Home Man
Today's Posts

Linux & Unix Commands - Search Man Pages

NetBSD 6.1.5 - man page for faithd (netbsd section 8)

FAITHD(8)			   BSD System Manager's Manual				FAITHD(8)

     faithd -- FAITH IPv6/v4 translator daemon

     faithd [-dp] [-f configfile] service [serverpath [serverargs]]

     The faithd utility provides IPv6-to-IPv4 TCP relaying.  It can only be used on an IPv4/v6
     dual stack router.

     When faithd receives TCPv6 traffic, it will relay the TCPv6 traffic to TCPv4.  The destina-
     tion for the relayed TCPv4 connection will be determined by the last 4 octets of the origi-
     nal IPv6 destination.  For example, if 2001:0db8:4819:ffff:: is reserved for faithd, and the
     TCPv6 destination address is 2001:0db8:4819:ffff::0a01:0101, the traffic will be relayed to
     IPv4 destination

     To use the faithd translation service, an IPv6 address prefix must be reserved for mapping
     IPv4 addresses into.  The kernel must be properly configured to route all the TCP connec-
     tions toward the reserved IPv6 address prefix into the faith(4) pseudo interface, using the
     route(8) command.	Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

     The router must be configured to capture all the TCP traffic for the reserved IPv6 address
     prefix, by using route(8) and sysctl(8) commands.

     The faithd utility needs special name-to-address translation logic, so that hostnames gets
     resolved into the special IPv6 address prefix.  For small-scale installations, use hosts(5);
     For large-scale installations, it is useful to have a DNS server with special address trans-
     lation support.  An implementation called totd is available at
     http://www.vermicelli.pasta.cs.uit.no/software/totd.html.	Make sure you do not propagate
     translated DNS records over to normal DNS, as it can cause severe problems.

   Daemon mode
     When faithd is invoked as a standalone program, faithd will daemonize itself.  faithd will
     listen to TCPv6 port service.  If TCPv6 traffic to port service is found, it relays the con-

     Since faithd listens to TCP port service, it is not possible to run local TCP daemons for
     port service on the router, using inetd(8) or other standard mechanisms.  By specifying
     serverpath to faithd, you can run local daemons on the router.  The faithd utility will
     invoke ia local daemon at serverpath if the destination address is a local interface
     address, and will perform translation to IPv4 TCP in other cases.	You can also specify
     serverargs for the arguments for the local daemon.

     The following options are available:

     -d      Debugging information will be generated using syslog(3).

     -f configfile
	     Specify a configuration file for access control.  See below.

     -p      Use privileged TCP port number as source port, for IPv4 TCP connection toward final
	     destination.  For relaying ftp(1) this flag is not necessary as special program code
	     is supplied.

     faithd will relay both normal and out-of-band TCP data.  It is capable of emulating TCP half
     close as well.  faithd includes special support for protocols used by ftp(1).  When trans-
     lating the FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and
     PASV/LPSV/EPSV commands.

     Inactive sessions will be disconnected in 30 minutes, to prevent stale sessions from chewing
     up resources.  This may be inappropriate for some services (should this be configurable?).

   inetd mode
     When faithd is invoked via inetd(8), faithd will handle connections passed from standard
     input.  If the connection endpoint is in the reserved IPv6 address prefix, faithd will relay
     the connection.  Otherwise, faithd will invoke a service-specific daemon like telnetd(8), by
     using the command argument passed from inetd(8).

     faithd determines operation mode by the local TCP port number, and enables special protocol
     handling whenever necessary/possible.  For example, if faithd is invoked via inetd(8) on the
     FTP port, it will operate as an FTP relay.

   Access control
     To prevent malicious access, faithd implements a simple address-based access control.  With
     /etc/faithd.conf (or configfile specified by -f), faithd will avoid relaying unwanted traf-
     fic.  The faithd.conf configuration file contains directives of the following format:

     o	 src/slen deny dst/dlen

	 If the source address of a query matches src/slen, and the translated destination
	 address matches dst/dlen, deny the connection.

     o	 src/slen permit dst/dlen

	 If the source address of a query matches src/slen, and the translated destination
	 address matches dst/dlen, permit the connection.

     The directives are evaluated in sequence, and the first matching entry will be effective.
     If there is no match (if we reach the end of the ruleset) the traffic will be denied.

     With inetd mode, traffic may be filtered by using access control functionality in inetd(8).

     faithd exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.

     Before invoking faithd, the faith(4) interface has to be configured properly.

     # sysctl -w net.inet6.ip6.accept_rtadv=0
     # sysctl -w net.inet6.ip6.forwarding=1
     # sysctl -w net.inet6.ip6.keepfaith=1
     # ifconfig faith0 create up
     # route add -inet6 2001:0db8:4819:ffff:: -prefixlen 96 ::1
     # route change -inet6 2001:0db8:4819:ffff:: -prefixlen 96 -ifp faith0

   Daemon mode samples
     To translate telnet service, and provide no local telnet service, invoke faithd as follows:

     # faithd telnet

     If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd,
     use the following command line:

     # faithd telnet /usr/libexec/telnetd telnetd

     If you would like to pass extra arguments to the local daemon:

     # faithd ftp /usr/libexec/ftpd ftpd -l

     Here are some other examples.  You may need -p if the service checks the source port range.

     # faithd ssh
     # faithd telnet /usr/libexec/telnetd telnetd

   inetd mode samples
     Add the following lines into inetd.conf(5).

     telnet  stream  faith/tcp6  nowait  root  faithd  telnetd
     ftp     stream  faith/tcp6  nowait  root  faithd  ftpd -l
     ssh     stream  faith/tcp6  nowait  root  faithd  /usr/sbin/sshd -i

     inetd(8) will open listening sockets with kernel TCP relay support enabled.  Whenever a con-
     nection comes in, faithd will be invoked by inetd(8).  If the connection endpoint is in the
     reserved IPv6 address prefix.  faithd will relay the connection.  Otherwise, faithd will
     invoke service-specific daemon like telnetd(8).

   Access control samples
     The following illustrates a simple faithd.conf setting.

     # permit anyone from 2001:0db8:ffff::/48 to use the translator,
     # to connect to the following IPv4 destinations:
     # - any location except and
     # Permit no other connections.
     2001:0db8:ffff::/48 deny
     2001:0db8:ffff::/48 deny
     2001:0db8:ffff::/48 permit

     faith(4), route(8), sysctl(8), pkgsrc/net/totd

     Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport relay translator",
     RFC 3142, ftp://ftp.isi.edu/in-notes/rfc3142.txt, June 2001.

     The faithd utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.

     It is very insecure to use IP-address based authentication, for connections relayed by
     faithd, and any other TCP relaying services.

     Administrators are advised to limit accesses to faithd using faithd.conf, or by using IPv6
     packet filters, to protect the faithd service from malicious parties, and to avoid theft of
     service/bandwidth.  IPv6 destination addresses can be limited by carefully configuring rout-
     ing entries that point to faith(4), using route(8).  The IPv6 source address needs to be
     filtered using packet filters.  The documents listed in SEE ALSO have more information on
     this topic.

BSD					 January 9, 2010				      BSD

All times are GMT -4. The time now is 08:48 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
Show Password