barefoot   Frontpage - Barefoot - Download - Usage - Status - Support - Modules - Docs - Links - Survey - GDPR
 

Barefoot configuration quick start

This page describes a simple server configuration for the Barefoot port bouncer.

Usage scenario

The configuration below has two rules that redirects the following services:

  • HTTP (TCP, port 80), to internal.example.org
  • DNS (UDP, port 53), to dns.example.org

These ports (port 80 and port 53) are bound on the external interface eth1. To bind these privileged ports, the server will need to be started as root. A user called barefoot should be created on the machine the Barefoot server runs on (except on Solaris, where Solaris capabilities are used instead of separate userids), so that this user will be used for unprivileged operations, i.e., most of the operations performed while the Barefoot server runs.

Logging will be done to the file /var/log/barefootd.log. In this case no access control is performed by the Barefoot server; all traffic to the two bound ports are forwarded regardless of the source or destination address.

Configuration

logoutput: /var/log/barefootd.log
#debug: 1

#address specification (address Barefoot will use when bouncing/forwarding
#traffic to other hosts)
external: eth1

#server identities (not needed on Solaris)
user.privileged    : root
user.notprivileged : barefoot

##
## Barefoot rules
##

#bounce http to internal.example.org
client pass {
        from: 0.0.0.0/0 to: eth1 port = http
        bounce to: internal.example.org port = http
        protocol: tcp
        log: connect disconnect error
}

#bounce dns to dns.example.org.  In this case, only UDP-based DNS traffic
client pass {
        from: 0.0.0.0/0 to: eth1 port = domain
        bounce to: dns.example.org port = domain
        protocol: udp
        log: connect disconnect error 
}

Copyright © 1998-2024 Inferno Nettverk A/S