1 .\" $KAME: faithd.8,v 1.33 2001/09/05 03:04:20 itojun Exp $
3 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. Neither the name of the project nor the names of its contributors
15 .\" may be used to endorse or promote products derived from this software
16 .\" without specific prior written permission.
18 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .\" $FreeBSD: src/usr.sbin/faithd/faithd.8,v 1.2.2.12 2003/03/12 22:08:14 trhodes Exp $
31 .\" $DragonFly: src/usr.sbin/faithd/faithd.8,v 1.10 2008/08/10 21:29:16 hasso Exp $
38 .Nd FAITH IPv6/v4 translator daemon
42 .Op Fl f Ar configfile
44 .Op Ar serverpath Op Ar serverargs
48 utility provides IPv6-to-IPv4 TCP relay. It
49 must be used on an IPv4/v6 dual stack router.
61 Destination for relayed
63 connection will be determined by the last 4 octets of the original
67 .Li 2001:db8:4819:ffff::
72 destination address is
73 .Li 2001:db8:4819:ffff::a01:101 ,
74 the traffic will be relayed to IPv4 destination
80 an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
81 Kernel must be properly configured to route all the TCP connection
82 toward the reserved IPv6 address prefix into the
84 pseudo interface, by using
89 should be used to configure
90 .Va net.inet6.ip6.keepfaith
94 The router must be configured to capture all the TCP traffic
97 address prefix, by using
105 utility needs a special name-to-address translation logic, so that
106 hostnames gets resolved into special
109 For small-scale installation, use
111 For large-scale installation, it is useful to have
112 a DNS server with special address translation support.
113 An implementation called
117 .Pa http://www.vermicelli.pasta.cs.uit.no/software/totd.html
118 Make sure you do not propagate translated DNS records to normal DNS cloud,
119 it is highly harmful.
123 is invoked as a standalone program,
125 will daemonize itself.
128 utility will listen to
136 is found, it relays the connection.
142 it is not possible to run local TCP daemons for port
146 or other standard mechanisms.
151 you can run local daemons on the router.
154 utility will invoke local daemon at
156 if the destination address is local interface address,
157 and will perform translation to IPv4 TCP in other cases.
160 for the arguments for the local daemon.
162 The following options are available:
163 .Bl -tag -width indent
165 Debugging information will be generated using
167 .It Fl f Ar configfile
168 Specify a configuration file for access control.
171 Use privileged TCP port number as source port,
172 for IPv4 TCP connection toward final destination.
177 this flag is not necessary as special program code is supplied.
182 utility will relay both normal and out-of-band TCP data.
183 It is capable of emulating TCP half close as well.
186 utility includes special support for protocols used by
190 When translating FTP protocol,
192 translates network level addresses in
199 will relay back connection from
205 Inactive sessions will be disconnected in 30 minutes,
206 to avoid stale sessions from chewing up resources.
207 This may be inappropriate for some of the services
208 (should this be configurable?).
215 will handle connection passed from standard input.
216 If the connection endpoint is in the reserved IPv6 address prefix,
218 will relay the connection.
221 will invoke service-specific daemon like
223 by using the command argument passed from
228 utility determines operation mode by the local TCP port number,
229 and enables special protocol handling whenever necessary/possible.
234 on FTP port, it will operate as a FTP relay.
236 The operation mode requires special support for
241 To prevent malicious accesses,
243 implements a simple address-based access control.
251 will avoid relaying unwanted traffic.
254 contains directives with the following format:
257 .Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
259 If the source address of a query matches
260 .Ar src Ns / Ns Ar slen ,
261 and the translated destination address matches
262 .Ar dst Ns / Ns Ar dlen ,
265 .Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen
267 If the source address of a query matches
268 .Ar src Ns / Ns Ar slen ,
269 and the translated destination address matches
270 .Ar dst Ns / Ns Ar dlen ,
271 permit the connection.
274 The directives are evaluated in sequence,
275 and the first matching entry will be effective.
277 (if we reach the end of the ruleset)
278 the traffic will be denied.
281 traffic may be filtered by using access control functionality in
287 interface has to be configured properly.
289 # sysctl net.inet6.ip6.accept_rtadv=0
290 # sysctl net.inet6.ip6.forwarding=1
291 # sysctl net.inet6.ip6.keepfaith=1
293 # route add -inet6 2001:db8:4819:ffff:: -prefixlen 96 ::1
294 # route change -inet6 2001:db8:4819:ffff:: -prefixlen 96 -ifp faith0
296 .Ss Daemon mode samples
299 service, and provide no local telnet service, invoke
306 If you would like to provide local telnet service via
309 .Pa /usr/libexec/telnetd ,
310 use the following command line:
312 # faithd telnet /usr/libexec/telnetd telnetd
315 If you would like to pass extra arguments to the local daemon:
317 # faithd ftp /usr/libexec/ftpd ftpd -l
320 Here are some other examples.
323 to translate rsh/rlogin services.
326 # faithd login /usr/libexec/rlogin rlogind
327 # faithd shell /usr/libexec/rshd rshd
330 However, you should be careful when translating rlogin or rsh
333 .Sx SECURITY CONSIDERATIONS
335 .Ss inetd mode samples
336 Add the following lines into
338 Syntax may vary depending upon your operating system.
340 telnet stream tcp6/faith nowait root /usr/sbin/faithd telnetd
341 ftp stream tcp6/faith nowait root /usr/sbin/faithd ftpd -l
342 ssh stream tcp6/faith nowait root /usr/sbin/faithd /usr/sbin/sshd -i
346 will open listening sockets with enabling kernel TCP relay support.
347 Whenever connection comes in,
351 If it the connection endpoint is in the reserved IPv6 address prefix.
354 utility will relay the connection.
357 will invoke service-specific daemon like
359 .Ss Access control samples
360 The following illustrates a simple
364 # permit anyone from 2001:db8:ffff::/48 to use the translator,
365 # to connect to the following IPv4 destinations:
366 # - any location except 10.0.0.0/8 and 127.0.0.0/8.
367 # Permit no other connections.
369 2001:db8:ffff::/48 deny 10.0.0.0/8
370 2001:db8:ffff::/48 deny 127.0.0.0/8
371 2001:db8:ffff::/48 permit 0.0.0.0/0
388 .%A Jun-ichiro itojun Hagino
390 .%T "An IPv6-to-IPv4 transport relay translator"
392 .%O ftp://ftp.isi.edu/in-notes/rfc3142.txt
399 utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
402 IPv6 and IPsec support based on the KAME Project
403 .Pa ( http://www.kame.net/ )
404 stack was initially integrated into
406 .Sh SECURITY CONSIDERATIONS
407 It is very insecure to use
409 and other IP-address based authentication, for connections relayed by
411 (and any other TCP relaying services).
413 Administrators are advised to limit accesses to
417 or by using IPv6 packet filters.
420 service from malicious parties and avoid theft of service/bandwidth.
421 IPv6 destination address can be limited by
422 carefully configuring routing entries that points to
426 IPv6 source address needs to be filtered by using packet filters.
429 have more discussions on this topic.