FAITHD(8) BSD System Manager's Manual FAITHD(8)NAMEfaithd — FAITH IPv6/v4 translator daemon
SYNOPSISfaithd [-dp] [-f configfile] service [serverpath [serverargs]]
DESCRIPTION
The faithd utility provides IPv6-to-IPv4 TCP relay. It must be used on
an IPv4/v6 dual stack router.
When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic
to TCPv4. Destination for relayed TCPv4 connection will be determined by
the last 4 octets of the original IPv6 destination. For example, if
2001:db8:4819:ffff:: is reserved for faithd, and the TCPv6 destination
address is 2001:db8:4819:ffff::a01:101, the traffic will be relayed to
IPv4 destination 10.1.1.1.
To use faithd translation service, an IPv6 address prefix must be
reserved for mapping IPv4 addresses into. Kernel must be properly con‐
figured to route all the TCP connection toward the reserved IPv6 address
prefix into the faith(4) pseudo interface, by using route(8) command.
Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.
The router must be configured to capture all the TCP traffic toward
reserved IPv6 address prefix, by using route(8) and sysctl(8) commands.
The faithd utility needs a special name-to-address translation logic, so
that hostnames gets resolved into special IPv6 address prefix. For
small-scale installation, use hosts(5). For large-scale installation, it
is useful to have a DNS server with special address translation support.
An implementation called totd is available at
http://www.vermicelli.pasta.cs.uit.no/software/totd.html Make sure you do
not propagate translated DNS records to normal DNS cloud, it is highly
harmful.
Daemon mode
When faithd is invoked as a standalone program, faithd will daemonize
itself. The faithd utility will listen to TCPv6 port service. If TCPv6
traffic to port service is found, it relays the connection.
Since faithd listens to TCP port service, it is not possible to run local
TCP daemons for port service on the router, using inetd(8) or other stan‐
dard mechanisms. By specifying serverpath to faithd, you can run local
daemons on the router. The faithd utility will invoke local daemon at
serverpath if the destination address is local interface address, and
will perform translation to IPv4 TCP in other cases. You can also spec‐
ify serverargs for the arguments for the local daemon.
The following options are available:
-d Debugging information will be generated using syslog(3).
-f configfile
Specify a configuration file for access control. See below.
-p Use privileged TCP port number as source port, for IPv4 TCP con‐
nection toward final destination. For relaying ftp(1) and
rlogin(1), this flag is not necessary as special program code is
supplied.
The faithd utility will relay both normal and out-of-band TCP data. It
is capable of emulating TCP half close as well. The faithd utility
includes special support for protocols used by ftp(1) and rlogin(1).
When translating FTP protocol, faithd translates network level addresses
in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands. For RLOGIN protocol,
faithd will relay back connection from rlogind(8) on the server to
rlogin(1) on client.
Inactive sessions will be disconnected in 30 minutes, to avoid stale ses‐
sions from chewing up resources. This may be inappropriate for some of
the services (should this be configurable?).
inetd mode
When faithd is invoked via inetd(8), faithd will handle connection passed
from standard input. If the connection endpoint is in the reserved IPv6
address prefix, faithd will relay the connection. Otherwise, faithd will
invoke service-specific daemon like telnetd(8), by using the command
argument passed from inetd(8).
The faithd utility determines operation mode by the local TCP port num‐
ber, and enables special protocol handling whenever necessary/possible.
For example, if faithd is invoked via inetd(8) on FTP port, it will oper‐
ate as a FTP relay.
The operation mode requires special support for faithd in inetd(8).
Access control
To prevent malicious accesses, faithd implements a simple address-based
access control. With /etc/faithd.conf (or configfile specified by -f),
faithd will avoid relaying unwanted traffic. The faithd.conf contains
directives with the following format:
· src/slen deny dst/dlen
If the source address of a query matches src/slen, and the translated
destination address matches dst/dlen, deny the connection.
· src/slen permit dst/dlen
If the source address of a query matches src/slen, and the translated
destination address matches dst/dlen, permit the connection.
The directives are evaluated in sequence, and the first matching entry
will be effective. If there is no match (if we reach the end of the
ruleset) the traffic will be denied.
With inetd mode, traffic may be filtered by using access control func‐
tionality in inetd(8).
EXAMPLES
Before invoking faithd, faith(4) interface has to be configured properly.
# sysctl net.inet6.ip6.accept_rtadv=0
# sysctl net.inet6.ip6.forwarding=1
# sysctl net.inet6.ip6.keepfaith=1
# ifconfig faith0 up
# route add -inet6 2001:db8:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 2001:db8:4819:ffff:: -prefixlen 96 -ifp faith0
Daemon mode samples
To translate telnet service, and provide no local telnet service, invoke
faithd as follows:
# faithd telnet
If you would like to provide local telnet service via telnetd(8) on
/usr/libexec/telnetd, use the following command line:
# faithd telnet /usr/libexec/telnetd telnetd
If you would like to pass extra arguments to the local daemon:
# faithd ftp /usr/libexec/ftpd ftpd -l
Here are some other examples. You may need -p to translate rsh/rlogin
services.
# faithd ssh
# faithd login /usr/libexec/rlogin rlogind
# faithd shell /usr/libexec/rshd rshd
However, you should be careful when translating rlogin or rsh connec‐
tions. See SECURITY CONSIDERATIONS for more details.
inetd mode samples
Add the following lines into inetd.conf(5). Syntax may vary depending
upon your operating system.
telnet stream tcp6/faith nowait root /usr/sbin/faithd telnetd
ftp stream tcp6/faith nowait root /usr/sbin/faithd ftpd -l
ssh stream tcp6/faith nowait root /usr/sbin/faithd /usr/sbin/sshd -i
inetd(8) will open listening sockets with enabling kernel TCP relay sup‐
port. Whenever connection comes in, faithd will be invoked by inetd(8).
If it the connection endpoint is in the reserved IPv6 address prefix.
The faithd utility will relay the connection. Otherwise, faithd will
invoke service-specific daemon like telnetd(8).
Access control samples
The following illustrates a simple faithd.conf setting.
# permit anyone from 2001:db8:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
2001:db8:ffff::/48 deny 10.0.0.0/8
2001:db8:ffff::/48 deny 127.0.0.0/8
2001:db8:ffff::/48 permit 0.0.0.0/0
DIAGNOSTICS
The faithd utility exits with EXIT_SUCCESS (0) on success, and
EXIT_FAILURE (1) on error.
SEE ALSOfaith(4), route(8), sysctl(8)
Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport
relay translator", RFC 3142, June 2001, ftp://ftp.isi.edu/in-
notes/rfc3142.txt.
HISTORY
The faithd utility first appeared in WIDE Hydrangea IPv6 protocol stack
kit.
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/)
stack was initially integrated into FreeBSD 4.0
SECURITY CONSIDERATIONS
It is very insecure to use rhosts(5) and other IP-address based authenti‐
cation, for connections relayed by faithd (and any other TCP relaying
services).
Administrators are advised to limit accesses to faithd using faithd.conf,
or by using IPv6 packet filters. It is to protect faithd service from
malicious parties and avoid theft of service/bandwidth. IPv6 destination
address can be limited by carefully configuring routing entries that
points to faith(4), using route(8). IPv6 source address needs to be fil‐
tered by using packet filters. Documents listed in SEE ALSO have more
discussions on this topic.
BSD May 17, 1998 BSD