|-d||Debugging information will be generated using syslog(3).|
|Specify a configuration file for access control. See below.|
|-p||Use privileged TCP port number as source port, for IPv4 TCP connection toward final destination. For relaying ftp(1), this flag is not necessary as special program code is supplied.|
The faithd utility will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. The faithd utility includes special support for protocols used by ftp(1). When translating the FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.
Inactive sessions will be disconnected in 30 minutes, to prevent stale sessions from chewing up resources. This may be inappropriate for some services (should this be configurable?).
When faithd is invoked via inetd(8), faithd will handle connections passed from standard input. If the connection endpoint is in the reserved IPv6 address prefix, faithd will relay the connection. Otherwise, faithd will invoke a service-specific daemon like telnetd(8), by using the command argument passed from inetd(8).
The faithd utility determines operation mode by the local TCP port number, and enables special protocol handling whenever necessary/possible. For example, if faithd is invoked via inetd(8) on the FTP port, it will operate as an FTP relay.
The operation mode requires special support for faithd in inetd(8).
To prevent malicious access, faithd implements simple address-based access control. With /etc/faithd.conf (or configfile specified by -f ), faithd will avoid relaying unwanted traffic. The faithd.conf configuration file contains directives of the following format:
- src / slen deny dst / dlen
If the source address of a query matches src / slen, and the translated destination address matches dst / dlen, deny the connection.
- src / slen permit dst / dlen
If the source address of a query matches src / slen, and the translated destination address matches dst / dlen, permit the connection.
The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (if we reach the end of the ruleset) the traffic will be denied.
With inetd mode, traffic may be filtered by using access control functionality in inetd(8).
The faithd utility exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.
Before invoking faithd, the faith(4) interface has to be configured properly.# sysctl net.inet6.ip6.accept_rtadv=0 # sysctl net.inet6.ip6.forwarding=1 # sysctl net.inet6.ip6.keepfaith=1 # ifconfig faith0 up # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1 # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
To translate telnet service, and provide no local telnet service, invoke faithd as follows:# faithd telnet
If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd, use the following command line:# faithd telnet /usr/libexec/telnetd telnetd
If you would like to pass extra arguments to the local daemon:# faithd ftp /usr/libexec/ftpd ftpd -l
Here are some other examples. You may need -p if the service checks the source port range.# faithd ssh # faithd telnet /usr/libexec/telnetd telnetd
Add the following lines into inetd.conf(5). Syntax may vary depending upon your operating system.telnet stream tcp6/faith nowait root faithd telnetd ftp stream tcp6/faith nowait root faithd ftpd -l ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i
inetd(8) will open listening sockets with kernel TCP relay support enabled. Whenever a connection comes in, faithd will be invoked by inetd(8). If the connection endpoint is in the reserved IPv6 address prefix. The faithd utility will relay the connection. Otherwise, faithd will invoke service-specific daemon like telnetd(8).
The following illustrates a simple faithd.conf setting.# permit anyone from 3ffe:501:ffff::/48 to use the translator, # to connect to the following IPv4 destinations: # - any location except 10.0.0.0/8 and 127.0.0.0/8. # Permit no other connections. # 3ffe:501:ffff::/48 deny 10.0.0.0/8 3ffe:501:ffff::/48 deny 127.0.0.0/8 3ffe:501:ffff::/48 permit 0.0.0.0/0
The faithd utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack was initially integrated into
.Fx 4.0 .
It is very insecure to use IP-address based authentication, for connections relayed by faithd, and any other TCP relaying services.
Administrators are advised to limit accesses to faithd using faithd.conf, or by using IPv6 packet filters, to protect the faithd service from malicious parties, and to avoid theft of service/bandwidth. IPv6 destination addresses can be limited by carefully configuring routing entries that point to faith(4), using route(8). The IPv6 source address needs to be filtered using packet filters. The documents listed in SEE ALSO have more information on this topic.