#################################################################
#
#  	PPP  Sample Configuration File
#
#	  Originally written by Toshiharu OHNO
#
# $Id: ppp.conf.sample,v 1.28 1997/12/31 03:58:45 brian Exp $
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next section.  Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup. Always executed when PPP is invoked.
#  This section is *not* loaded by the ``load'' or ``dial'' commands.
#
#  This is the best place to specify your modem device, it's DTR rate,
#  and any logging specification.  Logging specs should be done first
#  so that subsequent commands are logged.
#
default:
 set log Phase Chat Connect Carrier LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 deny lqr
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
#  Although the PPP protocol is a peer to peer protocol, we normally
#  consider the side that makes the connection as the client and the
#  side that receives the connection as the server.  Authentication
#  is required by the server either using a unix-style login proceedure
#  or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses:
#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
#  can't predict what their IP will be either, take a wild guess at
#  some IPs that you can't currently route to.  Ensure that the "delete"
#  and "add" lines are also present in the pmdemand section of ppp.linkup
#  so that when we connect, things will be put straight.
#
#  This will work with static IP numbers too.  You can also use this entry
#  if you don't want on-demand dialup.  The "set ifaddr", "delete" and
#  "add" lines are required for on-demand.  Note, for dynamic IP numbers,
#  whether dialing manually or on demand, there should *always* be an entry
#  in ppp.linkup.
#
#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
#  specified IP actually being correct, therefore, the other side can assign
#  any IP numbers.
#
#  The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
#  IP number, forcing the peer to make the decision.
#
pmdemand:
 set phone 1234567
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add 0 0 HISADDR

# When we want to use PAP or CHAP instead of using a unix-style login
# proceedure, we do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname MyName
 set authkey MyKey
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add 0 0 HISADDR

# On demand dialup example with static IP addresses:
#  Here, the local side uses 192.244.185.226 and the remote side
#  uses 192.244.176.44.
#
#  # ppp -auto ondemand
#
#  It is not necessary to have an entry in ppp.linkup when both IP numbers
#  are static.  Be warned though, the MYADDR: label is executed from
#  ppp.linkup if the "ondemand:" and "192.244.176.44" labels are not found.
#
ondemand:
 set phone 1234567
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44 255.255.255.0
 delete ALL
 add 0 0 HISADDR

#                          Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
    set phone 12345678|12345679:12345670|12345671
#
# When in -auto, -ddial, -direct or -background mode, ppp can accept
# control instructions from the ``pppctl'' program.  First, you must
# set up your control socket.  It's safest to use a UNIX domain socket,
# and watch the permissions:
#
    set server /var/tmp/internet 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
    set server 6670
#
# If you don't like ppp's builtin chat, use an external one:
#
    set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
    set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging withouth blasting the setting in default:
#
    set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
    set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (check out the FAQ):
#
    set openmode passive
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier:
#
    set reconnect 3 20
#
# When playing server for M$ clients, tell them who our name servers are:
#
    set ns 10.0.0.1 10.0.0.2
    set nbns 10.0.0.1 10.0.0.2
    enable msext
#
# If we're using the -alias switch, redirect ftp and http to an internal
# machine:
#
    alias port 10.0.0.2:ftp ftp
    alias port 10.0.0.2:http http
#
# or don't trust the outside at all
#
    alias deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
    allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section:
#
    allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
    allow user dodgy
    allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
    set afilter 0 deny icmp
    set afilter 1 deny udp src eq 53
    set afilter 2 deny udp dst eq 53
    set afilter 3 permit 0/0 0/0
#
# And we don't want ICMPs to cause a dialup:
#
    set dfilter 0 deny icmp
    set dfilter 1 permit 0/0 0/0
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
    set ifilter 0 permit tcp dst eq 113
    set ofilter 0 permit tcp src eq 113
    set ifilter 1 permit tcp src eq 23 estab
    set ofilter 1 permit tcp dst eq 23
    set ifilter 2 permit tcp src eq 21 estab
    set ofilter 2 permit tcp dst eq 21
    set ifilter 3 permit tcp src eq 20 dst gt 1023
    set ofilter 3 permit tcp dst eq 20
    set ifilter 4 permit udp src eq 53
    set ofilter 4 permit udp dst eq 53
    set ifilter 5 permit 192.244.191.0/24 0/0
    set ofilter 5 permit 0/0 192.244.191.0/24
    set ifilter 6 permit icmp
    set ofilter 6 permit icmp
    set ifilter 7 permit udp dst gt 33433
    set ofilter 7 permit udp dst gt 33433


# Server side PPP
#  If you want the remote system to authenticate itself, you insist
#  that the peer uses CHAP (or PAP) with the "enable" keyword.  Both CHAP and
#  PAP are disabled by default (we usually only "enable" on of them if the
#  other side is dialing into our server).
#  When the peer authenticates itself, we use ppp.secret for verification.
#
#  Ppp is launched with:
#   # ppp -direct CHAPserver
#
#  Note:  We can supply a third field in ppp.secret specifying the IP address
#         for that user.
#
CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31

# If we wish to act as a server, allowing PAP access according to
# accounts in /etc/passwd, we do this:
#
PAPServerwithPASSWD:
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31


# Example to connect using a null-modem cable:
#  The important thing here is to allow the lqr packets on both sides.
#  Without them enabled, we can't tell if the line's dropped - there
#  should always be carrier on a direct connection.
#  Here, the server sends lqr's every 10 seconds and quits if three in a
#  row fail.
#
#  Make sure you don't have "deny lqr" in your default: on the client !
#
direct-client:
 set dial ""
 set line /dev/cuaa0
 set sp 115200
 set timeout 900 10 3
 set log Phase Chat LQM
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr
 
direct-server:
 set timeout 900 10 3
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


# Example for PPP over TCP.
#  We assume that inetd on tcpsrv.mynet has been
#  configured to run "ppp -direct tcp-server" when it gets a connection on
#  port 1234.  Read the man page for further details
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set escape 0xff
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set escape 0xff
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

# If you want to test ppp, do it through a loopback:
#
# Requires a line in /etc/services:
#   ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
#   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set escape 0xff
 set ifaddr 127.0.0.2 127.0.0.3
 set openmode passive
 set server /var/tmp/loop "" 0177
 
loop-in:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set escape 0xff
 allow mode direct