Deleted Added
full compact
ppp.conf.sample (89211) ppp.conf.sample (108533)
1#################################################################
2#
3# PPP Sample Configuration File
4#
5# Originally written by Toshiharu OHNO
6#
1#################################################################
2#
3# PPP Sample Configuration File
4#
5# Originally written by Toshiharu OHNO
6#
7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 89211 2002-01-10 14:56:47Z brian $
7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 108533 2003-01-01 18:49:04Z schweikh $
8#
9#################################################################
10
11# This file is separated into sections. Each section is named with
12# a label starting in column 0 and followed directly by a ``:''. The
13# section continues until the next label. Blank lines and characters
14# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
15# or quoted with ""). All commands inside sections that do not begin
16# with ``!'' (e.g., ``!include'') *must* be indented by at least one
17# space or tab or they will not be recognized!
18#
19# Lines beginning with "!include" will ``include'' another file. You
20# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
21#
22
23# Default setup. Always executed when PPP is invoked.
24# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
25#
26# This is the best place to specify your modem device, its DTR rate,
27# your dial script and any logging specification. Logging specs should
28# be done first so that the results of subsequent commands are logged.
29#
30default:
31 set log Phase Chat LCP IPCP CCP tun command
32 set device /dev/cuaa1
33 set speed 115200
34 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
35 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
36
37# Client side PPP
38#
39# Although the PPP protocol is a peer to peer protocol, we normally
40# consider the side that initiates the connection as the client and
41# the side that receives the connection as the server. Authentication
42# is required by the server either using a unix-style login procedure
43# or by demanding PAP or CHAP authentication from the client.
44#
45
46# An on demand example where we have dynamic IP addresses and wish to
47# use a unix-style login script:
48#
49# If the peer assigns us an arbitrary IP (most ISPs do this) and we
50# can't predict what their IP will be either, take a wild guess at
51# some IPs that you can't currently route to. Ppp can change this
52# when the link comes up.
53#
54# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
55# specified IP actually being correct, therefore, the other side can assign
56# any IP number.
57#
58# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
59# IP number, forcing the peer to make the decision. This is necessary
60# when negotiating with some (broken) ppp implementations.
61#
62# This entry also works with static IP numbers or when not in -auto mode.
63# The ``add'' line adds a `sticky' default route that will be updated if
64# and when any of the IP numbers are changed in IPCP negotiations.
65# The "set ifaddr" is required in -auto mode only.
66# It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
67#
68# Finally, the ``enable dns'' line tells ppp to ask the peer for the
69# nameserver addresses that should be used. This isn't always supported
70# by the other side, but if it is, ppp will update /etc/resolv.conf with
71# the correct nameserver values at connection time.
72#
73# The login script shown says that you're expecting ``ogin:''. If you
74# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
75# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
76# You *MUST* customise this login script according to your local
77# requirements.
78#
79pmdemand:
80 set phone 1234567
81 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
82 set timeout 120
83 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
84 add default HISADDR
85 enable dns
86
87# If you want to use PAP or CHAP instead of using a unix-style login
88# procedure, do the following. Note, the peer suggests whether we
89# should send PAP or CHAP. By default, we send whatever we're asked for.
90#
91# You *MUST* customise ``MyName'' and ``MyKey'' below.
92#
93PAPorCHAPpmdemand:
94 set phone 1234567
95 set login
96 set authname MyName
97 set authkey MyKey
98 set timeout 120
99 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
100 add default HISADDR
101 enable dns
102
103# On demand dialup example with static IP addresses:
104# Here, the local side uses 192.244.185.226 and the remote side
105# uses 192.244.176.44.
106#
107# # ppp -auto ondemand
108#
109# With static IP numbers, our setup is similar to dynamic:
110# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
8#
9#################################################################
10
11# This file is separated into sections. Each section is named with
12# a label starting in column 0 and followed directly by a ``:''. The
13# section continues until the next label. Blank lines and characters
14# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
15# or quoted with ""). All commands inside sections that do not begin
16# with ``!'' (e.g., ``!include'') *must* be indented by at least one
17# space or tab or they will not be recognized!
18#
19# Lines beginning with "!include" will ``include'' another file. You
20# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
21#
22
23# Default setup. Always executed when PPP is invoked.
24# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
25#
26# This is the best place to specify your modem device, its DTR rate,
27# your dial script and any logging specification. Logging specs should
28# be done first so that the results of subsequent commands are logged.
29#
30default:
31 set log Phase Chat LCP IPCP CCP tun command
32 set device /dev/cuaa1
33 set speed 115200
34 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
35 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
36
37# Client side PPP
38#
39# Although the PPP protocol is a peer to peer protocol, we normally
40# consider the side that initiates the connection as the client and
41# the side that receives the connection as the server. Authentication
42# is required by the server either using a unix-style login procedure
43# or by demanding PAP or CHAP authentication from the client.
44#
45
46# An on demand example where we have dynamic IP addresses and wish to
47# use a unix-style login script:
48#
49# If the peer assigns us an arbitrary IP (most ISPs do this) and we
50# can't predict what their IP will be either, take a wild guess at
51# some IPs that you can't currently route to. Ppp can change this
52# when the link comes up.
53#
54# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
55# specified IP actually being correct, therefore, the other side can assign
56# any IP number.
57#
58# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
59# IP number, forcing the peer to make the decision. This is necessary
60# when negotiating with some (broken) ppp implementations.
61#
62# This entry also works with static IP numbers or when not in -auto mode.
63# The ``add'' line adds a `sticky' default route that will be updated if
64# and when any of the IP numbers are changed in IPCP negotiations.
65# The "set ifaddr" is required in -auto mode only.
66# It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
67#
68# Finally, the ``enable dns'' line tells ppp to ask the peer for the
69# nameserver addresses that should be used. This isn't always supported
70# by the other side, but if it is, ppp will update /etc/resolv.conf with
71# the correct nameserver values at connection time.
72#
73# The login script shown says that you're expecting ``ogin:''. If you
74# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
75# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
76# You *MUST* customise this login script according to your local
77# requirements.
78#
79pmdemand:
80 set phone 1234567
81 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
82 set timeout 120
83 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
84 add default HISADDR
85 enable dns
86
87# If you want to use PAP or CHAP instead of using a unix-style login
88# procedure, do the following. Note, the peer suggests whether we
89# should send PAP or CHAP. By default, we send whatever we're asked for.
90#
91# You *MUST* customise ``MyName'' and ``MyKey'' below.
92#
93PAPorCHAPpmdemand:
94 set phone 1234567
95 set login
96 set authname MyName
97 set authkey MyKey
98 set timeout 120
99 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
100 add default HISADDR
101 enable dns
102
103# On demand dialup example with static IP addresses:
104# Here, the local side uses 192.244.185.226 and the remote side
105# uses 192.244.176.44.
106#
107# # ppp -auto ondemand
108#
109# With static IP numbers, our setup is similar to dynamic:
110# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
111# a "ondemand" label, and finally the "MYADDR" label.
111# an "ondemand" label, and finally the "MYADDR" label.
112#
113ondemand:
114 set phone 1234567
115 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
116 set timeout 120
117 set ifaddr 192.244.185.226 192.244.176.44
118 add default HISADDR
119 enable dns
120
121# An on-demand dialup example using an external Terminal Adapter (TA)
122# that supports multi-link ppp itself.
123#
124# This may be specific to the AETHRA TA.
125#
126TA:
127 set phone 12345678 # Replace this with your ISPs phone number
128
129 set authname somename # Replace these with your login name & password.
130 set authkey somepasswd # This profile assumes you're using PAP or CHAP.
131
132 enable lqr
133 set reconnect 3 5
134 set redial 3 10
135 set lqrperiod 45
136 disable pred1 deflate mppe
137 deny pred1 deflate mppe
138
139 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
140 OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
141 set login
142 set logout
143 set hangup
144
145 set timeout 60 300 # The minimum charge period is 5 minutes, so don't
146 # hangup before then
147
148 set device /dev/cuaa0 # Or whatever
149 set speed 115200 # Use as high a speed as possible
150
151 enable dns # Ask the peer what to put in resolv.conf
152
153 # Take a wild guess at an IP number and let the other side decide
154 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
155 add! default hisaddr
156
157 set mru 1504 # Some extra room for the MP header
158
159 set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------)
160
161
162# Example segments
163#
164# The following lines may be included as part of your configuration
165# section and aren't themselves complete. They're provided as examples
166# of how to achieve different things.
167
168examples:
169# Multi-phone example. Numbers separated by a : are used sequentially.
170# Numbers separated by a | are used if the previous dial or login script
171# failed. Usually, you will prefer to use only one of | or :, but both
172# are allowed.
173#
174 set phone 12345678|12345679:12345670|12345671
175#
176# Some phone numbers may include # characters - don't forget to escape
177# (or quote) them:
178#
179 set phone "12345##678"
180#
181# Ppp can accept control instructions from the ``pppctl'' program.
182# First, you must set up your control socket. It's safest to use
183# a UNIX domain socket, and watch the permissions:
184#
185 set server /var/run/ppp/internet MySecretPassword 0177
186#
187# Although a TCP port may be used if you want to allow control
188# connections from other machines:
189#
190 set server 6670 MySecretpassword
191#
192# If you don't like ppp's builtin chat, use an external one:
193#
194 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
195#
196# If we have a ``strange'' modem that must be re-initialized when we
197# hangup:
198#
199 set hangup "\"\" AT OK-AT-OK ATZ OK"
200#
201# To adjust logging without blowing away the setting in default:
202#
203 set log -command +tcp/ip
204#
205# To see log messages on the screen in interactive mode:
206#
207 set log local LCP IPCP CCP
208#
209# If you're seeing a lot of magic number problems and failed connections,
210# try this (see the man page):
211#
212 set openmode active 5
213#
214# For noisy lines, we may want to reconnect (up to 20 times) after loss
215# of carrier, with 3 second delays between each attempt:
216#
217 set reconnect 3 20
218#
219# When playing server for M$ clients, tell them who our NetBIOS name
220# servers are:
221#
222 set nbns 10.0.0.1 10.0.0.2
223#
224# Inform the client if they ask for our DNS IP numbers:
225#
226 enable dns
227#
228# If you don't want to tell them what's in your /etc/resolv.conf file
229# with `enable dns', override the values:
230#
231 set dns 10.0.0.1 10.0.0.2
232#
233# Some people like to prioritize DNS packets:
234#
235 set urgent udp +53
236#
237# If we're using the -nat switch, redirect ftp and http to an internal
238# machine:
239#
240 nat port tcp 10.0.0.2:ftp ftp
241 nat port tcp 10.0.0.2:http http
242#
243# or don't trust the outside at all
244#
245 nat deny_incoming yes
246#
247# I trust user brian to run ppp, so this goes in the `default' section:
248#
249 allow user brian
250#
251# But label `internet' contains passwords that even brian can't have, so
252# I empty out the user access list in that section so that only root can
253# have access:
254#
255 allow users
256#
257# I also may wish to set up my ppp login script so that it asks the client
258# for the label they wish to use. I may only want user ``dodgy'' to access
259# their own label in direct mode:
260#
261dodgy:
262 allow user dodgy
263 allow mode direct
264#
265# We don't want certain packets to keep our connection alive
266#
267 set filter alive 0 deny udp src eq 520 # routed
268 set filter alive 1 deny udp dst eq 520 # routed
269 set filter alive 2 deny udp src eq 513 # rwhod
270 set filter alive 3 deny udp src eq 525 # timed
271 set filter alive 4 deny udp src eq 137 # NetBIOS name service
272 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service
273 set filter alive 6 deny tcp src eq 139 # NetBIOS session service
274 set filter alive 7 deny udp dst eq 137 # NetBIOS name service
275 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service
276 set filter alive 9 deny tcp dst eq 139 # NetBIOS session service
277 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside
278 set filter alive 11 permit 0/0 0/0
279#
280# And in auto mode, we don't want certain packets to cause a dialup
281#
282 set filter dial 0 deny udp src eq 513 # rwhod
283 set filter dial 1 deny udp src eq 525 # timed
284 set filter dial 2 deny udp src eq 137 # NetBIOS name service
285 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
286 set filter dial 4 deny tcp src eq 139 # NetBIOS session service
287 set filter dial 5 deny udp dst eq 137 # NetBIOS name service
288 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
289 set filter dial 7 deny tcp dst eq 139 # NetBIOS session service
290 set filter dial 8 deny tcp finrst # Badly closed TCP channels
291 set filter dial 9 permit 0 0
292#
293# Once the line's up, allow these connections
294#
295 set filter in 0 permit tcp dst eq 113 # ident
296 set filter out 0 permit tcp src eq 113 # ident
297 set filter in 1 permit tcp src eq 23 estab # telnet
298 set filter out 1 permit tcp dst eq 23 # telnet
299 set filter in 2 permit tcp src eq 21 estab # ftp
300 set filter out 2 permit tcp dst eq 21 # ftp
301 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data
302 set filter out 3 permit tcp dst eq 20 # ftp-data
303 set filter in 4 permit udp src eq 53 # DNS
304 set filter out 4 permit udp dst eq 53 # DNS
305 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work
306 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work
307 set filter in 6 permit icmp # pings
308 set filter out 6 permit icmp # pings
309 set filter in 7 permit udp dst gt 33433 # traceroute
310 set filter out 7 permit udp dst gt 33433 # traceroute
311
312#
313# ``dodgynet'' is an example intended for an autodial configuration which
314# is connecting a local network to a host on an untrusted network.
315dodgynet:
316 set log Phase # Log link uptime
317 allow mode auto # For autoconnect only
318 set device /dev/cuaa1 # Define modem device and speed
319 set speed 115200
320 deny lqr # Don't support LQR
321 set phone 0W1194 # Remote system phone number,
322 set authname pppLogin # login
323 set authkey MyPassword # and password
324 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer
325 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
326 ATE1Q0M0 OK \\dATDT\\T \
327 TIMEOUT 40 CONNECT"
328 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system
329 gin:--gin: \\U word: \\P"
330
331 # Drop the link after 15 minutes of inactivity
332 # Inactivity is defined by the `set filter alive' line below
333 set timeout 900
334
335 # Hard-code remote system to appear within local subnet and use proxy arp
336 # to make this system the gateway for the rest of the local network
337 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
338 enable proxy
339
340 # Allow any TCP packet to keep the link alive
341 set filter alive 0 permit tcp
342
343 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
344 # private TCP ports 24 and 4000
345 set filter dial 0 7 0 0 tcp dst eq http
346 set filter dial 1 7 0 0 tcp dst eq login
347 set filter dial 2 7 0 0 tcp dst eq shell
348 set filter dial 3 7 0 0 tcp dst eq telnet
349 set filter dial 4 7 0 0 tcp dst eq ftp
350 set filter dial 5 7 0 0 tcp dst eq 24
351 set filter dial 6 deny ! 0 0 tcp dst eq 4000
352
353 # From hosts on a couple of local subnets to the remote peer
354 # If the remote host allowed IP forwarding and we wanted to use it, the
355 # following rules could be split into two groups to separately validate
356 # the source and destination addresses.
112#
113ondemand:
114 set phone 1234567
115 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
116 set timeout 120
117 set ifaddr 192.244.185.226 192.244.176.44
118 add default HISADDR
119 enable dns
120
121# An on-demand dialup example using an external Terminal Adapter (TA)
122# that supports multi-link ppp itself.
123#
124# This may be specific to the AETHRA TA.
125#
126TA:
127 set phone 12345678 # Replace this with your ISPs phone number
128
129 set authname somename # Replace these with your login name & password.
130 set authkey somepasswd # This profile assumes you're using PAP or CHAP.
131
132 enable lqr
133 set reconnect 3 5
134 set redial 3 10
135 set lqrperiod 45
136 disable pred1 deflate mppe
137 deny pred1 deflate mppe
138
139 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
140 OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
141 set login
142 set logout
143 set hangup
144
145 set timeout 60 300 # The minimum charge period is 5 minutes, so don't
146 # hangup before then
147
148 set device /dev/cuaa0 # Or whatever
149 set speed 115200 # Use as high a speed as possible
150
151 enable dns # Ask the peer what to put in resolv.conf
152
153 # Take a wild guess at an IP number and let the other side decide
154 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
155 add! default hisaddr
156
157 set mru 1504 # Some extra room for the MP header
158
159 set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------)
160
161
162# Example segments
163#
164# The following lines may be included as part of your configuration
165# section and aren't themselves complete. They're provided as examples
166# of how to achieve different things.
167
168examples:
169# Multi-phone example. Numbers separated by a : are used sequentially.
170# Numbers separated by a | are used if the previous dial or login script
171# failed. Usually, you will prefer to use only one of | or :, but both
172# are allowed.
173#
174 set phone 12345678|12345679:12345670|12345671
175#
176# Some phone numbers may include # characters - don't forget to escape
177# (or quote) them:
178#
179 set phone "12345##678"
180#
181# Ppp can accept control instructions from the ``pppctl'' program.
182# First, you must set up your control socket. It's safest to use
183# a UNIX domain socket, and watch the permissions:
184#
185 set server /var/run/ppp/internet MySecretPassword 0177
186#
187# Although a TCP port may be used if you want to allow control
188# connections from other machines:
189#
190 set server 6670 MySecretpassword
191#
192# If you don't like ppp's builtin chat, use an external one:
193#
194 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
195#
196# If we have a ``strange'' modem that must be re-initialized when we
197# hangup:
198#
199 set hangup "\"\" AT OK-AT-OK ATZ OK"
200#
201# To adjust logging without blowing away the setting in default:
202#
203 set log -command +tcp/ip
204#
205# To see log messages on the screen in interactive mode:
206#
207 set log local LCP IPCP CCP
208#
209# If you're seeing a lot of magic number problems and failed connections,
210# try this (see the man page):
211#
212 set openmode active 5
213#
214# For noisy lines, we may want to reconnect (up to 20 times) after loss
215# of carrier, with 3 second delays between each attempt:
216#
217 set reconnect 3 20
218#
219# When playing server for M$ clients, tell them who our NetBIOS name
220# servers are:
221#
222 set nbns 10.0.0.1 10.0.0.2
223#
224# Inform the client if they ask for our DNS IP numbers:
225#
226 enable dns
227#
228# If you don't want to tell them what's in your /etc/resolv.conf file
229# with `enable dns', override the values:
230#
231 set dns 10.0.0.1 10.0.0.2
232#
233# Some people like to prioritize DNS packets:
234#
235 set urgent udp +53
236#
237# If we're using the -nat switch, redirect ftp and http to an internal
238# machine:
239#
240 nat port tcp 10.0.0.2:ftp ftp
241 nat port tcp 10.0.0.2:http http
242#
243# or don't trust the outside at all
244#
245 nat deny_incoming yes
246#
247# I trust user brian to run ppp, so this goes in the `default' section:
248#
249 allow user brian
250#
251# But label `internet' contains passwords that even brian can't have, so
252# I empty out the user access list in that section so that only root can
253# have access:
254#
255 allow users
256#
257# I also may wish to set up my ppp login script so that it asks the client
258# for the label they wish to use. I may only want user ``dodgy'' to access
259# their own label in direct mode:
260#
261dodgy:
262 allow user dodgy
263 allow mode direct
264#
265# We don't want certain packets to keep our connection alive
266#
267 set filter alive 0 deny udp src eq 520 # routed
268 set filter alive 1 deny udp dst eq 520 # routed
269 set filter alive 2 deny udp src eq 513 # rwhod
270 set filter alive 3 deny udp src eq 525 # timed
271 set filter alive 4 deny udp src eq 137 # NetBIOS name service
272 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service
273 set filter alive 6 deny tcp src eq 139 # NetBIOS session service
274 set filter alive 7 deny udp dst eq 137 # NetBIOS name service
275 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service
276 set filter alive 9 deny tcp dst eq 139 # NetBIOS session service
277 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside
278 set filter alive 11 permit 0/0 0/0
279#
280# And in auto mode, we don't want certain packets to cause a dialup
281#
282 set filter dial 0 deny udp src eq 513 # rwhod
283 set filter dial 1 deny udp src eq 525 # timed
284 set filter dial 2 deny udp src eq 137 # NetBIOS name service
285 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
286 set filter dial 4 deny tcp src eq 139 # NetBIOS session service
287 set filter dial 5 deny udp dst eq 137 # NetBIOS name service
288 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
289 set filter dial 7 deny tcp dst eq 139 # NetBIOS session service
290 set filter dial 8 deny tcp finrst # Badly closed TCP channels
291 set filter dial 9 permit 0 0
292#
293# Once the line's up, allow these connections
294#
295 set filter in 0 permit tcp dst eq 113 # ident
296 set filter out 0 permit tcp src eq 113 # ident
297 set filter in 1 permit tcp src eq 23 estab # telnet
298 set filter out 1 permit tcp dst eq 23 # telnet
299 set filter in 2 permit tcp src eq 21 estab # ftp
300 set filter out 2 permit tcp dst eq 21 # ftp
301 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data
302 set filter out 3 permit tcp dst eq 20 # ftp-data
303 set filter in 4 permit udp src eq 53 # DNS
304 set filter out 4 permit udp dst eq 53 # DNS
305 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work
306 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work
307 set filter in 6 permit icmp # pings
308 set filter out 6 permit icmp # pings
309 set filter in 7 permit udp dst gt 33433 # traceroute
310 set filter out 7 permit udp dst gt 33433 # traceroute
311
312#
313# ``dodgynet'' is an example intended for an autodial configuration which
314# is connecting a local network to a host on an untrusted network.
315dodgynet:
316 set log Phase # Log link uptime
317 allow mode auto # For autoconnect only
318 set device /dev/cuaa1 # Define modem device and speed
319 set speed 115200
320 deny lqr # Don't support LQR
321 set phone 0W1194 # Remote system phone number,
322 set authname pppLogin # login
323 set authkey MyPassword # and password
324 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer
325 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
326 ATE1Q0M0 OK \\dATDT\\T \
327 TIMEOUT 40 CONNECT"
328 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system
329 gin:--gin: \\U word: \\P"
330
331 # Drop the link after 15 minutes of inactivity
332 # Inactivity is defined by the `set filter alive' line below
333 set timeout 900
334
335 # Hard-code remote system to appear within local subnet and use proxy arp
336 # to make this system the gateway for the rest of the local network
337 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
338 enable proxy
339
340 # Allow any TCP packet to keep the link alive
341 set filter alive 0 permit tcp
342
343 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
344 # private TCP ports 24 and 4000
345 set filter dial 0 7 0 0 tcp dst eq http
346 set filter dial 1 7 0 0 tcp dst eq login
347 set filter dial 2 7 0 0 tcp dst eq shell
348 set filter dial 3 7 0 0 tcp dst eq telnet
349 set filter dial 4 7 0 0 tcp dst eq ftp
350 set filter dial 5 7 0 0 tcp dst eq 24
351 set filter dial 6 deny ! 0 0 tcp dst eq 4000
352
353 # From hosts on a couple of local subnets to the remote peer
354 # If the remote host allowed IP forwarding and we wanted to use it, the
355 # following rules could be split into two groups to separately validate
356 # the source and destination addresses.
357 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
358 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
359 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
360 set filter dial 10 permit 10.123.5.0/24 172.17.20.248
357 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
358 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
359 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
360 set filter dial 10 permit 10.123.5.0/24 172.17.20.248
361
362 # Once the link's up, limit outgoing access to the specified hosts
361
362 # Once the link's up, limit outgoing access to the specified hosts
363 set filter out 0 4 172.17.16.0/20 172.17.20.248
364 set filter out 1 4 172.17.36.0/22 172.17.20.248
365 set filter out 2 4 172.17.118.0/26 172.17.20.248
366 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
363 set filter out 0 4 172.17.16.0/20 172.17.20.248
364 set filter out 1 4 172.17.36.0/22 172.17.20.248
365 set filter out 2 4 172.17.118.0/26 172.17.20.248
366 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
367
368 # Allow established TCP connections
369 set filter out 4 permit 0 0 tcp estab
370
371 # And new connections to http, rlogin, rsh, telnet, ftp and ports
372 # 24 and 4000
373 set filter out 5 permit 0 0 tcp dst eq http
374 set filter out 6 permit 0 0 tcp dst eq login
375 set filter out 7 permit 0 0 tcp dst eq shell
376 set filter out 8 permit 0 0 tcp dst eq telnet
377 set filter out 9 permit 0 0 tcp dst eq ftp
378 set filter out 10 permit 0 0 tcp dst eq 24
379 set filter out 11 permit 0 0 tcp dst eq 4000
380
381 # And outgoing icmp
382 set filter out 12 permit 0 0 icmp
383
384 # Once the link's up, limit incoming access to the specified hosts
385 set filter in 0 4 172.17.20.248 172.17.16.0/20
386 set filter in 1 4 172.17.20.248 172.17.36.0/22
387 set filter in 2 4 172.17.20.248 172.17.118.0/26
388 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
389
390 # Established TCP connections and non-PASV FTP
391 set filter in 4 permit 0/0 0/0 tcp estab
392 set filter in 5 permit 0/0 0/0 tcp src eq 20
393
394 # Useful ICMP messages
395 set filter in 6 permit 0/0 0/0 icmp src eq 3
396 set filter in 7 permit 0/0 0/0 icmp src eq 4
397 set filter in 8 permit 0/0 0/0 icmp src eq 11
398 set filter in 9 permit 0/0 0/0 icmp src eq 12
399
400 # Echo reply (local systems can ping the remote host)
401 set filter in 10 permit 0/0 0/0 icmp src eq 0
402
403 # And the remote host can ping the local gateway (only)
404 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
405
406
407# Server side PPP
408#
409# If you want the remote system to authenticate itself, you must insist
410# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
411# PAP are disabled by default. You may enable either or both. If both
412# are enabled, CHAP is requested first. If the client doesn't agree, PAP
413# will then be requested.
414#
415# Note: If you use the getty/login process to authenticate users, you
416# don't need to enable CHAP or PAP, but the user that has logged
417# in *MUST* be a member of the ``network'' group (in /etc/group).
418#
419# Note: Chap80 and chap81 are Microsoft variations of standard chap (05).
420#
421# If you wish to allow any user in the passwd database ppp access, you
422# can ``enable passwdauth'', but this will only work with PAP.
423#
424# When the peer authenticates itself, we use ppp.secret for verification
425# (although refer to the ``set radius'' command below for an alternative).
426#
427# Note: We may supply a third field in ppp.secret specifying the IP
428# address for that user, a fourth field to specify the
429# ppp.link{up,down} label to use and a fifth field to specify
430# callback characteristics.
431#
432# The easiest way to allow transparent LAN access to your dialin users
433# is to assign them a number from your local LAN and tell ppp to make a
434# ``proxy'' arp entry for them. In this example, we have a local LAN
435# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
436# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
437# override the dynamic IP number with a static IP number specified in
438# ppp.secret.
439#
440# Ppp is launched with:
441# # ppp -direct server
442#
443server:
444 enable chap chap80 chap81 pap passwdauth
445 enable proxy
446 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
447 accept dns
448
449# Example of a RADIUS configuration:
450# If there are one or more radius servers available, we can use them
451# instead of the ppp.secret file. Simply put then in a radius
452# configuration file (usually /etc/radius.conf) and give ppp the
453# file name.
454# Ppp will use the FRAMED characteristics supplied by the radius server
455# to configure the link.
456
457radius-server:
458 load server # load in the server config from above
459 set radius /etc/radius.conf
460
461
462# Example to connect using a null-modem cable:
463# The important thing here is to allow the lqr packets on both sides.
464# Without them enabled, we can't tell if the line's dropped - there
465# should always be carrier on a direct connection.
466# Here, the server sends lqr's every 10 seconds and quits if five in a
467# row fail.
468#
469# Make sure you don't have "deny lqr" in your default: on the client !
470# If the peer denies LQR, we still send ECHO LQR packets at the given
471# lqrperiod interval (ppp-style-pings).
472#
473direct-client:
474 set dial
475 set device /dev/cuaa0
476 set sp 115200
477 set timeout 900
478 set lqrperiod 10
479 set log Phase Chat LQM
480 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
481 set ifaddr 10.0.4.2 10.0.4.1
482 enable lqr
483 accept lqr
367
368 # Allow established TCP connections
369 set filter out 4 permit 0 0 tcp estab
370
371 # And new connections to http, rlogin, rsh, telnet, ftp and ports
372 # 24 and 4000
373 set filter out 5 permit 0 0 tcp dst eq http
374 set filter out 6 permit 0 0 tcp dst eq login
375 set filter out 7 permit 0 0 tcp dst eq shell
376 set filter out 8 permit 0 0 tcp dst eq telnet
377 set filter out 9 permit 0 0 tcp dst eq ftp
378 set filter out 10 permit 0 0 tcp dst eq 24
379 set filter out 11 permit 0 0 tcp dst eq 4000
380
381 # And outgoing icmp
382 set filter out 12 permit 0 0 icmp
383
384 # Once the link's up, limit incoming access to the specified hosts
385 set filter in 0 4 172.17.20.248 172.17.16.0/20
386 set filter in 1 4 172.17.20.248 172.17.36.0/22
387 set filter in 2 4 172.17.20.248 172.17.118.0/26
388 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
389
390 # Established TCP connections and non-PASV FTP
391 set filter in 4 permit 0/0 0/0 tcp estab
392 set filter in 5 permit 0/0 0/0 tcp src eq 20
393
394 # Useful ICMP messages
395 set filter in 6 permit 0/0 0/0 icmp src eq 3
396 set filter in 7 permit 0/0 0/0 icmp src eq 4
397 set filter in 8 permit 0/0 0/0 icmp src eq 11
398 set filter in 9 permit 0/0 0/0 icmp src eq 12
399
400 # Echo reply (local systems can ping the remote host)
401 set filter in 10 permit 0/0 0/0 icmp src eq 0
402
403 # And the remote host can ping the local gateway (only)
404 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
405
406
407# Server side PPP
408#
409# If you want the remote system to authenticate itself, you must insist
410# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
411# PAP are disabled by default. You may enable either or both. If both
412# are enabled, CHAP is requested first. If the client doesn't agree, PAP
413# will then be requested.
414#
415# Note: If you use the getty/login process to authenticate users, you
416# don't need to enable CHAP or PAP, but the user that has logged
417# in *MUST* be a member of the ``network'' group (in /etc/group).
418#
419# Note: Chap80 and chap81 are Microsoft variations of standard chap (05).
420#
421# If you wish to allow any user in the passwd database ppp access, you
422# can ``enable passwdauth'', but this will only work with PAP.
423#
424# When the peer authenticates itself, we use ppp.secret for verification
425# (although refer to the ``set radius'' command below for an alternative).
426#
427# Note: We may supply a third field in ppp.secret specifying the IP
428# address for that user, a fourth field to specify the
429# ppp.link{up,down} label to use and a fifth field to specify
430# callback characteristics.
431#
432# The easiest way to allow transparent LAN access to your dialin users
433# is to assign them a number from your local LAN and tell ppp to make a
434# ``proxy'' arp entry for them. In this example, we have a local LAN
435# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
436# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
437# override the dynamic IP number with a static IP number specified in
438# ppp.secret.
439#
440# Ppp is launched with:
441# # ppp -direct server
442#
443server:
444 enable chap chap80 chap81 pap passwdauth
445 enable proxy
446 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
447 accept dns
448
449# Example of a RADIUS configuration:
450# If there are one or more radius servers available, we can use them
451# instead of the ppp.secret file. Simply put then in a radius
452# configuration file (usually /etc/radius.conf) and give ppp the
453# file name.
454# Ppp will use the FRAMED characteristics supplied by the radius server
455# to configure the link.
456
457radius-server:
458 load server # load in the server config from above
459 set radius /etc/radius.conf
460
461
462# Example to connect using a null-modem cable:
463# The important thing here is to allow the lqr packets on both sides.
464# Without them enabled, we can't tell if the line's dropped - there
465# should always be carrier on a direct connection.
466# Here, the server sends lqr's every 10 seconds and quits if five in a
467# row fail.
468#
469# Make sure you don't have "deny lqr" in your default: on the client !
470# If the peer denies LQR, we still send ECHO LQR packets at the given
471# lqrperiod interval (ppp-style-pings).
472#
473direct-client:
474 set dial
475 set device /dev/cuaa0
476 set sp 115200
477 set timeout 900
478 set lqrperiod 10
479 set log Phase Chat LQM
480 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
481 set ifaddr 10.0.4.2 10.0.4.1
482 enable lqr
483 accept lqr
484
484
485direct-server:
486 set timeout 0
487 set lqrperiod 10
488 set log Phase LQM
489 set ifaddr 10.0.4.1 10.0.4.2
490 enable lqr
491 accept lqr
492
493
494# Example to connect via compuserve
495# Compuserve insists on 7 bits even parity during the chat phase. Modem
496# parity is always reset to ``none'' after the link has been established.
497#
498compuserve:
499 set phone 1234567
500 set parity even
501 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
502 word: XXXXXXXX PPP"
503 set timeout 300
504 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
505 delete ALL
506 add default HISADDR
507
508
509# Example for PPP over TCP.
510# We assume that inetd on tcpsrv.mynet has been
511# configured to run "ppp -direct tcp-server" when it gets a connection on
512# port 1234 with an entry something like this in /etc/inetd.conf.:
513#
514# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
515#
516# with this in /etc/services:
517#
518# ppp 6671/tcp
519#
520# Read the man page for further details.
521#
522# Note, we assume we're using a binary-clean connection. If something
523# such as `rlogin' is involved, you may need to ``set escape 0xff''
524#
525tcp-client:
526 set device tcpsrv.mynet:1234
527 set dial
528 set login
529 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
530
531tcp-server:
532 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
533
534
535# Using UDP is also possible with this in /etc/inetd.conf:
536#
537# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
538#
539# and this in /etc/services:
540#
541# ppp 6671/tcp
542#
543udp-client:
544 set device udpsrv.mynet:1234/udp
545 set dial
546 set login
547 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
548
549udp-server:
550 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
551
552
553# Example for PPP testing.
554# If you want to test ppp, do it through the loopback interface:
555#
556# Requires a line in /etc/services:
557# ppploop 6671/tcp # loopback ppp daemon
558#
559# and a line in /etc/inetd.conf:
560# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
561#
562inet-loop:
563 set timeout 0
564 set log phase chat connect lcp ipcp command
565 set device localhost:ppploop
566 set dial
567 set login
568 set ifaddr 127.0.0.2 127.0.0.3
569 set server /var/run/ppp/loop "" 0177
485direct-server:
486 set timeout 0
487 set lqrperiod 10
488 set log Phase LQM
489 set ifaddr 10.0.4.1 10.0.4.2
490 enable lqr
491 accept lqr
492
493
494# Example to connect via compuserve
495# Compuserve insists on 7 bits even parity during the chat phase. Modem
496# parity is always reset to ``none'' after the link has been established.
497#
498compuserve:
499 set phone 1234567
500 set parity even
501 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
502 word: XXXXXXXX PPP"
503 set timeout 300
504 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
505 delete ALL
506 add default HISADDR
507
508
509# Example for PPP over TCP.
510# We assume that inetd on tcpsrv.mynet has been
511# configured to run "ppp -direct tcp-server" when it gets a connection on
512# port 1234 with an entry something like this in /etc/inetd.conf.:
513#
514# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
515#
516# with this in /etc/services:
517#
518# ppp 6671/tcp
519#
520# Read the man page for further details.
521#
522# Note, we assume we're using a binary-clean connection. If something
523# such as `rlogin' is involved, you may need to ``set escape 0xff''
524#
525tcp-client:
526 set device tcpsrv.mynet:1234
527 set dial
528 set login
529 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
530
531tcp-server:
532 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
533
534
535# Using UDP is also possible with this in /etc/inetd.conf:
536#
537# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
538#
539# and this in /etc/services:
540#
541# ppp 6671/tcp
542#
543udp-client:
544 set device udpsrv.mynet:1234/udp
545 set dial
546 set login
547 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
548
549udp-server:
550 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
551
552
553# Example for PPP testing.
554# If you want to test ppp, do it through the loopback interface:
555#
556# Requires a line in /etc/services:
557# ppploop 6671/tcp # loopback ppp daemon
558#
559# and a line in /etc/inetd.conf:
560# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
561#
562inet-loop:
563 set timeout 0
564 set log phase chat connect lcp ipcp command
565 set device localhost:ppploop
566 set dial
567 set login
568 set ifaddr 127.0.0.2 127.0.0.3
569 set server /var/run/ppp/loop "" 0177
570
570
571inet-loop-in:
572 set timeout 0
573 set log phase lcp ipcp command
574 allow mode direct
575
576# Example of a VPN.
577# If you're going to create a tunnel through a public network, your VPN
578# should be set up something like this:
579#
580# You should already have set up ssh using ssh-agent & ssh-add.
581#
582sloop:
583 load inet-loop
584 # Passive mode allows ssh plenty of time to establish the connection
585 set openmode passive
586 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
587
588
589# or a better VPN solution (which doesn't run IP over a reliable
590# protocol like tcp) may be:
591#
592vpn-client:
593 set device udpsrv.mynet:1234/udp # PPP over UDP
594 set dial
595 set login
596 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
597 disable deflate pred1
598 deny deflate pred1
599 enable MPPE # With encryption
600 accept MPPE
601
602vpn-server:
603 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
604 disable deflate pred1
605 deny deflate pred1
606 enable MPPE
607 accept MPPE
608 enable chap81 # Required for MPPE
609
610# Example of non-PPP callback.
611# If you wish to connect to a server that will dial back *without* using
612# the ppp callback facility (rfc1570), take advantage of the fact that
613# ppp doesn't look for carrier 'till `set login' is complete:
614#
615# Here, we expect the server to say DIALBACK then disconnect after
616# we've authenticated ourselves. When this has happened, we wait
617# 60 seconds for a RING.
618#
619# Note, it's important that we tell ppp not to expect carrier, otherwise
620# we'll drop out at the ``NO CARRIER'' stage.
621#
622dialback:
623 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
624 ATDT\\T TIMEOUT 60 CONNECT"
625 set cd off
626 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
627 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
628
629# Example of PPP callback.
630# Alternatively, if the peer is using the PPP callback protocol, we're
631# happy either with ``auth'' style callback where the server dials us
632# back based on what we authenticate ourselves with, ``cbcp'' style
633# callback (invented by Microsoft but not agreed by the IETF) where
634# we negotiate callback *after* authentication or E.164 callback where
635# we specify only a phone number. I would recommend only ``auth'' and/or
636# ``cbcp'' callback methods.
637# For ``cbcp'', we insist that we choose ``1234567'' as the number that
638# the server must call back.
639#
640callback:
641 load pmdemand # load in the pmdemand config
642 set callback auth cbcp e.164 1234567
643 set cbcp 1234567
644
645# If we're running a ppp server that wants to only call back microsoft
646# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
647#
648callback-server:
649 load server
650 set callback cbcp
651 set cbcp
652 set log +cbcp
653 set redial 3 1
654 set device /dev/cuaa0
655 set speed 115200
656 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
657
658# Or if we want to allow authenticated clients to specify their own
659# callback number:
660#
661callback-server-client-decides:
662 load callback-server
663 set cbcp *
664
665# Multilink mode is available (rfc1990).
666# To enable multi-link capabilities, you must specify a MRRU. 1500 is
667# a reasonable value. To create new links, use the ``clone'' command
668# to duplicate an existing link. If you already have more than one
669# link, you must specify which link you wish to run the command on via
670# the ``link'' command.
671#
672# It's worth increasing your MTU and MRU slightly in multi-link mode to
673# prevent full packets from being fragmented.
674#
675# See ppp.conf.isdn for an example of how to do multi-link isdn.
676#
677# You can now ``dial'' specific links, or even dial all links at the
678# same time. The `dial' command may also be prefixed with a specific
679# link that should do the dialing.
680#
681mloop:
682 load loop
683 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices
684 set mode interactive
685 set mrru 1500
686 set mru 1504 # Room for the MP header
687 clone 1 2 3
688 link deflink remove
689 # dial
571inet-loop-in:
572 set timeout 0
573 set log phase lcp ipcp command
574 allow mode direct
575
576# Example of a VPN.
577# If you're going to create a tunnel through a public network, your VPN
578# should be set up something like this:
579#
580# You should already have set up ssh using ssh-agent & ssh-add.
581#
582sloop:
583 load inet-loop
584 # Passive mode allows ssh plenty of time to establish the connection
585 set openmode passive
586 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
587
588
589# or a better VPN solution (which doesn't run IP over a reliable
590# protocol like tcp) may be:
591#
592vpn-client:
593 set device udpsrv.mynet:1234/udp # PPP over UDP
594 set dial
595 set login
596 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
597 disable deflate pred1
598 deny deflate pred1
599 enable MPPE # With encryption
600 accept MPPE
601
602vpn-server:
603 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
604 disable deflate pred1
605 deny deflate pred1
606 enable MPPE
607 accept MPPE
608 enable chap81 # Required for MPPE
609
610# Example of non-PPP callback.
611# If you wish to connect to a server that will dial back *without* using
612# the ppp callback facility (rfc1570), take advantage of the fact that
613# ppp doesn't look for carrier 'till `set login' is complete:
614#
615# Here, we expect the server to say DIALBACK then disconnect after
616# we've authenticated ourselves. When this has happened, we wait
617# 60 seconds for a RING.
618#
619# Note, it's important that we tell ppp not to expect carrier, otherwise
620# we'll drop out at the ``NO CARRIER'' stage.
621#
622dialback:
623 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
624 ATDT\\T TIMEOUT 60 CONNECT"
625 set cd off
626 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
627 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
628
629# Example of PPP callback.
630# Alternatively, if the peer is using the PPP callback protocol, we're
631# happy either with ``auth'' style callback where the server dials us
632# back based on what we authenticate ourselves with, ``cbcp'' style
633# callback (invented by Microsoft but not agreed by the IETF) where
634# we negotiate callback *after* authentication or E.164 callback where
635# we specify only a phone number. I would recommend only ``auth'' and/or
636# ``cbcp'' callback methods.
637# For ``cbcp'', we insist that we choose ``1234567'' as the number that
638# the server must call back.
639#
640callback:
641 load pmdemand # load in the pmdemand config
642 set callback auth cbcp e.164 1234567
643 set cbcp 1234567
644
645# If we're running a ppp server that wants to only call back microsoft
646# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
647#
648callback-server:
649 load server
650 set callback cbcp
651 set cbcp
652 set log +cbcp
653 set redial 3 1
654 set device /dev/cuaa0
655 set speed 115200
656 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
657
658# Or if we want to allow authenticated clients to specify their own
659# callback number:
660#
661callback-server-client-decides:
662 load callback-server
663 set cbcp *
664
665# Multilink mode is available (rfc1990).
666# To enable multi-link capabilities, you must specify a MRRU. 1500 is
667# a reasonable value. To create new links, use the ``clone'' command
668# to duplicate an existing link. If you already have more than one
669# link, you must specify which link you wish to run the command on via
670# the ``link'' command.
671#
672# It's worth increasing your MTU and MRU slightly in multi-link mode to
673# prevent full packets from being fragmented.
674#
675# See ppp.conf.isdn for an example of how to do multi-link isdn.
676#
677# You can now ``dial'' specific links, or even dial all links at the
678# same time. The `dial' command may also be prefixed with a specific
679# link that should do the dialing.
680#
681mloop:
682 load loop
683 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices
684 set mode interactive
685 set mrru 1500
686 set mru 1504 # Room for the MP header
687 clone 1 2 3
688 link deflink remove
689 # dial
690 # link 2 dial
691 # link 3 dial
690 # link 2 dial
691 # link 3 dial
692
693mloop-in:
694 set timeout 0 # No idle timer
695 set log tun phase
696 allow mode direct
697 set mrru 1500
698 set mru 1504 # Room for the MP header
699
700# User supplied authentication:
701# It's possible to run ppp in the background while specifying a
702# program to use to obtain authentication details on demand.
703# This program would usually be a simple GUI that presents a
704# prompt to a known user. The ``chap-auth'' program is supplied
705# as an example (and requires tcl version 8.0).
706#
707CHAPprompt:
708 load PAPorCHAPpmdemand
709 set authkey !/usr/share/examples/ppp/chap-auth
710
711# It's possible to do the same sort of thing at the login prompt.
712# Here, after sending ``brian'' in response to the ``name'' prompt,
713# we're prompted with ``code:''. A window is then displayed on the
714# ``keep:0.0'' display and the typed response is sent to the peer
715# as the password. We then expect to see ``MTU'' and ``.'' in the
716# servers response.
717#
718loginprompt:
719 load pmdemand
720 set authname brian
721 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
722 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
723 AUTHNAME\" MTU \\c ."
724
725# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache
726# the MAC address that connects to them, making it impossible to switch
727# your PPPoE connection between machines.
728#
729# The current implementation requires Netgraph, so it doesn't work with
730# OpenBSD or NetBSD.
731#
732# The client should be something like this:
733#
734pppoe:
735 set device PPPoE:de0:pppoe-in
736 enable lqr
737 set cd 5
738 set dial
739 set login
740 set redial 0 0
741
742# And the server should be running
743#
744# /usr/libexec/pppoed -p pppoe-in fxp0
745#
746# See rc.conf(5)
747#
748pppoe-in:
749 allow mode direct # Only for use on server-side
750 enable lqr proxy # Enable LQR and proxy-arp
751 enable chap pap passwdauth # Force client authentication
752 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers
753 accept dns # Allow DNS negotiation
754
755# It's possible to run ppp back-to-back with itself. This is useful
756# for testing.
757#
758# When testing scalability and concurrency, the following profile might
759# be used.
760#
761# Note, you'll have to make some other machine adjustments:
762#
763# o Bump maxusers in your kernel configuration to about 256 so that there
764# are enough process table slots.
765# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll
766# need 3 descriptors per ppp process (assuming no server socket).
767# o If you're not using DEVFS, create device notes with
768# ``cd /dev; ./MAKEDEV tun5000''.
769#
770# You can now create 2000 processes (1000 pairs) with:
771#
772# n=0
773# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
774#
775# If you want to test concurrency, try using ``ppp -dd loop'' instead.
776#
777loop:
778 set timeout 0
779 set log
780 set device "!ppp -direct loop-in"
781 set dial
782 set login
692
693mloop-in:
694 set timeout 0 # No idle timer
695 set log tun phase
696 allow mode direct
697 set mrru 1500
698 set mru 1504 # Room for the MP header
699
700# User supplied authentication:
701# It's possible to run ppp in the background while specifying a
702# program to use to obtain authentication details on demand.
703# This program would usually be a simple GUI that presents a
704# prompt to a known user. The ``chap-auth'' program is supplied
705# as an example (and requires tcl version 8.0).
706#
707CHAPprompt:
708 load PAPorCHAPpmdemand
709 set authkey !/usr/share/examples/ppp/chap-auth
710
711# It's possible to do the same sort of thing at the login prompt.
712# Here, after sending ``brian'' in response to the ``name'' prompt,
713# we're prompted with ``code:''. A window is then displayed on the
714# ``keep:0.0'' display and the typed response is sent to the peer
715# as the password. We then expect to see ``MTU'' and ``.'' in the
716# servers response.
717#
718loginprompt:
719 load pmdemand
720 set authname brian
721 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
722 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
723 AUTHNAME\" MTU \\c ."
724
725# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache
726# the MAC address that connects to them, making it impossible to switch
727# your PPPoE connection between machines.
728#
729# The current implementation requires Netgraph, so it doesn't work with
730# OpenBSD or NetBSD.
731#
732# The client should be something like this:
733#
734pppoe:
735 set device PPPoE:de0:pppoe-in
736 enable lqr
737 set cd 5
738 set dial
739 set login
740 set redial 0 0
741
742# And the server should be running
743#
744# /usr/libexec/pppoed -p pppoe-in fxp0
745#
746# See rc.conf(5)
747#
748pppoe-in:
749 allow mode direct # Only for use on server-side
750 enable lqr proxy # Enable LQR and proxy-arp
751 enable chap pap passwdauth # Force client authentication
752 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers
753 accept dns # Allow DNS negotiation
754
755# It's possible to run ppp back-to-back with itself. This is useful
756# for testing.
757#
758# When testing scalability and concurrency, the following profile might
759# be used.
760#
761# Note, you'll have to make some other machine adjustments:
762#
763# o Bump maxusers in your kernel configuration to about 256 so that there
764# are enough process table slots.
765# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll
766# need 3 descriptors per ppp process (assuming no server socket).
767# o If you're not using DEVFS, create device notes with
768# ``cd /dev; ./MAKEDEV tun5000''.
769#
770# You can now create 2000 processes (1000 pairs) with:
771#
772# n=0
773# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
774#
775# If you want to test concurrency, try using ``ppp -dd loop'' instead.
776#
777loop:
778 set timeout 0
779 set log
780 set device "!ppp -direct loop-in"
781 set dial
782 set login
783 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
783 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
784 disable deflate pred1 mppe
785 deny deflate pred1 mppe
784 disable deflate pred1 mppe
785 deny deflate pred1 mppe
786
786
787loop-in:
788 set timeout 0
789 set log
790 allow mode direct
791 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
792 disable deflate pred1 mppe
793 deny deflate pred1 mppe
787loop-in:
788 set timeout 0
789 set log
790 allow mode direct
791 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
792 disable deflate pred1 mppe
793 deny deflate pred1 mppe