################################################################# # # PPP Sample Configuration File # # Originally written by Toshiharu OHNO # # $Id: ppp.conf.sample,v 1.27 1997/12/30 23:34:35 brian Exp $ # ################################################################# # This file is separated into sections. Each section is named with # a label starting in column 0 and followed directly by a ``:''. The # section continues until the next section. Blank lines and lines # beginning with ``#'' are ignored. # # Lines beginning with "!include" will ``include'' another file. You # may want to ``!include ~/.ppp.conf'' for backwards compatibility. # # Default setup. Always executed when PPP is invoked. # This section is *not* loaded by the ``load'' or ``dial'' commands. # # This is the best place to specify your modem device, it's DTR rate, # and any logging specification. Logging specs should be done first # so that subsequent commands are logged. # default: set log Phase Chat Connect Carrier LCP IPCP CCP tun command set device /dev/cuaa1 set speed 115200 deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" # Client side PPP # # Although the PPP protocol is a peer to peer protocol, we normally # consider the side that makes the connection as the client and the # side that receives the connection as the server. Authentication # is required by the server either using a unix-style login proceedure # or by demanding PAP or CHAP authentication from the client. # # An on demand example where we have dynamic IP addresses: # If the peer assigns us an arbitrary IP (most ISPs do this) and we # can't predict what their IP will be either, take a wild guess at # some IPs that you can't currently route to. Ensure that the "delete" # and "add" lines are also present in the pmdemand section of ppp.linkup # so that when we connect, things will be put straight. # # This will work with static IP numbers too. You can also use this entry # if you don't want on-demand dialup. The "set ifaddr", "delete" and # "add" lines are required for on-demand. Note, for dynamic IP numbers, # whether dialing manually or on demand, there should *always* be an entry # in ppp.linkup. # # The /0 bit in "set ifaddr" says that we insist on 0 bits of the # specified IP actually being correct, therefore, the other side can assign # any IP numbers. # # The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested # IP number, forcing the peer to make the decision. # pmdemand: set phone 1234567 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp" set timeout 120 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 delete ALL add 0 0 HISADDR # When we want to use PAP or CHAP instead of using a unix-style login # proceedure, we do the following. Note, the peer suggests whether we # should send PAP or CHAP. By default, we send whatever we're asked for. # PAPorCHAPpmdemand: set phone 1234567 set login set authname MyName set authkey MyKey set timeout 120 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 delete ALL add 0 0 HISADDR # On demand dialup example with static IP addresses: # Here, the local side uses 192.244.185.226 and the remote side # uses 192.244.176.44. # # # ppp -auto ondemand # # It is not necessary to have an entry in ppp.linkup when both IP numbers # are static. Be warned though, the MYADDR: label is executed from # ppp.linkup if the "ondemand:" and "192.244.176.44" labels are not found. # ondemand: set phone 1234567 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp" set timeout 120 set ifaddr 192.244.185.226 192.244.176.44 255.255.255.0 delete ALL add 0 0 HISADDR # Example segments # # The following lines may be included as part of your configuration # section and aren't themselves complete. They're provided as examples # of how to achieve different things. examples: # Multi-phone example. Numbers separated by a : are used sequentially. # Numbers separated by a | are used if the previous dial or login script # failed. Usually, you will prefer to use only one of | or :, but both # are allowed. # set phone 12345678|12345679:12345670|12345671 # # When in -auto, -ddial, -direct or -background mode, ppp can accept # control instructions from the ``pppctl'' program. First, you must # set up your control socket. It's safest to use a UNIX domain socket, # and watch the permissions: # set server /var/tmp/internet 0177 # # Although a TCP port may be used if you want to allow control # connections from other machines: # set server 6670 # # If you don't like ppp's builtin chat, use an external one: # set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\"" # # If we have a ``strange'' modem that must be re-initialized when we # hangup: # set hangup "\"\" AT OK-AT-OK ATZ OK" # # To adjust logging withouth blasting the setting in default: # set log -command +tcp/ip # # To see log messages on the screen in interactive mode: # set log local LCP IPCP CCP # # If you're seeing a lot of magic number problems and failed connections, # try this (check out the FAQ): # set openmode passive # # For noisy lines, we may want to reconnect (up to 20 times) after loss # of carrier: # set reconnect 3 20 # # When playing server for M$ clients, tell them who our name servers are: # set ns 10.0.0.1 10.0.0.2 set nbns 10.0.0.1 10.0.0.2 enable msext # # If we're using the -alias switch, redirect ftp and http to an internal # machine: # alias port 10.0.0.2:ftp ftp alias port 10.0.0.2:http http # # or don't trust the outside at all # alias deny_incoming yes # # I trust user brian to run ppp, so this goes in the `default' section: # allow user brian # # But label `internet' contains passwords that even brian can't have, so # I empty out the user access list in that section: # allow users # # I also may wish to set up my ppp login script so that it asks the client # for the label they wish to use. I may only want user ``dodgy'' to access # their own label in direct mode: # dodgy: allow user dodgy allow mode direct # # If we don't want ICMP and DNS packets to keep the connection alive: # set afilter 0 deny icmp set afilter 1 deny udp src eq 53 set afilter 2 deny udp dst eq 53 set afilter 3 permit 0/0 0/0 # # And we don't want ICMPs to cause a dialup: # set dfilter 0 deny icmp set dfilter 1 permit 0/0 0/0 # # Once the line's up, allow connections for ident (113), telnet (23), # ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24), # ICMP (ping) and traceroute (>33433). # # Anything else is blocked by default # set ifilter 0 permit tcp dst eq 113 set ofilter 0 permit tcp src eq 113 set ifilter 1 permit tcp src eq 23 estab set ofilter 1 permit tcp dst eq 23 set ifilter 2 permit tcp src eq 21 estab set ofilter 2 permit tcp dst eq 21 set ifilter 3 permit tcp src eq 20 dst gt 1023 set ofilter 3 permit tcp dst eq 20 set ifilter 4 permit udp src eq 53 set ofilter 4 permit udp dst eq 53 set ifilter 5 permit 192.244.191.0/24 0/0 set ofilter 5 permit 0/0 192.244.191.0/24 set ifilter 6 permit icmp set ofilter 6 permit icmp set ifilter 7 permit udp dst gt 33433 set ofilter 7 permit udp dst gt 33433 # Server side PPP # If you want the remote system to authenticate itself, you insist # that the peer uses CHAP (or PAP) with the "enable" keyword. Both CHAP and # PAP are disabled by default (we usually only "enable" on of them if the # other side is dialing into our server). # When the peer authenticates itself, we use ppp.secret for verification. # # Ppp is launched with: # # ppp -direct CHAPserver # # Note: We can supply a third field in ppp.secret specifying the IP address # for that user. # CHAPserver: enable chap enable proxy set ifaddr 192.244.176.44 292.244.184.31 # If we wish to act as a server, allowing PAP access according to # accounts in /etc/passwd, we do this: # PAPServerwithPASSWD: enable pap enable passwdauth enable proxy set ifaddr 192.244.176.44 292.244.184.31 # Example to connect using a null-modem cable: # The important thing here is to allow the lqr packets on both sides. # Without them enabled, we can't tell if the line's dropped - there # should always be carrier on a direct connection. # Here, the server sends lqr's every 10 seconds and quits if three in a # row fail. # # Make sure you don't have "deny lqr" in your default: on the client ! # direct-client: set dial "" set line /dev/cuaa0 set sp 115200 set timeout 900 10 3 set log Phase Chat LQM set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" set ifaddr 10.0.4.2 10.0.4.1 enable lqr accept lqr direct-server: set timeout 900 10 3 set log Phase LQM set ifaddr 10.0.4.1 10.0.4.2 enable lqr accept lqr # Example for PPP over TCP. # We assume that inetd on tcpsrv.mynet has been # configured to run "ppp -direct tcp-server" when it gets a connection on # port 1234. Read the man page for further details # tcp-client: set device tcpsrv.mynet:1234 set dial set login set escape 0xff set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 tcp-server: set escape 0xff set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 # If you want to test ppp, do it through a loopback: # # Requires a line in /etc/services: # ppploop 6671/tcp # loopback ppp daemon # # and a line in /etc/inetd.conf: # ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in # loop: set timeout 0 set log phase chat connect lcp ipcp command set device localhost:ppploop set dial set login set escape 0xff set ifaddr 127.0.0.2 127.0.0.3 set openmode passive set server /var/tmp/loop "" 0177 loop-in: set timeout 0 set log phase chat connect lcp ipcp command set escape 0xff allow mode direct