- 论坛徽章:
- 0
|
这是 openbsd 4.7 i386 的 /etc/ppp/ppp.conf.sample ,我自己看了几次,还是不太懂。请老大们帮忙。。
- #################################################################
- #
- # PPP Sample Configuration File
- #
- # Originally written by Toshiharu OHNO
- #
- # $OpenBSD: ppp.conf.sample,v 1.24 2006/07/30 18:02:01 david Exp $
- #
- #################################################################
- # This file is separated into sections. Each section is named with
- # a label starting in column 0 and followed directly by a ``:''. The
- # section continues until the next section. Blank lines and lines
- # beginning with ``#'' are ignored.
- #
- # Lines beginning with "!include" will ``include'' another file. You
- # may want to ``!include ~/.ppp.conf'' for backwards compatibility.
- #
- # Default setup. Always executed when PPP is invoked.
- # This section is *not* loaded by the ``load'' or ``dial'' commands.
- #
- # This is the best place to specify your modem device, its DTR rate,
- # and any logging specification. Logging specs should be done first
- # so that subsequent commands are logged.
- #
- default:
- set log Phase Chat LCP IPCP CCP tun command
- set device /dev/cua01
- set speed 115200
- set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
- # Client side PPP
- #
- # Although the PPP protocol is a peer to peer protocol, we normally
- # consider the side that makes the connection as the client and the
- # side that receives the connection as the server. Authentication
- # is required by the server either using a unix-style login procedure
- # or by demanding PAP or CHAP authentication from the client.
- #
- # An on demand example where we have dynamic IP addresses:
- # If the peer assigns us an arbitrary IP (most ISPs do this) and we
- # can't predict what their IP will be either, take a wild guess at
- # some IPs that you can't currently route to.
- #
- # The /0 bit in "set ifaddr" says that we insist on 0 bits of the
- # specified IP actually being correct, therefore, the other side can assign
- # any IP numbers.
- #
- # The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
- # IP number, forcing the peer to make the decision.
- #
- # This entry also works with static IP numbers or when not in -auto mode.
- # The ``add'' line adds a `sticky' default route that will be updated if
- # and when any of the IP numbers are changed in IPCP negotiations.
- # The "set ifaddr" is required in -auto mode.
- #
- # Finally, the ``enable dns'' bit tells ppp to ask the peer for the
- # nameserver addresses that should be used. This isn't always supported
- # by the other side, but if it is, /etc/resolv.conf will automatically be
- # updated.
- #
- pmdemand:
- set phone 1234567
- set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
- set timeout 120
- set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
- add default HISADDR
- enable dns
- # When we want to use PAP or CHAP instead of using a unix-style login
- # procedure, we do the following. Note, the peer suggests whether we
- # should send PAP or CHAP. By default, we send whatever we're asked for.
- #
- PAPorCHAPpmdemand:
- set phone 1234567
- set login
- set authname MyName
- set authkey MyKey
- set timeout 120
- set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
- add default HISADDR
- enable dns
- # On demand dialup example with static IP addresses:
- # Here, the local side uses 192.244.185.226 and the remote side
- # uses 192.244.176.44.
- #
- # # ppp -auto ondemand
- #
- # With static IP numbers, our setup is similar to dynamic:
- # Remember, ppp.linkup is searched for a "192.244.176.44" label, then
- # a "ondemand" label, and finally the "MYADDR" label.
- #
- ondemand:
- set phone 1234567
- set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
- set timeout 120
- set ifaddr 192.244.185.226 192.244.176.44
- add default HISADDR
- enable dns
- # To connect via a GPRS or UMTS device (e.g. a mobile phone or a PC Card),
- # it's often necessary to set the access-point name (in this case 'internet')
- # which requires quotes in the dial string. This section shows the escaping
- # required. Devices that have not already authenticated the SIM card (like a
- # PC Card) need to issue the "AT+CPIN=xxxx" (xxxx being the PIN for the SIM
- # card) first.
- # For certain devices it is necessary to adjust the baud rate (speed setting)
- # and/or change the dial string to "*99***1#".
- # UMTS devices often allow control of the connect mode (UMTS only, GPRS only
- # or default to which is available); this can be controlled with the number
- # passed to the AT+CGDCONT command and is device dependant.
- # Some ISPs do special things in their IPCP session in order to negotiate
- # the IP addresses; in this case it may be necessary to play with the ifaddr
- # setting.
- # See also: com(4), ubsa(4), ucom(4) and umodem(4)
- #
- mobile:
- set device /dev/cuaU0
- set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
- \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \\dATD\\T TIMEOUT 40 CONNECT"
- set phone "*99#"
- set speed 115200
- set login
- set timeout 0
- set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
- add default HISADDR
- enable dns
- # Example segments
- #
- # The following lines may be included as part of your configuration
- # section and aren't themselves complete. They're provided as examples
- # of how to achieve different things.
- examples:
- # Multi-phone example. Numbers separated by a : are used sequentially.
- # Numbers separated by a | are used if the previous dial or login script
- # failed. Usually, you will prefer to use only one of | or :, but both
- # are allowed.
- #
- set phone 12345678|12345679:12345670|12345671
- #
- # Ppp can accept control instructions from the ``pppctl'' program.
- # First, you must set up your control socket. It's safest to use
- # a UNIX domain socket, and watch the permissions:
- #
- set server /var/tmp/internet MySecretPassword 0177
- #
- # Although a TCP port may be used if you want to allow control
- # connections from other machines:
- #
- set server 6670 MySecretpassword
- #
- # If you don't like ppp's builtin chat, use an external one:
- #
- set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
- #
- # If we have a ``strange'' modem that must be re-initialized when we
- # hangup:
- #
- set hangup "\"\" AT OK-AT-OK ATZ OK"
- #
- # To adjust logging withouth blasting the setting in default:
- #
- set log -command +tcp/ip
- #
- # To see log messages on the screen in interactive mode:
- #
- set log local LCP IPCP CCP
- #
- # If you're seeing a lot of magic number problems and failed connections,
- # try this (see the man page):
- #
- set openmode active 5
- #
- # For noisy lines, we may want to reconnect (up to 20 times) after loss
- # of carrier, with 3 second delays between each attempt:
- #
- set reconnect 3 20
- #
- # When playing server for M$ clients, tell them who our NetBIOS name
- # servers are:
- #
- set nbns 10.0.0.1 10.0.0.2
- #
- # Inform the client if they ask for our DNS IP numbers:
- #
- enable dns
- #
- # If you don't want to tell them what's in your /etc/resolv.conf file
- # with `enable dns', override the values:
- #
- set dns 10.0.0.1 10.0.0.2
- #
- # If we're using the -alias switch, redirect ftp and http to an internal
- # machine:
- #
- alias port 10.0.0.2:ftp ftp
- alias port 10.0.0.2:http http
- #
- # or don't trust the outside at all
- #
- alias deny_incoming yes
- #
- # I trust user brian to run ppp, so this goes in the `default' section:
- #
- allow user brian
- #
- # But label `internet' contains passwords that even brian can't have, so
- # I empty out the user access list in that section so that only root can
- # have access:
- #
- allow users
- #
- # I also may wish to set up my ppp login script so that it asks the client
- # for the label they wish to use. I may only want user ``dodgy'' to access
- # their own label in direct mode:
- #
- dodgy:
- allow user dodgy
- allow mode direct
- #
- # If we don't want ICMP and DNS packets to keep the connection alive:
- #
- set filter alive 0 deny icmp
- set filter alive 1 deny udp src eq 53
- set filter alive 2 deny udp dst eq 53
- set filter alive 3 permit 0 0
- #
- # And we don't want ICMPs to cause a dialup:
- #
- set filter dial 0 deny icmp
- set filter dial 1 permit 0 0
- #
- # or any TCP SYN or RST packets (badly closed TCP channels):
- #
- set filter dial 2 deny 0 0 tcp syn finrst
- #
- # Once the line's up, allow connections for ident (113), telnet (23),
- # ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
- # ICMP (ping) and traceroute (>33433).
- #
- # Anything else is blocked by default
- #
- set filter in 0 permit tcp dst eq 113
- set filter out 0 permit tcp src eq 113
- set filter in 1 permit tcp src eq 23 estab
- set filter out 1 permit tcp dst eq 23
- set filter in 2 permit tcp src eq 21 estab
- set filter out 2 permit tcp dst eq 21
- set filter in 3 permit tcp src eq 20 dst gt 1023
- set filter out 3 permit tcp dst eq 20
- set filter in 4 permit udp src eq 53
- set filter out 4 permit udp dst eq 53
- set filter in 5 permit 192.244.191.0/24 0/0
- set filter out 5 permit 0/0 192.244.191.0/24
- set filter in 6 permit icmp
- set filter out 6 permit icmp
- set filter in 7 permit udp dst gt 33433
- set filter out 7 permit udp dst gt 33433
- #
- # ``dodgynet'' is an example intended for an autodial configuration which
- # is connecting a local network to a host on an untrusted network.
- dodgynet:
- # Log link uptime
- set log Phase
- # For autoconnect only
- allow modes auto
- # Define modem device and speed
- set device /dev/cua01
- set speed 115200
- # Don't support LQR
- deny lqr
- # Remote system phone number, login and password
- set phone 0W1194
- set authname pppLogin
- set authkey MyPassword
- # Chat script to dial remote system
- set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
- ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
- # Chat script to login to remote Unix system
- set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
- # Drop the link after 15 minutes of inactivity
- # Inactivity is defined by the `set filter alive' line below
- set timeout 900
- # Hard-code remote system to appear within local subnet and use proxy arp
- # to make this system the gateway
- set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
- enable proxy
- # Allow any TCP packet to keep the link alive
- set filter alive 0 permit tcp
- # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
- # private TCP ports 24 and 4000
- set filter dial 0 7 0 0 tcp dst eq http
- set filter dial 1 7 0 0 tcp dst eq login
- set filter dial 2 7 0 0 tcp dst eq shell
- set filter dial 3 7 0 0 tcp dst eq telnet
- set filter dial 4 7 0 0 tcp dst eq ftp
- set filter dial 5 7 0 0 tcp dst eq 24
- set filter dial 6 deny ! 0 0 tcp dst eq 4000
- # From hosts on a couple of local subnets to the remote peer
- # If the remote host allowed IP forwarding and we wanted to use it, the
- # following rules could be split into two groups to separately validate
- # the source and destination addresses.
- set filter dial 7 permit 172.17.16.0/20 172.17.20.248
- set filter dial 8 permit 172.17.36.0/22 172.17.20.248
- set filter dial 9 permit 172.17.118.0/26 172.17.20.248
- set filter dial 10 permit 10.123.5.0/24 172.17.20.248
- # Once the link's up, limit outgoing access to the specified hosts
- set filter out 0 4 172.17.16.0/20 172.17.20.248
- set filter out 1 4 172.17.36.0/22 172.17.20.248
- set filter out 2 4 172.17.118.0/26 172.17.20.248
- set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
- # Allow established TCP connections
- set filter out 4 permit 0 0 tcp estab
- # And new connections to http, rlogin, rsh, telnet, ftp and ports
- # 24 and 4000
- set filter out 5 permit 0 0 tcp dst eq http
- set filter out 6 permit 0 0 tcp dst eq login
- set filter out 7 permit 0 0 tcp dst eq shell
- set filter out 8 permit 0 0 tcp dst eq telnet
- set filter out 9 permit 0 0 tcp dst eq ftp
- set filter out 10 permit 0 0 tcp dst eq 24
- set filter out 11 permit 0 0 tcp dst eq 4000
-
复制代码 |
|