.\" $OpenBSD: faithd.8,v 1.22 2002/05/09 14:26:41 itojun Exp $ .\" $KAME: faithd.8,v 1.36 2002/05/09 13:59:16 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of the project nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .Dd May 17, 1998 .Dt FAITHD 8 .Os .Sh NAME .Nm faithd .Nd FAITH IPv6/v4 translator daemon .Sh SYNOPSIS .Nm .Op Fl dp .Op Fl f Ar configfile .Ar service .Op Ar serverpath Op Ar serverargs .\".Nm "" .Sh DESCRIPTION .Nm provides IPv6-to-IPv4 TCP relay. .Nm must be used on an IPv4/v6 dual stack router. .Pp When .Nm receives .Tn TCPv6 traffic, .Nm will relay the .Tn TCPv6 traffic to .Tn TCPv4 . Destination for relayed .Tn TCPv4 connection will be determined by the last 4 octets of the original .Tn IPv6 destination. For example, if .Li 3ffe:0501:4819:ffff:: is reserved for .Nm Ns , and the .Tn TCPv6 destination address is .Li 3ffe:0501:4819:ffff::0a01:0101 , the traffic will be relayed to IPv4 destination .Li 10.1.1.1 . .Pp To use .Nm translation service, an IPv6 address prefix must be reserved for mapping IPv4 addresses into. Kernel must be properly configured to route all the TCP connection toward the reserved IPv6 address prefix into the .Xr faith 4 pseudo interface, by using .Xr route 8 command. Also, .Xr sysctl 8 should be used to configure .Dv net.inet6.ip6.keepfaith to .Dv 1 . .Pp The router must be configured to capture all the TCP traffic toward reserved .Tn IPv6 address prefix, by using .Xr route 8 and .Xr sysctl 8 commands. .Pp .Nm needs a special name-to-address translation logic, so that hostnames gets resolved into special .Tn IPv6 address prefix. For small-scale installation, use .Xr hosts 5 . For large-scale installation, it is useful to have a DNS server with special address translation support. An implementation called .Nm totd is available at .Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html . Make sure you do not propagate translated DNS records to normal DNS cloud, it is highly harmful. .\".Ss Daemon mode When .Nm .\"is invoked as a standalone program, is invoked, .Nm will daemonize itself. .Nm will listen to .Tn TCPv6 port .Ar service . If .Tn TCPv6 traffic to port .Ar service is found, it relays the connection. .Pp Since .Nm listens to TCP port .Ar service , it is not possible to run local TCP daemons for port .Ar service on the router, using .Xr inetd 8 or other standard mechanisms. By specifying .Ar serverpath to .Nm Ns , you can run local daemons on the router. .Nm will invoke local daemon at .Ar serverpath if the destination address is local interface address, and will perform translation to IPv4 TCP in other cases. You can also specify .Ar serverargs for the arguments for the local daemon. .Pp The following options are available: .Bl -tag -width indent .It Fl d Debugging information will be generated using .Xr syslog 3 . .It Fl f Ar configfile Specify a configuration file for access control. See below. .It Fl p Use privileged TCP port number as source port, for IPv4 TCP connection toward final destination. For relaying .Xr ftp 1 this flag is not necessary as special program code is supplied. .El .Pp .Nm will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. .Nm includes special support for protocols used by .Xr ftp 1 . When translating FTP protocol, .Nm translates network level addresses in .Li PORT/LPRT/EPRT and .Li PASV/LPSV/EPSV commands. .Pp Inactive sessions will be disconnected in 30 minutes, to avoid stale sessions from chewing up resources. This may be inappropriate for some of the services .Pq should this be configurable? . .Ss Access control To prevent malicious accesses, .Nm implements a simple address-based access control. With .Pa /etc/faithd.conf .Po or .Ar configfile specified by .Fl f .Pc , .Nm will avoid relaying unwanted traffic. The .Pa faithd.conf contains directives with the following format: .Bl -bullet .It .Xo .Ic Ar src/slen Li deny Ar dst/dlen .Xc .Pp If the source address of a query matches .Ar src/slen , and the translated destination address matches .Ar dst/dlen , deny the connection. .It .Xo .Ic Ar src/slen Li permit Ar dst/dlen .Xc .Pp If the source address of a query matches .Ar src/slen , and the translated destination address matches .Ar dst/dlen , permit the connection. .El .Pp The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match .Pq if we reach the end of the ruleset the traffic will be denied. .\".Pp .\"With inetd mode, .\"traffic may be filtered by using access control functionality in .\".Xr inetd 8 . .Sh RETURN VALUES .Nm exits with .Dv EXIT_SUCCESS .Pq 0 on success, and .Dv EXIT_FAILURE .Pq 1 on error. .Sh EXAMPLES Before invoking .Nm Ns , .Xr faith 4 interface has to be configured properly. .Bd -literal -offset # sysctl -w net.inet6.ip6.accept_rtadv=0 # sysctl -w net.inet6.ip6.forwarding=1 # sysctl -w net.inet6.ip6.keepfaith=1 # ifconfig faith0 up # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0 .Ed .\".Ss Daemon mode samples To translate .Li telnet service, and provide no local telnet service, invoke .Nm as follows: .Bd -literal -offset # faithd telnet .Ed .Pp If you would like to provide local telnet service via .Xr telnetd 8 on .Pa /usr/libexec/telnetd , use the following command line: .Bd -literal -offset # faithd telnet /usr/libexec/telnetd telnetd .Ed .Pp If you would like to pass extra arguments to the local daemon: .Bd -literal -offset # faithd ftp /usr/libexec/ftpd ftpd -l .Ed .Pp Here are some other examples. You may need .Fl p if the service checks the source port range. .Bd -literal -offset # faithd ssh # faithd telnet /usr/libexec/telnetd telnetd .Ed .Ss Access control samples The following illustrates a simple .Pa faithd.conf setting. .Bd -literal -offset # permit anyone from 3ffe:501:ffff::/48 to use the translator, # to connect to the following IPv4 destinations: # - any location except 10.0.0.0/8 and 127.0.0.0/8. # Permit no other connections. # 3ffe:501:ffff::/48 deny 10.0.0.0/8 3ffe:501:ffff::/48 deny 127.0.0.0/8 3ffe:501:ffff::/48 permit 0.0.0.0/0 .Ed .Sh SEE ALSO .Xr faith 4 , .Xr route 8 , .Xr sysctl 8 .Rs .%A Jun-ichiro itojun Hagino .%A Kazu Yamamoto .%T "An IPv6-to-IPv4 transport relay translator" .%B RFC3142 .%O ftp://ftp.isi.edu/in-notes/rfc3142.txt .%D June 2001 .Re .\" .Sh HISTORY The .Nm command first appeared in WIDE Hydrangea IPv6 protocol stack kit. .\" .Sh SECURITY CONSIDERATIONS It is very insecure to use IP-address based authentication, for connections relayed by .Nm Ns , and any other TCP relaying services. .Pp Administrators are advised to limit accesses to .Nm using .Pa faithd.conf , or by using IPv6 packet filters. It is to protect .Nm service from malicious parties and avoid theft of service/bandwidth. IPv6 destination address can be limited by carefully configuring routing entries that points to .Xr faith 4 , using .Xr route 8 . IPv6 source address needs to be filtered by using packet filters. Documents listed in .Sx SEE ALSO have more discussions on this topic.