Barefoot configuration quick start
This page describes a simple server
configuration for the Barefoot port bouncer.
Usage scenario
The configuration below has two rules that redirect the following services:
- HTTP (TCP, port 80), to internal.example.org
- DNS (UDP, port 53), to dns.example.org
These ports (port 80 and port 53) are bound on the external
interface eth1. Because they are privileged ports, the server
needs to be started as root. A user called barefoot should be
created on the machine the Barefoot server runs on (except on Solaris,
where Solaris capabilities are used instead of separate userids); the
server switches to this user for unprivileged operations, i.e., most of
the operations it performs while running.
Logging will be done to the file /var/log/barefootd.log.
In this case no access control is performed by the Barefoot server;
all traffic to the two bound ports is forwarded regardless of the source
or destination address.
Configuration
logoutput: /var/log/barefootd.log
#debug: 1

#address specification (address Barefoot will use when bouncing/forwarding
#traffic to other hosts)
external: eth1

#server identities (not needed on Solaris)
user.privileged : root
user.notprivileged : barefoot

##
## Barefoot rules
##

#bounce http to internal.example.org
client pass {
    from: 0.0.0.0/0 to: eth1 port = http
    bounce to: internal.example.org port = http
    protocol: tcp
    log: connect disconnect error
}

#bounce dns to dns.example.org. In this case, only UDP-based DNS traffic
client pass {
    from: 0.0.0.0/0 to: eth1 port = domain
    bounce to: dns.example.org port = domain
    protocol: udp
    log: connect disconnect error
}
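As an added check, not part of the Barefoot distribution or of this quick start: a small Python script that parses client pass rules in the syntax shown above and reports what a reviewer of such a file wants to know, namely which rules forward traffic from any source (the "no access control" case described above) and which rules carry no log directive. The embedded sample configuration is constructed from the rules on this page, with the log line of the DNS rule removed on purpose; the parser covers only the directives used here.

```python
import re
# Constructed sample: the quick-start rules, with 'log:' deliberately dropped
# from the DNS rule so the audit has something to flag.
SAMPLE_CONF = """\
logoutput: /var/log/barefootd.log
external: eth1
user.privileged : root
user.notprivileged : barefoot
#bounce http to internal.example.org
client pass {
    from: 0.0.0.0/0 to: eth1 port = http
    bounce to: internal.example.org port = http
    protocol: tcp
    log: connect disconnect error
}
client pass {
    from: 0.0.0.0/0 to: eth1 port = domain
    bounce to: dns.example.org port = domain
    protocol: udp
}
"""
RULE_RE = re.compile(r"client\s+(pass|block)\s*\{(.*?)\}", re.S)
KEY_RE = re.compile(r"\b(bounce to|from|to|protocol|log)\s*:\s*")
ANY_SOURCE = {"0.0.0.0/0"}  # the quick start's spelling of "any source"

def parse_rules(text):
    """One dict per 'client pass|block { ... }' block, keyed by field name."""
    text = re.sub(r"#[^\n]*", "", text)  # comments run to end of line
    rules = []
    for verdict, body in RULE_RE.findall(text):
        rule = {"verdict": verdict}
        for line in body.splitlines():
            # One line may carry several fields: 'from: X to: Y port = http'.
            parts = KEY_RE.split(line.strip())
            for key, value in zip(parts[1::2], parts[2::2]):
                rule[key] = value.strip()
        rules.append(rule)
    return rules

def audit(text):
    """Reviewer findings: any-source pass rules, and pass rules that do not log."""
    findings = []
    for i, rule in enumerate(parse_rules(text), 1):
        if rule["verdict"] != "pass":
            continue
        if rule.get("from") in ANY_SOURCE:
            findings.append(f"rule {i}: forwards traffic from any source")
        if "log" not in rule:
            findings.append(f"rule {i}: no log directive, connections leave no trace")
    return findings
```

Run audit() over the text of a real barefootd.conf to get the same findings for that file; any-source rules are expected in the scenario above, but a pass rule without logging is worth fixing before the server goes live.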