| |
Barefoot configuration quick start
This page describes a simple server
configuration for the Barefoot port bouncer.
Usage scenario
The configuration below has two rules that redirects the following services:
- HTTP (TCP, port 80), to internal.example.org
- DNS (UDP, port 53), to dns.example.org
These ports (port 80 and port 53) are bound on the external
interface eth1. To bind these ports, the server will need to
be started as root. A user called barefoot will need to be
created on the machine the Barefoot server runs on (except on Solaris,
where Solaris capabilities are used instead), and this user will be
used for unprivileged operations, i.e., most of the operations
performed while the Barefoot server runs.
Logging will be done to the file /var/log/barefootd.log.
No access control is performed by the server; all traffic to the two bound
ports are forwarded regardless of the source or destination address.
Configuration
logoutput: /var/log/barefootd.log
#debug: 1
#address specification (address used binding bounced traffic)
external: eth1
#server identities (not needed on Solaris)
user.privileged : root
user.notprivileged : barefoot
##
## Barefoot rules
##
#bounce http to internal.example.org
client pass {
from: 0.0.0.0/0 to: eth1 port = http
bounce to: internal.example.org port = http
protocol: tcp
log: connect disconnect error
}
#bounce dns to dns.example.org
client pass {
from: 0.0.0.0/0 to: eth1 port = domain
bounce to: dns.example.org port = domain
protocol: udp
log: connect disconnect error
}
| |