 42.Ar service 43.Op Ar serverpath Op Ar serverargs 44.Sh DESCRIPTION 45The 46.Nm |
47utility provides IPv6-to-IPv4 TCP relay. 48It must be used on an IPv4/v6 dual stack router. | 47utility provides IPv6-to-IPv4 TCP relaying. 48It can only be used on an IPv4/v6 dual stack router. |
49.Pp 50When 51.Nm 52receives 53.Tn TCPv6 | 49.Pp 50When 51.Nm 52receives 53.Tn TCPv6 |
54traffic, 55.Nm 56will relay the | 54traffic, it will relay the |
57.Tn TCPv6 58traffic to 59.Tn TCPv4 . | 55.Tn TCPv6 56traffic to 57.Tn TCPv4 . |
60Destination for relayed | 58The destination for the relayed |
61.Tn TCPv4 62connection will be determined by the last 4 octets of the original 63.Tn IPv6 64destination. 65For example, if 66.Li 3ffe:0501:4819:ffff:: 67is reserved for 68.Nm , 69and the 70.Tn TCPv6 71destination address is 72.Li 3ffe:0501:4819:ffff::0a01:0101 , 73the traffic will be relayed to IPv4 destination 74.Li 10.1.1.1 . 75.Pp | 59.Tn TCPv4 60connection will be determined by the last 4 octets of the original 61.Tn IPv6 62destination. 63For example, if 64.Li 3ffe:0501:4819:ffff:: 65is reserved for 66.Nm , 67and the 68.Tn TCPv6 69destination address is 70.Li 3ffe:0501:4819:ffff::0a01:0101 , 71the traffic will be relayed to IPv4 destination 72.Li 10.1.1.1 . 73.Pp |
76To use | 74To use the |
77.Nm 78translation service, 79an IPv6 address prefix must be reserved for mapping IPv4 addresses into. | 75.Nm 76translation service, 77an IPv6 address prefix must be reserved for mapping IPv4 addresses into. |
80Kernel must be properly configured to route all the TCP connection | 78The kernel must be properly configured to route all the TCP connections |
81toward the reserved IPv6 address prefix into the 82.Xr faith 4 | 79toward the reserved IPv6 address prefix into the 80.Xr faith 4 |
83pseudo interface, by using | 81pseudo interface, using the |
84.Xr route 8 85command. 86Also, 87.Xr sysctl 8 88should be used to configure 89.Dv net.inet6.ip6.keepfaith 90to 91.Dv 1 . 92.Pp 93The router must be configured to capture all the TCP traffic | 82.Xr route 8 83command. 84Also, 85.Xr sysctl 8 86should be used to configure 87.Dv net.inet6.ip6.keepfaith 88to 89.Dv 1 . 90.Pp 91The router must be configured to capture all the TCP traffic |
94toward reserved | 92for the reserved |
95.Tn IPv6 96address prefix, by using 97.Xr route 8 98and 99.Xr sysctl 8 100commands. 101.Pp 102The 103.Nm | 93.Tn IPv6 94address prefix, by using 95.Xr route 8 96and 97.Xr sysctl 8 98commands. 99.Pp 100The 101.Nm |
104utility needs a special name-to-address translation logic, so that 105hostnames gets resolved into special | 102utility needs special name-to-address translation logic, so that 103hostnames get resolved into the special |
106.Tn IPv6 107address prefix. | 104.Tn IPv6 105address prefix. |
108For small-scale installation, use 109.Xr hosts 5 . 110For large-scale installation, it is useful to have | 106For small-scale installations, use 107.Xr hosts 5 ; 108For large-scale installations, it is useful to have |
111a DNS server with special address translation support. 112An implementation called 113.Nm totd | 109a DNS server with special address translation support. 110An implementation called 111.Nm totd |
114is available 115at 116.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html . 117Make sure you do not propagate translated DNS records to normal DNS cloud, 118it is highly harmful. | 112is available at 113.Pa http://www.vermicelli.pasta.cs.uit.no/software/totd.html . 114Make sure you do not propagate translated DNS records over to normal 115DNS, as it can cause severe problems. |
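Review bot: the rewritten DESCRIPTION text in this hunk changes ".Xr hosts 5 ." to ".Xr hosts 5 ;" but leaves the next line as "For large-scale installations, it is useful to have", so the page now renders as "use hosts(5); For large-scale installations ...", a capital letter after a semicolon. Either keep the original full stop (".Xr hosts 5 .") or lowercase "for" on the following line so the two clauses read as one sentence.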
119.Ss Daemon mode 120When 121.Nm 122is invoked as a standalone program, 123.Nm 124will daemonize itself. 125The 126.Nm --- 18 unchanged lines hidden (view full) --- 145or other standard mechanisms. 146By specifying 147.Ar serverpath 148to 149.Nm , 150you can run local daemons on the router. 151The 152.Nm | 116.Ss Daemon mode 117When 118.Nm 119is invoked as a standalone program, 120.Nm 121will daemonize itself. 122The 123.Nm --- 18 unchanged lines hidden (view full) --- 142or other standard mechanisms. 143By specifying 144.Ar serverpath 145to 146.Nm , 147you can run local daemons on the router. 148The 149.Nm |
153utility will invoke local daemon at | 150utility will invoke a local daemon at |
154.Ar serverpath | 151.Ar serverpath |
155if the destination address is local interface address, | 152if the destination address is a local interface address, |
156and will perform translation to IPv4 TCP in other cases. 157You can also specify 158.Ar serverargs 159for the arguments for the local daemon. 160.Pp 161The following options are available: 162.Bl -tag -width indent 163.It Fl d --- 13 unchanged lines hidden (view full) --- 177The 178.Nm 179utility will relay both normal and out-of-band TCP data. 180It is capable of emulating TCP half close as well. 181The 182.Nm 183utility includes special support for protocols used by 184.Xr ftp 1 . | 153and will perform translation to IPv4 TCP in other cases. 154You can also specify 155.Ar serverargs 156for the arguments for the local daemon. 157.Pp 158The following options are available: 159.Bl -tag -width indent 160.It Fl d --- 13 unchanged lines hidden (view full) --- 174The 175.Nm 176utility will relay both normal and out-of-band TCP data. 177It is capable of emulating TCP half close as well. 178The 179.Nm 180utility includes special support for protocols used by 181.Xr ftp 1 . |
185When translating FTP protocol, | 182When translating the FTP protocol, |
186.Nm 187translates network level addresses in 188.Li PORT/LPRT/EPRT 189and 190.Li PASV/LPSV/EPSV 191commands. 192.Pp 193Inactive sessions will be disconnected in 30 minutes, | 183.Nm 184translates network level addresses in 185.Li PORT/LPRT/EPRT 186and 187.Li PASV/LPSV/EPSV 188commands. 189.Pp 190Inactive sessions will be disconnected in 30 minutes, |
194to avoid stale sessions from chewing up resources. 195This may be inappropriate for some of the services | 191to prevent stale sessions from chewing up resources. 192This may be inappropriate for some services |
196(should this be configurable?). 197.Ss inetd mode 198When 199.Nm 200is invoked via 201.Xr inetd 8 , 202.Nm | 193(should this be configurable?). 194.Ss inetd mode 195When 196.Nm 197is invoked via 198.Xr inetd 8 , 199.Nm |
203will handle connection passed from standard input. | 200will handle connections passed from standard input. |
204If the connection endpoint is in the reserved IPv6 address prefix, 205.Nm 206will relay the connection. 207Otherwise, 208.Nm | 201If the connection endpoint is in the reserved IPv6 address prefix, 202.Nm 203will relay the connection. 204Otherwise, 205.Nm |
209will invoke service-specific daemon like | 206will invoke a service-specific daemon like |
210.Xr telnetd 8 , 211by using the command argument passed from 212.Xr inetd 8 . 213.Pp 214The 215.Nm 216utility determines operation mode by the local TCP port number, 217and enables special protocol handling whenever necessary/possible. 218For example, if 219.Nm 220is invoked via 221.Xr inetd 8 | 207.Xr telnetd 8 , 208by using the command argument passed from 209.Xr inetd 8 . 210.Pp 211The 212.Nm 213utility determines operation mode by the local TCP port number, 214and enables special protocol handling whenever necessary/possible. 215For example, if 216.Nm 217is invoked via 218.Xr inetd 8 |
222on FTP port, it will operate as a FTP relay. | 219on the FTP port, it will operate as an FTP relay. |
223.Pp 224The operation mode requires special support for 225.Nm 226in 227.Xr inetd 8 . 228.Ss Access control | 220.Pp 221The operation mode requires special support for 222.Nm 223in 224.Xr inetd 8 . 225.Ss Access control |
229To prevent malicious accesses, | 226To prevent malicious access, |
230.Nm | 227.Nm |
231implements a simple address-based access control. | 228implements simple address-based access control. |
232With 233.Pa /etc/faithd.conf 234(or 235.Ar configfile 236specified by 237.Fl f ) , 238.Nm 239will avoid relaying unwanted traffic. 240The 241.Pa faithd.conf | 229With 230.Pa /etc/faithd.conf 231(or 232.Ar configfile 233specified by 234.Fl f ) , 235.Nm 236will avoid relaying unwanted traffic. 237The 238.Pa faithd.conf |
242contains directives with the following format: | 239configuration file contains directives of the following format: |
243.Bl -bullet 244.It 245.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen 246.Pp 247If the source address of a query matches 248.Ar src Ns / Ns Ar slen , 249and the translated destination address matches 250.Ar dst Ns / Ns Ar dlen , --- 25 unchanged lines hidden (view full) --- 276.Pq 0 277on success, and 278.Dv EXIT_FAILURE 279.Pq 1 280on error. 281.Sh EXAMPLES 282Before invoking 283.Nm , | 240.Bl -bullet 241.It 242.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen 243.Pp 244If the source address of a query matches 245.Ar src Ns / Ns Ar slen , 246and the translated destination address matches 247.Ar dst Ns / Ns Ar dlen , --- 25 unchanged lines hidden (view full) --- 273.Pq 0 274on success, and 275.Dv EXIT_FAILURE 276.Pq 1 277on error. 278.Sh EXAMPLES 279Before invoking 280.Nm , |
281the |
|
284.Xr faith 4 285interface has to be configured properly. 286.Bd -literal -offset 287# sysctl net.inet6.ip6.accept_rtadv=0 288# sysctl net.inet6.ip6.forwarding=1 289# sysctl net.inet6.ip6.keepfaith=1 290# ifconfig faith0 up 291# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 --- 37 unchanged lines hidden (view full) --- 329Syntax may vary depending upon your operating system. 330.Bd -literal -offset 331telnet stream tcp6/faith nowait root faithd telnetd 332ftp stream tcp6/faith nowait root faithd ftpd -l 333ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i 334.Ed 335.Pp 336.Xr inetd 8 | 282.Xr faith 4 283interface has to be configured properly. 284.Bd -literal -offset 285# sysctl net.inet6.ip6.accept_rtadv=0 286# sysctl net.inet6.ip6.forwarding=1 287# sysctl net.inet6.ip6.keepfaith=1 288# ifconfig faith0 up 289# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 --- 37 unchanged lines hidden (view full) --- 327Syntax may vary depending upon your operating system. 328.Bd -literal -offset 329telnet stream tcp6/faith nowait root faithd telnetd 330ftp stream tcp6/faith nowait root faithd ftpd -l 331ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i 332.Ed 333.Pp 334.Xr inetd 8 |
337will open listening sockets with enabling kernel TCP relay support. 338Whenever connection comes in, | 335will open listening sockets with kernel TCP relay support enabled. 336Whenever a connection comes in, |
339.Nm 340will be invoked by 341.Xr inetd 8 . | 337.Nm 338will be invoked by 339.Xr inetd 8 . |
342If it the connection endpoint is in the reserved IPv6 address prefix. | 340If the connection endpoint is in the reserved IPv6 address prefix. |
343The 344.Nm 345utility will relay the connection. 346Otherwise, 347.Nm 348will invoke service-specific daemon like 349.Xr telnetd 8 . 350.Ss Access control samples --- 21 unchanged lines hidden (view full) --- 372.%B RFC3142 373.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt 374.%D June 2001 375.Re 376.\" 377.Sh HISTORY 378The 379.Nm | 341The 342.Nm 343utility will relay the connection. 344Otherwise, 345.Nm 346will invoke service-specific daemon like 347.Xr telnetd 8 . 348.Ss Access control samples --- 21 unchanged lines hidden (view full) --- 370.%B RFC3142 371.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt 372.%D June 2001 373.Re 374.\" 375.Sh HISTORY 376The 377.Nm |
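Review bot: the EXAMPLES paragraph in this hunk still ends in a sentence fragment: "If the connection endpoint is in the reserved IPv6 address prefix." drops the stray "it" but keeps the full stop, so the condition is cut off from "The .Nm utility will relay the connection." Replace the period with a comma and lowercase "the" on the next line, matching the inetd mode paragraph earlier in the page ("... reserved IPv6 address prefix, .Nm will relay the connection."). The unchanged context "will invoke service-specific daemon like" a few lines later also lacks the article "a" that the identical sentence in the inetd mode section receives in this same patch.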
380utility first appeared in WIDE Hydrangea IPv6 protocol stack kit. | 378utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit. |
381.\" 382.Pp 383IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack 384was initially integrated into | 379.\" 380.Pp 381IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack 382was initially integrated into |
385.Fx 4.0 | 383.Fx 4.0 . |
386.Sh SECURITY CONSIDERATIONS 387It is very insecure to use IP-address based authentication, for connections relayed by 388.Nm , 389and any other TCP relaying services. 390.Pp 391Administrators are advised to limit accesses to 392.Nm 393using 394.Pa faithd.conf , | 384.Sh SECURITY CONSIDERATIONS 385It is very insecure to use IP-address based authentication, for connections relayed by 386.Nm , 387and any other TCP relaying services. 388.Pp 389Administrators are advised to limit accesses to 390.Nm 391using 392.Pa faithd.conf , |
395or by using IPv6 packet filters. 396It is to protect | 393or by using IPv6 packet filters, to protect the |
397.Nm | 394.Nm |
398service from malicious parties and avoid theft of service/bandwidth. 399IPv6 destination address can be limited by 400carefully configuring routing entries that points to | 395service from malicious parties, and to avoid theft of service/bandwidth. 396IPv6 destination addresses can be limited by 397carefully configuring routing entries that point to |
401.Xr faith 4 , 402using 403.Xr route 8 . | 398.Xr faith 4 , 399using 400.Xr route 8 . |
404IPv6 source address needs to be filtered by using packet filters. 405Documents listed in | 401The IPv6 source address needs to be filtered using packet filters. 402The documents listed in |
406.Sx SEE ALSO | 403.Sx SEE ALSO |
407have more discussions on this topic. | 404have more information on this topic. |
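Review bot: the SECURITY CONSIDERATIONS hunk fixes the wording around two lines but leaves them untouched: "It is very insecure to use IP-address based authentication, for connections relayed by" has a comma separating the verb from its object, and "Administrators are advised to limit accesses to" should read "limit access to", the same correction the Access control section gets in this patch with "To prevent malicious access,". Since the neighbouring lines are being edited anyway, drop the comma and change "accesses" to "access".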