1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\"
| 1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\"
|
30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 140368 2005-01-17 07:44:44Z ru $
| 30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 201889 2010-01-09 10:24:09Z brueffer $
|
31.\"
| 31.\"
|
32.Dd May 17, 1998
| 32.Dd January 9, 2010
|
33.Dt FAITHD 8 34.Os 35.Sh NAME 36.Nm faithd 37.Nd FAITH IPv6/v4 translator daemon 38.Sh SYNOPSIS 39.Nm 40.Op Fl dp 41.Op Fl f Ar configfile 42.Ar service 43.Op Ar serverpath Op Ar serverargs 44.Sh DESCRIPTION 45The 46.Nm
| 33.Dt FAITHD 8 34.Os 35.Sh NAME 36.Nm faithd 37.Nd FAITH IPv6/v4 translator daemon 38.Sh SYNOPSIS 39.Nm 40.Op Fl dp 41.Op Fl f Ar configfile 42.Ar service 43.Op Ar serverpath Op Ar serverargs 44.Sh DESCRIPTION 45The 46.Nm
|
47utility provides IPv6-to-IPv4 TCP relay. 48It must be used on an IPv4/v6 dual stack router.
| 47utility provides IPv6-to-IPv4 TCP relaying. 48It can only be used on an IPv4/v6 dual stack router.
|
49.Pp 50When 51.Nm 52receives 53.Tn TCPv6
| 49.Pp 50When 51.Nm 52receives 53.Tn TCPv6
|
54traffic, 55.Nm 56will relay the
| 54traffic, it will relay the
|
57.Tn TCPv6 58traffic to 59.Tn TCPv4 .
| 55.Tn TCPv6 56traffic to 57.Tn TCPv4 .
|
60Destination for relayed
| 58The destination for the relayed
|
61.Tn TCPv4 62connection will be determined by the last 4 octets of the original 63.Tn IPv6 64destination. 65For example, if 66.Li 3ffe:0501:4819:ffff:: 67is reserved for 68.Nm , 69and the 70.Tn TCPv6 71destination address is 72.Li 3ffe:0501:4819:ffff::0a01:0101 , 73the traffic will be relayed to IPv4 destination 74.Li 10.1.1.1 . 75.Pp
| 59.Tn TCPv4 60connection will be determined by the last 4 octets of the original 61.Tn IPv6 62destination. 63For example, if 64.Li 3ffe:0501:4819:ffff:: 65is reserved for 66.Nm , 67and the 68.Tn TCPv6 69destination address is 70.Li 3ffe:0501:4819:ffff::0a01:0101 , 71the traffic will be relayed to IPv4 destination 72.Li 10.1.1.1 . 73.Pp
|
76To use
| 74To use the
|
77.Nm 78translation service, 79an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
| 75.Nm 76translation service, 77an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
|
80Kernel must be properly configured to route all the TCP connection
| 78The kernel must be properly configured to route all the TCP connections
|
81toward the reserved IPv6 address prefix into the 82.Xr faith 4
| 79toward the reserved IPv6 address prefix into the 80.Xr faith 4
|
83pseudo interface, by using
| 81pseudo interface, using the
|
84.Xr route 8 85command. 86Also, 87.Xr sysctl 8 88should be used to configure 89.Dv net.inet6.ip6.keepfaith 90to 91.Dv 1 . 92.Pp 93The router must be configured to capture all the TCP traffic
| 82.Xr route 8 83command. 84Also, 85.Xr sysctl 8 86should be used to configure 87.Dv net.inet6.ip6.keepfaith 88to 89.Dv 1 . 90.Pp 91The router must be configured to capture all the TCP traffic
|
94toward reserved
| 92for the reserved
|
95.Tn IPv6 96address prefix, by using 97.Xr route 8 98and 99.Xr sysctl 8 100commands. 101.Pp 102The 103.Nm
| 93.Tn IPv6 94address prefix, by using 95.Xr route 8 96and 97.Xr sysctl 8 98commands. 99.Pp 100The 101.Nm
|
104utility needs a special name-to-address translation logic, so that 105hostnames gets resolved into special
| 102utility needs special name-to-address translation logic, so that 103hostnames get resolved into the special
|
106.Tn IPv6 107address prefix.
| 104.Tn IPv6 105address prefix.
|
108For small-scale installation, use 109.Xr hosts 5 . 110For large-scale installation, it is useful to have
| 106For small-scale installations, use 107.Xr hosts 5 ; 108For large-scale installations, it is useful to have
|
111a DNS server with special address translation support. 112An implementation called 113.Nm totd
| 109a DNS server with special address translation support. 110An implementation called 111.Nm totd
|
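Review bot: The new line `.Xr hosts 5 ;` joins the two sentences with a semicolon, but the following line still begins with a capitalized "For large-scale installations", so the rendered text reads "hosts(5); For large-scale installations". Either lowercase it to "for large-scale installations" or keep the original period after `.Xr hosts 5`.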
114is available 115at 116.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html . 117Make sure you do not propagate translated DNS records to normal DNS cloud, 118it is highly harmful.
| 112is available at 113.Pa http://www.vermicelli.pasta.cs.uit.no/software/totd.html . 114Make sure you do not propagate translated DNS records over to normal 115DNS, as it can cause severe problems.
|
119.Ss Daemon mode 120When 121.Nm 122is invoked as a standalone program, 123.Nm 124will daemonize itself. 125The 126.Nm 127utility will listen to 128.Tn TCPv6 129port 130.Ar service . 131If 132.Tn TCPv6 133traffic to port 134.Ar service 135is found, it relays the connection. 136.Pp 137Since 138.Nm 139listens to TCP port 140.Ar service , 141it is not possible to run local TCP daemons for port 142.Ar service 143on the router, using 144.Xr inetd 8 145or other standard mechanisms. 146By specifying 147.Ar serverpath 148to 149.Nm , 150you can run local daemons on the router. 151The 152.Nm
| 116.Ss Daemon mode 117When 118.Nm 119is invoked as a standalone program, 120.Nm 121will daemonize itself. 122The 123.Nm 124utility will listen to 125.Tn TCPv6 126port 127.Ar service . 128If 129.Tn TCPv6 130traffic to port 131.Ar service 132is found, it relays the connection. 133.Pp 134Since 135.Nm 136listens to TCP port 137.Ar service , 138it is not possible to run local TCP daemons for port 139.Ar service 140on the router, using 141.Xr inetd 8 142or other standard mechanisms. 143By specifying 144.Ar serverpath 145to 146.Nm , 147you can run local daemons on the router. 148The 149.Nm
|
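Review bot: In the rewritten DNS warning, "as it can cause severe problems" leaves "it" without a clear antecedent, because the preceding clause is an imperative ("Make sure you do not propagate translated DNS records over to normal DNS"). Suggest "as doing so can cause severe problems", which keeps the softened wording and says unambiguously that the propagation is what causes the harm.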
153utility will invoke local daemon at
| 150utility will invoke a local daemon at
|
154.Ar serverpath
| 151.Ar serverpath
|
155if the destination address is local interface address,
| 152if the destination address is a local interface address,
|
156and will perform translation to IPv4 TCP in other cases. 157You can also specify 158.Ar serverargs 159for the arguments for the local daemon. 160.Pp 161The following options are available: 162.Bl -tag -width indent 163.It Fl d 164Debugging information will be generated using 165.Xr syslog 3 . 166.It Fl f Ar configfile 167Specify a configuration file for access control. 168See below. 169.It Fl p 170Use privileged TCP port number as source port, 171for IPv4 TCP connection toward final destination. 172For relaying 173.Xr ftp 1 , 174this flag is not necessary as special program code is supplied. 175.El 176.Pp 177The 178.Nm 179utility will relay both normal and out-of-band TCP data. 180It is capable of emulating TCP half close as well. 181The 182.Nm 183utility includes special support for protocols used by 184.Xr ftp 1 .
| 153and will perform translation to IPv4 TCP in other cases. 154You can also specify 155.Ar serverargs 156for the arguments for the local daemon. 157.Pp 158The following options are available: 159.Bl -tag -width indent 160.It Fl d 161Debugging information will be generated using 162.Xr syslog 3 . 163.It Fl f Ar configfile 164Specify a configuration file for access control. 165See below. 166.It Fl p 167Use privileged TCP port number as source port, 168for IPv4 TCP connection toward final destination. 169For relaying 170.Xr ftp 1 , 171this flag is not necessary as special program code is supplied. 172.El 173.Pp 174The 175.Nm 176utility will relay both normal and out-of-band TCP data. 177It is capable of emulating TCP half close as well. 178The 179.Nm 180utility includes special support for protocols used by 181.Xr ftp 1 .
|
185When translating FTP protocol,
| 182When translating the FTP protocol,
|
186.Nm 187translates network level addresses in 188.Li PORT/LPRT/EPRT 189and 190.Li PASV/LPSV/EPSV 191commands. 192.Pp 193Inactive sessions will be disconnected in 30 minutes,
| 183.Nm 184translates network level addresses in 185.Li PORT/LPRT/EPRT 186and 187.Li PASV/LPSV/EPSV 188commands. 189.Pp 190Inactive sessions will be disconnected in 30 minutes,
|
194to avoid stale sessions from chewing up resources. 195This may be inappropriate for some of the services
| 191to prevent stale sessions from chewing up resources. 192This may be inappropriate for some services
|
196(should this be configurable?). 197.Ss inetd mode 198When 199.Nm 200is invoked via 201.Xr inetd 8 , 202.Nm
| 193(should this be configurable?). 194.Ss inetd mode 195When 196.Nm 197is invoked via 198.Xr inetd 8 , 199.Nm
|
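Review bot: The reworded timeout sentence ("This may be inappropriate for some services") still runs into the author's open question "(should this be configurable?)" on the next line, and that question renders in the installed manual. Since this pass already touches the sentence, move the question into a `.\"` comment or a BUGS section, and if the 30 minute inactivity timeout is indeed not configurable, say so directly.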
203will handle connection passed from standard input.
| 200will handle connections passed from standard input.
|
204If the connection endpoint is in the reserved IPv6 address prefix, 205.Nm 206will relay the connection. 207Otherwise, 208.Nm
| 201If the connection endpoint is in the reserved IPv6 address prefix, 202.Nm 203will relay the connection. 204Otherwise, 205.Nm
|
209will invoke service-specific daemon like
| 206will invoke a service-specific daemon like
|
210.Xr telnetd 8 , 211by using the command argument passed from 212.Xr inetd 8 . 213.Pp 214The 215.Nm 216utility determines operation mode by the local TCP port number, 217and enables special protocol handling whenever necessary/possible. 218For example, if 219.Nm 220is invoked via 221.Xr inetd 8
| 207.Xr telnetd 8 , 208by using the command argument passed from 209.Xr inetd 8 . 210.Pp 211The 212.Nm 213utility determines operation mode by the local TCP port number, 214and enables special protocol handling whenever necessary/possible. 215For example, if 216.Nm 217is invoked via 218.Xr inetd 8
|
222on FTP port, it will operate as a FTP relay.
| 219on the FTP port, it will operate as an FTP relay.
|
223.Pp 224The operation mode requires special support for 225.Nm 226in 227.Xr inetd 8 . 228.Ss Access control
| 220.Pp 221The operation mode requires special support for 222.Nm 223in 224.Xr inetd 8 . 225.Ss Access control
|
229To prevent malicious accesses,
| 226To prevent malicious access,
|
230.Nm
| 227.Nm
|
231implements a simple address-based access control.
| 228implements simple address-based access control.
|
232With 233.Pa /etc/faithd.conf 234(or 235.Ar configfile 236specified by 237.Fl f ) , 238.Nm 239will avoid relaying unwanted traffic. 240The 241.Pa faithd.conf
| 229With 230.Pa /etc/faithd.conf 231(or 232.Ar configfile 233specified by 234.Fl f ) , 235.Nm 236will avoid relaying unwanted traffic. 237The 238.Pa faithd.conf
|
242contains directives with the following format:
| 239configuration file contains directives of the following format:
|
243.Bl -bullet 244.It 245.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen 246.Pp 247If the source address of a query matches 248.Ar src Ns / Ns Ar slen , 249and the translated destination address matches 250.Ar dst Ns / Ns Ar dlen , 251deny the connection. 252.It 253.Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen 254.Pp 255If the source address of a query matches 256.Ar src Ns / Ns Ar slen , 257and the translated destination address matches 258.Ar dst Ns / Ns Ar dlen , 259permit the connection. 260.El 261.Pp 262The directives are evaluated in sequence, 263and the first matching entry will be effective. 264If there is no match 265(if we reach the end of the ruleset) 266the traffic will be denied. 267.Pp 268With inetd mode, 269traffic may be filtered by using access control functionality in 270.Xr inetd 8 . 271.Sh EXIT STATUS 272The 273.Nm 274utility exits with 275.Dv EXIT_SUCCESS 276.Pq 0 277on success, and 278.Dv EXIT_FAILURE 279.Pq 1 280on error. 281.Sh EXAMPLES 282Before invoking 283.Nm ,
| 240.Bl -bullet 241.It 242.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen 243.Pp 244If the source address of a query matches 245.Ar src Ns / Ns Ar slen , 246and the translated destination address matches 247.Ar dst Ns / Ns Ar dlen , 248deny the connection. 249.It 250.Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen 251.Pp 252If the source address of a query matches 253.Ar src Ns / Ns Ar slen , 254and the translated destination address matches 255.Ar dst Ns / Ns Ar dlen , 256permit the connection. 257.El 258.Pp 259The directives are evaluated in sequence, 260and the first matching entry will be effective. 261If there is no match 262(if we reach the end of the ruleset) 263the traffic will be denied. 264.Pp 265With inetd mode, 266traffic may be filtered by using access control functionality in 267.Xr inetd 8 . 268.Sh EXIT STATUS 269The 270.Nm 271utility exits with 272.Dv EXIT_SUCCESS 273.Pq 0 274on success, and 275.Dv EXIT_FAILURE 276.Pq 1 277on error. 278.Sh EXAMPLES 279Before invoking 280.Nm ,
|
| 281the
|
284.Xr faith 4 285interface has to be configured properly. 286.Bd -literal -offset 287# sysctl net.inet6.ip6.accept_rtadv=0 288# sysctl net.inet6.ip6.forwarding=1 289# sysctl net.inet6.ip6.keepfaith=1 290# ifconfig faith0 up 291# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 292# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0 293.Ed 294.Ss Daemon mode samples 295To translate 296.Li telnet 297service, and provide no local telnet service, invoke 298.Nm 299as follows: 300.Bd -literal -offset 301# faithd telnet 302.Ed 303.Pp 304If you would like to provide local telnet service via 305.Xr telnetd 8 306on 307.Pa /usr/libexec/telnetd , 308use the following command line: 309.Bd -literal -offset 310# faithd telnet /usr/libexec/telnetd telnetd 311.Ed 312.Pp 313If you would like to pass extra arguments to the local daemon: 314.Bd -literal -offset 315# faithd ftp /usr/libexec/ftpd ftpd -l 316.Ed 317.Pp 318Here are some other examples. 319You may need 320.Fl p 321if the service checks the source port range. 322.Bd -literal -offset 323# faithd ssh 324# faithd telnet /usr/libexec/telnetd telnetd 325.Ed 326.Ss inetd mode samples 327Add the following lines into 328.Xr inetd.conf 5 . 329Syntax may vary depending upon your operating system. 330.Bd -literal -offset 331telnet stream tcp6/faith nowait root faithd telnetd 332ftp stream tcp6/faith nowait root faithd ftpd -l 333ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i 334.Ed 335.Pp 336.Xr inetd 8
| 282.Xr faith 4 283interface has to be configured properly. 284.Bd -literal -offset 285# sysctl net.inet6.ip6.accept_rtadv=0 286# sysctl net.inet6.ip6.forwarding=1 287# sysctl net.inet6.ip6.keepfaith=1 288# ifconfig faith0 up 289# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 290# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0 291.Ed 292.Ss Daemon mode samples 293To translate 294.Li telnet 295service, and provide no local telnet service, invoke 296.Nm 297as follows: 298.Bd -literal -offset 299# faithd telnet 300.Ed 301.Pp 302If you would like to provide local telnet service via 303.Xr telnetd 8 304on 305.Pa /usr/libexec/telnetd , 306use the following command line: 307.Bd -literal -offset 308# faithd telnet /usr/libexec/telnetd telnetd 309.Ed 310.Pp 311If you would like to pass extra arguments to the local daemon: 312.Bd -literal -offset 313# faithd ftp /usr/libexec/ftpd ftpd -l 314.Ed 315.Pp 316Here are some other examples. 317You may need 318.Fl p 319if the service checks the source port range. 320.Bd -literal -offset 321# faithd ssh 322# faithd telnet /usr/libexec/telnetd telnetd 323.Ed 324.Ss inetd mode samples 325Add the following lines into 326.Xr inetd.conf 5 . 327Syntax may vary depending upon your operating system. 328.Bd -literal -offset 329telnet stream tcp6/faith nowait root faithd telnetd 330ftp stream tcp6/faith nowait root faithd ftpd -l 331ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i 332.Ed 333.Pp 334.Xr inetd 8
|
337will open listening sockets with enabling kernel TCP relay support. 338Whenever connection comes in,
| 335will open listening sockets with kernel TCP relay support enabled. 336Whenever a connection comes in,
|
339.Nm 340will be invoked by 341.Xr inetd 8 .
| 337.Nm 338will be invoked by 339.Xr inetd 8 .
|
342If it the connection endpoint is in the reserved IPv6 address prefix.
| 340If the connection endpoint is in the reserved IPv6 address prefix.
|
343The 344.Nm 345utility will relay the connection. 346Otherwise, 347.Nm 348will invoke service-specific daemon like 349.Xr telnetd 8 . 350.Ss Access control samples 351The following illustrates a simple 352.Pa faithd.conf 353setting. 354.Bd -literal -offset 355# permit anyone from 3ffe:501:ffff::/48 to use the translator, 356# to connect to the following IPv4 destinations: 357# - any location except 10.0.0.0/8 and 127.0.0.0/8. 358# Permit no other connections. 359# 3603ffe:501:ffff::/48 deny 10.0.0.0/8 3613ffe:501:ffff::/48 deny 127.0.0.0/8 3623ffe:501:ffff::/48 permit 0.0.0.0/0 363.Ed 364.Sh SEE ALSO 365.Xr faith 4 , 366.Xr route 8 , 367.Xr sysctl 8 368.Rs 369.%A Jun-ichiro itojun Hagino 370.%A Kazu Yamamoto 371.%T "An IPv6-to-IPv4 transport relay translator" 372.%B RFC3142 373.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt 374.%D June 2001 375.Re 376.\" 377.Sh HISTORY 378The 379.Nm
| 341The 342.Nm 343utility will relay the connection. 344Otherwise, 345.Nm 346will invoke service-specific daemon like 347.Xr telnetd 8 . 348.Ss Access control samples 349The following illustrates a simple 350.Pa faithd.conf 351setting. 352.Bd -literal -offset 353# permit anyone from 3ffe:501:ffff::/48 to use the translator, 354# to connect to the following IPv4 destinations: 355# - any location except 10.0.0.0/8 and 127.0.0.0/8. 356# Permit no other connections. 357# 3583ffe:501:ffff::/48 deny 10.0.0.0/8 3593ffe:501:ffff::/48 deny 127.0.0.0/8 3603ffe:501:ffff::/48 permit 0.0.0.0/0 361.Ed 362.Sh SEE ALSO 363.Xr faith 4 , 364.Xr route 8 , 365.Xr sysctl 8 366.Rs 367.%A Jun-ichiro itojun Hagino 368.%A Kazu Yamamoto 369.%T "An IPv6-to-IPv4 transport relay translator" 370.%B RFC3142 371.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt 372.%D June 2001 373.Re 374.\" 375.Sh HISTORY 376The 377.Nm
|
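Review bot: The corrected line "If the connection endpoint is in the reserved IPv6 address prefix." drops the stray "it" but still ends with a period, so it remains a sentence fragment followed by a separate "The faithd utility will relay the connection." The inetd mode section earlier in the file has the intended form: end the line with a comma and continue with `.Nm` "will relay the connection". In the same paragraph, "will invoke service-specific daemon like" is still missing the article that this revision added to the identical phrase in the inetd mode section ("will invoke a service-specific daemon like").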
380utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
| 378utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
|
381.\" 382.Pp 383IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack 384was initially integrated into
| 379.\" 380.Pp 381IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack 382was initially integrated into
|
385.Fx 4.0
| 383.Fx 4.0 .
|
386.Sh SECURITY CONSIDERATIONS 387It is very insecure to use IP-address based authentication, for connections relayed by 388.Nm , 389and any other TCP relaying services. 390.Pp 391Administrators are advised to limit accesses to 392.Nm 393using 394.Pa faithd.conf ,
| 384.Sh SECURITY CONSIDERATIONS 385It is very insecure to use IP-address based authentication, for connections relayed by 386.Nm , 387and any other TCP relaying services. 388.Pp 389Administrators are advised to limit accesses to 390.Nm 391using 392.Pa faithd.conf ,
|
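Review bot: The SECURITY CONSIDERATIONS context here still reads "Administrators are advised to limit accesses to", although this revision changes "malicious accesses" to "malicious access" under Access control. For consistency use "limit access to", and drop the comma in "IP-address based authentication, for connections relayed by", which splits the phrase it qualifies.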
395or by using IPv6 packet filters. 396It is to protect
| 393or by using IPv6 packet filters, to protect the
|
397.Nm
| 394.Nm
|
398service from malicious parties and avoid theft of service/bandwidth. 399IPv6 destination address can be limited by 400carefully configuring routing entries that points to
| 395service from malicious parties, and to avoid theft of service/bandwidth. 396IPv6 destination addresses can be limited by 397carefully configuring routing entries that point to
|
401.Xr faith 4 , 402using 403.Xr route 8 .
| 398.Xr faith 4 , 399using 400.Xr route 8 .
|
404IPv6 source address needs to be filtered by using packet filters. 405Documents listed in
| 401The IPv6 source address needs to be filtered using packet filters. 402The documents listed in
|
406.Sx SEE ALSO
| 403.Sx SEE ALSO
|
407have more discussions on this topic.
| 404have more information on this topic.
|
| |