faithd.8 (140368) faithd.8 (201889)
1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\" may be used to endorse or promote products derived from this software
16.\" without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
1.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\" may be used to endorse or promote products derived from this software
16.\" without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 140368 2005-01-17 07:44:44Z ru $
30.\" $FreeBSD: head/usr.sbin/faithd/faithd.8 201889 2010-01-09 10:24:09Z brueffer $
31.\"
31.\"
32.Dd May 17, 1998
32.Dd January 9, 2010
33.Dt FAITHD 8
34.Os
35.Sh NAME
36.Nm faithd
37.Nd FAITH IPv6/v4 translator daemon
38.Sh SYNOPSIS
39.Nm
40.Op Fl dp
41.Op Fl f Ar configfile
42.Ar service
43.Op Ar serverpath Op Ar serverargs
44.Sh DESCRIPTION
45The
46.Nm
33.Dt FAITHD 8
34.Os
35.Sh NAME
36.Nm faithd
37.Nd FAITH IPv6/v4 translator daemon
38.Sh SYNOPSIS
39.Nm
40.Op Fl dp
41.Op Fl f Ar configfile
42.Ar service
43.Op Ar serverpath Op Ar serverargs
44.Sh DESCRIPTION
45The
46.Nm
47utility provides IPv6-to-IPv4 TCP relay.
48It must be used on an IPv4/v6 dual stack router.
47utility provides IPv6-to-IPv4 TCP relaying.
48It can only be used on an IPv4/v6 dual stack router.
49.Pp
50When
51.Nm
52receives
53.Tn TCPv6
49.Pp
50When
51.Nm
52receives
53.Tn TCPv6
54traffic,
55.Nm
56will relay the
54traffic, it will relay the
57.Tn TCPv6
58traffic to
59.Tn TCPv4 .
55.Tn TCPv6
56traffic to
57.Tn TCPv4 .
60Destination for relayed
58The destination for the relayed
61.Tn TCPv4
62connection will be determined by the last 4 octets of the original
63.Tn IPv6
64destination.
65For example, if
66.Li 3ffe:0501:4819:ffff::
67is reserved for
68.Nm ,
69and the
70.Tn TCPv6
71destination address is
72.Li 3ffe:0501:4819:ffff::0a01:0101 ,
73the traffic will be relayed to IPv4 destination
74.Li 10.1.1.1 .
75.Pp
59.Tn TCPv4
60connection will be determined by the last 4 octets of the original
61.Tn IPv6
62destination.
63For example, if
64.Li 3ffe:0501:4819:ffff::
65is reserved for
66.Nm ,
67and the
68.Tn TCPv6
69destination address is
70.Li 3ffe:0501:4819:ffff::0a01:0101 ,
71the traffic will be relayed to IPv4 destination
72.Li 10.1.1.1 .
73.Pp
76To use
74To use the
77.Nm
78translation service,
79an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
75.Nm
76translation service,
77an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
80Kernel must be properly configured to route all the TCP connection
78The kernel must be properly configured to route all the TCP connections
81toward the reserved IPv6 address prefix into the
82.Xr faith 4
79toward the reserved IPv6 address prefix into the
80.Xr faith 4
83pseudo interface, by using
81pseudo interface, using the
84.Xr route 8
85command.
86Also,
87.Xr sysctl 8
88should be used to configure
89.Dv net.inet6.ip6.keepfaith
90to
91.Dv 1 .
92.Pp
93The router must be configured to capture all the TCP traffic
82.Xr route 8
83command.
84Also,
85.Xr sysctl 8
86should be used to configure
87.Dv net.inet6.ip6.keepfaith
88to
89.Dv 1 .
90.Pp
91The router must be configured to capture all the TCP traffic
94toward reserved
92for the reserved
95.Tn IPv6
96address prefix, by using
97.Xr route 8
98and
99.Xr sysctl 8
100commands.
101.Pp
102The
103.Nm
93.Tn IPv6
94address prefix, by using
95.Xr route 8
96and
97.Xr sysctl 8
98commands.
99.Pp
100The
101.Nm
104utility needs a special name-to-address translation logic, so that
105hostnames gets resolved into special
102utility needs special name-to-address translation logic, so that
103hostnames get resolved into the special
106.Tn IPv6
107address prefix.
104.Tn IPv6
105address prefix.
108For small-scale installation, use
109.Xr hosts 5 .
110For large-scale installation, it is useful to have
106For small-scale installations, use
107.Xr hosts 5 ;
108For large-scale installations, it is useful to have
111a DNS server with special address translation support.
112An implementation called
113.Nm totd
109a DNS server with special address translation support.
110An implementation called
111.Nm totd
114is available
115at
116.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
117Make sure you do not propagate translated DNS records to normal DNS cloud,
118it is highly harmful.
112is available at
113.Pa http://www.vermicelli.pasta.cs.uit.no/software/totd.html .
114Make sure you do not propagate translated DNS records over to normal
115DNS, as it can cause severe problems.
119.Ss Daemon mode
120When
121.Nm
122is invoked as a standalone program,
123.Nm
124will daemonize itself.
125The
126.Nm
127utility will listen to
128.Tn TCPv6
129port
130.Ar service .
131If
132.Tn TCPv6
133traffic to port
134.Ar service
135is found, it relays the connection.
136.Pp
137Since
138.Nm
139listens to TCP port
140.Ar service ,
141it is not possible to run local TCP daemons for port
142.Ar service
143on the router, using
144.Xr inetd 8
145or other standard mechanisms.
146By specifying
147.Ar serverpath
148to
149.Nm ,
150you can run local daemons on the router.
151The
152.Nm
116.Ss Daemon mode
117When
118.Nm
119is invoked as a standalone program,
120.Nm
121will daemonize itself.
122The
123.Nm
124utility will listen to
125.Tn TCPv6
126port
127.Ar service .
128If
129.Tn TCPv6
130traffic to port
131.Ar service
132is found, it relays the connection.
133.Pp
134Since
135.Nm
136listens to TCP port
137.Ar service ,
138it is not possible to run local TCP daemons for port
139.Ar service
140on the router, using
141.Xr inetd 8
142or other standard mechanisms.
143By specifying
144.Ar serverpath
145to
146.Nm ,
147you can run local daemons on the router.
148The
149.Nm
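Review bot: In new lines 106-108 the break after hosts(5) became a semicolon (`.Xr hosts 5 ;`) but the next line still starts with a capital, `For large-scale installations, it is useful to have`, so the rendered text reads "use hosts(5); For large-scale installations". Either keep the original period (`.Xr hosts 5 .`) or lowercase the following word to `for`.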
153utility will invoke local daemon at
150utility will invoke a local daemon at
154.Ar serverpath
151.Ar serverpath
155if the destination address is local interface address,
152if the destination address is a local interface address,
156and will perform translation to IPv4 TCP in other cases.
157You can also specify
158.Ar serverargs
159for the arguments for the local daemon.
160.Pp
161The following options are available:
162.Bl -tag -width indent
163.It Fl d
164Debugging information will be generated using
165.Xr syslog 3 .
166.It Fl f Ar configfile
167Specify a configuration file for access control.
168See below.
169.It Fl p
170Use privileged TCP port number as source port,
171for IPv4 TCP connection toward final destination.
172For relaying
173.Xr ftp 1 ,
174this flag is not necessary as special program code is supplied.
175.El
176.Pp
177The
178.Nm
179utility will relay both normal and out-of-band TCP data.
180It is capable of emulating TCP half close as well.
181The
182.Nm
183utility includes special support for protocols used by
184.Xr ftp 1 .
153and will perform translation to IPv4 TCP in other cases.
154You can also specify
155.Ar serverargs
156for the arguments for the local daemon.
157.Pp
158The following options are available:
159.Bl -tag -width indent
160.It Fl d
161Debugging information will be generated using
162.Xr syslog 3 .
163.It Fl f Ar configfile
164Specify a configuration file for access control.
165See below.
166.It Fl p
167Use privileged TCP port number as source port,
168for IPv4 TCP connection toward final destination.
169For relaying
170.Xr ftp 1 ,
171this flag is not necessary as special program code is supplied.
172.El
173.Pp
174The
175.Nm
176utility will relay both normal and out-of-band TCP data.
177It is capable of emulating TCP half close as well.
178The
179.Nm
180utility includes special support for protocols used by
181.Xr ftp 1 .
185When translating FTP protocol,
182When translating the FTP protocol,
186.Nm
187translates network level addresses in
188.Li PORT/LPRT/EPRT
189and
190.Li PASV/LPSV/EPSV
191commands.
192.Pp
193Inactive sessions will be disconnected in 30 minutes,
183.Nm
184translates network level addresses in
185.Li PORT/LPRT/EPRT
186and
187.Li PASV/LPSV/EPSV
188commands.
189.Pp
190Inactive sessions will be disconnected in 30 minutes,
194to avoid stale sessions from chewing up resources.
195This may be inappropriate for some of the services
191to prevent stale sessions from chewing up resources.
192This may be inappropriate for some services
196(should this be configurable?).
197.Ss inetd mode
198When
199.Nm
200is invoked via
201.Xr inetd 8 ,
202.Nm
193(should this be configurable?).
194.Ss inetd mode
195When
196.Nm
197is invoked via
198.Xr inetd 8 ,
199.Nm
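Review bot: The reworded timeout paragraph (new lines 190-193) keeps the parenthetical `(should this be configurable?)` in user-facing text. That is an open design question rather than documentation. Consider moving it to a BUGS section or a source comment, and have the paragraph say whether the 30-minute inactivity limit can be changed.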
203will handle connection passed from standard input.
200will handle connections passed from standard input.
204If the connection endpoint is in the reserved IPv6 address prefix,
205.Nm
206will relay the connection.
207Otherwise,
208.Nm
201If the connection endpoint is in the reserved IPv6 address prefix,
202.Nm
203will relay the connection.
204Otherwise,
205.Nm
209will invoke service-specific daemon like
206will invoke a service-specific daemon like
210.Xr telnetd 8 ,
211by using the command argument passed from
212.Xr inetd 8 .
213.Pp
214The
215.Nm
216utility determines operation mode by the local TCP port number,
217and enables special protocol handling whenever necessary/possible.
218For example, if
219.Nm
220is invoked via
221.Xr inetd 8
207.Xr telnetd 8 ,
208by using the command argument passed from
209.Xr inetd 8 .
210.Pp
211The
212.Nm
213utility determines operation mode by the local TCP port number,
214and enables special protocol handling whenever necessary/possible.
215For example, if
216.Nm
217is invoked via
218.Xr inetd 8
222on FTP port, it will operate as a FTP relay.
219on the FTP port, it will operate as an FTP relay.
223.Pp
224The operation mode requires special support for
225.Nm
226in
227.Xr inetd 8 .
228.Ss Access control
220.Pp
221The operation mode requires special support for
222.Nm
223in
224.Xr inetd 8 .
225.Ss Access control
229To prevent malicious accesses,
226To prevent malicious access,
230.Nm
227.Nm
231implements a simple address-based access control.
228implements simple address-based access control.
232With
233.Pa /etc/faithd.conf
234(or
235.Ar configfile
236specified by
237.Fl f ) ,
238.Nm
239will avoid relaying unwanted traffic.
240The
241.Pa faithd.conf
229With
230.Pa /etc/faithd.conf
231(or
232.Ar configfile
233specified by
234.Fl f ) ,
235.Nm
236will avoid relaying unwanted traffic.
237The
238.Pa faithd.conf
242contains directives with the following format:
239configuration file contains directives of the following format:
243.Bl -bullet
244.It
245.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
246.Pp
247If the source address of a query matches
248.Ar src Ns / Ns Ar slen ,
249and the translated destination address matches
250.Ar dst Ns / Ns Ar dlen ,
251deny the connection.
252.It
253.Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen
254.Pp
255If the source address of a query matches
256.Ar src Ns / Ns Ar slen ,
257and the translated destination address matches
258.Ar dst Ns / Ns Ar dlen ,
259permit the connection.
260.El
261.Pp
262The directives are evaluated in sequence,
263and the first matching entry will be effective.
264If there is no match
265(if we reach the end of the ruleset)
266the traffic will be denied.
267.Pp
268With inetd mode,
269traffic may be filtered by using access control functionality in
270.Xr inetd 8 .
271.Sh EXIT STATUS
272The
273.Nm
274utility exits with
275.Dv EXIT_SUCCESS
276.Pq 0
277on success, and
278.Dv EXIT_FAILURE
279.Pq 1
280on error.
281.Sh EXAMPLES
282Before invoking
283.Nm ,
240.Bl -bullet
241.It
242.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
243.Pp
244If the source address of a query matches
245.Ar src Ns / Ns Ar slen ,
246and the translated destination address matches
247.Ar dst Ns / Ns Ar dlen ,
248deny the connection.
249.It
250.Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen
251.Pp
252If the source address of a query matches
253.Ar src Ns / Ns Ar slen ,
254and the translated destination address matches
255.Ar dst Ns / Ns Ar dlen ,
256permit the connection.
257.El
258.Pp
259The directives are evaluated in sequence,
260and the first matching entry will be effective.
261If there is no match
262(if we reach the end of the ruleset)
263the traffic will be denied.
264.Pp
265With inetd mode,
266traffic may be filtered by using access control functionality in
267.Xr inetd 8 .
268.Sh EXIT STATUS
269The
270.Nm
271utility exits with
272.Dv EXIT_SUCCESS
273.Pq 0
274on success, and
275.Dv EXIT_FAILURE
276.Pq 1
277on error.
278.Sh EXAMPLES
279Before invoking
280.Nm ,
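Review bot: Missing documentation in the Access control text revised here (new lines 226-239): it says the rules come from /etc/faithd.conf or the file given with -f, and that traffic matching no directive is denied, but not what faithd does when no configuration file is present or the file cannot be read. Since the wording is being touched anyway, add a sentence stating that behaviour, so an administrator can tell whether an unconfigured relay is open or closed.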
281the
284.Xr faith 4
285interface has to be configured properly.
286.Bd -literal -offset
287# sysctl net.inet6.ip6.accept_rtadv=0
288# sysctl net.inet6.ip6.forwarding=1
289# sysctl net.inet6.ip6.keepfaith=1
290# ifconfig faith0 up
291# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
292# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
293.Ed
294.Ss Daemon mode samples
295To translate
296.Li telnet
297service, and provide no local telnet service, invoke
298.Nm
299as follows:
300.Bd -literal -offset
301# faithd telnet
302.Ed
303.Pp
304If you would like to provide local telnet service via
305.Xr telnetd 8
306on
307.Pa /usr/libexec/telnetd ,
308use the following command line:
309.Bd -literal -offset
310# faithd telnet /usr/libexec/telnetd telnetd
311.Ed
312.Pp
313If you would like to pass extra arguments to the local daemon:
314.Bd -literal -offset
315# faithd ftp /usr/libexec/ftpd ftpd -l
316.Ed
317.Pp
318Here are some other examples.
319You may need
320.Fl p
321if the service checks the source port range.
322.Bd -literal -offset
323# faithd ssh
324# faithd telnet /usr/libexec/telnetd telnetd
325.Ed
326.Ss inetd mode samples
327Add the following lines into
328.Xr inetd.conf 5 .
329Syntax may vary depending upon your operating system.
330.Bd -literal -offset
331telnet stream tcp6/faith nowait root faithd telnetd
332ftp stream tcp6/faith nowait root faithd ftpd -l
333ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i
334.Ed
335.Pp
336.Xr inetd 8
282.Xr faith 4
283interface has to be configured properly.
284.Bd -literal -offset
285# sysctl net.inet6.ip6.accept_rtadv=0
286# sysctl net.inet6.ip6.forwarding=1
287# sysctl net.inet6.ip6.keepfaith=1
288# ifconfig faith0 up
289# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
290# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
291.Ed
292.Ss Daemon mode samples
293To translate
294.Li telnet
295service, and provide no local telnet service, invoke
296.Nm
297as follows:
298.Bd -literal -offset
299# faithd telnet
300.Ed
301.Pp
302If you would like to provide local telnet service via
303.Xr telnetd 8
304on
305.Pa /usr/libexec/telnetd ,
306use the following command line:
307.Bd -literal -offset
308# faithd telnet /usr/libexec/telnetd telnetd
309.Ed
310.Pp
311If you would like to pass extra arguments to the local daemon:
312.Bd -literal -offset
313# faithd ftp /usr/libexec/ftpd ftpd -l
314.Ed
315.Pp
316Here are some other examples.
317You may need
318.Fl p
319if the service checks the source port range.
320.Bd -literal -offset
321# faithd ssh
322# faithd telnet /usr/libexec/telnetd telnetd
323.Ed
324.Ss inetd mode samples
325Add the following lines into
326.Xr inetd.conf 5 .
327Syntax may vary depending upon your operating system.
328.Bd -literal -offset
329telnet stream tcp6/faith nowait root faithd telnetd
330ftp stream tcp6/faith nowait root faithd ftpd -l
331ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i
332.Ed
333.Pp
334.Xr inetd 8
337will open listening sockets with enabling kernel TCP relay support.
338Whenever connection comes in,
335will open listening sockets with kernel TCP relay support enabled.
336Whenever a connection comes in,
339.Nm
340will be invoked by
341.Xr inetd 8 .
337.Nm
338will be invoked by
339.Xr inetd 8 .
342If it the connection endpoint is in the reserved IPv6 address prefix.
340If the connection endpoint is in the reserved IPv6 address prefix.
343The
344.Nm
345utility will relay the connection.
346Otherwise,
347.Nm
348will invoke service-specific daemon like
349.Xr telnetd 8 .
350.Ss Access control samples
351The following illustrates a simple
352.Pa faithd.conf
353setting.
354.Bd -literal -offset
355# permit anyone from 3ffe:501:ffff::/48 to use the translator,
356# to connect to the following IPv4 destinations:
357# - any location except 10.0.0.0/8 and 127.0.0.0/8.
358# Permit no other connections.
359#
3603ffe:501:ffff::/48 deny 10.0.0.0/8
3613ffe:501:ffff::/48 deny 127.0.0.0/8
3623ffe:501:ffff::/48 permit 0.0.0.0/0
363.Ed
364.Sh SEE ALSO
365.Xr faith 4 ,
366.Xr route 8 ,
367.Xr sysctl 8
368.Rs
369.%A Jun-ichiro itojun Hagino
370.%A Kazu Yamamoto
371.%T "An IPv6-to-IPv4 transport relay translator"
372.%B RFC3142
373.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt
374.%D June 2001
375.Re
376.\"
377.Sh HISTORY
378The
379.Nm
341The
342.Nm
343utility will relay the connection.
344Otherwise,
345.Nm
346will invoke service-specific daemon like
347.Xr telnetd 8 .
348.Ss Access control samples
349The following illustrates a simple
350.Pa faithd.conf
351setting.
352.Bd -literal -offset
353# permit anyone from 3ffe:501:ffff::/48 to use the translator,
354# to connect to the following IPv4 destinations:
355# - any location except 10.0.0.0/8 and 127.0.0.0/8.
356# Permit no other connections.
357#
3583ffe:501:ffff::/48 deny 10.0.0.0/8
3593ffe:501:ffff::/48 deny 127.0.0.0/8
3603ffe:501:ffff::/48 permit 0.0.0.0/0
361.Ed
362.Sh SEE ALSO
363.Xr faith 4 ,
364.Xr route 8 ,
365.Xr sysctl 8
366.Rs
367.%A Jun-ichiro itojun Hagino
368.%A Kazu Yamamoto
369.%T "An IPv6-to-IPv4 transport relay translator"
370.%B RFC3142
371.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt
372.%D June 2001
373.Re
374.\"
375.Sh HISTORY
376The
377.Nm
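Review bot: The fix at new line 340 drops the stray "it" but leaves a sentence fragment ending in a period: `If the connection endpoint is in the reserved IPv6 address prefix.` followed by `The .Nm utility will relay the connection.` The same sentence under "inetd mode" (new lines 201-203) uses a comma and continues with `.Nm will relay the connection.`, and that form should be used here too. New line 346 also still reads `will invoke service-specific daemon like`, while new line 206 was changed to `will invoke a service-specific daemon like`.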
380utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
378utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
381.\"
382.Pp
383IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
384was initially integrated into
379.\"
380.Pp
381IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
382was initially integrated into
385.Fx 4.0
383.Fx 4.0 .
386.Sh SECURITY CONSIDERATIONS
387It is very insecure to use IP-address based authentication, for connections relayed by
388.Nm ,
389and any other TCP relaying services.
390.Pp
391Administrators are advised to limit accesses to
392.Nm
393using
394.Pa faithd.conf ,
384.Sh SECURITY CONSIDERATIONS
385It is very insecure to use IP-address based authentication, for connections relayed by
386.Nm ,
387and any other TCP relaying services.
388.Pp
389Administrators are advised to limit accesses to
390.Nm
391using
392.Pa faithd.conf ,
395or by using IPv6 packet filters.
396It is to protect
393or by using IPv6 packet filters, to protect the
397.Nm
394.Nm
398service from malicious parties and avoid theft of service/bandwidth.
399IPv6 destination address can be limited by
400carefully configuring routing entries that points to
395service from malicious parties, and to avoid theft of service/bandwidth.
396IPv6 destination addresses can be limited by
397carefully configuring routing entries that point to
401.Xr faith 4 ,
402using
403.Xr route 8 .
398.Xr faith 4 ,
399using
400.Xr route 8 .
404IPv6 source address needs to be filtered by using packet filters.
405Documents listed in
401The IPv6 source address needs to be filtered using packet filters.
402The documents listed in
406.Sx SEE ALSO
403.Sx SEE ALSO
407have more discussions on this topic.
404have more information on this topic.
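Review bot: Two wording leftovers in SECURITY CONSIDERATIONS are inconsistent with the rest of this cleanup. New line 389 still says `limit accesses to`, although the Access control hunk changes "malicious accesses" to "malicious access", and new line 385 keeps the comma in `IP-address based authentication, for connections relayed by`. Suggest `limit access to` and dropping that comma.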