1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
|
#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $OpenBSD: ppp.conf.sample,v 1.21 2002/06/09 06:15:15 todd Exp $
#
#################################################################
# This file is separated into sections. Each section is named with
# a label starting in column 0 and followed directly by a ``:''. The
# section continues until the next section. Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file. You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#
# Default setup. Always executed when PPP is invoked.
# This section is *not* loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, its DTR rate,
# and any logging specification. Logging specs should be done first
# so that subsequent commands are logged.
#
default:
set log Phase Chat LCP IPCP CCP tun command
set device /dev/cua01
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that makes the connection as the client and the
# side that receives the connection as the server. Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#
# An on demand example where we have dynamic IP addresses:
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP numbers.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode.
#
# Finally, the ``enable dns'' bit tells ppp to ask the peer for the
# nameserver addresses that should be used. This isn't always supported
# by the other side, but if it is, /etc/resolv.conf will automatically be
# updated.
#
pmdemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# When we want to use PAP or CHAP instead of using a unix-style login
# procedure, we do the following. Note, the peer suggests whether we
# should send PAP or CHAP. By default, we send whatever we're asked for.
#
PAPorCHAPpmdemand:
set phone 1234567
set login
set authname MyName
set authkey MyKey
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
# # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 192.244.185.226 192.244.176.44
add default HISADDR
enable dns
# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete. They're provided as examples
# of how to achieve different things.
examples:
# Multi-phone example. Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed. Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
set phone 12345678|12345679:12345670|12345671
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket. It's safest to use
# a UNIX domain socket, and watch the permissions:
#
set server /var/tmp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging withouth blasting the setting in default:
#
set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
enable dns
#
# If you don't want to tell them what's in your /etc/resolv.conf file
# with `enable dns', override the values:
#
set dns 10.0.0.1 10.0.0.2
#
# If we're using the -alias switch, redirect ftp and http to an internal
# machine:
#
alias port 10.0.0.2:ftp ftp
alias port 10.0.0.2:http http
#
# or don't trust the outside at all
#
alias deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use. I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
allow user dodgy
allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 permit 0 0
#
# And we don't want ICMPs to cause a dialup:
#
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
set filter dial 2 deny 0 0 tcp syn finrst
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 20 dst gt 1023
set filter out 3 permit tcp dst eq 20
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 5 permit 192.244.191.0/24 0/0
set filter out 5 permit 0/0 192.244.191.0/24
set filter in 6 permit icmp
set filter out 6 permit icmp
set filter in 7 permit udp dst gt 33433
set filter out 7 permit udp dst gt 33433
#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
# Log link uptime
set log Phase
# For autoconnect only
allow modes auto
# Define modem device and speed
set device /dev/cua01
set speed 115200
# Don't support LQR
deny lqr
# Remote system phone number, login and password
set phone 0W1194
set authname pppLogin
set authkey MyPassword
# Chat script to dial remote system
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
# Chat script to login to remote Unix system
set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
# Drop the link after 15 minutes of inactivity
# Inactivity is defined by the `set filter alive' line below
set timeout 900
# Hard-code remote system to appear within local subnet and use proxy arp
# to make this system the gateway
set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
enable proxy
# Allow any TCP packet to keep the link alive
set filter alive 0 permit tcp
# Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
# private TCP ports 24 and 4000
set filter dial 0 7 0 0 tcp dst eq http
set filter dial 1 7 0 0 tcp dst eq login
set filter dial 2 7 0 0 tcp dst eq shell
set filter dial 3 7 0 0 tcp dst eq telnet
set filter dial 4 7 0 0 tcp dst eq ftp
set filter dial 5 7 0 0 tcp dst eq 24
set filter dial 6 deny ! 0 0 tcp dst eq 4000
# From hosts on a couple of local subnets to the remote peer
# If the remote host allowed IP forwarding and we wanted to use it, the
# following rules could be split into two groups to separately validate
# the source and destination addresses.
set filter dial 7 permit 172.17.16.0/20 172.17.20.248
set filter dial 8 permit 172.17.36.0/22 172.17.20.248
set filter dial 9 permit 172.17.118.0/26 172.17.20.248
set filter dial 10 permit 10.123.5.0/24 172.17.20.248
# Once the link's up, limit outgoing access to the specified hosts
set filter out 0 4 172.17.16.0/20 172.17.20.248
set filter out 1 4 172.17.36.0/22 172.17.20.248
set filter out 2 4 172.17.118.0/26 172.17.20.248
set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
# Allow established TCP connections
set filter out 4 permit 0 0 tcp estab
# And new connections to http, rlogin, rsh, telnet, ftp and ports
# 24 and 4000
set filter out 5 permit 0 0 tcp dst eq http
set filter out 6 permit 0 0 tcp dst eq login
set filter out 7 permit 0 0 tcp dst eq shell
set filter out 8 permit 0 0 tcp dst eq telnet
set filter out 9 permit 0 0 tcp dst eq ftp
set filter out 10 permit 0 0 tcp dst eq 24
set filter out 11 permit 0 0 tcp dst eq 4000
# And outgoing icmp
set filter out 12 permit 0 0 icmp
# Once the link's up, limit incoming access to the specified hosts
set filter in 0 4 172.17.20.248 172.17.16.0/20
set filter in 1 4 172.17.20.248 172.17.36.0/22
set filter in 2 4 172.17.20.248 172.17.118.0/26
set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
# Established TCP connections and non-PASV FTP
set filter in 4 permit 0/0 0/0 tcp estab
set filter in 5 permit 0/0 0/0 tcp src eq 20
# Useful ICMP messages
set filter in 6 permit 0/0 0/0 icmp src eq 3
set filter in 7 permit 0/0 0/0 icmp src eq 4
set filter in 8 permit 0/0 0/0 icmp src eq 11
set filter in 9 permit 0/0 0/0 icmp src eq 12
# Echo reply (local systems can ping the remote host)
set filter in 10 permit 0/0 0/0 icmp src eq 0
# And the remote host can ping the local gateway (only)
set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
# Server side PPP
# If you want the remote system to authenticate itself, you insist
# that the peer uses CHAP (or PAP) with the "enable" keyword. Both CHAP and
# PAP are disabled by default (we usually only "enable" one of them if the
# other side is dialing into our server).
# When the peer authenticates itself, we use ppp.secret for verification.
#
# Ppp is launched with:
# # ppp -direct CHAPserver
#
# Note: We can supply a third field in ppp.secret specifying the IP address
# for that user. We can even specify a fourth field to specify the
# ppp.link{up,down} label to use.
#
CHAPserver:
enable chap
enable proxy
set ifaddr 192.244.176.44 292.244.184.31
accept dns
# If we wish to act as a server, allowing PAP access according to
# accounts in /etc/passwd, we do this (Without `enable passwdauth',
# you may still enter ``*'' as the users password in ppp.secret and
# ppp will look it up in the passwd database. This is useful if you
# need to assign a special label or IP number or range):
#
PAPServerwithPASSWD:
enable pap
enable passwdauth
enable proxy
set ifaddr 192.244.176.44 292.244.184.31
accept dns
# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
set dial ""
set device /dev/cua00
set sp 115200
set timeout 900
set lqrperiod 10
set log Phase Chat LQM
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
set ifaddr 10.0.4.2 10.0.4.1
enable lqr
accept lqr
direct-server:
set timeout 0
set lqrperiod 10
set log Phase LQM
set ifaddr 10.0.4.1 10.0.4.2
enable lqr
accept lqr
# Example to connect via compuserve (who insist on 7 bits even parity
# during the chat phase).
#
compuserve:
set phone 1234567
set parity even
set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
word: XXXXXXXX PPP"
set timeout 300
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
delete ALL
add default HISADDR
# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234. Read the man page for further details
#
# Note, we assume we're using a binary-clean connection. If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
set device tcpsrv.mynet:1234
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
tcp-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
# If you want to test ppp, do it through a loopback:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:ppploop
set dial
set login
set ifaddr 127.0.0.2 127.0.0.3
set server /var/tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
#
sloop:
load loop
# Passive mode allows ssh plenty of time to establish the connection
set openmode passive
set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves. When this has happened, we wait
# 60 seconds for a RING.
#
dialback:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATDT\\T TIMEOUT 60 CONNECT"
set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
\"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
# Alternatively, if the peer is using the PPP callback protocol, use
# normal dial and login scripts and add
#
set callback auth cbcp e.164 1234567
set cbcp 1234567
# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
set callback cbcp
set cbcp
set log +cbcp
set redial 3 1
set device /dev/cua00
set speed 115200
set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
# Or if we want to allow authenticated clients to specify their own
# callback number, use this ``set cbcp'' line instead:
#
set cbcp *
# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU. 1500 is
# a reasonable value. To create new links, use the ``clone'' command
# to duplicate an existing link. If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time. The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
load loop
set mode interactive
set mrru 1500
set mru 1504 # Room for the MP header
clone 1 2 3
link deflink remove
# dial
# link 2 dial
# link 3 dial
mloop-in:
set timeout 0
set log tun phase
allow mode direct
set mrru 1500
set mru 1504 # Room for the MP header
# A PPPoE (PPP over Ethernet) setup may look like this:
#
pppoe:
set device "!/usr/sbin/pppoe"
set mtu max 1492
set mru max 1492
set speed sync
disable acfcomp protocomp
deny acfcomp
|