1#################################################################
2#
3#  	PPP  Sample Configuration File
4#
5#	  Originally written by Toshiharu OHNO
6#
7# $MirSecuCron$
8# $MirOS: src/etc/ppp/ppp.conf.sample,v 1.6 2012/07/06 16:44:51 tg Exp $
9# $OpenBSD: ppp.conf.sample,v 1.21 2002/06/09 06:15:15 todd Exp $
10#
11#################################################################
12
13# This file is separated into sections.  Each section is named with
14# a label starting in column 0 and followed directly by a ``:''.  The
15# section continues until the next section.  Blank lines and lines
16# beginning with ``#'' are ignored.
17#
18# Lines beginning with "!include" will ``include'' another file.  You
19# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
20#
21
22# Default setup. Always executed when PPP is invoked.
23#  This section is *not* loaded by the ``load'' or ``dial'' commands.
24#
25#  This is the best place to specify your modem device, its DTR rate,
26#  and any logging specification.  Logging specs should be done first
27#  so that subsequent commands are logged.
28#
29default:
30 set log Phase Chat LCP IPCP CCP tun command
31
32previous:
33 # This was part of 'default' but got removed from there in MirBSD.
34 set device /dev/cua01
35 set speed 115200
36 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
37
38# Client side PPP
39#
40#  Although the PPP protocol is a peer to peer protocol, we normally
41#  consider the side that makes the connection as the client and the
42#  side that receives the connection as the server.  Authentication
43#  is required by the server either using a unix-style login procedure
44#  or by demanding PAP or CHAP authentication from the client.
45#
46
47# An on demand example where we have dynamic IP addresses:
48#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
49#  can't predict what their IP will be either, take a wild guess at
50#  some IPs that you can't currently route to.
51#
52#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
53#  specified IP actually being correct, therefore, the other side can assign
54#  any IP numbers.
55#
56#  The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
57#  IP number, forcing the peer to make the decision.
58#
59#  This entry also works with static IP numbers or when not in -auto mode.
60#  The ``add'' line adds a `sticky' default route that will be updated if
61#  and when any of the IP numbers are changed in IPCP negotiations.
62#  The "set ifaddr" is required in -auto mode.
63#
64#  Finally, the ``enable dns'' bit tells ppp to ask the peer for the
65#  nameserver addresses that should be used.  This isn't always supported
66#  by the other side, but if it is, /etc/resolv.conf will automatically be
67#  updated.
68#
69pmdemand:
70 set phone 1234567
71 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
72 set timeout 120
73 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
74 add default HISADDR
75 enable dns
76
77# When we want to use PAP or CHAP instead of using a unix-style login
78# procedure, we do the following.  Note, the peer suggests whether we
79# should send PAP or CHAP.  By default, we send whatever we're asked for.
80#
81PAPorCHAPpmdemand:
82 set phone 1234567
83 set login
84 set authname MyName
85 set authkey MyKey
86 set timeout 120
87 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
88 add default HISADDR
89 enable dns
90
91# On demand dialup example with static IP addresses:
92#  Here, the local side uses 192.244.185.226 and the remote side
93#  uses 192.244.176.44.
94#
95#  # ppp -auto ondemand
96#
97#  With static IP numbers, our setup is similar to dynamic:
98#  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
99#  a "ondemand" label, and finally the "MYADDR" label.
100#
101ondemand:
102 set phone 1234567
103 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
104 set timeout 120
105 set ifaddr 192.244.185.226 192.244.176.44
106 add default HISADDR
107 enable dns
108
109#                          Example segments
110#
111# The following lines may be included as part of your configuration
112# section and aren't themselves complete.  They're provided as examples
113# of how to achieve different things.
114
115examples:
116# Multi-phone example.  Numbers separated by a : are used sequentially.
117# Numbers separated by a | are used if the previous dial or login script
118# failed.  Usually, you will prefer to use only one of | or :, but both
119# are allowed.
120#
121    set phone 12345678|12345679:12345670|12345671
122#
123# Ppp can accept control instructions from the ``pppctl'' program.
124# First, you must set up your control socket.  It's safest to use
125# a UNIX domain socket, and watch the permissions:
126#
127    set server /var/tmp/internet MySecretPassword 0177
128#
129# Although a TCP port may be used if you want to allow control
130# connections from other machines:
131#
132    set server 6670 MySecretpassword
133#
134# If you don't like ppp's builtin chat, use an external one:
135#
136    set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
137#
138# If we have a ``strange'' modem that must be re-initialized when we
139# hangup:
140#
141    set hangup "\"\" AT OK-AT-OK ATZ OK"
142#
143# To adjust logging withouth blasting the setting in default:
144#
145    set log -command +tcp/ip
146#
147# To see log messages on the screen in interactive mode:
148#
149    set log local LCP IPCP CCP
150#
151# If you're seeing a lot of magic number problems and failed connections,
152# try this (see the man page):
153#
154    set openmode active 5
155#
156# For noisy lines, we may want to reconnect (up to 20 times) after loss
157# of carrier, with 3 second delays between each attempt:
158#
159    set reconnect 3 20
160#
161# When playing server for M$ clients, tell them who our NetBIOS name
162# servers are:
163#
164    set nbns 10.0.0.1 10.0.0.2
165#
166# Inform the client if they ask for our DNS IP numbers:
167#
168    enable dns
169#
170# If you don't want to tell them what's in your /etc/resolv.conf file
171# with `enable dns', override the values:
172#
173    set dns 10.0.0.1 10.0.0.2
174#
175# If we're using the -alias switch, redirect ftp and http to an internal
176# machine:
177#
178    alias port 10.0.0.2:ftp ftp
179    alias port 10.0.0.2:http http
180#
181# or don't trust the outside at all
182#
183    alias deny_incoming yes
184#
185# I trust user brian to run ppp, so this goes in the `default' section:
186#
187    allow user brian
188#
189# But label `internet' contains passwords that even brian can't have, so
190# I empty out the user access list in that section so that only root can
191# have access:
192#
193    allow users
194#
195# I also may wish to set up my ppp login script so that it asks the client
196# for the label they wish to use.  I may only want user ``dodgy'' to access
197# their own label in direct mode:
198#
199dodgy:
200    allow user dodgy
201    allow mode direct
202#
203# If we don't want ICMP and DNS packets to keep the connection alive:
204#
205    set filter alive 0 deny icmp
206    set filter alive 1 deny udp src eq 53
207    set filter alive 2 deny udp dst eq 53
208    set filter alive 3 permit 0 0
209#
210# And we don't want ICMPs to cause a dialup:
211#
212    set filter dial 0 deny icmp
213    set filter dial 1 permit 0 0
214#
215# or any TCP SYN or RST packets (badly closed TCP channels):
216#
217    set filter dial 2 deny 0 0 tcp syn finrst
218#
219# Once the line's up, allow connections for ident (113), telnet (23),
220# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
221# ICMP (ping) and traceroute (>33433).
222#
223# Anything else is blocked by default
224#
225    set filter in  0 permit tcp dst eq 113
226    set filter out 0 permit tcp src eq 113
227    set filter in  1 permit tcp src eq 23 estab
228    set filter out 1 permit tcp dst eq 23
229    set filter in  2 permit tcp src eq 21 estab
230    set filter out 2 permit tcp dst eq 21
231    set filter in  3 permit tcp src eq 20 dst gt 1023
232    set filter out 3 permit tcp dst eq 20
233    set filter in  4 permit udp src eq 53
234    set filter out 4 permit udp dst eq 53
235    set filter in  5 permit 192.244.191.0/24 0/0
236    set filter out 5 permit 0/0 192.244.191.0/24
237    set filter in  6 permit icmp
238    set filter out 6 permit icmp
239    set filter in  7 permit udp dst gt 33433
240    set filter out 7 permit udp dst gt 33433
241
242#
243# ``dodgynet'' is an example intended for an autodial configuration which
244# is connecting a local network to a host on an untrusted network.
245dodgynet:
246    # Log link uptime
247    set log Phase
248    # For autoconnect only
249    allow modes auto
250    # Define modem device and speed
251    set device /dev/cua01
252    set speed 115200
253    # Don't support LQR
254    deny lqr
255    # Remote system phone number, login and password
256    set phone 0W1194
257    set authname pppLogin
258    set authkey MyPassword
259    # Chat script to dial remote system
260    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
261              ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
262    # Chat script to login to remote Unix system
263    set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
264    # Drop the link after 15 minutes of inactivity
265    # Inactivity is defined by the `set filter alive' line below
266    set timeout 900
267    # Hard-code remote system to appear within local subnet and use proxy arp
268    # to make this system the gateway
269    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
270    enable proxy
271
272    # Allow any TCP packet to keep the link alive
273    set filter alive 0 permit tcp
274
275    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
276    # private TCP ports 24 and 4000
277    set filter dial  0 7      0 0 tcp dst eq http
278    set filter dial  1 7      0 0 tcp dst eq login
279    set filter dial  2 7      0 0 tcp dst eq shell
280    set filter dial  3 7      0 0 tcp dst eq telnet
281    set filter dial  4 7      0 0 tcp dst eq ftp
282    set filter dial  5 7      0 0 tcp dst eq 24
283    set filter dial  6 deny ! 0 0 tcp dst eq 4000
284    # From hosts on a couple of local subnets to the remote peer
285    # If the remote host allowed IP forwarding and we wanted to use it, the
286    # following rules could be split into two groups to separately validate
287    # the source and destination addresses.
288    set filter dial  7 permit 172.17.16.0/20  172.17.20.248
289    set filter dial  8 permit 172.17.36.0/22  172.17.20.248
290    set filter dial  9 permit 172.17.118.0/26 172.17.20.248
291    set filter dial 10 permit 10.123.5.0/24   172.17.20.248
292
293    # Once the link's up, limit outgoing access to the specified hosts
294    set filter out  0 4      172.17.16.0/20  172.17.20.248
295    set filter out  1 4      172.17.36.0/22  172.17.20.248
296    set filter out  2 4      172.17.118.0/26 172.17.20.248
297    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248
298    # Allow established TCP connections
299    set filter out  4 permit 0 0 tcp estab
300    # And new connections to http, rlogin, rsh, telnet, ftp and ports
301    # 24 and 4000
302    set filter out  5 permit 0 0 tcp dst eq http
303    set filter out  6 permit 0 0 tcp dst eq login
304    set filter out  7 permit 0 0 tcp dst eq shell
305    set filter out  8 permit 0 0 tcp dst eq telnet
306    set filter out  9 permit 0 0 tcp dst eq ftp
307    set filter out 10 permit 0 0 tcp dst eq 24
308    set filter out 11 permit 0 0 tcp dst eq 4000
309    # And outgoing icmp
310    set filter out 12 permit 0 0 icmp
311
312    # Once the link's up, limit incoming access to the specified hosts
313    set filter in   0 4      172.17.20.248  172.17.16.0/20
314    set filter in   1 4      172.17.20.248  172.17.36.0/22
315    set filter in   2 4      172.17.20.248  172.17.118.0/26
316    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
317    # Established TCP connections and non-PASV FTP
318    set filter in   4 permit 0/0  0/0  tcp estab
319    set filter in   5 permit 0/0  0/0  tcp src eq 20
320    # Useful ICMP messages
321    set filter in   6 permit 0/0  0/0  icmp src eq 3
322    set filter in   7 permit 0/0  0/0  icmp src eq 4
323    set filter in   8 permit 0/0  0/0  icmp src eq 11
324    set filter in   9 permit 0/0  0/0  icmp src eq 12
325    # Echo reply (local systems can ping the remote host)
326    set filter in  10 permit 0/0  0/0  icmp src eq 0
327    # And the remote host can ping the local gateway (only)
328    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8
329
330
331# Server side PPP
332#  If you want the remote system to authenticate itself, you insist
333#  that the peer uses CHAP (or PAP) with the "enable" keyword.  Both CHAP and
334#  PAP are disabled by default (we usually only "enable" one of them if the
335#  other side is dialing into our server).
336#  When the peer authenticates itself, we use ppp.secret for verification.
337#
338#  Ppp is launched with:
339#   # ppp -direct CHAPserver
340#
341#  Note:  We can supply a third field in ppp.secret specifying the IP address
342#         for that user.  We can even specify a fourth field to specify the
343#         ppp.link{up,down} label to use.
344#
345CHAPserver:
346 enable chap
347 enable proxy
348 set ifaddr 192.244.176.44 292.244.184.31
349 accept dns
350
351# If we wish to act as a server, allowing PAP access according to
352# accounts in /etc/passwd, we do this  (Without `enable passwdauth',
353# you may still enter ``*'' as the users password in ppp.secret and
354# ppp will look it up in the passwd database.  This is useful if you
355# need to assign a special label or IP number or range):
356#
357PAPServerwithPASSWD:
358 enable pap
359 enable passwdauth
360 enable proxy
361 set ifaddr 192.244.176.44 292.244.184.31
362 accept dns
363
364
365# Example to connect using a null-modem cable:
366#  The important thing here is to allow the lqr packets on both sides.
367#  Without them enabled, we can't tell if the line's dropped - there
368#  should always be carrier on a direct connection.
369#  Here, the server sends LQRs every 10 seconds and quits if five in a
370#  row fail.
371#
372#  Make sure you don't have "deny lqr" in your default: on the client !
373#  If the peer denies LQR, we still send ECHO LQR packets at the given
374#  lqrperiod interval (ppp-style-pings).
375#
376direct-client:
377 set dial ""
378 set device /dev/cua00
379 set sp 115200
380 set timeout 900
381 set lqrperiod 10
382 set log Phase Chat LQM
383 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
384 set ifaddr 10.0.4.2 10.0.4.1
385 enable lqr
386 accept lqr
387
388direct-server:
389 set timeout 0
390 set lqrperiod 10
391 set log Phase LQM
392 set ifaddr 10.0.4.1 10.0.4.2
393 enable lqr
394 accept lqr
395
396
397# Example to connect via compuserve (who insist on 7 bits even parity
398#  during the chat phase).
399#
400compuserve:
401 set phone 1234567
402 set parity even
403 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
404            word: XXXXXXXX PPP"
405 set timeout 300
406 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
407 delete ALL
408 add default HISADDR
409
410
411# Example for PPP over TCP.
412#  We assume that inetd on tcpsrv.mynet has been
413#  configured to run "ppp -direct tcp-server" when it gets a connection on
414#  port 1234.  Read the man page for further details
415#
416#  Note, we assume we're using a binary-clean connection.  If something
417#  such as `rlogin' is involved, you may need to ``set escape 0xff''
418#
419tcp-client:
420 set device tcpsrv.mynet:1234
421 set dial
422 set login
423 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
424
425tcp-server:
426 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
427
428# If you want to test ppp, do it through a loopback:
429#
430# Requires a line in /etc/services:
431#   ppploop 6671/tcp # loopback ppp daemon
432#
433# and a line in /etc/inetd.conf:
434#   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
435#
436loop:
437 set timeout 0
438 set log phase chat connect lcp ipcp command
439 set device localhost:ppploop
440 set dial
441 set login
442 set ifaddr 127.0.0.2 127.0.0.3
443 set server /var/tmp/loop "" 0177
444
445loop-in:
446 set timeout 0
447 set log phase lcp ipcp command
448 allow mode direct
449
450# Example of a VPN.
451#  If you're going to create a tunnel through a public network, your VPN
452#  should be set up something like this:
453#
454#  You should already have set up ssh using ssh-agent & ssh-add.
455#
456#
457sloop:
458 load loop
459 # Passive mode allows ssh plenty of time to establish the connection
460 set openmode passive
461 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
462
463# If you wish to connect to a server that will dial back *without* using
464# the ppp callback facility (rfc1570), take advantage of the fact that
465# ppp doesn't look for carrier 'till `set login' is complete:
466#
467# Here, we expect the server to say DIALBACK then disconnect after
468# we've authenticated ourselves.  When this has happened, we wait
469# 60 seconds for a RING.
470#
471dialback:
472 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
473           ATDT\\T TIMEOUT 60 CONNECT"
474 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
475           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
476
477# Alternatively, if the peer is using the PPP callback protocol, use
478# normal dial and login scripts and add
479#
480 set callback auth cbcp e.164 1234567
481 set cbcp 1234567
482
483# If we're running a ppp server that wants to only call back microsoft
484# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
485#
486 set callback cbcp
487 set cbcp
488 set log +cbcp
489 set redial 3 1
490 set device /dev/cua00
491 set speed 115200
492 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
493
494# Or if we want to allow authenticated clients to specify their own
495# callback number, use this ``set cbcp'' line instead:
496#
497 set cbcp *
498
499# Multilink mode is available (rfc1990).
500# To enable multilink capabilities, you must specify a MRRU.  1500 is
501# a reasonable value.  To create new links, use the ``clone'' command
502# to duplicate an existing link.  If you already have more than one
503# link, you must specify which link you wish to run the command on via
504# the ``link'' command.
505#
506# You can now ``dial'' specific links, or even dial all links at the
507# same time.  The `dial' command may also be prefixed with a specific
508# link that should do the dialing.
509#
510mloop:
511 load loop
512 set mode interactive
513 set mrru 1500
514 set mru 1504			# Room for the MP header
515 clone 1 2 3
516 link deflink remove
517 # dial
518 # link 2 dial
519 # link 3 dial
520
521mloop-in:
522 set timeout 0
523 set log tun phase
524 allow mode direct
525 set mrru 1500
526 set mru 1504			# Room for the MP header
527
528############################################################
529# MirBSD particulars
530############################################################
531
532# 0. PPP over modem lines
533# Sorry, I use pppd(8) for this purpose.
534
535# 1. ADSL with PPPoE
536MirADSL:
537 # Adjust: ne3 => NIC where your ADSL modem sits on
538 set device "!/usr/sbin/pppoe -i ne3"
539 set speed sync
540 disable ipv6cp
541 set timeout 0
542 set mtu max 1454
543 set mru max 1454
544 disable acfcomp protocomp ipv6cp
545 deny acfcomp
546 enable lqr mssfixup # dns
547 accept lqr
548 # Adjust: the entire string in quotes => your user name
549 # Adjust (T-Online users): 0-3 = Anschluszkennung
550 #                          4-9 = T-Online-Nummer
551 #                         0001 = Mitbenutzerkennung
552 set authname "0001112223339988776655440001@t-online.de"
553 set authkey "secret-passsword"
554
555# 2. ISDN with SyncPPP and Dial-On-Demand
556MirISDN:
557 set device /dev/isdnbchan0
558 set speed sync
559 disable ipv6cp mppe
560 set timeout 0
561 #set cd 6
562 set login
563 set ifaddr 0.0.0.0/0 0.0.0.1/0 255.255.255.0 0.0.0.0
564 add default HISADDR
565 set authname "0001112223339988776655440001@t-online.de"
566 set authkey "secret-passsword"
567 set phone 0191011
568
569# 3. UMTS with a USB Surfstick
570MirUMTS:
571 set device /dev/cuaU0
572 set speed 115200
573# set speed 921600
574 set crtscts on
575 accept lqr
576 enable lqr
577 deny deflate mppe pred1
578 disable deflate mppe pred1 ipv6cp
579 set timeout 0
580 set mtu max 640
581 set mru max 640
582 enable mssfixup
583 set dial "ABORT BUSY ABORT VOICE ABORT NO\\sCARRIER ABORT NO\\sDIALTONE \
584	ABORT NO\\sDIAL\\sTONE ABORT NO\\sANSWER ABORT DELAYED ABORT ERROR \
585	ABORT +CGATT:\\s0 TIMEOUT 12 \"\" AT OK ATH OK ATE1 \
586	OK AT+CGDCONT=1,\\\"IP\\\",\\\"\\T\\\",\\\"\\\",0,0 \
587	OK ATD*99# TIMEOUT 22 CONNECT"
588 set ifaddr 0.0.0.0/0 0.0.0.1/0 255.255.255.0 0.0.0.0
589 add default HISADDR
590
591viag:
592 load MirISDN
593 set authname "anonymer"
594 set authkey "surfer"
595 set phone 010900191799
596 set timeout 300
597 dial
598msn:
599 load MirISDN
600 set authname "msn"
601 set authkey "msn"
602 set phone 010880192658
603 set timeout 300
604 dial
605telekom:
606 load MirISDN
607 set authname "0001112223339988776655440001@t-online.de"
608 set authkey "secret-passsword"
609 set phone 0191011
610 set timeout 300
611 dial
612
613vodafone:
614 set phone web.vodafone.de
615 load MirUMTS
616