NetBSD/usr.sbin/faithd
tls 4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
..
faithd.8
faithd.c
faithd.h
ftp.c Coverity CID 1321: False -gative detection. 2006-05-24 21:47:25 +00:00
Makefile Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the 2007-05-28 12:06:17 +00:00
prefix.c
prefix.h
README
tcp.c

Configuring FAITH IPv6-to-IPv4 TCP relay

Kazu Yamamoto and Jun-ichiro itojun Hagino
$KAME: README,v 1.9 2002/05/09 14:10:06 itojun Exp $


Introduction
============

FAITH is a IPv6-to-IPv4 TCP relay.  It performs tcp relay just as some of
firewall-oriented gateway does, but between IPv6 and IPv4 with address
translation.
TCP connections has to be made from IPv6 node to IPv4 node.  FAITH will
not relay connections for the opposite direction.
To perform relays, FAITH daemon needs to be executed on a router between
your local IPv6 site and outside IPv4 network.  The daemon needs to be
invoked per each TCP services (TCP port number).

	IPv4 node "dest" = 123.4.5.6
		|
	[[[[ outside IPv4 ocean ]]]]
		|
	node that runs FAITH-daemon (usually a router)
		|
	==+=====+===+==== IPv6, or IPv4/v6 network in your site ^
	  |	    |						| connection
	clients	  IPv6 node "src"				|

You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
The following description uses 3ffe:0501:ffff:0000:: as example.
Please use a prefix which belongs to your site.
FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
"src", toward IPv4 node "dest", by specifying FAITH-mapped address
3ffe:0501:ffff:0000::123.4.5.6
(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506).
The address mapping can be performed by hand:-), by special nameserver on
the network, or by special resolver on the source node.


Setup
=====

The following example assumes:
- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.
- You are willing to provide IPv6-to IPv4 TCP relay for telnet.

<<On the translating router on which faithd runs>>

(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via
    inet6d, disable that daemon.  Comment out the line from "inet6d.conf"
    and send the HUP signal to "inet6d".

(2) Execute sysctl as root to enable FAITH support in the kernel.

        # sysctl -w net.inet6.ip6.keepfaith=1

(3) Route packets toward FAITH prefix into "faith0" interface.

	# ifconfig faith0 up
	# route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1
	# route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0

(4) Execute "faithd" by root as follows:

	# faithd telnet /usr/libexec/telnetd telnetd

    1st argument is a service name you are willing to provide TCP relay.
	(it can be specified either by number "23" or by string "telnet")
    2nd argument is a path name for local IPv6 TCP server.  If there is a
    connection toward the router itself, this program will be invoked.
    3rd and the following arguments are arguments for the local IPv6 TCP
    server.  (3rd argument is typically the program name without its path.)

    More examples:

	# faithd ftpd /usr/libexec/ftpd ftpd -l
	# faithd sshd

If inetd(8) on your platform have special support for faithd, it is possible
to setup faithd services via inetd(8).  Consult manpage for details.


<<Routing>>

(4) Make sure that packets whose destinations match the prefix can
reach from the IPv6 host to the translating router.

<<On the IPv6 host>>

There are two ways to translate IPv4 address to IPv6 address:
	(a) Faked by DNS
	(b) Faked by /etc/hosts.

(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie.

(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
faked IPv6 address.  For example, add the following line for
www.NetBSD.org:

	3ffe:0501:ffff:0000::140.160.140.252	www.NetBSD.org

<<On the translating router on which faithd runs.>>

(6) To see if "faithd" works, watch "/var/log/daemon". Note: please
setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored
in "/var/log/daemon".

	<e.g.>
	daemon.*   /var/log/daemon


Access control
==============

Since faithd implements TCP relaying service, it is critical to implement
proper access control to cope with malicious use.  Bad guy may try to
use your relay router to circumvent access controls, or may try to
abuse your network (like sending SPAMs from IPv4 address that belong to you).
Install IPv6 packet filter directives that would reject traffic from
unwanted source.  If you are using inetd-based setup, you may be able to
use access control mechanisms in inetd.


Advanced configuration
======================

If you would like to restrict IPv4 destination for translation, you may
want to do the following:

	# route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1
	# route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \
		-ifp faith0

By this way, you can restrict IPv4 destination to 123.0.0.0/8.
You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which
is not in 3ffe:0501:ffff:0000::123.0.0.0/104.  This will be left as excerside
for the reader.

By doing this, you will be able to provide your IPv4 web server to outside
IPv6 customers, without risks of unwanted open relays.

	[[[[ IPv6 network outside ]]]]			|
		|					| connection
	node that runs FAITH-daemon (usually a router)	v
		|
	========+======== IPv4/v6 network in your site
		|			(123.0.0.0/8)
	IPv4 web server