|FAITHD(8)||System Manager's Manual||FAITHD(8)|
faithd — FAITH IPv6/v4 translator daemon
faithd provides an IPv6-to-IPv4 TCP relay.
faithd must be used on an IPv4/v6 dual stack
faithd receives TCPv6 traffic,
faithd will relay the TCPv6 traffic to TCPv4. The
destination for the relayed TCPv4 connection is determined by the last 4
octets of the original IPv6 destination. For example, if
2001:db8:4819:ffff:: is reserved for
faithd, and the TCPv6 destination address is
2001:db8:4819:ffff::0a01:0101, the traffic is
relayed to IPv4 destination
To use the
faithd translation service, an
IPv6 address prefix must be reserved for mapping IPv4 addresses onto. The
kernel must be properly configured to route all the TCP connections toward
the reserved IPv6 address prefix into the
faith(4) pseudo interface, by
using the route(8) command.
Also, sysctl(8) should be
used to configure
faithd needs a special name-to-address
translation logic, so that hostnames get resolved into a special IPv6
address prefix. For small-scale installation, use
hosts(5). For large-scale
installation, it is useful to have a DNS server with special address
translation support. An implementation called
is available at
Make sure you do not propagate translated DNS records to the normal DNS cloud;
it is highly harmful. When
faithd is invoked,
faithd will daemonize itself.
faithd will listen to TCPv6 port
service. If TCPv6 traffic to port
service is found, it relays the connection.
Because faithd listens to TCP port
service, it is not possible to run local TCP daemons
for port service on the router, using
inetd(8) or other standard
mechanisms. Local daemons can be run on the router by specifying a
faithd will invoke a local daemon at
serverpath if the destination address is a local
interface address, and will perform translation to IPv4 TCP in other cases.
serverargs can also be specified as arguments for the
The following options are available:
faithd will relay both normal and
out-of-band TCP data. It is capable of emulating TCP half close as well.
faithd includes special support for protocols used
by ftp(1). When translating FTP
faithd translates network level addresses
Inactive sessions will be disconnected after 30 minutes, to keep stale sessions from chewing up resources. This may be inappropriate for some services (should this be configurable?).
To prevent malicious access,
implements a simple address-based access control. With
configfile specified by
faithd will avoid relaying unwanted traffic.
faithd.conf contains directives with the following
If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.
If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.
The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (the end of the ruleset has been reached), the traffic is denied.
faithd exits with
EXIT_SUCCESS (0) on success, and
EXIT_FAILURE (1) on error.
faith(4) interface has to be
# sysctl net.inet6.ip6.accept_rtadv=0
# sysctl net.inet6.ip6.forwarding=1
# sysctl net.inet6.ip6.keepfaith=1
# ifconfig faith0 up
# route add -inet6 2001:db8:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 2001:db8:4819:ffff:: -prefixlen 96 -ifp faith0
telnet service, and provide
no local telnet service, invoke
# faithd telnet
Pass extra arguments to the local daemon:
# faithd ftp /usr/libexec/ftpd ftpd -l
The following illustrates a simple faithd.conf setting.
# Permit anyone from 2001:db8:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
2001:db8:ffff::/48 deny 10.0.0.0/8
2001:db8:ffff::/48 deny 127.0.0.0/8
2001:db8:ffff::/48 permit 0.0.0.0/0
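The address mapping and the first-match evaluation described above, as an added example that is not faithd's own code: a small Python model that derives the IPv4 relay destination from the last 4 octets of the IPv6 destination and applies the sample ruleset, denying when no directive matches. The function names and the client and destination addresses are assumptions made for illustration.

```python
import ipaddress

# Rules from the faithd.conf example on this page (comment shortened).
SAMPLE_CONF = """\
# Permit anyone from 2001:db8:ffff::/48, except to 10/8 and 127/8.
2001:db8:ffff::/48 deny 10.0.0.0/8
2001:db8:ffff::/48 deny 127.0.0.0/8
2001:db8:ffff::/48 permit 0.0.0.0/0
"""

def translated_dst(dst6):
    """IPv4 relay destination: the last 4 octets of the IPv6 destination."""
    return ipaddress.IPv4Address(ipaddress.IPv6Address(dst6).packed[-4:])

def parse_rules(text):
    """Parse 'src/slen action dst/dlen' lines; skip blanks and '#' comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("deny", "permit"):
            raise ValueError(f"line {lineno}: expected 'src/slen deny|permit dst/dlen'")
        src = ipaddress.IPv6Network(fields[0], strict=False)
        dst = ipaddress.IPv4Network(fields[2], strict=False)
        rules.append((src, fields[1], dst))
    return rules

def decide(rules, src6, dst6):
    """First matching directive wins; reaching the end of the ruleset denies."""
    src = ipaddress.IPv6Address(src6)
    dst4 = translated_dst(dst6)
    for net6, action, net4 in rules:
        if src in net6 and dst4 in net4:
            return action, dst4
    return "deny", dst4

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    # Constructed client and destination addresses under the page's example prefix.
    for src6, dst6 in [
        ("2001:db8:ffff::1", "2001:db8:4819:ffff::0a01:0101"),
        ("2001:db8:ffff::1", "2001:db8:4819:ffff::c000:0201"),
        ("2001:db8:1::1", "2001:db8:4819:ffff::c000:0201"),
    ]:
        action, dst4 = decide(rules, src6, dst6)
        print(f"{src6} -> {dst6} ({dst4}): {action}")
```

Running a proposed ruleset through a model like this before deploying it shows whether an early broad permit shadows a later deny, since only the first match takes effect.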
Jun-ichiro itojun Hagino and Kazu Yamamoto, An IPv6-to-IPv4 transport relay translator, RFC 3142, June 2001, ftp://ftp.isi.edu/in-notes/rfc3142.txt.
faithd command first appeared in the
WIDE Hydrangea IPv6 protocol stack kit.
It is very insecure to use IP-address-based authentication for
connections relayed by
Administrators are advised to limit access to
faithd using faithd.conf, or
by using IPv6 packet filters, to protect the
service from malicious parties and avoid theft of service/bandwidth. IPv6
destination addresses can be limited by carefully configuring routing
entries that point to
route(8). IPv6 source
addresses need to be filtered using a packet filter. The documents listed in
SEE ALSO have more discussions on this
|July 19, 2008||OpenBSD-5.1|