mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
3384154590
This work was based on kame-20010528-freebsd43-snap.tgz and some critical problem after the snap was out were fixed. There are many many changes since last KAME merge. TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT. Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks
150 lines
5.1 KiB
Plaintext
150 lines
5.1 KiB
Plaintext
Configuring FAITH IPv6-to-IPv4 TCP relay
|
|
|
|
Kazu Yamamoto and Jun-ichiro itojun Hagino
|
|
$KAME: README,v 1.7 2001/04/25 11:25:19 itojun Exp $
|
|
$FreeBSD$
|
|
|
|
Introduction
|
|
============
|
|
|
|
FAITH is a IPv6-to-IPv4 TCP relay. It performs tcp relay just as some of
|
|
firewall-oriented gateway does, but between IPv6 and IPv4 with address
|
|
translation.
|
|
TCP connections has to be made from IPv6 node to IPv4 node. FAITH will
|
|
not relay connections for the opposite direction.
|
|
To perform relays, FAITH daemon needs to be executed on a router between
|
|
your local IPv6 site and outside IPv4 network. The daemon needs to be
|
|
invoked per each TCP services (TCP port number).
|
|
|
|
IPv4 node "dest" = 123.4.5.6
|
|
|
|
|
[[[[ outside IPv4 ocean ]]]]
|
|
|
|
|
node that runs FAITH-daemon (usually a router)
|
|
|
|
|
==+=====+===+==== IPv6, or IPv4/v6 network in your site ^
|
|
| | | connection
|
|
clients IPv6 node "src" |
|
|
|
|
You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
|
|
The following description uses 3ffe:0501:ffff:0000:: as example.
|
|
Please use a prefix which belongs to your site.
|
|
FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
|
|
"src", toward IPv4 node "dest", by specifying FAITH-mapped address
|
|
3ffe:0501:ffff:0000::123.4.5.6
|
|
(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506).
|
|
The address mapping can be performed by hand:-), by special nameserver on
|
|
the network, or by special resolver on the source node.
|
|
|
|
|
|
Setup
|
|
=====
|
|
|
|
The following example assumes:
|
|
- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.
|
|
- You are willing to provide IPv6-to IPv4 TCP relay for telnet.
|
|
|
|
<<On the translating router on which faithd runs>>
|
|
|
|
(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via
|
|
inet6d, disable that daemon. Comment out the line from "inet6d.conf"
|
|
and send the HUP signal to "inet6d".
|
|
|
|
(2) Execute sysctl as root to enable FAITH support in the kernel.
|
|
|
|
# sysctl -w net.inet6.ip6.keepfaith=1
|
|
|
|
(3) Route packets toward FAITH prefix into "faith0" interface.
|
|
|
|
# ifconfig faith0 up
|
|
# route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1
|
|
# route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0
|
|
|
|
(4) Execute "faithd" by root as follows:
|
|
|
|
# faithd telnet /usr/libexec/telnetd telnetd
|
|
|
|
1st argument is a service name you are willing to provide TCP relay.
|
|
(it can be specified either by number "23" or by string "telnet")
|
|
2nd argument is a path name for local IPv6 TCP server. If there is a
|
|
connection toward the router itself, this program will be invoked.
|
|
3rd and the following arguments are arguments for the local IPv6 TCP
|
|
server. (3rd argument is typically the program name without its path.)
|
|
|
|
More examples:
|
|
|
|
# faithd login /usr/libexec/rlogin rlogind
|
|
# faithd shell /usr/libexec/rshd rshd
|
|
# faithd ftpd /usr/libexec/ftpd ftpd -l
|
|
# faithd sshd
|
|
|
|
If inetd(8) on your platform have special support for faithd, it is possible
|
|
to setup faithd services via inetd(8). Consult manpage for details.
|
|
|
|
|
|
<<Routing>>
|
|
|
|
(4) Make sure that packets whose destinations match the prefix can
|
|
reach from the IPv6 host to the translating router.
|
|
|
|
<<On the IPv6 host>>
|
|
|
|
There are two ways to translate IPv4 address to IPv6 address:
|
|
(a) Faked by DNS
|
|
(b) Faked by /etc/hosts.
|
|
|
|
(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie.
|
|
|
|
(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
|
|
faked IPv6 addrss. For example, add the following line for www.netbsd.org:
|
|
|
|
3ffe:0501:ffff:0000::140.160.140.252 www.netbsd.org
|
|
|
|
<<On the translating router on which faithd runs.>>
|
|
|
|
(6) To see if "faithd" works, watch "/var/log/daemon". Note: please
|
|
setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored
|
|
in "/var/log/daemon".
|
|
|
|
<e.g.>
|
|
daemon.* /var/log/daemon
|
|
|
|
|
|
Access control
|
|
==============
|
|
|
|
Since faithd implements TCP relaying service, it is critical to implement
|
|
proper access control to cope with malicious use. Bad guy may try to
|
|
use your relay router to circumvent access controls, or may try to
|
|
abuse your network (like sending SPAMs from IPv4 address that belong to you).
|
|
Install IPv6 packet filter directives that would reject traffic from
|
|
unwanted source. If you are using inetd-based setup, you may be able to
|
|
use access control mechanisms in inetd.
|
|
|
|
|
|
Advanced configuration
|
|
======================
|
|
|
|
If you would like to restrict IPv4 destination for translation, you may
|
|
want to do the following:
|
|
|
|
# route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1
|
|
# route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \
|
|
-ifp faith0
|
|
|
|
By this way, you can restrict IPv4 destination to 123.0.0.0/8.
|
|
You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which
|
|
is not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside
|
|
for the reader.
|
|
|
|
By doing this, you will be able to provide your IPv4 web server to outside
|
|
IPv6 customers, without risks of unwanted open relays.
|
|
|
|
[[[[ IPv6 network outside ]]]] |
|
|
| | connection
|
|
node that runs FAITH-daemon (usually a router) v
|
|
|
|
|
========+======== IPv4/v6 network in your site
|
|
| (123.0.0.0/8)
|
|
IPv4 web server
|