*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> faithd (8)              



NAME    [Toc]    [Back]

     faithd - FAITH IPv6/v4 translator daemon

SYNOPSIS    [Toc]    [Back]

     faithd   [-dp]   [-f   configfile]    service    [serverpath

DESCRIPTION    [Toc]    [Back]

     faithd  provides  an IPv6-to-IPv4 TCP relay.  faithd must be
used on an
     IPv4/v6 dual stack router.

     When faithd receives TCPv6 traffic, faithd  will  relay  the
TCPv6 traffic
     to  TCPv4.  The destination for the relayed TCPv4 connection
is determined
     by the last 4 octets of the original IPv6 destination.   For
example, if
     3ffe:0501:4819:ffff::  is reserved for faithd, and the TCPv6
     address is 3ffe:0501:4819:ffff::0a01:0101,  the  traffic  is
relayed to IPv4

     To  use the faithd translation service, an IPv6 address prefix must be reserved
 for mapping IPv4 addresses onto.  The kernel must  be
properly configured
 to route all the TCP connections toward the reserved
IPv6 address
     prefix into the faith(4)  pseudo  interface,  by  using  the
route(8) command.
     Also,   sysctl(8)   should  be  used  to  configure  net.inet6.ip6.keepfaith to 1.

     The router must be configured to capture all the TCP traffic
for a given
     reserved  IPv6  address  prefix,  by  using the route(8) and
sysctl(8) commands.

     faithd needs a special name-to-address translation logic, so
that hostnames
  get resolved into a special IPv6 address prefix.  For
     installation, use hosts(5).  For  large-scale  installation,
it is useful
     to  have  a DNS server with special address translation support.  An implementation
 called totd is available at
Make sure you
     do not propagate translated DNS records to normal DNS cloud,
it is highly
     harmful.  When faithd is invoked, faithd will daemonize  itself.  faithd
     will listen to TCPv6 port service.  If TCPv6 traffic to port
service is
     found, it relays the connection.

     Since faithd listens to TCP port service, it is not possible
to run local
     TCP  daemons  for port service on the router, using inetd(8)
or other standard
 mechanisms.  Local daemons can be run on the router  by
specifying a
     serverpath  to faithd.  faithd will invoke a local daemon at
serverpath if
     the destination address is a local  interface  address,  and
will perform
     translation to IPv4 TCP in other cases.  Serverargs can also
be specified
     as arguments for the local daemon.

     The following options are available:

     -d      Debugging information will be generated  using  syslog(3).

     -f configfile
             Specify  a  configuration  file  for access control.
See below.

     -p      Use the privileged TCP port number as a source port,
for an IPv4
             TCP  connection  toward  the final destination.  For
relaying ftp(1)
             this flag is not necessary as special  program  code
is supplied.

     faithd  will relay both normal and out-of-band TCP data.  It
is capable of
     emulating TCP half close as well.  faithd  includes  special
support for
     protocols  used  by  ftp(1).  When translating FTP protocol,
faithd translates
  network  level  addresses   in   PORT/LPRT/EPRT   and
PASV/LPSV/EPSV commands.

     Inactive  sessions  will  be  disconnected in 30 minutes, to
avoid stale sessions
 from chewing up resources.  This may be  inappropriate
for some of
     the services (should this be configurable?).

   Access control    [Toc]    [Back]
     To  prevent malicious access, faithd implements a simple address-based access
 control.  With /etc/faithd.conf (or  configfile  specified by -f),
     faithd  will  avoid  relaying unwanted traffic.  faithd.conf
contains directives
 with the following format:

     +o   src/slen deny dst/dlen

         If the source address of a query matches  src/slen,  and
the translated
         destination  address  matches dst/dlen, deny the connection.

     +o   src/slen permit dst/dlen

         If the source address of a query matches  src/slen,  and
the translated
         destination address matches dst/dlen, permit the connection.

     The directives are evaluated  in  sequence,  and  the  first
matching entry
     will  be  effective.   If  there is no match (the end of the
ruleset has been
     reached), the traffic is denied.

RETURN VALUES    [Toc]    [Back]

     faithd exits with  EXIT_SUCCESS  (0)  on  success,  and  EXIT_FAILURE (1) on

EXAMPLES    [Toc]    [Back]

     Before  invoking  faithd,  the  faith(4) interface has to be
configured properly:

     # sysctl net.inet6.ip6.accept_rtadv=0
     # sysctl net.inet6.ip6.forwarding=1
     # sysctl net.inet6.ip6.keepfaith=1
     # ifconfig faith0 up
     # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
     # route change  -inet6  3ffe:501:4819:ffff::  -prefixlen  96
-ifp faith0

     To  translate  telnet  service,  and provide no local telnet
service, invoke
     faithd as follows:

     # faithd telnet

     Provide  local   telnet   service   via   telnetd(8)   using

     # faithd telnet /usr/libexec/telnetd telnetd

     Pass extra arguments to the local daemon:

     # faithd ftp /usr/libexec/ftpd ftpd -l

     Here  are  some  other  examples.  If the service checks the
source port
     range, -p may be required.

     # faithd ssh
     # faithd telnet /usr/libexec/telnetd telnetd

   Access control samples    [Toc]    [Back]
     The following illustrates a simple faithd.conf setting.

     # permit anyone from 3ffe:501:ffff::/48 to use the  translator,
     # to connect to the following IPv4 destinations:
     # - any location except and
     # Permit no other connections.
     3ffe:501:ffff::/48 deny
     3ffe:501:ffff::/48 deny
     3ffe:501:ffff::/48 permit

SEE ALSO    [Toc]    [Back]

     faith(4), route(8), sysctl(8)

     Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4
     relay     translator",     RFC     3142,     June      2001,

HISTORY    [Toc]    [Back]

     The  faithd  command  first  appeared in WIDE Hydrangea IPv6
protocol stack


     It is very insecure to use IP-address based  authentication,
for connections
  relayed  by  faithd,  and any other TCP relaying services.

     Administrators are advised to limit accesses to faithd using
     or  by using IPv6 packet filters, to protect the faithd service from malicious
 parties and avoid theft  of  service/bandwidth.   IPv6
destination addresses
  can be limited by carefully configuring routing entries that
     point to faith(4), using route(8).   IPv6  source  addresses
need to be filtered
  using  a packet filter.  Documents listed in SEE ALSO
have more discussions
 on this topic.

OpenBSD      3.6                           May      17,      1998
[ Back ]
 Similar pages
Name OS Title
ip6rtrd Tru64 IPv6 routing daemon
rtradvd HP-UX Router Advertisement daemon for IPv6
ip6rtrd.conf Tru64 IPv6 router daemon (ip6rtrd) configuration file
nd6hostd Tru64 Neighbor discovery and autoconfiguration daemon for IPv6 hosts
dhcpv6d HP-UX Dynamic Host Configuration Protocol Server daemon for IPv6
a2p IRIX Awk to Perl translator
a2p Linux Awk to Perl translator
pppoe OpenBSD PPP Over Ethernet translator
s2p IRIX Sed to Perl translator
s2p Linux Sed to Perl translator
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service