View | Details | Raw Unified | Return to bug 38061 | Differences between
and this patch

(-)faithd.8.fixed Mon May 13 23:12:54 2002 (-47 / +44 lines)
Lines 43-63 Link Here
43
.Op Ar serverpath Op Ar serverargs
43
.Op Ar serverpath Op Ar serverargs
44
.Sh DESCRIPTION
44
.Sh DESCRIPTION
45
.Nm
45
.Nm
46
provides IPv6-to-IPv4 TCP relay.
46
provides IPv6-to-IPv4 TCP relaying.
47
.Nm
47
.Nm
48
must be used on an IPv4/v6 dual stack router.
48
can only be used on an IPv4/v6 dual stack router.
49
.Pp
49
.Pp
50
When
50
When
51
.Nm
51
.Nm
52
receives
52
receives
53
.Tn TCPv6
53
.Tn TCPv6
54
traffic,
54
traffic, it will relay the
55
.Nm
56
will relay the
57
.Tn TCPv6
55
.Tn TCPv6
58
traffic to
56
traffic to
59
.Tn TCPv4 .
57
.Tn TCPv4 .
60
Destination for relayed
58
The destination for the relayed
61
.Tn TCPv4
59
.Tn TCPv4
62
connection will be determined by the last 4 octets of the original
60
connection will be determined by the last 4 octets of the original
63
.Tn IPv6
61
.Tn IPv6
Lines 73-86 Link Here
73
the traffic will be relayed to IPv4 destination
71
the traffic will be relayed to IPv4 destination
74
.Li 10.1.1.1 .
72
.Li 10.1.1.1 .
75
.Pp
73
.Pp
76
To use
74
To use the
77
.Nm
75
.Nm
78
translation service,
76
translation service,
79
an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
77
an IPv6 address prefix must be reserved for mapping IPv4 addresses
80
Kernel must be properly configured to route all the TCP connection
78
into, and the kernel must be properly configured to route all the
81
toward the reserved IPv6 address prefix into the
79
TCPs connections to the reserved IPv6 address prefix into the
82
.Xr faith 4
80
.Xr faith 4
83
pseudo interface, by using
81
pseudo interface, using the
84
.Xr route 8
82
.Xr route 8
85
command.
83
command.
86
Also,
84
Also,
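Review bot: New line 79 reads "TCPs connections to the reserved IPv6 address prefix into the", which introduces a typo; it should be "TCP connections". The merged sentence on new lines 77-78 also leaves a dangling "into," ahead of "and the kernel must be properly configured"; keeping the prefix reservation and the routing requirement as two sentences, each starting on its own source line, would read better.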
Lines 91-97 Link Here
91
.Dv 1 .
89
.Dv 1 .
92
.Pp
90
.Pp
93
The router must be configured to capture all the TCP traffic
91
The router must be configured to capture all the TCP traffic
94
toward reserved
92
for the reserved
95
.Tn IPv6
93
.Tn IPv6
96
address prefix, by using
94
address prefix, by using
97
.Xr route 8
95
.Xr route 8
Lines 100-120 Link Here
100
commands.
98
commands.
101
.Pp
99
.Pp
102
.Nm
100
.Nm
103
needs a special name-to-address translation logic, so that
101
needs special name-to-address translation logic, so that
104
hostnames gets resolved into special
102
hostnames get resolved into the special
105
.Tn IPv6
103
.Tn IPv6
106
address prefix.
104
address prefix.
107
For small-scale installation, use
105
For small-scale installations, use
108
.Xr hosts 5 .
106
.Xr hosts 5 ;
109
For large-scale installation, it is useful to have
107
for large-scale installations, it is useful to have
110
a DNS server with special address translation support.
108
a DNS server with special address translation support.
111
An implementation called
109
An implementation called
112
.Nm totd
110
.Nm totd
113
is available
111
is available
114
at
112
at
115
.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
113
.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
116
Make sure you do not propagate translated DNS records to normal DNS cloud,
114
Make sure you do not propagate translated DNS records over to normal
117
it is highly harmful.
115
DNS, as it can cause severe problems.
118
.Pp
116
.Pp
119
.Ss Daemon mode
117
.Ss Daemon mode
120
When
118
When
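Review bot: New lines 114-115 replace "it is highly harmful" with "as it can cause severe problems", which softens the one operational warning in this paragraph without saying what goes wrong. Either keep the original strength or state the consequence of propagating translated records; "over to normal DNS" can also lose the "over".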
Lines 148-156 Link Here
148
.Nm ,
146
.Nm ,
149
you can run local daemons on the router.
147
you can run local daemons on the router.
150
.Nm
148
.Nm
151
will invoke local daemon at
149
will invoke a local daemon at
152
.Ar serverpath
150
.Ar serverpath
153
if the destination address is local interface address,
151
if the destination address is a local interface address,
154
and will perform translation to IPv4 TCP in other cases.
152
and will perform translation to IPv4 TCP in other cases.
155
You can also specify
153
You can also specify
156
.Ar serverargs
154
.Ar serverargs
Lines 182-205 Link Here
182
.Xr ftp 1
180
.Xr ftp 1
183
and
181
and
184
.Xr rlogin 1 .
182
.Xr rlogin 1 .
185
When translating FTP protocol,
183
When translating the FTP protocol,
186
.Nm
184
.Nm
187
translates network level addresses in
185
translates network level addresses in
188
.Li PORT/LPRT/EPRT
186
.Li PORT/LPRT/EPRT
189
and
187
and
190
.Li PASV/LPSV/EPSV
188
.Li PASV/LPSV/EPSV
191
commands.
189
commands.
192
For RLOGIN protocol,
190
For the rlogin protocol,
193
.Nm
191
.Nm
194
will relay back connection from
192
will relay back connections from
195
.Xr rlogind 8
193
.Xr rlogind 8
196
on the server to
194
on the server to
197
.Xr rlogin 1
195
.Xr rlogin 1
198
on client.
196
on the client.
199
.Pp
197
.Pp
200
Inactive sessions will be disconnected in 30 minutes,
198
Inactive sessions will be disconnected in 30 minutes,
201
to avoid stale sessions from chewing up resources.
199
to prevent stale sessions from chewing up resources.
202
This may be inappropriate for some of the services
200
This may be inappropriate for some services
203
(should this be configurable?).
201
(should this be configurable?).
204
.Ss inetd mode
202
.Ss inetd mode
205
When
203
When
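Review bot: The open question "(should this be configurable?)" is carried over unchanged at new line 201 and still sits in user-facing text; a wording cleanup is a good time to move it out of the description, for example into a bugs note or a source comment. On new line 198, "disconnected in 30 minutes" would be clearer as "after 30 minutes".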
Lines 207-219 Link Here
207
is invoked via
205
is invoked via
208
.Xr inetd 8 ,
206
.Xr inetd 8 ,
209
.Nm
207
.Nm
210
will handle connection passed from standard input.
208
will handle connections passed from standard input.
211
If the connection endpoint is in the reserved IPv6 address prefix,
209
If the connection endpoint is in the reserved IPv6 address prefix,
212
.Nm
210
.Nm
213
will relay the connection.
211
will relay the connection.
214
Otherwise,
212
Otherwise,
215
.Nm
213
.Nm
216
will invoke service-specific daemon like
214
will invoke a service-specific daemon like
217
.Xr telnetd 8 ,
215
.Xr telnetd 8 ,
218
by using the command argument passed from
216
by using the command argument passed from
219
.Xr inetd 8 .
217
.Xr inetd 8 .
Lines 225-240 Link Here
225
.Nm
223
.Nm
226
is invoked via
224
is invoked via
227
.Xr inetd 8
225
.Xr inetd 8
228
on FTP port, it will operate as a FTP relay.
226
on the FTP port, it will operate as an FTP relay.
229
.Pp
227
.Pp
230
The operation mode requires special support for
228
The operation mode requires special support for
231
.Nm
229
.Nm
232
in
230
in
233
.Xr inetd 8 .
231
.Xr inetd 8 .
234
.Ss Access control
232
.Ss Access control
235
To prevent malicious accesses,
233
To prevent malicious access,
236
.Nm
234
.Nm
237
implements a simple address-based access control.
235
implements simple address-based access control.
238
With
236
With
239
.Pa /etc/faithd.conf
237
.Pa /etc/faithd.conf
240
(or
238
(or
Lines 243-251 Link Here
243
.Fl f ) ,
241
.Fl f ) ,
244
.Nm
242
.Nm
245
will avoid relaying unwanted traffic.
243
will avoid relaying unwanted traffic.
246
The
247
.Pa faithd.conf
244
.Pa faithd.conf
248
contains directives with the following format:
245
contains directives of the following format:
249
.Bl -bullet
246
.Bl -bullet
250
.It
247
.It
251
.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
248
.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
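Review bot: Old line 246 ("The") is deleted with no replacement, so the sentence at new line 244 now opens directly with ".Pa faithd.conf". That runs against the rest of the patch, which adds articles elsewhere ("The destination for the relayed", "The documents listed in"); keeping "The" and adding "file" after the .Pa line would be consistent.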
Lines 266-272 Link Here
266
.El
263
.El
267
.Pp
264
.Pp
268
The directives are evaluated in sequence,
265
The directives are evaluated in sequence,
269
and the first matching entry will be effective.
266
and the first matching entry will be used.
270
If there is no match
267
If there is no match
271
.Pq if we reach the end of the ruleset
268
.Pq if we reach the end of the ruleset
272
the traffic will be denied.
269
the traffic will be denied.
Lines 277-282 Link Here
277
.Sh EXAMPLES
274
.Sh EXAMPLES
278
Before invoking
275
Before invoking
279
.Nm ,
276
.Nm ,
277
the
280
.Xr faith 4
278
.Xr faith 4
281
interface has to be configured properly.
279
interface has to be configured properly.
282
.Bd -literal -offset
280
.Bd -literal -offset
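Review bot: The context line ".Bd -literal -offset" at new line 280 is left as it is, although -offset is given no width argument. Since the patch already touches this paragraph, supply one (for example "-offset indent") or drop the option.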
Lines 337-348 Link Here
337
.Ed
335
.Ed
338
.Pp
336
.Pp
339
.Xr inetd 8
337
.Xr inetd 8
340
will open listening sockets with enabling kernel TCP relay support.
338
will open listening sockets with kernel TCP relay support enabled.
341
Whenever connection comes in,
339
Whenever a connection comes in,
342
.Nm
340
.Nm
343
will be invoked by
341
will be invoked by
344
.Xr inetd 8 .
342
.Xr inetd 8 .
345
If it the connection endpoint is in the reserved IPv6 address prefix.
343
If the connection endpoint is in the reserved IPv6 address prefix.
346
.Nm
344
.Nm
347
will relay the connection.
345
will relay the connection.
348
Otherwise,
346
Otherwise,
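Review bot: New line 343 fixes "If it the" but keeps the trailing period, so "If the connection endpoint is in the reserved IPv6 address prefix." remains a fragment cut off from "will relay the connection." The same sentence at new line 209 ends with a comma; use a comma here too.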
Lines 388-394 Link Here
388
.Sh HISTORY
386
.Sh HISTORY
389
The
387
The
390
.Nm
388
.Nm
391
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
389
command first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
392
.\"
390
.\"
393
.Pp
391
.Pp
394
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
392
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
Lines 405-420 Link Here
405
.Nm
403
.Nm
406
using
404
using
407
.Pa faithd.conf ,
405
.Pa faithd.conf ,
408
or by using IPv6 packet filters.
406
or by using IPv6 packet filters, to protect the
409
It is to protect
410
.Nm
407
.Nm
411
service from malicious parties and avoid theft of service/bandwidth.
408
service from malicious parties, and to avoid theft of service/bandwidth.
412
IPv6 destination address can be limited by
409
IPv6 destination addresses can be limited by
413
carefully configuring routing entries that points to
410
carefully configuring routing entries that point to
414
.Xr faith 4 ,
411
.Xr faith 4 ,
415
using
412
using
416
.Xr route 8 .
413
.Xr route 8 .
417
IPv6 source address needs to be filtered by using packet filters.
414
The IPv6 source address needs to be filtered using packet filters.
418
Documents listed in
415
The documents listed in
419
.Sx SEE ALSO
416
.Sx SEE ALSO
420
have more discussions on this topic.
417
have more information on this topic.
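Review bot: New line 409 pluralises to "IPv6 destination addresses" while new line 414 keeps the singular "The IPv6 source address"; pick one number for both so the two filtering requirements read in parallel. In the merged sentence at new lines 406-408, the comma before "to protect the" is not needed.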
