Barefoot configuration quick start

This page describes a simple server configuration for the Barefoot port bouncer.

Usage scenario

The configuration below has two rules that redirects the following services:

• HTTP (TCP, port 80), to internal.example.org
• DNS (UDP, port 53), to dns.example.org

These ports (port 80 and port 53) are bound on the external interface eth1. To bind these ports, the server will need to be started as root. A user called barefoot will need to be created on the machine the Barefoot server runs on (except on Solaris, where Solaris capabilities are used instead), and this user will be used for unprivileged operations, i.e., most of the operations performed while the Barefoot server runs.

Logging will be done to the file /var/log/barefootd.log. No access control is performed by the server; all traffic to the two bound ports are forwarded regardless of the source or destination address.

Configuration

logoutput: /var/log/barefootd.log
#debug: 1

#address specification (address used binding bounced traffic)
external: eth1

#server identities (not needed on Solaris)
user.privileged    : root
user.notprivileged : barefoot

##
## Barefoot rules
##

#bounce http to internal.example.org
client pass {
        from: 0.0.0.0/0 to: eth1 port = http
        bounce to: internal.example.org port = http
        protocol: tcp
        log: connect disconnect error
}

#bounce dns to dns.example.org
client pass {
        from: 0.0.0.0/0 to: eth1 port = domain
        bounce to: dns.example.org port = domain
        protocol: udp
        log: connect disconnect error 
}