Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
FAITHD(8)		  BSD System Manager's Manual		     FAITHD(8)

     faithd -- FAITH IPv6/v4 translator	daemon

     faithd [-dp] [-f configfile] service [serverpath [serverargs]]

     The faithd	utility	provides IPv6-to-IPv4 TCP relaying.  It	can only be
     used on an	IPv4/v6	dual stack router.

     When faithd receives TCPv6	traffic, it will relay the TCPv6 traffic to
     TCPv4.  The destination for the relayed TCPv4 connection will be deter-
     mined by the last 4 octets	of the original	IPv6 destination.  For exam-
     ple, if 3ffe:0501:4819:ffff:: is reserved for faithd, and the TCPv6 des-
     tination address is 3ffe:0501:4819:ffff::0a01:0101, the traffic will be
     relayed to	IPv4 destination

     To	use the	faithd translation service, an IPv6 address prefix must	be re-
     served for	mapping	IPv4 addresses into.  The kernel must be properly con-
     figured to	route all the TCP connections toward the reserved IPv6 address
     prefix into the faith(4) pseudo interface,	using the route(8) command.
     Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

     The router	must be	configured to capture all the TCP traffic for the re-
     served IPv6 address prefix, by using route(8) and sysctl(8) commands.

     The faithd	utility	needs special name-to-address translation logic, so
     that hostnames get	resolved into the special IPv6 address prefix.	For
     small-scale installations,	use hosts(5); For large-scale installations,
     it	is useful to have a DNS	server with special address translation	sup-
     port.  An implementation called totd is available at	Make sure you
     do	not propagate translated DNS records over to normal DNS, as it can
     cause severe problems.

   Daemon mode
     When faithd is invoked as a standalone program, faithd will daemonize it-
     self.  The	faithd utility will listen to TCPv6 port service.  If TCPv6
     traffic to	port service is	found, it relays the connection.

     Since faithd listens to TCP port service, it is not possible to run local
     TCP daemons for port service on the router, using inetd(8)	or other stan-
     dard mechanisms.  By specifying serverpath	to faithd, you can run local
     daemons on	the router.  The faithd	utility	will invoke a local daemon at
     serverpath	if the destination address is a	local interface	address, and
     will perform translation to IPv4 TCP in other cases.  You can also	spec-
     ify serverargs for	the arguments for the local daemon.

     The following options are available:

     -d	     Debugging information will	be generated using syslog(3).

     -f	configfile
	     Specify a configuration file for access control.  See below.

     -p	     Use privileged TCP	port number as source port, for	IPv4 TCP con-
	     nection toward final destination.	For relaying ftp(1), this flag
	     is	not necessary as special program code is supplied.

     The faithd	utility	will relay both	normal and out-of-band TCP data.  It
     is	capable	of emulating TCP half close as well.  The faithd utility in-
     cludes special support for	protocols used by ftp(1).  When	translating
     the FTP protocol, faithd translates network level addresses in
     PORT/LPRT/EPRT and	PASV/LPSV/EPSV commands.

     Inactive sessions will be disconnected in 30 minutes, to prevent stale
     sessions from chewing up resources.  This may be inappropriate for	some
     services (should this be configurable?).

   inetd mode
     When faithd is invoked via	inetd(8), faithd will handle connections
     passed from standard input.  If the connection endpoint is	in the re-
     served IPv6 address prefix, faithd	will relay the connection.  Otherwise,
     faithd will invoke	a service-specific daemon like telnetd(8), by using
     the command argument passed from inetd(8).

     The faithd	utility	determines operation mode by the local TCP port	num-
     ber, and enables special protocol handling	whenever necessary/possible.
     For example, if faithd is invoked via inetd(8) on the FTP port, it	will
     operate as	an FTP relay.

     The operation mode	requires special support for faithd in inetd(8).

   Access control
     To	prevent	malicious access, faithd implements simple address-based ac-
     cess control.  With /etc/faithd.conf (or configfile specified by -f),
     faithd will avoid relaying	unwanted traffic.  The faithd.conf configura-
     tion file contains	directives of the following format:

     +o	 src/slen deny dst/dlen

	 If the	source address of a query matches src/slen, and	the translated
	 destination address matches dst/dlen, deny the	connection.

     +o	 src/slen permit dst/dlen

	 If the	source address of a query matches src/slen, and	the translated
	 destination address matches dst/dlen, permit the connection.

     The directives are	evaluated in sequence, and the first matching entry
     will be effective.	 If there is no	match (if we reach the end of the
     ruleset) the traffic will be denied.

     With inetd	mode, traffic may be filtered by using access control func-
     tionality in inetd(8).

     The faithd	utility	exits with EXIT_SUCCESS	(0) on success,	and
     EXIT_FAILURE (1) on error.

     Before invoking faithd, the faith(4) interface has	to be configured prop-

	   # sysctl net.inet6.ip6.accept_rtadv=0
	   # sysctl net.inet6.ip6.forwarding=1
	   # sysctl net.inet6.ip6.keepfaith=1
	   # ifconfig faith0 up
	   # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
	   # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0

   Daemon mode samples
     To	translate telnet service, and provide no local telnet service, invoke
     faithd as follows:

	   # faithd telnet

     If	you would like to provide local	telnet service via telnetd(8) on
     /usr/libexec/telnetd, use the following command line:

	   # faithd telnet /usr/libexec/telnetd	telnetd

     If	you would like to pass extra arguments to the local daemon:

	   # faithd ftp	/usr/libexec/ftpd ftpd -l

     Here are some other examples.  You	may need -p if the service checks the
     source port range.

	   # faithd ssh
	   # faithd telnet /usr/libexec/telnetd	telnetd

   inetd mode samples
     Add the following lines into inetd.conf(5).  Syntax may vary depending
     upon your operating system.

	   telnet  stream  tcp6/faith  nowait  root  faithd  telnetd
	   ftp	   stream  tcp6/faith  nowait  root  faithd  ftpd -l
	   ssh	   stream  tcp6/faith  nowait  root  faithd  /usr/sbin/sshd -i

     inetd(8) will open	listening sockets with kernel TCP relay	support	en-
     abled.  Whenever a	connection comes in, faithd will be invoked by
     inetd(8).	If the connection endpoint is in the reserved IPv6 address
     prefix.  The faithd utility will relay the	connection.  Otherwise,	faithd
     will invoke service-specific daemon like telnetd(8).

   Access control samples
     The following illustrates a simple	faithd.conf setting.

	   # permit anyone from	3ffe:501:ffff::/48 to use the translator,
	   # to	connect	to the following IPv4 destinations:
	   # - any location except and
	   # Permit no other connections.
	   3ffe:501:ffff::/48 deny
	   3ffe:501:ffff::/48 deny
	   3ffe:501:ffff::/48 permit

     faith(4), route(8), sysctl(8)

     Jun-ichiro	itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport
     relay translator",	RFC3142,, June

     The faithd	utility	first appeared in the WIDE Hydrangea IPv6 protocol
     stack kit.

     IPv6 and IPsec support based on the KAME Project (
     stack was initially integrated into FreeBSD 4.0.

     It	is very	insecure to use	IP-address based authentication, for connec-
     tions relayed by faithd, and any other TCP	relaying services.

     Administrators are	advised	to limit accesses to faithd using faithd.conf,
     or	by using IPv6 packet filters, to protect the faithd service from mali-
     cious parties, and	to avoid theft of service/bandwidth.  IPv6 destination
     addresses can be limited by carefully configuring routing entries that
     point to faith(4),	using route(8).	 The IPv6 source address needs to be
     filtered using packet filters.  The documents listed in SEE ALSO have
     more information on this topic.

BSD				August 2, 2011				   BSD


Want to link to this manual page? Use this URL:

home | help