FAITHD(8) | System Manager's Manual | FAITHD(8) |
faithd
—
faithd |
[-dp ] [-f
configfile] service
[serverpath [serverargs]] |
faithd |
faithd
utility provides IPv6-to-IPv4 TCP relaying.
It can only be used on an IPv4/v6 dual stack router.
When faithd
receives TCPv6 traffic, it
will relay the TCPv6 traffic to TCPv4. The destination for the relayed TCPv4
connection will be determined by the last 4 octets of the original IPv6
destination. For example, if 2001:0db8:4819:ffff::
is reserved for faithd
, and the TCPv6 destination
address is 2001:0db8:4819:ffff::0a01:0101
, the
traffic will be relayed to IPv4 destination
10.1.1.1
.
To use the faithd
translation service, an
IPv6 address prefix must be reserved for mapping IPv4 addresses into. The
kernel must be properly configured to route all the TCP connections toward
the reserved IPv6 address prefix into the
faith(4) pseudo interface,
using the route(8) command.
Also, sysctl(8) should be used
to configure net.inet6.ip6.keepfaith
to
1
.
The router must be configured to capture all the TCP traffic for the reserved IPv6 address prefix, by using route(8) and sysctl(8) commands.
The faithd
utility needs special
name-to-address translation logic, so that hostnames gets resolved into the
special IPv6 address prefix. For small-scale installations, use
hosts(5); For large-scale
installations, it is useful to have a DNS server with special address
translation support. An implementation called totd
is available at
http://www.dillema.net/software/totd.html.
Make sure you do not propagate translated DNS records over to normal DNS, as
it can cause severe problems.
faithd
is invoked as a standalone program,
faithd
will daemonize itself.
faithd
will listen to TCPv6 port
service. If TCPv6 traffic to port
service is found, it relays the connection.
Since faithd
listens to TCP port
service, it is not possible to run local TCP daemons
for port service on the router, using
inetd(8) or other standard
mechanisms. By specifying serverpath to
faithd
, you can run local daemons on the router. The
faithd
utility will invoke ia local daemon at
serverpath if the destination address is a local
interface address, and will perform translation to IPv4 TCP in other cases.
You can also specify serverargs for the arguments for
the local daemon.
The following options are available:
-d
-f
configfile-p
faithd
will relay both normal and
out-of-band TCP data. It is capable of emulating TCP half close as well.
faithd
includes special support for protocols used
by ftp(1). When translating the
FTP protocol, faithd
translates network level
addresses in PORT/LPRT/EPRT
and
PASV/LPSV/EPSV
commands.
Inactive sessions will be disconnected in 30 minutes, to prevent stale sessions from chewing up resources. This may be inappropriate for some services (should this be configurable?).
faithd
is invoked via
inetd(8),
faithd
will handle connections passed from standard
input. If the connection endpoint is in the reserved IPv6 address prefix,
faithd
will relay the connection. Otherwise,
faithd
will invoke a service-specific daemon like
telnetd(8), by using the
command argument passed from
inetd(8).
faithd
determines operation mode by the
local TCP port number, and enables special protocol handling whenever
necessary/possible. For example, if faithd
is
invoked via inetd(8) on the FTP
port, it will operate as an FTP relay.
faithd
implements a simple
address-based access control. With /etc/faithd.conf
(or configfile specified by -f
),
faithd
will avoid relaying unwanted traffic. The
faithd.conf configuration file contains directives of
the following format:
deny
dst/dlen
If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.
permit
dst/dlen
If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.
The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (if we reach the end of the ruleset) the traffic will be denied.
With inetd mode, traffic may be filtered by using access control functionality in inetd(8).
faithd
exits with EXIT_SUCCESS
(0) on success, and EXIT_FAILURE
(1) on error.
faithd
, the
faith(4) interface has to be
configured properly.
# sysctl -w net.inet6.ip6.accept_rtadv=0 # sysctl -w net.inet6.ip6.forwarding=1 # sysctl -w net.inet6.ip6.keepfaith=1 # ifconfig faith0 create up # route add -inet6 2001:0db8:4819:ffff:: -prefixlen 96 ::1 # route change -inet6 2001:0db8:4819:ffff:: -prefixlen 96 -ifp faith0
telnet
service, and provide no local telnet
service, invoke faithd
as follows:
# faithd telnet
If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd, use the following command line:
# faithd telnet /usr/libexec/telnetd telnetd
If you would like to pass extra arguments to the local daemon:
# faithd ftp /usr/libexec/ftpd ftpd -l
Here are some other examples. You may need
-p
if the service checks the source port range.
# faithd ssh # faithd telnet /usr/libexec/telnetd telnetd
telnet stream faith/tcp6 nowait root faithd telnetd ftp stream faith/tcp6 nowait root faithd ftpd -l ssh stream faith/tcp6 nowait root faithd /usr/sbin/sshd -i
inetd(8) will open
listening sockets with kernel TCP relay support enabled. Whenever a
connection comes in, faithd
will be invoked by
inetd(8). If the connection
endpoint is in the reserved IPv6 address prefix.
faithd
will relay the connection. Otherwise,
faithd
will invoke service-specific daemon like
telnetd(8).
# permit anyone from 2001:0db8:ffff::/48 to use the translator, # to connect to the following IPv4 destinations: # - any location except 10.0.0.0/8 and 127.0.0.0/8. # Permit no other connections. # 2001:0db8:ffff::/48 deny 10.0.0.0/8 2001:0db8:ffff::/48 deny 127.0.0.0/8 2001:0db8:ffff::/48 permit 0.0.0.0/0
Jun-ichiro itojun Hagino and Kazu Yamamoto, An IPv6-to-IPv4 transport relay translator, RFC 3142, http://www.ietf.org/rfc/rfc3142.txt, June 2001.
faithd
utility first appeared in the WIDE Hydrangea
IPv6 protocol stack kit.
faithd
, and any other TCP relaying
services.
Administrators are advised to limit accesses to
faithd
using faithd.conf, or
by using IPv6 packet filters, to protect the faithd
service from malicious parties, and to avoid theft of service/bandwidth.
IPv6 destination addresses can be limited by carefully configuring routing
entries that point to faith(4),
using route(8). The IPv6 source
address needs to be filtered using packet filters. The documents listed in
SEE ALSO have more information on this
topic.
January 9, 2010 | NetBSD 9.4 |