Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
FAITHD(8)               OpenBSD System Manager's Manual              FAITHD(8)

     faithd - FAITH IPv6/v4 translator daemon

     faithd [-dp] [-f configfile] service [serverpath [serverargs]]

     faithd provides an IPv6-to-IPv4 TCP relay.  faithd must be used on an
     IPv4/v6 dual stack router.

     When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic
     to TCPv4.  The destination for the relayed TCPv4 connection is determined
     by the last 4 octets of the original IPv6 destination.  For example, if
     3ffe:0501:4819:ffff:: is reserved for faithd, and the TCPv6 destination
     address is 3ffe:0501:4819:ffff::0a01:0101, the traffic is relayed to IPv4

     To use the faithd translation service, an IPv6 address prefix must be re-
     served for mapping IPv4 addresses onto.  The kernel must be properly con-
     figured to route all the TCP connections toward the reserved IPv6 address
     prefix into the faith(4) pseudo interface, by using the route(8) command.
     Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

     The router must be configured to capture all the TCP traffic for a given
     reserved IPv6 address prefix, by using the route(8) and sysctl(8) com-

     faithd needs a special name-to-address translation logic, so that host-
     names get resolved into a special IPv6 address prefix.  For small-scale
     installation, use hosts(5).  For large-scale installation, it is useful
     to have a DNS server with special address translation support.  An imple-
     mentation called totd is available at  Make sure you
     do not propagate translated DNS records to normal DNS cloud, it is highly
     harmful.  When faithd is invoked, faithd will daemonize itself.  faithd
     will listen to TCPv6 port service.  If TCPv6 traffic to port service is
     found, it relays the connection.

     Since faithd listens to TCP port service, it is not possible to run local
     TCP daemons for port service on the router, using inetd(8) or other stan-
     dard mechanisms.  Local daemons can be run on the router by specifying a
     serverpath to faithd.  faithd will invoke a local daemon at serverpath if
     the destination address is a local interface address, and will perform
     translation to IPv4 TCP in other cases.  Serverargs can also be specified
     as arguments for the local daemon.

     The following options are available:

     -d      Debugging information will be generated using syslog(3).

     -f configfile
             Specify a configuration file for access control.  See below.

     -p      Use the privileged TCP port number as a source port, for an IPv4
             TCP connection toward the final destination.  For relaying ftp(1)
             this flag is not necessary as special program code is supplied.

     faithd will relay both normal and out-of-band TCP data.  It is capable of
     emulating TCP half close as well.  faithd includes special support for
     protocols used by ftp(1).  When translating FTP protocol, faithd trans-
     lates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV com-

     Inactive sessions will be disconnected in 30 minutes, to avoid stale ses-
     sions from chewing up resources.  This may be inappropriate for some of
     the services (should this be configurable?).

   Access control
     To prevent malicious access, faithd implements a simple address-based ac-
     cess control.  With /etc/faithd.conf (or configfile specified by -f),
     faithd will avoid relaying unwanted traffic.  faithd.conf contains direc-
     tives with the following format:

     +o   src/slen deny dst/dlen

         If the source address of a query matches src/slen, and the translated
         destination address matches dst/dlen, deny the connection.

     +o   src/slen permit dst/dlen

         If the source address of a query matches src/slen, and the translated
         destination address matches dst/dlen, permit the connection.

     The directives are evaluated in sequence, and the first matching entry
     will be effective.  If there is no match (the end of the ruleset has been
     reached), the traffic is denied.

     faithd exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on

     Before invoking faithd, the faith(4) interface has to be configured prop-

     # sysctl -w net.inet6.ip6.accept_rtadv=0
     # sysctl -w net.inet6.ip6.forwarding=1
     # sysctl -w net.inet6.ip6.keepfaith=1
     # ifconfig faith0 up
     # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
     # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0

     To translate telnet service, and provide no local telnet service, invoke
     faithd as follows:

     # faithd telnet

     Provide local telnet service via telnetd(8) using /usr/libexec/telnetd.

     # faithd telnet /usr/libexec/telnetd telnetd

     Pass extra arguments to the local daemon:

     # faithd ftp /usr/libexec/ftpd ftpd -l

     Here are some other examples.  If the service checks the source port
     range, -p may be required.

     # faithd ssh
     # faithd telnet /usr/libexec/telnetd telnetd

   Access control samples
     The following illustrates a simple faithd.conf setting.

     # permit anyone from 3ffe:501:ffff::/48 to use the translator,
     # to connect to the following IPv4 destinations:
     # - any location except and
     # Permit no other connections.
     3ffe:501:ffff::/48 deny
     3ffe:501:ffff::/48 deny
     3ffe:501:ffff::/48 permit

     faith(4), route(8), sysctl(8)

     Jun-ichiro itojun Hagino, and Kazu Yamamoto, "An IPv6-to-IPv4 transport
     relay translator", RFC 3142, June 2001,

     The faithd command first appeared in WIDE Hydrangea IPv6 protocol stack

     It is very insecure to use IP-address based authentication, for
     connections relayed by faithd, and any other TCP relaying services.

     Administrators are advised to limit accesses to faithd using faithd.conf,
     or by using IPv6 packet filters, to protect the faithd service from mali-
     cious parties and avoid theft of service/bandwidth.  IPv6 destination ad-
     dresses can be limited by carefully configuring routing entries that
     point to faith(4), using route(8).  IPv6 source addresses need to be fil-
     tered using a packet filter.  Documents listed in SEE ALSO have more dis-
     cussions on this topic.

OpenBSD 3.4                      May 17, 1998                                3


Want to link to this manual page? Use this URL:

home | help