fd53f7c428
use of .rhosts authentication should be discouraged with relaying service. sync w/kame
402 lines
9.6 KiB
Groff
402 lines
9.6 KiB
Groff
.\" $NetBSD: faithd.8,v 1.18 2002/05/09 14:24:03 itojun Exp $
|
|
.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
|
|
.\"
|
|
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd May 17, 1998
|
|
.Dt FAITHD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm faithd
|
|
.Nd FAITH IPv6/v4 translator daemon
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl dp
|
|
.Op Fl f Ar configfile
|
|
.Ar service
|
|
.Op Ar serverpath Op Ar serverargs
|
|
.Nm ""
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
provides IPv6-to-IPv4 TCP relay.
|
|
.Nm
|
|
must be used on an IPv4/v6 dual stack router.
|
|
.Pp
|
|
When
|
|
.Nm
|
|
receives
|
|
.Tn TCPv6
|
|
traffic,
|
|
.Nm
|
|
will relay the
|
|
.Tn TCPv6
|
|
traffic to
|
|
.Tn TCPv4 .
|
|
Destination for relayed
|
|
.Tn TCPv4
|
|
connection will be determined by the last 4 octets of the original
|
|
.Tn IPv6
|
|
destination.
|
|
For example, if
|
|
.Li 3ffe:0501:4819:ffff::
|
|
is reserved for
|
|
.Nm Ns ,
|
|
and the
|
|
.Tn TCPv6
|
|
destination address is
|
|
.Li 3ffe:0501:4819:ffff::0a01:0101 ,
|
|
the traffic will be relayed to IPv4 destination
|
|
.Li 10.1.1.1 .
|
|
.Pp
|
|
To use
|
|
.Nm
|
|
translation service,
|
|
an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
|
|
Kernel must be properly configured to route all the TCP connection
|
|
toward the reserved IPv6 address prefix into the
|
|
.Xr faith 4
|
|
pseudo interface, by using
|
|
.Xr route 8
|
|
command.
|
|
Also,
|
|
.Xr sysctl 8
|
|
should be used to configure
|
|
.Dv net.inet6.ip6.keepfaith
|
|
to
|
|
.Dv 1 .
|
|
.Pp
|
|
The router must be configured to capture all the TCP traffic
|
|
toward reserved
|
|
.Tn IPv6
|
|
address prefix, by using
|
|
.Xr route 8
|
|
and
|
|
.Xr sysctl 8
|
|
commands.
|
|
.Pp
|
|
.Nm
|
|
needs a special name-to-address translation logic, so that
|
|
hostnames gets resolved into special
|
|
.Tn IPv6
|
|
address prefix.
|
|
For small-scale installation, use
|
|
.Xr hosts 5 .
|
|
For large-scale installation, it is useful to have
|
|
a DNS server with special address translation support.
|
|
An implementation called
|
|
.Nm totd
|
|
is available
|
|
at
|
|
.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
|
|
Make sure you do not propagate translated DNS records to normal DNS cloud,
|
|
it is highly harmful.
|
|
.Ss Daemon mode
|
|
When
|
|
.Nm
|
|
is invoked as a standalone program,
|
|
.Nm
|
|
will daemonize itself.
|
|
.Nm
|
|
will listen to
|
|
.Tn TCPv6
|
|
port
|
|
.Ar service .
|
|
If
|
|
.Tn TCPv6
|
|
traffic to port
|
|
.Ar service
|
|
is found, it relays the connection.
|
|
.Pp
|
|
Since
|
|
.Nm
|
|
listens to TCP port
|
|
.Ar service ,
|
|
it is not possible to run local TCP daemons for port
|
|
.Ar service
|
|
on the router, using
|
|
.Xr inetd 8
|
|
or other standard mechanisms.
|
|
By specifying
|
|
.Ar serverpath
|
|
to
|
|
.Nm Ns ,
|
|
you can run local daemons on the router.
|
|
.Nm
|
|
will invoke local daemon at
|
|
.Ar serverpath
|
|
if the destination address is local interface address,
|
|
and will perform translation to IPv4 TCP in other cases.
|
|
You can also specify
|
|
.Ar serverargs
|
|
for the arguments for the local daemon.
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width indent
|
|
.It Fl d
|
|
Debugging information will be generated using
|
|
.Xr syslog 3 .
|
|
.It Fl f Ar configfile
|
|
Specify a configuration file for access control.
|
|
See below.
|
|
.It Fl p
|
|
Use privileged TCP port number as source port,
|
|
for IPv4 TCP connection toward final destination.
|
|
For relaying
|
|
.Xr ftp 1
|
|
this flag is not necessary as special program code is supplied.
|
|
.El
|
|
.Pp
|
|
.Nm
|
|
will relay both normal and out-of-band TCP data.
|
|
It is capable of emulating TCP half close as well.
|
|
.Nm
|
|
includes special support for protocols used by
|
|
.Xr ftp 1 .
|
|
When translating FTP protocol,
|
|
.Nm
|
|
translates network level addresses in
|
|
.Li PORT/LPRT/EPRT
|
|
and
|
|
.Li PASV/LPSV/EPSV
|
|
commands.
|
|
.Pp
|
|
Inactive sessions will be disconnected in 30 minutes,
|
|
to avoid stale sessions from chewing up resources.
|
|
This may be inappropriate for some of the services
|
|
.Pq should this be configurable? .
|
|
.Ss inetd mode
|
|
When
|
|
.Nm
|
|
is invoked via
|
|
.Xr inetd 8 ,
|
|
.Nm
|
|
will handle connection passed from standard input.
|
|
If the connection endpoint is in the reserved IPv6 address prefix,
|
|
.Nm
|
|
will relay the connection.
|
|
Otherwise,
|
|
.Nm
|
|
will invoke service-specific daemon like
|
|
.Xr telnetd 8 ,
|
|
by using the command argument passed from
|
|
.Xr inetd 8 .
|
|
.Pp
|
|
.Nm
|
|
determines operation mode by the local TCP port number,
|
|
and enables special protocol handling whenever necessary/possible.
|
|
For example, if
|
|
.Nm
|
|
is invoked via
|
|
.Xr inetd 8
|
|
on FTP port, it will operate as a FTP relay.
|
|
.\".Pp
|
|
.\"The operation mode requires special support for
|
|
.\".Nm
|
|
.\"in
|
|
.\".Xr inetd 8 .
|
|
.Ss Access control
|
|
To prevent malicious accesses,
|
|
.Nm
|
|
implements a simple address-based access control.
|
|
With
|
|
.Pa /etc/faithd.conf
|
|
.Po
|
|
or
|
|
.Ar configfile
|
|
specified by
|
|
.Fl f
|
|
.Pc ,
|
|
.Nm
|
|
will avoid relaying unwanted traffic.
|
|
The
|
|
.Pa faithd.conf
|
|
contains directives with the following format:
|
|
.Bl -bullet
|
|
.It
|
|
.Xo
|
|
.Ic Ar src/slen Li deny Ar dst/dlen
|
|
.Xc
|
|
.Pp
|
|
If the source address of a query matches
|
|
.Ar src/slen ,
|
|
and the translated destination address matches
|
|
.Ar dst/dlen ,
|
|
deny the connection.
|
|
.It
|
|
.Xo
|
|
.Ic Ar src/slen Li permit Ar dst/dlen
|
|
.Xc
|
|
.Pp
|
|
If the source address of a query matches
|
|
.Ar src/slen ,
|
|
and the translated destination address matches
|
|
.Ar dst/dlen ,
|
|
permit the connection.
|
|
.El
|
|
.Pp
|
|
The directives are evaluated in sequence,
|
|
and the first matching entry will be effective.
|
|
If there is no match
|
|
.Pq if we reach the end of the ruleset
|
|
the traffic will be denied.
|
|
.Pp
|
|
With inetd mode,
|
|
traffic may be filtered by using access control functionality in
|
|
.Xr inetd 8 .
|
|
.Sh EXIT STATUS
|
|
.Nm
|
|
exits with
|
|
.Dv EXIT_SUCCESS
|
|
.Pq 0
|
|
on success, and
|
|
.Dv EXIT_FAILURE
|
|
.Pq 1
|
|
on error.
|
|
.Sh EXAMPLES
|
|
Before invoking
|
|
.Nm Ns ,
|
|
.Xr faith 4
|
|
interface has to be configured properly.
|
|
.Bd -literal -offset
|
|
# sysctl -w net.inet6.ip6.accept_rtadv=0
|
|
# sysctl -w net.inet6.ip6.forwarding=1
|
|
# sysctl -w net.inet6.ip6.keepfaith=1
|
|
# ifconfig faith0 up
|
|
# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
|
|
# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
|
|
.Ed
|
|
.Ss Daemon mode samples
|
|
To translate
|
|
.Li telnet
|
|
service, and provide no local telnet service, invoke
|
|
.Nm
|
|
as follows:
|
|
.Bd -literal -offset
|
|
# faithd telnet
|
|
.Ed
|
|
.Pp
|
|
If you would like to provide local telnet service via
|
|
.Xr telnetd 8
|
|
on
|
|
.Pa /usr/libexec/telnetd ,
|
|
use the following command line:
|
|
.Bd -literal -offset
|
|
# faithd telnet /usr/libexec/telnetd telnetd
|
|
.Ed
|
|
.Pp
|
|
If you would like to pass extra arguments to the local daemon:
|
|
.Bd -literal -offset
|
|
# faithd ftp /usr/libexec/ftpd ftpd -l
|
|
.Ed
|
|
.Pp
|
|
Here are some other examples.
|
|
You may need
|
|
.Fl p
|
|
if the service checks the source port range.
|
|
.Bd -literal -offset
|
|
# faithd ssh
|
|
# faithd telnet /usr/libexec/telnetd telnetd
|
|
.Ed
|
|
.Ss inetd mode samples
|
|
Add the following lines into
|
|
.Xr inetd.conf 5 .
|
|
.\"Syntax may vary depending upon your operating system.
|
|
.Bd -literal -offset
|
|
telnet stream faith/tcp6 nowait root faithd telnetd
|
|
ftp stream faith/tcp6 nowait root faithd ftpd -l
|
|
ssh stream faith/tcp6 nowait root faithd /usr/sbin/sshd -i
|
|
.Ed
|
|
.Pp
|
|
.Xr inetd 8
|
|
will open listening sockets with enabling kernel TCP relay support.
|
|
Whenever connection comes in,
|
|
.Nm
|
|
will be invoked by
|
|
.Xr inetd 8 .
|
|
If it the connection endpoint is in the reserved IPv6 address prefix.
|
|
.Nm
|
|
will relay the connection.
|
|
Otherwise,
|
|
.Nm
|
|
will invoke service-specific daemon like
|
|
.Xr telnetd 8 .
|
|
.Ss Access control samples
|
|
The following illustrates a simple
|
|
.Pa faithd.conf
|
|
setting.
|
|
.Bd -literal -offset
|
|
# permit anyone from 3ffe:501:ffff::/48 to use the translator,
|
|
# to connect to the following IPv4 destinations:
|
|
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
|
|
# Permit no other connections.
|
|
#
|
|
3ffe:501:ffff::/48 deny 10.0.0.0/8
|
|
3ffe:501:ffff::/48 deny 127.0.0.0/8
|
|
3ffe:501:ffff::/48 permit 0.0.0.0/0
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr faith 4 ,
|
|
.Xr route 8 ,
|
|
.Xr sysctl 8
|
|
.Rs
|
|
.%A Jun-ichiro itojun Hagino
|
|
.%A Kazu Yamamoto
|
|
.%T "An IPv6-to-IPv4 transport relay translator"
|
|
.%B RFC3142
|
|
.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt
|
|
.%D June 2001
|
|
.Re
|
|
.\"
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
|
.\"
|
|
.Sh SECURITY CONSIDERATIONS
|
|
It is very insecure to use IP-address based authentication, for connections relayed by
|
|
.Nm Ns ,
|
|
and any other TCP relaying services.
|
|
.Pp
|
|
Administrators are advised to limit accesses to
|
|
.Nm
|
|
using
|
|
.Pa faithd.conf ,
|
|
or by using IPv6 packet filters.
|
|
It is to protect
|
|
.Nm
|
|
service from malicious parties and avoid theft of service/bandwidth.
|
|
IPv6 destination address can be limited by
|
|
carefully configuring routing entries that points to
|
|
.Xr faith 4 ,
|
|
using
|
|
.Xr route 8 .
|
|
IPv6 source address needs to be filtered by using packet filters.
|
|
Documents listed in
|
|
.Sx SEE ALSO
|
|
have more discussions on this topic.
|