examples/ppp/ppp.conf.sample

#################################################################
#
#              PPP  Sample Configuration File
#
#           Originally written by Toshiharu OHNO
#
# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 51050 1999-09-07 07:58:17Z brian $
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next section.  Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup. Always executed when PPP is invoked.
#  This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
#  This is the best place to specify your modem device, it's DTR rate,
#  your dial script and any logging specification.  Logging specs should
#  be done first so that the results of subsequent commands are logged.
#
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
#  Although the PPP protocol is a peer to peer protocol, we normally
#  consider the side that initiates the connection as the client and
#  the side that receives the connection as the server.  Authentication
#  is required by the server either using a unix-style login procedure
#  or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
#  can't predict what their IP will be either, take a wild guess at
#  some IPs that you can't currently route to.  Ppp can change this
#  when the link comes up.
#
#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
#  specified IP actually being correct, therefore, the other side can assign
#  any IP number.
#
#  The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
#  IP number, forcing the peer to make the decision.  This is necessary
#  when negotiating with some (broken) ppp implementations.
#
#  This entry also works with static IP numbers or when not in -auto mode.
#  The ``add'' line adds a `sticky' default route that will be updated if
#  and when any of the IP numbers are changed in IPCP negotiations.
#  The "set ifaddr" is required in -auto mode.
#
#  Finally, the ``enable dns'' line tells ppp to ask the peer for the
#  nameserver addresses that should be used.  This isn't always supported
#  by the other side, but if it is, ppp will update /etc/resolv.conf with
#  the correct nameserver values at connection time.
#
#  The login script shown says that you're expecting ``ogin:''.  If you
#  don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
#  it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
#  You *MUST* customise this login script according to your local
#  requirements.
#
pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname MyName
 set authkey MyKey
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# On demand dialup example with static IP addresses:
#  Here, the local side uses 192.244.185.226 and the remote side
#  uses 192.244.176.44.
#
#  # ppp -auto ondemand
#
#  With static IP numbers, our setup is similar to dynamic:
#  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
#  a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

#                          Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
    set phone 12345678|12345679:12345670|12345671
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket.  It's safest to use
# a UNIX domain socket, and watch the permissions:
#
    set server /var/tmp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
    set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
    set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
    set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging withouth blasting the setting in default:
#
    set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
    set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
    set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
    set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
    set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
    enable dns
#
# If you don't want to tell them what's in your /etc/resolf.conf file
# with `enable dns', override the values:
#
    set dns 10.0.0.1 10.0.0.2
#
# Some people like to prioritize DNS packets:
#
   set urgent udp +53
#
# If we're using the -nat switch, redirect ftp and http to an internal
# machine:
#
    nat port 10.0.0.2:ftp ftp
    nat port 10.0.0.2:http http
#
# or don't trust the outside at all
#
    nat deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
    allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
    allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
    allow user dodgy
    allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
    set filter alive 0 deny icmp
    set filter alive 1 deny udp src eq 53
    set filter alive 2 deny udp dst eq 53
    set filter alive 3 permit 0 0
#
# And we don't want ICMPs to cause a dialup:
#
    set filter dial 0 deny icmp
    set filter dial 1 permit 0 0
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
    set filter dial 2 deny 0 0 tcp syn finrst
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
    set filter in  0 permit tcp dst eq 113
    set filter out 0 permit tcp src eq 113
    set filter in  1 permit tcp src eq 23 estab
    set filter out 1 permit tcp dst eq 23
    set filter in  2 permit tcp src eq 21 estab
    set filter out 2 permit tcp dst eq 21
    set filter in  3 permit tcp src eq 20 dst gt 1023
    set filter out 3 permit tcp dst eq 20
    set filter in  4 permit udp src eq 53
    set filter out 4 permit udp dst eq 53
    set filter in  5 permit 192.244.191.0/24 0/0
    set filter out 5 permit 0/0 192.244.191.0/24
    set filter in  6 permit icmp
    set filter out 6 permit icmp
    set filter in  7 permit udp dst gt 33433
    set filter out 7 permit udp dst gt 33433

#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
    # Log link uptime
    set log Phase
    # For autoconnect only
    allow modes auto
    # Define modem device and speed
    set device /dev/cuaa1
    set speed 115200
    # Don't support LQR
    deny lqr
    # Remote system phone number, login and password
    set phone 0W1194
    set authname pppLogin
    set authkey MyPassword
    # Chat script to dial remote system
    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
              ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
    # Chat script to login to remote Unix system
    set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
    # Drop the link after 15 minutes of inactivity
    # Inactivity is defined by the `set filter alive' line below
    set timeout 900
    # Hard-code remote system to appear within local subnet and use proxy arp
    # to make this system the gateway
    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
    enable proxy

    # Allow any TCP packet to keep the link alive
    set filter alive 0 permit tcp

    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
    # private TCP ports 24 and 4000
    set filter dial  0 7      0 0 tcp dst eq http
    set filter dial  1 7      0 0 tcp dst eq login
    set filter dial  2 7      0 0 tcp dst eq shell
    set filter dial  3 7      0 0 tcp dst eq telnet
    set filter dial  4 7      0 0 tcp dst eq ftp
    set filter dial  5 7      0 0 tcp dst eq 24
    set filter dial  6 deny ! 0 0 tcp dst eq 4000
    # From hosts on a couple of local subnets to the remote peer
    # If the remote host allowed IP forwarding and we wanted to use it, the
    # following rules could be split into two groups to separately validate
    # the source and destination addresses.
    set filter dial  7 permit 172.17.16.0/20  172.17.20.248
    set filter dial  8 permit 172.17.36.0/22  172.17.20.248
    set filter dial  9 permit 172.17.118.0/26 172.17.20.248
    set filter dial 10 permit 10.123.5.0/24   172.17.20.248

    # Once the link's up, limit outgoing access to the specified hosts
    set filter out  0 4      172.17.16.0/20  172.17.20.248
    set filter out  1 4      172.17.36.0/22  172.17.20.248
    set filter out  2 4      172.17.118.0/26 172.17.20.248
    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248
    # Allow established TCP connections
    set filter out  4 permit 0 0 tcp estab
    # And new connections to http, rlogin, rsh, telnet, ftp and ports
    # 24 and 4000
    set filter out  5 permit 0 0 tcp dst eq http
    set filter out  6 permit 0 0 tcp dst eq login
    set filter out  7 permit 0 0 tcp dst eq shell
    set filter out  8 permit 0 0 tcp dst eq telnet
    set filter out  9 permit 0 0 tcp dst eq ftp
    set filter out 10 permit 0 0 tcp dst eq 24
    set filter out 11 permit 0 0 tcp dst eq 4000
    # And outgoing icmp
    set filter out 12 permit 0 0 icmp

    # Once the link's up, limit incoming access to the specified hosts
    set filter in   0 4      172.17.20.248  172.17.16.0/20
    set filter in   1 4      172.17.20.248  172.17.36.0/22
    set filter in   2 4      172.17.20.248  172.17.118.0/26
    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
    # Established TCP connections and non-PASV FTP
    set filter in   4 permit 0/0  0/0  tcp estab
    set filter in   5 permit 0/0  0/0  tcp src eq 20
    # Useful ICMP messages
    set filter in   6 permit 0/0  0/0  icmp src eq 3
    set filter in   7 permit 0/0  0/0  icmp src eq 4
    set filter in   8 permit 0/0  0/0  icmp src eq 11
    set filter in   9 permit 0/0  0/0  icmp src eq 12
    # Echo reply (local systems can ping the remote host)
    set filter in  10 permit 0/0  0/0  icmp src eq 0
    # And the remote host can ping the local gateway (only)
    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8


# Server side PPP
#
#  If you want the remote system to authenticate itself, you must insist
#  that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
#  PAP are disabled by default.  You may enable either or both.  If both
#  are enabled, CHAP is requested first.  If the client doesn't agree, PAP
#  will then be requested.
#
#  Note:  If you use the getty/login process to authenticate users, you
#         don't need to enable CHAP or PAP, but the user that has logged
#         in *MUST* be a member of the ``network'' group (in /etc/group).
#
#  If you wish to allow any user in the passwd database ppp access, you
#  can ``enable passwdauth''.
#
#  When the peer authenticates itself, we use ppp.secret for verification
#  (although refer to the ``set radius'' command below for an alternative).
#
#  Note:  We may supply a third field in ppp.secret specifying the IP
#         address for that user, a forth field to specify the
#         ppp.link{up,down} label to use and a fifth field to specify
#         callback characteristics.
#
#  The easiest way to allow transparent LAN access to your dialin users
#  is to assign them a number from your local LAN and tell ppp to make a
#  ``proxy'' arp entry for them.  In this example, we have a local LAN
#  with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
#  ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
#  override the dynamic IP number with a static IP number specified in
#  ppp.secret.
#
#  Ppp is launched with:
#   # ppp -direct server
#
server:
 enable chap
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
 accept dns

# Example of a RADIUS configuration:
#  If there are one or more radius servers available, we can use them
#  instead of the ppp.secret file.  Simply put then in a radius
#  configuration file (usually /etc/radius.conf) and give ppp the
#  file name.
#  Ppp will use the FRAMED characteristics supplied by the radius server
#  to configure the link.

radius-server:
 load server
 set radius /etc/radius.conf


# Example to connect using a null-modem cable:
#  The important thing here is to allow the lqr packets on both sides.
#  Without them enabled, we can't tell if the line's dropped - there
#  should always be carrier on a direct connection.
#  Here, the server sends lqr's every 10 seconds and quits if five in a
#  row fail.
#
#  Make sure you don't have "deny lqr" in your default: on the client !
#  If the peer denies LQR, we still send ECHO LQR packets at the given
#  lqrperiod interval (ppp-style-pings).
#
direct-client:
 set dial ""
 set device /dev/cuaa0
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr

direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


# Example to connect via compuserve
#  Compuserve insists on 7 bits even parity during the chat phase.  Modem
#  parity is always reset to ``none'' after the link has been established.
#
compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
            word: XXXXXXXX PPP"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


# Example for PPP over TCP.
#  We assume that inetd on tcpsrv.mynet has been
#  configured to run "ppp -direct tcp-server" when it gets a connection on
#  port 1234.  Read the man page for further details
#
#  Note, we assume we're using a binary-clean connection.  If something
#  such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

# Example for PPP testing.
#  If you want to test ppp, do it through the loopback interface:
#
#  Requires a line in /etc/services:
#    ppploop 6671/tcp # loopback ppp daemon
#
#  and a line in /etc/inetd.conf:
#    ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

# Example of a VPN.
#  If you're going to create a tunnel through a public network, your VPN
#  should be set up something like this:
#
#  You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
 load loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"

# Example of non-PPP callback.
#  If you wish to connect to a server that will dial back *without* using
#  the ppp callback facility (rfc1570), take advantage of the fact that
#  ppp doesn't look for carrier 'till `set login' is complete:
#
#  Here, we expect the server to say DIALBACK then disconnect after
#  we've authenticated ourselves.  When this has happened, we wait
#  60 seconds for a RING.
#
dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATDT\\T TIMEOUT 60 CONNECT"
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

# Example of PPP callback.
#  Alternatively, if the peer is using the PPP callback protocol, we're
#  happy either with ``auth'' style callback where the server dials us
#  back based on what we authenticate ourselves with, ``cbcp'' style
#  callback (invented by Microsoft but not agreed by the IETF) where
#  we negotiate callback *after* authentication or E.164 callback where
#  we specify only a phone number.  I would recommend only ``auth'' and/or
#  ``cbcp'' callback methods.
#  For ``cbcp'', we insist that we choose ``1234567'' as the number that
#  the server must call back.
#
callback:
 load pmdemand
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
 load server
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cuaa0
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
 load callback-server
 set cbcp *

# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU.  1500 is
# a reasonable value.  To create new links, use the ``clone'' command
# to duplicate an existing link.  If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time.  The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
 load loop
 set mode interactive
 set mrru 1500
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

mloop-in:
 set timeout 0
 set log tun phase
 allow mode direct
 set mrru 1500

# User supplied authentication:
#  It's possible to run ppp in the background while specifying a
#  program to use to obtain authentication details on demand.
#  This program would usually be a simple GUI that presents a
#  prompt to a known user.  The ``chap-auth'' program is supplied
#  as an example (and requires tcl version 8.0).
#
CHAPprompt:
 load PAPorCHAPpmdemand
 set authkey !/usr/share/examples/ppp/chap-auth

#  It's possible to do the same sort of thing at the login prompt.
#  Here, after sending ``brian'' in response to the ``name'' prompt,
#  we're prompted with ``code:''.  A window is then displayed on the
#  ``keep:0.0'' display and the typed response is sent to the peer
#  as the password.  We then expect to see ``MTU'' and ``.'' in the
#  servers response.
#
loginprompt:
 load pmdemand
 set authname brian
 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
                    AUTHNAME\" MTU \\c ."