ppp.conf.sample revision 51050
1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 51050 1999-09-07 07:58:17Z brian $ 8# 9################################################################# 10 11# This file is separated into sections. Each section is named with 12# a label starting in column 0 and followed directly by a ``:''. The 13# section continues until the next section. Blank lines and lines 14# beginning with ``#'' are ignored. 15# 16# Lines beginning with "!include" will ``include'' another file. You 17# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 18# 19 20# Default setup. Always executed when PPP is invoked. 21# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 22# 23# This is the best place to specify your modem device, it's DTR rate, 24# your dial script and any logging specification. Logging specs should 25# be done first so that the results of subsequent commands are logged. 26# 27default: 28 set log Phase Chat LCP IPCP CCP tun command 29 set device /dev/cuaa1 30 set speed 115200 31 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 32 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 33 34# Client side PPP 35# 36# Although the PPP protocol is a peer to peer protocol, we normally 37# consider the side that initiates the connection as the client and 38# the side that receives the connection as the server. Authentication 39# is required by the server either using a unix-style login procedure 40# or by demanding PAP or CHAP authentication from the client. 41# 42 43# An on demand example where we have dynamic IP addresses and wish to 44# use a unix-style login script: 45# 46# If the peer assigns us an arbitrary IP (most ISPs do this) and we 47# can't predict what their IP will be either, take a wild guess at 48# some IPs that you can't currently route to. Ppp can change this 49# when the link comes up. 50# 51# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 52# specified IP actually being correct, therefore, the other side can assign 53# any IP number. 54# 55# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 56# IP number, forcing the peer to make the decision. This is necessary 57# when negotiating with some (broken) ppp implementations. 58# 59# This entry also works with static IP numbers or when not in -auto mode. 60# The ``add'' line adds a `sticky' default route that will be updated if 61# and when any of the IP numbers are changed in IPCP negotiations. 62# The "set ifaddr" is required in -auto mode. 63# 64# Finally, the ``enable dns'' line tells ppp to ask the peer for the 65# nameserver addresses that should be used. This isn't always supported 66# by the other side, but if it is, ppp will update /etc/resolv.conf with 67# the correct nameserver values at connection time. 68# 69# The login script shown says that you're expecting ``ogin:''. If you 70# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 71# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 72# You *MUST* customise this login script according to your local 73# requirements. 74# 75pmdemand: 76 set phone 1234567 77 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 78 set timeout 120 79 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 80 add default HISADDR 81 enable dns 82 83# If you want to use PAP or CHAP instead of using a unix-style login 84# procedure, do the following. Note, the peer suggests whether we 85# should send PAP or CHAP. By default, we send whatever we're asked for. 86# 87# You *MUST* customise ``MyName'' and ``MyKey'' below. 88# 89PAPorCHAPpmdemand: 90 set phone 1234567 91 set login 92 set authname MyName 93 set authkey MyKey 94 set timeout 120 95 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 96 add default HISADDR 97 enable dns 98 99# On demand dialup example with static IP addresses: 100# Here, the local side uses 192.244.185.226 and the remote side 101# uses 192.244.176.44. 102# 103# # ppp -auto ondemand 104# 105# With static IP numbers, our setup is similar to dynamic: 106# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 107# a "ondemand" label, and finally the "MYADDR" label. 108# 109ondemand: 110 set phone 1234567 111 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 112 set timeout 120 113 set ifaddr 192.244.185.226 192.244.176.44 114 add default HISADDR 115 enable dns 116 117# Example segments 118# 119# The following lines may be included as part of your configuration 120# section and aren't themselves complete. They're provided as examples 121# of how to achieve different things. 122 123examples: 124# Multi-phone example. Numbers separated by a : are used sequentially. 125# Numbers separated by a | are used if the previous dial or login script 126# failed. Usually, you will prefer to use only one of | or :, but both 127# are allowed. 128# 129 set phone 12345678|12345679:12345670|12345671 130# 131# Ppp can accept control instructions from the ``pppctl'' program. 132# First, you must set up your control socket. It's safest to use 133# a UNIX domain socket, and watch the permissions: 134# 135 set server /var/tmp/internet MySecretPassword 0177 136# 137# Although a TCP port may be used if you want to allow control 138# connections from other machines: 139# 140 set server 6670 MySecretpassword 141# 142# If you don't like ppp's builtin chat, use an external one: 143# 144 set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\"" 145# 146# If we have a ``strange'' modem that must be re-initialized when we 147# hangup: 148# 149 set hangup "\"\" AT OK-AT-OK ATZ OK" 150# 151# To adjust logging withouth blasting the setting in default: 152# 153 set log -command +tcp/ip 154# 155# To see log messages on the screen in interactive mode: 156# 157 set log local LCP IPCP CCP 158# 159# If you're seeing a lot of magic number problems and failed connections, 160# try this (see the man page): 161# 162 set openmode active 5 163# 164# For noisy lines, we may want to reconnect (up to 20 times) after loss 165# of carrier, with 3 second delays between each attempt: 166# 167 set reconnect 3 20 168# 169# When playing server for M$ clients, tell them who our NetBIOS name 170# servers are: 171# 172 set nbns 10.0.0.1 10.0.0.2 173# 174# Inform the client if they ask for our DNS IP numbers: 175# 176 enable dns 177# 178# If you don't want to tell them what's in your /etc/resolf.conf file 179# with `enable dns', override the values: 180# 181 set dns 10.0.0.1 10.0.0.2 182# 183# Some people like to prioritize DNS packets: 184# 185 set urgent udp +53 186# 187# If we're using the -nat switch, redirect ftp and http to an internal 188# machine: 189# 190 nat port 10.0.0.2:ftp ftp 191 nat port 10.0.0.2:http http 192# 193# or don't trust the outside at all 194# 195 nat deny_incoming yes 196# 197# I trust user brian to run ppp, so this goes in the `default' section: 198# 199 allow user brian 200# 201# But label `internet' contains passwords that even brian can't have, so 202# I empty out the user access list in that section so that only root can 203# have access: 204# 205 allow users 206# 207# I also may wish to set up my ppp login script so that it asks the client 208# for the label they wish to use. I may only want user ``dodgy'' to access 209# their own label in direct mode: 210# 211dodgy: 212 allow user dodgy 213 allow mode direct 214# 215# If we don't want ICMP and DNS packets to keep the connection alive: 216# 217 set filter alive 0 deny icmp 218 set filter alive 1 deny udp src eq 53 219 set filter alive 2 deny udp dst eq 53 220 set filter alive 3 permit 0 0 221# 222# And we don't want ICMPs to cause a dialup: 223# 224 set filter dial 0 deny icmp 225 set filter dial 1 permit 0 0 226# 227# or any TCP SYN or RST packets (badly closed TCP channels): 228# 229 set filter dial 2 deny 0 0 tcp syn finrst 230# 231# Once the line's up, allow connections for ident (113), telnet (23), 232# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24), 233# ICMP (ping) and traceroute (>33433). 234# 235# Anything else is blocked by default 236# 237 set filter in 0 permit tcp dst eq 113 238 set filter out 0 permit tcp src eq 113 239 set filter in 1 permit tcp src eq 23 estab 240 set filter out 1 permit tcp dst eq 23 241 set filter in 2 permit tcp src eq 21 estab 242 set filter out 2 permit tcp dst eq 21 243 set filter in 3 permit tcp src eq 20 dst gt 1023 244 set filter out 3 permit tcp dst eq 20 245 set filter in 4 permit udp src eq 53 246 set filter out 4 permit udp dst eq 53 247 set filter in 5 permit 192.244.191.0/24 0/0 248 set filter out 5 permit 0/0 192.244.191.0/24 249 set filter in 6 permit icmp 250 set filter out 6 permit icmp 251 set filter in 7 permit udp dst gt 33433 252 set filter out 7 permit udp dst gt 33433 253 254# 255# ``dodgynet'' is an example intended for an autodial configuration which 256# is connecting a local network to a host on an untrusted network. 257dodgynet: 258 # Log link uptime 259 set log Phase 260 # For autoconnect only 261 allow modes auto 262 # Define modem device and speed 263 set device /dev/cuaa1 264 set speed 115200 265 # Don't support LQR 266 deny lqr 267 # Remote system phone number, login and password 268 set phone 0W1194 269 set authname pppLogin 270 set authkey MyPassword 271 # Chat script to dial remote system 272 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 273 ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 274 # Chat script to login to remote Unix system 275 set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P" 276 # Drop the link after 15 minutes of inactivity 277 # Inactivity is defined by the `set filter alive' line below 278 set timeout 900 279 # Hard-code remote system to appear within local subnet and use proxy arp 280 # to make this system the gateway 281 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 282 enable proxy 283 284 # Allow any TCP packet to keep the link alive 285 set filter alive 0 permit tcp 286 287 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 288 # private TCP ports 24 and 4000 289 set filter dial 0 7 0 0 tcp dst eq http 290 set filter dial 1 7 0 0 tcp dst eq login 291 set filter dial 2 7 0 0 tcp dst eq shell 292 set filter dial 3 7 0 0 tcp dst eq telnet 293 set filter dial 4 7 0 0 tcp dst eq ftp 294 set filter dial 5 7 0 0 tcp dst eq 24 295 set filter dial 6 deny ! 0 0 tcp dst eq 4000 296 # From hosts on a couple of local subnets to the remote peer 297 # If the remote host allowed IP forwarding and we wanted to use it, the 298 # following rules could be split into two groups to separately validate 299 # the source and destination addresses. 300 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 301 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 302 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 303 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 304 305 # Once the link's up, limit outgoing access to the specified hosts 306 set filter out 0 4 172.17.16.0/20 172.17.20.248 307 set filter out 1 4 172.17.36.0/22 172.17.20.248 308 set filter out 2 4 172.17.118.0/26 172.17.20.248 309 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 310 # Allow established TCP connections 311 set filter out 4 permit 0 0 tcp estab 312 # And new connections to http, rlogin, rsh, telnet, ftp and ports 313 # 24 and 4000 314 set filter out 5 permit 0 0 tcp dst eq http 315 set filter out 6 permit 0 0 tcp dst eq login 316 set filter out 7 permit 0 0 tcp dst eq shell 317 set filter out 8 permit 0 0 tcp dst eq telnet 318 set filter out 9 permit 0 0 tcp dst eq ftp 319 set filter out 10 permit 0 0 tcp dst eq 24 320 set filter out 11 permit 0 0 tcp dst eq 4000 321 # And outgoing icmp 322 set filter out 12 permit 0 0 icmp 323 324 # Once the link's up, limit incoming access to the specified hosts 325 set filter in 0 4 172.17.20.248 172.17.16.0/20 326 set filter in 1 4 172.17.20.248 172.17.36.0/22 327 set filter in 2 4 172.17.20.248 172.17.118.0/26 328 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 329 # Established TCP connections and non-PASV FTP 330 set filter in 4 permit 0/0 0/0 tcp estab 331 set filter in 5 permit 0/0 0/0 tcp src eq 20 332 # Useful ICMP messages 333 set filter in 6 permit 0/0 0/0 icmp src eq 3 334 set filter in 7 permit 0/0 0/0 icmp src eq 4 335 set filter in 8 permit 0/0 0/0 icmp src eq 11 336 set filter in 9 permit 0/0 0/0 icmp src eq 12 337 # Echo reply (local systems can ping the remote host) 338 set filter in 10 permit 0/0 0/0 icmp src eq 0 339 # And the remote host can ping the local gateway (only) 340 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 341 342 343# Server side PPP 344# 345# If you want the remote system to authenticate itself, you must insist 346# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 347# PAP are disabled by default. You may enable either or both. If both 348# are enabled, CHAP is requested first. If the client doesn't agree, PAP 349# will then be requested. 350# 351# Note: If you use the getty/login process to authenticate users, you 352# don't need to enable CHAP or PAP, but the user that has logged 353# in *MUST* be a member of the ``network'' group (in /etc/group). 354# 355# If you wish to allow any user in the passwd database ppp access, you 356# can ``enable passwdauth''. 357# 358# When the peer authenticates itself, we use ppp.secret for verification 359# (although refer to the ``set radius'' command below for an alternative). 360# 361# Note: We may supply a third field in ppp.secret specifying the IP 362# address for that user, a forth field to specify the 363# ppp.link{up,down} label to use and a fifth field to specify 364# callback characteristics. 365# 366# The easiest way to allow transparent LAN access to your dialin users 367# is to assign them a number from your local LAN and tell ppp to make a 368# ``proxy'' arp entry for them. In this example, we have a local LAN 369# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 370# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 371# override the dynamic IP number with a static IP number specified in 372# ppp.secret. 373# 374# Ppp is launched with: 375# # ppp -direct server 376# 377server: 378 enable chap 379 enable pap 380 enable passwdauth 381 enable proxy 382 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 383 accept dns 384 385# Example of a RADIUS configuration: 386# If there are one or more radius servers available, we can use them 387# instead of the ppp.secret file. Simply put then in a radius 388# configuration file (usually /etc/radius.conf) and give ppp the 389# file name. 390# Ppp will use the FRAMED characteristics supplied by the radius server 391# to configure the link. 392 393radius-server: 394 load server 395 set radius /etc/radius.conf 396 397 398# Example to connect using a null-modem cable: 399# The important thing here is to allow the lqr packets on both sides. 400# Without them enabled, we can't tell if the line's dropped - there 401# should always be carrier on a direct connection. 402# Here, the server sends lqr's every 10 seconds and quits if five in a 403# row fail. 404# 405# Make sure you don't have "deny lqr" in your default: on the client ! 406# If the peer denies LQR, we still send ECHO LQR packets at the given 407# lqrperiod interval (ppp-style-pings). 408# 409direct-client: 410 set dial "" 411 set device /dev/cuaa0 412 set sp 115200 413 set timeout 900 414 set lqrperiod 10 415 set log Phase Chat LQM 416 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 417 set ifaddr 10.0.4.2 10.0.4.1 418 enable lqr 419 accept lqr 420 421direct-server: 422 set timeout 0 423 set lqrperiod 10 424 set log Phase LQM 425 set ifaddr 10.0.4.1 10.0.4.2 426 enable lqr 427 accept lqr 428 429 430# Example to connect via compuserve 431# Compuserve insists on 7 bits even parity during the chat phase. Modem 432# parity is always reset to ``none'' after the link has been established. 433# 434compuserve: 435 set phone 1234567 436 set parity even 437 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 438 word: XXXXXXXX PPP" 439 set timeout 300 440 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 441 delete ALL 442 add default HISADDR 443 444 445# Example for PPP over TCP. 446# We assume that inetd on tcpsrv.mynet has been 447# configured to run "ppp -direct tcp-server" when it gets a connection on 448# port 1234. Read the man page for further details 449# 450# Note, we assume we're using a binary-clean connection. If something 451# such as `rlogin' is involved, you may need to ``set escape 0xff'' 452# 453tcp-client: 454 set device tcpsrv.mynet:1234 455 set dial 456 set login 457 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 458 459tcp-server: 460 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 461 462# Example for PPP testing. 463# If you want to test ppp, do it through the loopback interface: 464# 465# Requires a line in /etc/services: 466# ppploop 6671/tcp # loopback ppp daemon 467# 468# and a line in /etc/inetd.conf: 469# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in 470# 471loop: 472 set timeout 0 473 set log phase chat connect lcp ipcp command 474 set device localhost:ppploop 475 set dial 476 set login 477 set ifaddr 127.0.0.2 127.0.0.3 478 set server /var/tmp/loop "" 0177 479 480loop-in: 481 set timeout 0 482 set log phase lcp ipcp command 483 allow mode direct 484 485# Example of a VPN. 486# If you're going to create a tunnel through a public network, your VPN 487# should be set up something like this: 488# 489# You should already have set up ssh using ssh-agent & ssh-add. 490# 491sloop: 492 load loop 493 # Passive mode allows ssh plenty of time to establish the connection 494 set openmode passive 495 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in" 496 497# Example of non-PPP callback. 498# If you wish to connect to a server that will dial back *without* using 499# the ppp callback facility (rfc1570), take advantage of the fact that 500# ppp doesn't look for carrier 'till `set login' is complete: 501# 502# Here, we expect the server to say DIALBACK then disconnect after 503# we've authenticated ourselves. When this has happened, we wait 504# 60 seconds for a RING. 505# 506dialback: 507 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 508 ATDT\\T TIMEOUT 60 CONNECT" 509 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 510 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 511 512# Example of PPP callback. 513# Alternatively, if the peer is using the PPP callback protocol, we're 514# happy either with ``auth'' style callback where the server dials us 515# back based on what we authenticate ourselves with, ``cbcp'' style 516# callback (invented by Microsoft but not agreed by the IETF) where 517# we negotiate callback *after* authentication or E.164 callback where 518# we specify only a phone number. I would recommend only ``auth'' and/or 519# ``cbcp'' callback methods. 520# For ``cbcp'', we insist that we choose ``1234567'' as the number that 521# the server must call back. 522# 523callback: 524 load pmdemand 525 set callback auth cbcp e.164 1234567 526 set cbcp 1234567 527 528# If we're running a ppp server that wants to only call back microsoft 529# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 530# 531callback-server: 532 load server 533 set callback cbcp 534 set cbcp 535 set log +cbcp 536 set redial 3 1 537 set device /dev/cuaa0 538 set speed 115200 539 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 540 541# Or if we want to allow authenticated clients to specify their own 542# callback number: 543# 544callback-server-client-decides: 545 load callback-server 546 set cbcp * 547 548# Multilink mode is available (rfc1990). 549# To enable multilink capabilities, you must specify a MRRU. 1500 is 550# a reasonable value. To create new links, use the ``clone'' command 551# to duplicate an existing link. If you already have more than one 552# link, you must specify which link you wish to run the command on via 553# the ``link'' command. 554# 555# You can now ``dial'' specific links, or even dial all links at the 556# same time. The `dial' command may also be prefixed with a specific 557# link that should do the dialing. 558# 559mloop: 560 load loop 561 set mode interactive 562 set mrru 1500 563 clone 1 2 3 564 link deflink remove 565 # dial 566 # link 2 dial 567 # link 3 dial 568 569mloop-in: 570 set timeout 0 571 set log tun phase 572 allow mode direct 573 set mrru 1500 574 575# User supplied authentication: 576# It's possible to run ppp in the background while specifying a 577# program to use to obtain authentication details on demand. 578# This program would usually be a simple GUI that presents a 579# prompt to a known user. The ``chap-auth'' program is supplied 580# as an example (and requires tcl version 8.0). 581# 582CHAPprompt: 583 load PAPorCHAPpmdemand 584 set authkey !/usr/share/examples/ppp/chap-auth 585 586# It's possible to do the same sort of thing at the login prompt. 587# Here, after sending ``brian'' in response to the ``name'' prompt, 588# we're prompted with ``code:''. A window is then displayed on the 589# ``keep:0.0'' display and the typed response is sent to the peer 590# as the password. We then expect to see ``MTU'' and ``.'' in the 591# servers response. 592# 593loginprompt: 594 load pmdemand 595 set authname brian 596 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 597 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 598 AUTHNAME\" MTU \\c ." 599