parent
a33b3d6b72
commit
89644c3065
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: faithd.8,v 1.26 2009/10/25 01:34:40 wiz Exp $
|
||||
.\" $NetBSD: faithd.8,v 1.27 2010/01/09 10:43:11 mbalmer Exp $
|
||||
.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -28,7 +28,7 @@
|
|||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd October 25, 2009
|
||||
.Dd January 9, 2010
|
||||
.Dt FAITHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -42,22 +42,20 @@
|
|||
.Op Ar serverpath Op Ar serverargs
|
||||
.Nm
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
provides IPv6-to-IPv4 TCP relay.
|
||||
.Nm
|
||||
must be used on an IPv4/v6 dual stack router.
|
||||
utility provides IPv6-to-IPv4 TCP relaying.
|
||||
It can only be used on an IPv4/v6 dual stack router.
|
||||
.Pp
|
||||
When
|
||||
.Nm
|
||||
receives
|
||||
.Tn TCPv6
|
||||
traffic,
|
||||
.Nm
|
||||
will relay the
|
||||
traffic, it will relay the
|
||||
.Tn TCPv6
|
||||
traffic to
|
||||
.Tn TCPv4 .
|
||||
Destination for relayed
|
||||
The destination for the relayed
|
||||
.Tn TCPv4
|
||||
connection will be determined by the last 4 octets of the original
|
||||
.Tn IPv6
|
||||
|
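Review bot: the new second sentence "It can only be used on an IPv4/v6 dual stack router." states a capability limit where the old ".Nm must be used on an IPv4/v6 dual stack router." stated a requirement; if the meaning is meant to be unchanged, "It must be run on an IPv4/IPv6 dual stack router." keeps it and also spells out the abbreviation. The rest of the rewording in this hunk (utility provides ... relaying, "it will relay the", "The destination for the relayed") reads well.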
@ -73,14 +71,14 @@ destination address is
|
|||
the traffic will be relayed to IPv4 destination
|
||||
.Li 10.1.1.1 .
|
||||
.Pp
|
||||
To use
|
||||
To use the
|
||||
.Nm
|
||||
translation service,
|
||||
an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
|
||||
Kernel must be properly configured to route all the TCP connection
|
||||
The kernel must be properly configured to route all the TCP connections
|
||||
toward the reserved IPv6 address prefix into the
|
||||
.Xr faith 4
|
||||
pseudo interface, by using
|
||||
pseudo interface, using the
|
||||
.Xr route 8
|
||||
command.
|
||||
Also,
|
||||
|
@ -91,7 +89,7 @@ to
|
|||
.Dv 1 .
|
||||
.Pp
|
||||
The router must be configured to capture all the TCP traffic
|
||||
toward reserved
|
||||
for the reserved
|
||||
.Tn IPv6
|
||||
address prefix, by using
|
||||
.Xr route 8
|
||||
|
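Review bot: changing "toward reserved" to "for the reserved" drops the directional sense of the original; "capture all the TCP traffic destined for the reserved .Tn IPv6 address prefix" says the same thing more precisely, since the route captures packets whose destination falls inside that prefix.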
@ -99,22 +97,22 @@ and
|
|||
.Xr sysctl 8
|
||||
commands.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
needs a special name-to-address translation logic, so that
|
||||
hostnames gets resolved into special
|
||||
utility needs special name-to-address translation logic, so that
|
||||
hostnames gets resolved into the special
|
||||
.Tn IPv6
|
||||
address prefix.
|
||||
For small-scale installation, use
|
||||
.Xr hosts 5 .
|
||||
For large-scale installation, it is useful to have
|
||||
For small-scale installations, use
|
||||
.Xr hosts 5 ;
|
||||
For large-scale installations, it is useful to have
|
||||
a DNS server with special address translation support.
|
||||
An implementation called
|
||||
.Nm totd
|
||||
is available
|
||||
at
|
||||
is available at
|
||||
.Pa http://www.vermicelli.pasta.cs.uit.no/software/totd.html .
|
||||
Make sure you do not propagate translated DNS records to normal DNS cloud,
|
||||
it is highly harmful.
|
||||
Make sure you do not propagate translated DNS records over to normal
|
||||
DNS, as it can cause severe problems.
|
||||
.Ss Daemon mode
|
||||
When
|
||||
.Nm
|
||||
|
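Review bot: two grammar points survive the rewording here. "hostnames gets resolved into the special" still pairs a plural subject with a singular verb ("hostnames get resolved"). And replacing ".Xr hosts 5 ." with ".Xr hosts 5 ;" joins the two sentences, so the following "For large-scale installations" should start lowercase, or the period should be kept.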
@ -146,10 +144,11 @@ By specifying
|
|||
to
|
||||
.Nm ,
|
||||
you can run local daemons on the router.
|
||||
The
|
||||
.Nm
|
||||
will invoke local daemon at
|
||||
utility will invoke ia local daemon at
|
||||
.Ar serverpath
|
||||
if the destination address is local interface address,
|
||||
if the destination address is a local interface address,
|
||||
and will perform translation to IPv4 TCP in other cases.
|
||||
You can also specify
|
||||
.Ar serverargs
|
||||
|
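Review bot: typo introduced on "utility will invoke ia local daemon at": the stray "ia" should be "a" ("utility will invoke a local daemon at").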
@ -177,7 +176,7 @@ It is capable of emulating TCP half close as well.
|
|||
.Nm
|
||||
includes special support for protocols used by
|
||||
.Xr ftp 1 .
|
||||
When translating FTP protocol,
|
||||
When translating the FTP protocol,
|
||||
.Nm
|
||||
translates network level addresses in
|
||||
.Li PORT/LPRT/EPRT
|
||||
|
@ -186,8 +185,8 @@ and
|
|||
commands.
|
||||
.Pp
|
||||
Inactive sessions will be disconnected in 30 minutes,
|
||||
to avoid stale sessions from chewing up resources.
|
||||
This may be inappropriate for some of the services
|
||||
to prevent stale sessions from chewing up resources.
|
||||
This may be inappropriate for some services
|
||||
.Pq should this be configurable? .
|
||||
.Ss inetd mode
|
||||
When
|
||||
|
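Review bot: the parenthetical ".Pq should this be configurable? ." is an author's open question that renders in the manual page as "(should this be configurable?)" right after the 30-minute timeout statement; since this hunk already rewrites the surrounding sentence, consider moving it into a ".\"" comment so readers are not left with an unanswered question about the timeout.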
@ -195,13 +194,13 @@ When
|
|||
is invoked via
|
||||
.Xr inetd 8 ,
|
||||
.Nm
|
||||
will handle connection passed from standard input.
|
||||
will handle connections passed from standard input.
|
||||
If the connection endpoint is in the reserved IPv6 address prefix,
|
||||
.Nm
|
||||
will relay the connection.
|
||||
Otherwise,
|
||||
.Nm
|
||||
will invoke service-specific daemon like
|
||||
will invoke a service-specific daemon like
|
||||
.Xr telnetd 8 ,
|
||||
by using the command argument passed from
|
||||
.Xr inetd 8 .
|
||||
|
@ -213,14 +212,14 @@ For example, if
|
|||
.Nm
|
||||
is invoked via
|
||||
.Xr inetd 8
|
||||
on FTP port, it will operate as a FTP relay.
|
||||
on the FTP port, it will operate as an FTP relay.
|
||||
.\".Pp
|
||||
.\"The operation mode requires special support for
|
||||
.\".Nm
|
||||
.\"in
|
||||
.\".Xr inetd 8 .
|
||||
.Ss Access control
|
||||
To prevent malicious accesses,
|
||||
To prevent malicious access,
|
||||
.Nm
|
||||
implements a simple address-based access control.
|
||||
With
|
||||
|
@ -235,7 +234,7 @@ specified by
|
|||
will avoid relaying unwanted traffic.
|
||||
The
|
||||
.Pa faithd.conf
|
||||
contains directives with the following format:
|
||||
configuration file contains directives of the following format:
|
||||
.Bl -bullet
|
||||
.It
|
||||
.Xo
|
||||
|
@ -280,6 +279,7 @@ on error.
|
|||
.Sh EXAMPLES
|
||||
Before invoking
|
||||
.Nm ,
|
||||
the
|
||||
.Xr faith 4
|
||||
interface has to be configured properly.
|
||||
.Bd -literal
|
||||
|
@ -333,12 +333,12 @@ ssh stream faith/tcp6 nowait root faithd /usr/sbin/sshd -i
|
|||
.Ed
|
||||
.Pp
|
||||
.Xr inetd 8
|
||||
will open listening sockets with enabling kernel TCP relay support.
|
||||
Whenever connection comes in,
|
||||
will open listening sockets with kernel TCP relay support enabled.
|
||||
Whenever a connection comes in,
|
||||
.Nm
|
||||
will be invoked by
|
||||
.Xr inetd 8 .
|
||||
If it the connection endpoint is in the reserved IPv6 address prefix.
|
||||
If the connection endpoint is in the reserved IPv6 address prefix.
|
||||
.Nm
|
||||
will relay the connection.
|
||||
Otherwise,
|
||||
|
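Review bot: the fix removes the duplicated "it" but keeps the wrong punctuation: "If the connection endpoint is in the reserved IPv6 address prefix." ends with a period, yet the sentence continues with ".Nm will relay the connection." on the following lines. It should end with a comma, as the same sentence does in the inetd mode section above.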
@ -376,7 +376,7 @@ setting.
|
|||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||
utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
|
||||
.\"
|
||||
.Sh SECURITY CONSIDERATIONS
|
||||
It is very insecure to use IP-address based authentication, for connections relayed by
|
||||
|
@ -387,16 +387,15 @@ Administrators are advised to limit accesses to
|
|||
.Nm
|
||||
using
|
||||
.Pa faithd.conf ,
|
||||
or by using IPv6 packet filters.
|
||||
It is to protect
|
||||
or by using IPv6 packet filters, to protect the
|
||||
.Nm
|
||||
service from malicious parties and avoid theft of service/bandwidth.
|
||||
IPv6 destination address can be limited by
|
||||
carefully configuring routing entries that points to
|
||||
service from malicious parties, and to avoid theft of service/bandwidth.
|
||||
IPv6 destination addresses can be limited by
|
||||
carefully configuring routing entries that point to
|
||||
.Xr faith 4 ,
|
||||
using
|
||||
.Xr route 8 .
|
||||
IPv6 source address needs to be filtered by using packet filters.
|
||||
Documents listed in
|
||||
The IPv6 source address needs to be filtered using packet filters.
|
||||
The documents listed in
|
||||
.Sx SEE ALSO
|
||||
have more discussions on this topic.
|
||||
have more information on this topic.
|
||||
|
|