1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: src/usr.sbin/ppp/ppp.8.m4,v 1.301.2.1 2002/09/01 02:12:31 brian Exp $ 29.\" 30.Dd October 10, 2019 31.Dt PPP 8 32.Os 33.Sh NAME 34.Nm ppp 35.Nd Point to Point Protocol (a.k.a. user-ppp) 36.Sh SYNOPSIS 37.Nm 38.Op Fl Va mode 39.Op Fl nat 40.Op Fl quiet 41.Op Fl unit Ns Ar N 42.Op Ar system ... 43.Sh DESCRIPTION 44This is a user process 45.Em PPP 46software package with the help of the tunnel device driver 47.Xr ( tun 4 ) . 48.Pp 49The 50.Fl nat 51flag does the equivalent of a 52.Dq nat enable yes , 53enabling 54.Nm Ns No 's 55network address translation features. 56This allows 57.Nm 58to act as a NAT or masquerading engine for all machines on an internal 59LAN. 60ifdef({LOCALNAT},{},{Refer to 61.Xr libalias 3 62for details on the technical side of the NAT engine. 63})dnl 64Refer to the 65.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 66section of this manual page for details on how to configure NAT in 67.Nm . 68.Pp 69The 70.Fl quiet 71flag tells 72.Nm 73to be silent at startup rather than displaying the mode and interface 74to standard output. 75.Pp 76The 77.Fl unit 78flag tells 79.Nm 80to only attempt to open 81.Pa /dev/tun Ns Ar N . 82Normally, 83.Nm 84will start with a value of 0 for 85.Ar N , 86and keep trying to open a tunnel device by incrementing the value of 87.Ar N 88by one each time until it succeeds. 89If it fails three times in a row 90because the device file is missing, it gives up. 91.Pp 92The following 93.Va mode Ns No s 94are understood by 95.Nm : 96.Bl -tag -width XXX -offset XXX 97.It Fl auto 98.Nm 99opens the tun interface, configures it then goes into the background. 100The link isn't brought up until outgoing data is detected on the tun 101interface at which point 102.Nm 103attempts to bring up the link. 104Packets received (including the first one) while 105.Nm 106is trying to bring the link up will remain queued for a default of 1072 minutes. 108See the 109.Dq set choked 110command below. 111.Pp 112In 113.Fl auto 114mode, at least one 115.Dq system 116must be given on the command line (see below) and a 117.Dq set ifaddr 118must be done in the system profile that specifies a peer IP address to 119use when configuring the interface. 120Something like 121.Dq 10.0.0.1/0 122is usually appropriate. 123See the 124.Dq pmdemand 125system in 126.Pa /usr/share/examples/ppp/ppp.conf.sample 127for an example. 128.It Fl background 129Here, 130.Nm 131attempts to establish a connection with the peer immediately. 132If it succeeds, 133.Nm 134goes into the background and the parent process returns an exit code 135of 0. 136If it fails, 137.Nm 138exits with a non-zero result. 139.It Fl foreground 140In foreground mode, 141.Nm 142attempts to establish a connection with the peer immediately, but never 143becomes a daemon. 144The link is created in background mode. 145This is useful if you wish to control 146.Nm Ns No 's 147invocation from another process. 148.It Fl direct 149This is used for receiving incoming connections. 150.Nm 151ignores the 152.Dq set device 153line and uses descriptor 0 as the link. 154.Pp 155If callback is configured, 156.Nm 157will use the 158.Dq set device 159information when dialing back. 160.It Fl dedicated 161This option is designed for machines connected with a dedicated 162wire. 163.Nm 164will always keep the device open and will never use any configured 165chat scripts. 166.It Fl ddial 167This mode is equivalent to 168.Fl auto 169mode except that 170.Nm 171will bring the link back up any time it's dropped for any reason. 172.It Fl interactive 173This is a no-op, and gives the same behaviour as if none of the above 174modes have been specified. 175.Nm 176loads any sections specified on the command line then provides an 177interactive prompt. 178.El 179.Pp 180One or more configuration entries or systems 181(as specified in 182.Pa /etc/ppp/ppp.conf ) 183may also be specified on the command line. 184.Nm 185will read the 186.Dq default 187system from 188.Pa /etc/ppp/ppp.conf 189at startup, followed by each of the systems specified on the command line. 190.Sh Major Features 191.Bl -diag 192.It Provides an interactive user interface. 193Using its command mode, the user can 194easily enter commands to establish the connection with the remote end, check 195the status of connection and close the connection. 196All functions can also be optionally password protected for security. 197.It Supports both manual and automatic dialing. 198Interactive mode has a 199.Dq term 200command which enables you to talk to the device directly. 201When you are connected to the remote peer and it starts to talk 202.Em PPP , 203.Nm 204detects it and switches to packet mode automatically. 205Once you have 206determined the proper sequence for connecting with the remote host, you 207can write a chat script to {define} the necessary dialing and login 208procedure for later convenience. 209.It Supports on-demand dialup capability. 210By using 211.Fl auto 212mode, 213.Nm 214will act as a daemon and wait for a packet to be sent over the 215.Em PPP 216link. 217When this happens, the daemon automatically dials and establishes the 218connection. 219In almost the same manner 220.Fl ddial 221mode (direct-dial mode) also automatically dials and establishes the 222connection. 223However, it differs in that it will dial the remote site 224any time it detects the link is down, even if there are no packets to be 225sent. 226This mode is useful for full-time connections where we worry less 227about line charges and more about being connected full time. 228A third 229.Fl dedicated 230mode is also available. 231This mode is targeted at a dedicated link between two machines. 232.Nm 233will never voluntarily quit from dedicated mode - you must send it the 234.Dq quit all 235command via its diagnostic socket. 236A 237.Dv SIGHUP 238will force an LCP renegotiation, and a 239.Dv SIGTERM 240will force it to exit. 241.It Supports client callback. 242.Nm 243can use either the standard LCP callback protocol or the Microsoft 244CallBack Control Protocol 245.Pa ( ftp://ftp.microsoft.com/developr/rfc/cbcp.txt ) . 246.It Supports NAT or packet aliasing. 247Packet aliasing (a.k.a. IP masquerading) allows computers on a 248private, unregistered network to access the Internet. 249The 250.Em PPP 251host acts as a masquerading gateway. 252IP addresses as well as TCP and 253UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 254returning packets. 255.It Supports background PPP connections. 256In background mode, if 257.Nm 258successfully establishes the connection, it will become a daemon. 259Otherwise, it will exit with an error. 260This allows the setup of 261scripts that wish to execute certain commands only if the connection 262is successfully established. 263.It Supports server-side PPP connections. 264In direct mode, 265.Nm 266acts as server which accepts incoming 267.Em PPP 268connections on stdin/stdout. 269.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication." 270With PAP or CHAP, it is possible to skip the Unix style 271.Xr login 1 272procedure, and use the 273.Em PPP 274protocol for authentication instead. 275If the peer requests Microsoft CHAP authentication and 276.Nm 277is compiled with DES support, an appropriate MD4/DES response will be 278made. 279.It Supports RADIUS (rfc 2138 & 2548) authentication. 280An extension to PAP and CHAP, 281.Em \&R Ns No emote 282.Em \&A Ns No ccess 283.Em \&D Ns No ial 284.Em \&I Ns No n 285.Em \&U Ns No ser 286.Em \&S Ns No ervice 287allows authentication information to be stored in a central or 288distributed database along with various per-user framed connection 289characteristics. 290ifdef({LOCALRAD},{},{If 291.Em RADIUS 292support was enabled at compile time, 293.Nm 294will use it to make 295.Em RADIUS 296requests when configured to do so. 297})dnl 298.It Supports Proxy Arp. 299.Nm 300can be configured to make one or more proxy arp entries on behalf of 301the peer. 302This allows routing from the peer to the LAN without 303configuring each machine on that LAN. 304.It Supports packet filtering. 305User can {define} four kinds of filters: the 306.Em in 307filter for incoming packets, the 308.Em out 309filter for outgoing packets, the 310.Em dial 311filter to {define} a dialing trigger packet and the 312.Em alive 313filter for keeping a connection alive with the trigger packet. 314.It Tunnel driver supports bpf. 315The user can use 316.Xr tcpdump 1 317to check the packet flow over the 318.Em PPP 319link. 320.It Supports PPP over TCP and PPP over UDP. 321If a device name is specified as 322.Em host Ns No : Ns Em port Ns 323.Xo 324.Op / Ns tcp|udp , 325.Xc 326.Nm 327will open a TCP or UDP connection for transporting data rather than using a 328conventional serial device. 329UDP connections force 330.Nm 331into synchronous mode. 332.It Supports PPP over Ethernet (rfc 2516). 333If 334.Nm 335is given a device specification of the format 336.No PPPoE: Ns Ar iface Ns Xo 337.Op \&: Ns Ar provider Ns 338.Xc 339and if 340.Xr netgraph 4 341is available, 342.Nm 343will attempt talk 344.Em PPP 345over Ethernet to 346.Ar provider 347using the 348.Ar iface 349network interface. 350.Pp 351On systems that do not support 352.Xr netgraph 4 , 353an external program such as 354.Xr pppoe 8 355may be used. 356.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 357.Nm 358supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 359Normally, a modem has built-in compression (e.g., v42.bis) and the system 360may receive higher data rates from it as a result of such compression. 361While this is generally a good thing in most other situations, this 362higher speed data imposes a penalty on the system by increasing the 363number of serial interrupts the system has to process in talking to the 364modem and also increases latency. 365Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 366.Em all 367network traffic flowing through the link, thus reducing overheads to a 368minimum. 369.It Supports Microsoft's IPCP extensions (rfc 1877). 370Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 371with clients using the Microsoft 372.Em PPP 373stack (i.e., Win95, WinNT) 374.It Supports Multi-link PPP (rfc 1990) 375It is possible to configure 376.Nm 377to open more than one physical connection to the peer, combining the 378bandwidth of all links for better throughput. 379.It Supports MPPE (draft-ietf-pppext-mppe) 380MPPE is Microsoft Point to Point Encryption scheme. 381It is possible to configure 382.Nm 383to participate in Microsoft's Windows VPN. 384For now, 385.Nm 386can only get encryption keys from CHAP 81 authentication. 387.Nm 388must be compiled with DES for MPPE to operate. 389.It Supports IPV6CP (rfc 2023). 390An IPv6 connection can be made in addition to or instead of the normal 391IPv4 connection. 392.El 393.Sh PERMISSIONS 394.Nm 395is installed as user 396.Dv root 397and group 398.Dv network , 399with permissions 400.Dv 04554 . 401By default, 402.Nm 403will not run if the invoking user id is not zero. 404This may be overridden by using the 405.Dq allow users 406command in 407.Pa /etc/ppp/ppp.conf . 408When running as a normal user, 409.Nm 410switches to user id 0 in order to alter the system routing table, set up 411system lock files and read the ppp configuration files. 412All external commands (executed via the "shell" or "!bg" commands) are executed 413as the user id that invoked 414.Nm . 415Refer to the 416.Sq ID0 417logging facility if you're interested in what exactly is done as user id 418zero. 419.Sh GETTING STARTED 420When you first run 421.Nm 422you may need to deal with some initial configuration details. 423.Bl -bullet 424.It 425Your kernel must {include} a tunnel device (the X86_64_GENERIC kernel includes 426one by default). 427If it doesn't, or if you require more than one tun 428interface, you'll need to rebuild your kernel with the following line in 429your kernel configuration file: 430.Pp 431.Dl pseudo-device tun N 432.Pp 433where 434.Ar N 435is the maximum number of 436.Em PPP 437connections you wish to support. 438.It 439Make sure that your system has a group named 440.Dq network 441in the 442.Pa /etc/group 443file and that the group contains the names of all users expected to use 444.Nm . 445Refer to the 446.Xr group 5 447manual page for details. 448Each of these users must also be given access using the 449.Dq allow users 450command in 451.Pa /etc/ppp/ppp.conf . 452.It 453Create a log file. 454.Nm 455uses 456.Xr syslog 3 457to log information. 458A common log file name is 459.Pa /var/log/ppp.log . 460To make output go to this file, put the following lines in the 461.Pa /etc/syslog.conf 462file: 463.Bd -literal -offset indent 464!ppp 465*.*<TAB>/var/log/ppp.log 466.Ed 467.Pp 468It is possible to have more than one 469.Em PPP 470log file by creating a link to the 471.Nm 472executable: 473.Pp 474.Dl # cd /usr/sbin 475.Dl # ln ppp ppp0 476.Pp 477and using 478.Bd -literal -offset indent 479!ppp0 480*.*<TAB>/var/log/ppp0.log 481.Ed 482.Pp 483in 484.Pa /etc/syslog.conf . 485Don't forget to send a 486.Dv HUP 487signal to 488.Xr syslogd 8 489after altering 490.Pa /etc/syslog.conf . 491.It 492Although not strictly relevant to 493.Nm Ns No 's 494operation, you should configure your resolver so that it works correctly. 495This can be done by configuring a local DNS 496(using 497.Xr named 8 ) 498or by adding the correct 499.Sq nameserver 500lines to the file 501.Pa /etc/resolv.conf . 502Refer to the 503.Xr resolv.conf 5 504manual page for details. 505.Pp 506Alternatively, if the peer supports it, 507.Nm 508can be configured to ask the peer for the nameserver address(es) and to 509update 510.Pa /etc/resolv.conf 511automatically. 512Refer to the 513.Dq enable dns 514and 515.Dq resolv 516commands below for details. 517.El 518.Sh MANUAL DIALING 519In the following examples, we assume that your machine name is 520.Dv awfulhak . 521when you invoke 522.Nm 523(see 524.Sx PERMISSIONS 525above) with no arguments, you are presented with a prompt: 526.Bd -literal -offset indent 527ppp ON awfulhak> 528.Ed 529.Pp 530The 531.Sq ON 532part of your prompt should always be in upper case. 533If it is in lower case, it means that you must supply a password using the 534.Dq passwd 535command. 536This only ever happens if you connect to a running version of 537.Nm 538and have not authenticated yourself using the correct password. 539.Pp 540You can start by specifying the device name and speed: 541.Bd -literal -offset indent 542ppp ON awfulhak> set device /dev/cuaa0 543ppp ON awfulhak> set speed 38400 544.Ed 545.Pp 546Normally, hardware flow control (CTS/RTS) is used. 547However, under 548certain circumstances (as may happen when you are connected directly 549to certain PPP-capable terminal servers), this may result in 550.Nm 551hanging as soon as it tries to write data to your communications link 552as it is waiting for the CTS (clear to send) signal - which will never 553come. 554Thus, if you have a direct line and can't seem to make a 555connection, try turning CTS/RTS off with 556.Dq set ctsrts off . 557If you need to do this, check the 558.Dq set accmap 559description below too - you'll probably need to 560.Dq set accmap 000a0000 . 561.Pp 562Usually, parity is set to 563.Dq none , 564and this is 565.Nm Ns No 's 566default. 567Parity is a rather archaic error checking mechanism that is no 568longer used because modern modems do their own error checking, and most 569link-layer protocols (that's what 570.Nm 571is) use much more reliable checking mechanisms. 572Parity has a relatively 573huge overhead (a 12.5% increase in traffic) and as a result, it is always 574disabled 575(set to 576.Dq none ) 577when 578.Dv PPP 579is opened. 580However, some ISPs (Internet Service Providers) may use 581specific parity settings at connection time (before 582.Dv PPP 583is opened). 584Notably, Compuserve insist on even parity when logging in: 585.Bd -literal -offset indent 586ppp ON awfulhak> set parity even 587.Ed 588.Pp 589You can now see what your current device settings look like: 590.Bd -literal -offset indent 591ppp ON awfulhak> show physical 592Name: deflink 593 State: closed 594 Device: N/A 595 Link Type: interactive 596 Connect Count: 0 597 Queued Packets: 0 598 Phone Number: N/A 599 600Defaults: 601 Device List: /dev/cuaa0 602 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 603 604Connect time: 0 secs 6050 octets in, 0 octets out 606Overall 0 bytes/sec 607ppp ON awfulhak> 608.Ed 609.Pp 610The term command can now be used to talk directly to the device: 611.Bd -literal -offset indent 612ppp ON awfulhak> term 613at 614OK 615atdt123456 616CONNECT 617login: myispusername 618Password: myisppassword 619Protocol: ppp 620.Ed 621.Pp 622When the peer starts to talk in 623.Em PPP , 624.Nm 625detects this automatically and returns to command mode. 626.Bd -literal -offset indent 627ppp ON awfulhak> # No link has been established 628Ppp ON awfulhak> # We've connected & finished LCP 629PPp ON awfulhak> # We've authenticated 630PPP ON awfulhak> # We've agreed IP numbers 631.Ed 632.Pp 633If it does not, it's probable that the peer is waiting for your end to 634start negotiating. 635To force 636.Nm 637to start sending 638.Em PPP 639configuration packets to the peer, use the 640.Dq ~p 641command to drop out of terminal mode and enter packet mode. 642.Pp 643If you never even receive a login prompt, it is quite likely that the 644peer wants to use PAP or CHAP authentication instead of using Unix-style 645login/password authentication. 646To set things up properly, drop back to 647the prompt and set your authentication name and key, then reconnect: 648.Bd -literal -offset indent 649~. 650ppp ON awfulhak> set authname myispusername 651ppp ON awfulhak> set authkey myisppassword 652ppp ON awfulhak> term 653at 654OK 655atdt123456 656CONNECT 657.Ed 658.Pp 659You may need to tell ppp to initiate negotiations with the peer here too: 660.Bd -literal -offset indent 661~p 662ppp ON awfulhak> # No link has been established 663Ppp ON awfulhak> # We've connected & finished LCP 664PPp ON awfulhak> # We've authenticated 665PPP ON awfulhak> # We've agreed IP numbers 666.Ed 667.Pp 668You are now connected! 669Note that 670.Sq PPP 671in the prompt has changed to capital letters to indicate that you have 672a peer connection. 673If only some of the three Ps go uppercase, wait until 674either everything is uppercase or lowercase. 675If they revert to lowercase, it means that 676.Nm 677couldn't successfully negotiate with the peer. 678A good first step for troubleshooting at this point would be to 679.Bd -literal -offset indent 680ppp ON awfulhak> set log local phase lcp ipcp 681.Ed 682.Pp 683and try again. 684Refer to the 685.Dq set log 686command description below for further details. 687If things fail at this point, 688it is quite important that you turn logging on and try again. 689It is also 690important that you note any prompt changes and report them to anyone trying 691to help you. 692.Pp 693When the link is established, the show command can be used to see how 694things are going: 695.Bd -literal -offset indent 696PPP ON awfulhak> show physical 697* Modem related information is shown here * 698PPP ON awfulhak> show ccp 699* CCP (compression) related information is shown here * 700PPP ON awfulhak> show lcp 701* LCP (line control) related information is shown here * 702PPP ON awfulhak> show ipcp 703* IPCP (IP) related information is shown here * 704PPP ON awfulhak> show ipv6cp 705* IPV6CP (IPv6) related information is shown here * 706PPP ON awfulhak> show link 707* Link (high level) related information is shown here * 708PPP ON awfulhak> show bundle 709* Logical (high level) connection related information is shown here * 710.Ed 711.Pp 712At this point, your machine has a host route to the peer. 713This means 714that you can only make a connection with the host on the other side 715of the link. 716If you want to add a default route entry (telling your 717machine to send all packets without another routing entry to the other 718side of the 719.Em PPP 720link), enter the following command: 721.Bd -literal -offset indent 722PPP ON awfulhak> add default HISADDR 723.Ed 724.Pp 725The string 726.Sq HISADDR 727represents the IP address of the connected peer. 728If the 729.Dq add 730command fails due to an existing route, you can overwrite the existing 731route using 732.Bd -literal -offset indent 733PPP ON awfulhak> add! default HISADDR 734.Ed 735.Pp 736This command can also be executed before actually making the connection. 737If a new IP address is negotiated at connection time, 738.Nm 739will update your default route accordingly. 740.Pp 741You can now use your network applications (ping, telnet, ftp etc.) 742in other windows or terminals on your machine. 743If you wish to reuse the current terminal, you can put 744.Nm 745into the background using your standard shell suspend and background 746commands (usually 747.Dq ^Z 748followed by 749.Dq bg ) . 750.Pp 751Refer to the 752.Sx PPP COMMAND LIST 753section for details on all available commands. 754.Sh AUTOMATIC DIALING 755To use automatic dialing, you must prepare some Dial and Login chat scripts. 756See the example definitions in 757.Pa /usr/share/examples/ppp/ppp.conf.sample 758(the format of 759.Pa /etc/ppp/ppp.conf 760is pretty simple). 761Each line contains one comment, inclusion, label or command: 762.Bl -bullet 763.It 764A line starting with a 765.Pq Dq # 766character is treated as a comment line. 767Leading whitespace are ignored when identifying comment lines. 768.It 769An inclusion is a line beginning with the word 770.Sq {!include} . 771It must have one argument - the file to {include}. 772You may wish to 773.Dq {!include} ~/.ppp.conf 774for compatibility with older versions of 775.Nm . 776.It 777A label name starts in the first column and is followed by 778a colon 779.Pq Dq \&: . 780.It 781A command line must contain a space or tab in the first column. 782.El 783.Pp 784The 785.Pa /etc/ppp/ppp.conf 786file should consist of at least a 787.Dq default 788section. 789This section is always executed. 790It should also contain 791one or more sections, named according to their purpose, for example, 792.Dq MyISP 793would represent your ISP, and 794.Dq ppp-in 795would represent an incoming 796.Nm 797configuration. 798You can now specify the destination label name when you invoke 799.Nm . 800Commands associated with the 801.Dq default 802label are executed, followed by those associated with the destination 803label provided. 804When 805.Nm 806is started with no arguments, the 807.Dq default 808section is still executed. 809The load command can be used to manually load a section from the 810.Pa /etc/ppp/ppp.conf 811file: 812.Bd -literal -offset indent 813ppp ON awfulhak> load MyISP 814.Ed 815.Pp 816Note, no action is taken by 817.Nm 818after a section is loaded, whether it's the result of passing a label on 819the command line or using the 820.Dq load 821command. 822Only the commands specified for that label in the configuration 823file are executed. 824However, when invoking 825.Nm 826with the 827.Fl background , 828.Fl ddial , 829or 830.Fl dedicated 831switches, the link mode tells 832.Nm 833to establish a connection. 834Refer to the 835.Dq set mode 836command below for further details. 837.Pp 838Once the connection is made, the 839.Sq ppp 840portion of the prompt will change to 841.Sq PPP : 842.Bd -literal -offset indent 843# ppp MyISP 844\&... 845ppp ON awfulhak> dial 846Ppp ON awfulhak> 847PPp ON awfulhak> 848PPP ON awfulhak> 849.Ed 850.Pp 851The Ppp prompt indicates that 852.Nm 853has entered the authentication phase. 854The PPp prompt indicates that 855.Nm 856has entered the network phase. 857The PPP prompt indicates that 858.Nm 859has successfully negotiated a network layer protocol and is in 860a usable state. 861.Pp 862If the 863.Pa /etc/ppp/ppp.linkup 864file is available, its contents are executed 865when the 866.Em PPP 867connection is established. 868See the provided 869.Dq pmdemand 870example in 871.Pa /usr/share/examples/ppp/ppp.conf.sample 872which runs a script in the background after the connection is established 873(refer to the 874.Dq shell 875and 876.Dq bg 877commands below for a description of possible substitution strings). 878Similarly, when a connection is closed, the contents of the 879.Pa /etc/ppp/ppp.linkdown 880file are executed. 881Both of these files have the same format as 882.Pa /etc/ppp/ppp.conf . 883.Pp 884In previous versions of 885.Nm , 886it was necessary to re-add routes such as the default route in the 887.Pa ppp.linkup 888file. 889.Nm 890supports 891.Sq sticky routes , 892where all routes that contain the 893.Dv HISADDR , 894.Dv MYADDR , 895.Dv HISADDR6 896or 897.Dv MYADDR6 898literals will automatically be updated when the values of these variables 899change. 900.Sh BACKGROUND DIALING 901If you want to establish a connection using 902.Nm 903non-interactively (such as from a 904.Xr crontab 5 905entry or an 906.Xr at 1 907job) you should use the 908.Fl background 909option. 910When 911.Fl background 912is specified, 913.Nm 914attempts to establish the connection immediately. 915If multiple phone 916numbers are specified, each phone number will be tried once. 917If the attempt fails, 918.Nm 919exits immediately with a non-zero exit code. 920If it succeeds, then 921.Nm 922becomes a daemon, and returns an exit status of zero to its caller. 923The daemon exits automatically if the connection is dropped by the 924remote system, or it receives a 925.Dv TERM 926signal. 927.Sh DIAL ON DEMAND 928Demand dialing is enabled with the 929.Fl auto 930or 931.Fl ddial 932options. 933You must also specify the destination label in 934.Pa /etc/ppp/ppp.conf 935to use. 936It must contain the 937.Dq set ifaddr 938command to {define} the remote peers IP address. 939(refer to 940.Pa /usr/share/examples/ppp/ppp.conf.sample ) 941.Bd -literal -offset indent 942# ppp -auto pmdemand 943.Ed 944.Pp 945When 946.Fl auto 947or 948.Fl ddial 949is specified, 950.Nm 951runs as a daemon but you can still configure or examine its 952configuration by using the 953.Dq set server 954command in 955.Pa /etc/ppp/ppp.conf , 956(for example, 957.Dq Li "set server +3000 mypasswd" ) 958and connecting to the diagnostic port as follows: 959.Bd -literal -offset indent 960# pppctl 3000 (assuming tun0) 961Password: 962PPP ON awfulhak> show who 963tcp (127.0.0.1:1028) * 964.Ed 965.Pp 966The 967.Dq show who 968command lists users that are currently connected to 969.Nm 970itself. 971If the diagnostic socket is closed or changed to a different 972socket, all connections are immediately dropped. 973.Pp 974In 975.Fl auto 976mode, when an outgoing packet is detected, 977.Nm 978will perform the dialing action (chat script) and try to connect 979with the peer. 980In 981.Fl ddial 982mode, the dialing action is performed any time the line is found 983to be down. 984If the connect fails, the default behaviour is to wait 30 seconds 985and then attempt to connect when another outgoing packet is detected. 986This behaviour can be changed using the 987.Dq set redial 988command: 989.Pp 990.No set redial Ar secs Ns Xo 991.Oo + Ns Ar inc Ns 992.Op - Ns Ar max Ns 993.Oc Ns Op . Ns Ar next 994.Op Ar attempts 995.Xc 996.Pp 997.Bl -tag -width attempts -compact 998.It Ar secs 999is the number of seconds to wait before attempting 1000to connect again. 1001If the argument is the literal string 1002.Sq Li random , 1003the delay period is a random value between 1 and 30 seconds inclusive. 1004.It Ar inc 1005is the number of seconds that 1006.Ar secs 1007should be incremented each time a new dial attempt is made. 1008The timeout reverts to 1009.Ar secs 1010only after a successful connection is established. 1011The default value for 1012.Ar inc 1013is zero. 1014.It Ar max 1015is the maximum number of times 1016.Nm 1017should increment 1018.Ar secs . 1019The default value for 1020.Ar max 1021is 10. 1022.It Ar next 1023is the number of seconds to wait before attempting 1024to dial the next number in a list of numbers (see the 1025.Dq set phone 1026command). 1027The default is 3 seconds. 1028Again, if the argument is the literal string 1029.Sq Li random , 1030the delay period is a random value between 1 and 30 seconds. 1031.It Ar attempts 1032is the maximum number of times to try to connect for each outgoing packet 1033that triggers a dial. 1034The previous value is unchanged if this parameter is omitted. 1035If a value of zero is specified for 1036.Ar attempts , 1037.Nm 1038will keep trying until a connection is made. 1039.El 1040.Pp 1041So, for example: 1042.Bd -literal -offset indent 1043set redial 10.3 4 1044.Ed 1045.Pp 1046will attempt to connect 4 times for each outgoing packet that causes 1047a dial attempt with a 3 second delay between each number and a 10 second 1048delay after all numbers have been tried. 1049If multiple phone numbers 1050are specified, the total number of attempts is still 4 (it does not 1051attempt each number 4 times). 1052.Pp 1053Alternatively, 1054.Bd -literal -offset indent 1055set redial 10+10-5.3 20 1056.Ed 1057.Pp 1058tells 1059.Nm 1060to attempt to connect 20 times. 1061After the first attempt, 1062.Nm 1063pauses for 10 seconds. 1064After the next attempt it pauses for 20 seconds 1065and so on until after the sixth attempt it pauses for 1 minute. 1066The next 14 pauses will also have a duration of one minute. 1067If 1068.Nm 1069connects, disconnects and fails to connect again, the timeout starts again 1070at 10 seconds. 1071.Pp 1072Modifying the dial delay is very useful when running 1073.Nm 1074in 1075.Fl auto 1076mode on both ends of the link. 1077If each end has the same timeout, 1078both ends wind up calling each other at the same time if the link 1079drops and both ends have packets queued. 1080At some locations, the serial link may not be reliable, and carrier 1081may be lost at inappropriate times. 1082It is possible to have 1083.Nm 1084redial should carrier be unexpectedly lost during a session. 1085.Bd -literal -offset indent 1086set reconnect timeout ntries 1087.Ed 1088.Pp 1089This command tells 1090.Nm 1091to re-establish the connection 1092.Ar ntries 1093times on loss of carrier with a pause of 1094.Ar timeout 1095seconds before each try. 1096For example, 1097.Bd -literal -offset indent 1098set reconnect 3 5 1099.Ed 1100.Pp 1101tells 1102.Nm 1103that on an unexpected loss of carrier, it should wait 1104.Ar 3 1105seconds before attempting to reconnect. 1106This may happen up to 1107.Ar 5 1108times before 1109.Nm 1110gives up. 1111The default value of ntries is zero (no reconnect). 1112Care should be taken with this option. 1113If the local timeout is slightly 1114longer than the remote timeout, the reconnect feature will always be 1115triggered (up to the given number of times) after the remote side 1116times out and hangs up. 1117NOTE: In this context, losing too many LQRs constitutes a loss of 1118carrier and will trigger a reconnect. 1119If the 1120.Fl background 1121flag is specified, all phone numbers are dialed at most once until 1122a connection is made. 1123The next number redial period specified with the 1124.Dq set redial 1125command is honoured, as is the reconnect tries value. 1126If your redial 1127value is less than the number of phone numbers specified, not all 1128the specified numbers will be tried. 1129To terminate the program, type 1130.Bd -literal -offset indent 1131PPP ON awfulhak> close 1132ppp ON awfulhak> quit all 1133.Ed 1134.Pp 1135A simple 1136.Dq quit 1137command will terminate the 1138.Xr pppctl 8 1139or 1140.Xr telnet 1 1141connection but not the 1142.Nm 1143program itself. 1144You must use 1145.Dq quit all 1146to terminate 1147.Nm 1148as well. 1149.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1150To handle an incoming 1151.Em PPP 1152connection request, follow these steps: 1153.Bl -enum 1154.It 1155Make sure the modem and (optionally) 1156.Pa /etc/rc.d/serial 1157is configured correctly. 1158.Bl -bullet -compact 1159.It 1160Use Hardware Handshake (CTS/RTS) for flow control. 1161.It 1162Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1163.El 1164.It 1165Edit 1166.Pa /etc/ttys 1167to enable a 1168.Xr getty 8 1169on the port where the modem is attached. 1170For example: 1171.Pp 1172.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1173.Pp 1174Don't forget to send a 1175.Dv HUP 1176signal to the 1177.Xr init 8 1178process to start the 1179.Xr getty 8 : 1180.Pp 1181.Dl # kill -HUP 1 1182.Pp 1183It is usually also necessary to train your modem to the same DTR speed 1184as the getty: 1185.Bd -literal -offset indent 1186# ppp 1187ppp ON awfulhak> set device /dev/cuaa1 1188ppp ON awfulhak> set speed 38400 1189ppp ON awfulhak> term 1190deflink: Entering terminal mode on /dev/cuaa1 1191Type `~?' for help 1192at 1193OK 1194at 1195OK 1196atz 1197OK 1198at 1199OK 1200~. 1201ppp ON awfulhak> quit 1202.Ed 1203.It 1204Create a 1205.Pa /usr/local/bin/ppplogin 1206file with the following contents: 1207.Bd -literal -offset indent 1208#! /bin/sh 1209exec /usr/sbin/ppp -direct incoming 1210.Ed 1211.Pp 1212Direct mode 1213.Pq Fl direct 1214lets 1215.Nm 1216work with stdin and stdout. 1217You can also use 1218.Xr pppctl 8 1219to connect to a configured diagnostic port, in the same manner as with 1220client-side 1221.Nm . 1222.Pp 1223Here, the 1224.Ar incoming 1225section must be set up in 1226.Pa /etc/ppp/ppp.conf . 1227.Pp 1228Make sure that the 1229.Ar incoming 1230section contains the 1231.Dq allow users 1232command as appropriate. 1233.It 1234Prepare an account for the incoming user. 1235.Bd -literal 1236ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1237.Ed 1238.Pp 1239Refer to the manual entries for 1240.Xr adduser 8 1241and 1242.Xr vipw 8 1243for details. 1244.It 1245Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1246can be enabled using the 1247.Dq accept dns 1248and 1249.Dq set nbns 1250commands. 1251Refer to their descriptions below. 1252.El 1253.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1254This method differs in that we use 1255.Nm 1256to authenticate the connection rather than 1257.Xr login 1 : 1258.Bl -enum 1259.It 1260Configure your default section in 1261.Pa /etc/gettytab 1262with automatic ppp recognition by specifying the 1263.Dq pp 1264capability: 1265.Bd -literal 1266default:\\ 1267 :pp=/usr/local/bin/ppplogin:\\ 1268 ..... 1269.Ed 1270.It 1271Configure your serial device(s), enable a 1272.Xr getty 8 1273and create 1274.Pa /usr/local/bin/ppplogin 1275as in the first three steps for method 1 above. 1276.It 1277Add either 1278.Dq enable chap 1279or 1280.Dq enable pap 1281(or both) 1282to 1283.Pa /etc/ppp/ppp.conf 1284under the 1285.Sq incoming 1286label (or whatever label 1287.Pa ppplogin 1288uses). 1289.It 1290Create an entry in 1291.Pa /etc/ppp/ppp.secret 1292for each incoming user: 1293.Bd -literal 1294Pfred<TAB>xxxx 1295Pgeorge<TAB>yyyy 1296.Ed 1297.El 1298.Pp 1299Now, as soon as 1300.Xr getty 8 1301detects a ppp connection (by recognising the HDLC frame headers), it runs 1302.Dq /usr/local/bin/ppplogin . 1303.Pp 1304It is 1305.Em VITAL 1306that either PAP or CHAP are enabled as above. 1307If they are not, you are 1308allowing anybody to establish a ppp session with your machine 1309.Em without 1310a password, opening yourself up to all sorts of potential attacks. 1311.Sh AUTHENTICATING INCOMING CONNECTIONS 1312Normally, the receiver of a connection requires that the peer 1313authenticates itself. 1314This may be done using 1315.Xr login 1 , 1316but alternatively, you can use PAP or CHAP. 1317CHAP is the more secure of the two, but some clients may not support it. 1318Once you decide which you wish to use, add the command 1319.Sq enable chap 1320or 1321.Sq enable pap 1322to the relevant section of 1323.Pa ppp.conf . 1324.Pp 1325You must then configure the 1326.Pa /etc/ppp/ppp.secret 1327file. 1328This file contains one line per possible client, each line 1329containing up to five fields: 1330.Pp 1331.Ar name Ar key Oo 1332.Ar hisaddr Op Ar label Op Ar callback-number 1333.Oc 1334.Pp 1335The 1336.Ar name 1337and 1338.Ar key 1339specify the client username and password. 1340If 1341.Ar key 1342is 1343.Dq \&* 1344and PAP is being used, 1345.Nm 1346will look up the password database 1347.Pq Xr passwd 5 1348when authenticating. 1349If the client does not offer a suitable response based on any 1350.Ar name Ns No / Ns Ar key 1351combination in 1352.Pa ppp.secret , 1353authentication fails. 1354.Pp 1355If authentication is successful, 1356.Ar hisaddr 1357(if specified) 1358is used when negotiating IP numbers. 1359See the 1360.Dq set ifaddr 1361command for details. 1362.Pp 1363If authentication is successful and 1364.Ar label 1365is specified, the current system label is changed to match the given 1366.Ar label . 1367This will change the subsequent parsing of the 1368.Pa ppp.linkup 1369and 1370.Pa ppp.linkdown 1371files. 1372.Pp 1373If authentication is successful and 1374.Ar callback-number 1375is specified and 1376.Dq set callback 1377has been used in 1378.Pa ppp.conf , 1379the client will be called back on the given number. 1380If CBCP is being used, 1381.Ar callback-number 1382may also contain a list of numbers or a 1383.Dq \&* , 1384as if passed to the 1385.Dq set cbcp 1386command. 1387The value will be used in 1388.Nm Ns No 's 1389subsequent CBCP phase. 1390.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1391Instead of running 1392.Nm 1393over a serial link, it is possible to 1394use a TCP connection instead by specifying the host, port and protocol as the 1395device: 1396.Pp 1397.Dl set device ui-gate:6669/tcp 1398.Pp 1399Instead of opening a serial device, 1400.Nm 1401will open a TCP connection to the given machine on the given 1402socket. 1403It should be noted however that 1404.Nm 1405doesn't use the telnet protocol and will be unable to negotiate 1406with a telnet server. 1407You should set up a port for receiving this 1408.Em PPP 1409connection on the receiving machine (ui-gate). 1410This is done by first updating 1411.Pa /etc/services 1412to name the service: 1413.Pp 1414.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1415.Pp 1416and updating 1417.Pa /etc/inetd.conf 1418to tell 1419.Xr inetd 8 1420how to deal with incoming connections on that port: 1421.Pp 1422.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1423.Pp 1424Don't forget to send a 1425.Dv HUP 1426signal to 1427.Xr inetd 8 1428after you've updated 1429.Pa /etc/inetd.conf . 1430Here, we use a label named 1431.Dq ppp-in . 1432The entry in 1433.Pa /etc/ppp/ppp.conf 1434on ui-gate (the receiver) should contain the following: 1435.Bd -literal -offset indent 1436ppp-in: 1437 set timeout 0 1438 set ifaddr 10.0.4.1 10.0.4.2 1439.Ed 1440.Pp 1441and the entry in 1442.Pa /etc/ppp/ppp.linkup 1443should contain: 1444.Bd -literal -offset indent 1445ppp-in: 1446 add 10.0.1.0/24 HISADDR 1447.Ed 1448.Pp 1449It is necessary to put the 1450.Dq add 1451command in 1452.Pa ppp.linkup 1453to ensure that the route is only added after 1454.Nm 1455has negotiated and assigned addresses to its interface. 1456.Pp 1457You may also want to enable PAP or CHAP for security. 1458To enable PAP, add the following line: 1459.Bd -literal -offset indent 1460 enable PAP 1461.Ed 1462.Pp 1463You'll also need to create the following entry in 1464.Pa /etc/ppp/ppp.secret : 1465.Bd -literal -offset indent 1466MyAuthName MyAuthPasswd 1467.Ed 1468.Pp 1469If 1470.Ar MyAuthPasswd 1471is a 1472.Dq * , 1473the password is looked up in the 1474.Xr passwd 5 1475database. 1476.Pp 1477The entry in 1478.Pa /etc/ppp/ppp.conf 1479on awfulhak (the initiator) should contain the following: 1480.Bd -literal -offset indent 1481ui-gate: 1482 set escape 0xff 1483 set device ui-gate:ppp-in/tcp 1484 set dial 1485 set timeout 30 1486 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1487 set ifaddr 10.0.4.2 10.0.4.1 1488.Ed 1489.Pp 1490with the route setup in 1491.Pa /etc/ppp/ppp.linkup : 1492.Bd -literal -offset indent 1493ui-gate: 1494 add 10.0.2.0/24 HISADDR 1495.Ed 1496.Pp 1497Again, if you're enabling PAP, you'll also need this in the 1498.Pa /etc/ppp/ppp.conf 1499profile: 1500.Bd -literal -offset indent 1501 set authname MyAuthName 1502 set authkey MyAuthKey 1503.Ed 1504.Pp 1505We're assigning the address of 10.0.4.1 to ui-gate, and the address 150610.0.4.2 to awfulhak. 1507To open the connection, just type 1508.Pp 1509.Dl awfulhak # ppp -background ui-gate 1510.Pp 1511The result will be an additional "route" on awfulhak to the 151210.0.2.0/24 network via the TCP connection, and an additional 1513"route" on ui-gate to the 10.0.1.0/24 network. 1514The networks are effectively bridged - the underlying TCP 1515connection may be across a public network (such as the 1516Internet), and the 1517.Em PPP 1518traffic is conceptually encapsulated 1519(although not packet by packet) inside the TCP stream between 1520the two gateways. 1521.Pp 1522The major disadvantage of this mechanism is that there are two 1523"guaranteed delivery" mechanisms in place - the underlying TCP 1524stream and whatever protocol is used over the 1525.Em PPP 1526link - probably TCP again. 1527If packets are lost, both levels will 1528get in each others way trying to negotiate sending of the missing 1529packet. 1530.Pp 1531To avoid this overhead, it is also possible to do all this using 1532UDP instead of TCP as the transport by simply changing the protocol 1533from "tcp" to "udp". 1534When using UDP as a transport, 1535.Nm 1536will operate in synchronous mode. 1537This is another gain as the incoming 1538data does not have to be rearranged into packets. 1539.Pp 1540Care should be taken when adding a default route through a tunneled 1541setup like this. 1542It is quite common for the default route 1543(added in 1544.Pa /etc/ppp/ppp.linkup ) 1545to end up routing the link's TCP connection through the tunnel, 1546effectively garrotting the connection. 1547To avoid this, make sure you add a static route for the benefit of 1548the link: 1549.Bd -literal -offset indent 1550ui-gate: 1551 set escape 0xff 1552 set device ui-gate:ppp-in/tcp 1553 add ui-gate x.x.x.x 1554 ..... 1555.Ed 1556.Pp 1557where 1558.Dq x.x.x.x 1559is the IP number that your route to 1560.Dq ui-gate 1561would normally use. 1562.Pp 1563When routing your connection across a public network such as the Internet, 1564it is preferable to encrypt the data. 1565This can be done with the help of the MPPE protocol, although currently this 1566means that you will not be able to also compress the traffic as MPPE is 1567implemented as a compression layer (thank Microsoft for this). 1568To enable MPPE encryption, add the following lines to 1569.Pa /etc/ppp/ppp.conf 1570on the server: 1571.Bd -literal -offset indent 1572 enable MSCHAPv2 1573 disable deflate pred1 1574 deny deflate pred1 1575.Ed 1576.Pp 1577ensuring that you've put the requisite entry in 1578.Pa /etc/ppp/ppp.secret 1579(MSCHAPv2 is challenge based, so 1580.Xr passwd 5 1581cannot be used) 1582.Pp 1583MSCHAPv2 and MPPE are accepted by default, so the client end should work 1584without any additional changes (although ensure you have 1585.Dq set authname 1586and 1587.Dq set authkey 1588in your profile). 1589.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1590The 1591.Fl nat 1592command line option enables network address translation (a.k.a. packet 1593aliasing). 1594This allows the 1595.Nm 1596host to act as a masquerading gateway for other computers over 1597a local area network. 1598Outgoing IP packets are NAT'd so that they appear to come from the 1599.Nm 1600host, and incoming packets are de-NAT'd so that they are routed 1601to the correct machine on the local area network. 1602NAT allows computers on private, unregistered subnets to have Internet 1603access, although they are invisible from the outside world. 1604In general, correct 1605.Nm 1606operation should first be verified with network address translation disabled. 1607Then, the 1608.Fl nat 1609option should be switched on, and network applications (web browser, 1610.Xr telnet 1 , 1611.Xr ftp 1 , 1612.Xr ping 8 , 1613.Xr traceroute 8 ) 1614should be checked on the 1615.Nm 1616host. 1617Finally, the same or similar applications should be checked on other 1618computers in the LAN. 1619If network applications work correctly on the 1620.Nm 1621host, but not on other machines in the LAN, then the masquerading 1622software is working properly, but the host is either not forwarding 1623or possibly receiving IP packets. 1624Check that IP forwarding is enabled in 1625.Pa /etc/rc.conf 1626and that other machines have designated the 1627.Nm 1628host as the gateway for the LAN. 1629.Sh PACKET FILTERING 1630This implementation supports packet filtering. 1631There are four kinds of 1632filters: the 1633.Em in 1634filter, the 1635.Em out 1636filter, the 1637.Em dial 1638filter and the 1639.Em alive 1640filter. 1641Here are the basics: 1642.Bl -bullet 1643.It 1644A filter definition has the following syntax: 1645.Pp 1646set filter 1647.Ar name 1648.Ar rule-no 1649.Ar action 1650.Op !\& 1651.Oo 1652.Op host 1653.Ar src_addr Ns Op / Ns Ar width 1654.Op Ar dst_addr Ns Op / Ns Ar width 1655.Oc 1656.Ar [ proto Op src Ar cmp port 1657.Op dst Ar cmp port 1658.Op estab 1659.Op syn 1660.Op finrst 1661.Op timeout Ar secs ] 1662.Bl -enum 1663.It 1664.Ar Name 1665should be one of 1666.Sq in , 1667.Sq out , 1668.Sq dial 1669or 1670.Sq alive . 1671.It 1672.Ar Rule-no 1673is a numeric value between 1674.Sq 0 1675and 1676.Sq 39 1677specifying the rule number. 1678Rules are specified in numeric order according to 1679.Ar rule-no , 1680but only if rule 1681.Sq 0 1682is defined. 1683.It 1684.Ar Action 1685may be specified as 1686.Sq permit 1687or 1688.Sq deny , 1689in which case, if a given packet matches the rule, the associated action 1690is taken immediately. 1691.Ar Action 1692can also be specified as 1693.Sq clear 1694to clear the action associated with that particular rule, or as a new 1695rule number greater than the current rule. 1696In this case, if a given 1697packet matches the current rule, the packet will next be matched against 1698the new rule number (rather than the next rule number). 1699.Pp 1700The 1701.Ar action 1702may optionally be followed with an exclamation mark 1703.Pq Dq !\& , 1704telling 1705.Nm 1706to reverse the sense of the following match. 1707.It 1708.Op Ar src_addr Ns Op / Ns Ar width 1709and 1710.Op Ar dst_addr Ns Op / Ns Ar width 1711are the source and destination IP number specifications. 1712If 1713.Op / Ns Ar width 1714is specified, it gives the number of relevant netmask bits, 1715allowing the specification of an address range. 1716.Pp 1717Either 1718.Ar src_addr 1719or 1720.Ar dst_addr 1721may be given the values 1722.Dv MYADDR , 1723.Dv HISADDR , 1724.Dv MYADDR6 1725or 1726.Dv HISADDR6 1727(refer to the description of the 1728.Dq bg 1729command for a description of these values). 1730When these values are used, 1731the filters will be updated any time the values change. 1732This is similar to the behaviour of the 1733.Dq add 1734command below. 1735.It 1736.Ar Proto 1737may be any protocol from 1738.Xr protocols 5 . 1739.It 1740.Ar Cmp 1741is one of 1742.Sq \< , 1743.Sq \&eq 1744or 1745.Sq \> , 1746meaning less-than, equal and greater-than respectively. 1747.Ar Port 1748can be specified as a numeric port or by service name from 1749.Pa /etc/services . 1750.It 1751The 1752.Sq estab , 1753.Sq syn , 1754and 1755.Sq finrst 1756flags are only allowed when 1757.Ar proto 1758is set to 1759.Sq tcp , 1760and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1761.It 1762The timeout value adjusts the current idle timeout to at least 1763.Ar secs 1764seconds. 1765If a timeout is given in the alive filter as well as in the in/out 1766filter, the in/out value is used. 1767If no timeout is given, the default timeout (set using 1768.Ic set timeout 1769and defaulting to 180 seconds) is used. 1770.El 1771.It 1772Each filter can hold up to 40 rules, starting from rule 0. 1773The entire rule set is not effective until rule 0 is defined, 1774i.e., the default is to allow everything through. 1775.It 1776If no rule in a defined set of rules matches a packet, that packet will 1777be discarded (blocked). 1778If there are no rules in a given filter, the packet will be permitted. 1779.It 1780It's possible to filter based on the payload of UDP frames where those 1781frames contain a 1782.Em PROTO_IP 1783.Em PPP 1784frame header. 1785See the 1786.Ar filter-decapsulation 1787option below for further details. 1788.It 1789Use 1790.Dq set filter Ar name No -1 1791to flush all rules. 1792.El 1793.Pp 1794See 1795.Pa /usr/share/examples/ppp/ppp.conf.sample . 1796.Sh SETTING THE IDLE TIMER 1797To check/set the idle timer, use the 1798.Dq show bundle 1799and 1800.Dq set timeout 1801commands: 1802.Bd -literal -offset indent 1803ppp ON awfulhak> set timeout 600 1804.Ed 1805.Pp 1806The timeout period is measured in seconds, the default value for which 1807is 180 seconds 1808(or 3 min). 1809To disable the idle timer function, use the command 1810.Bd -literal -offset indent 1811ppp ON awfulhak> set timeout 0 1812.Ed 1813.Pp 1814In 1815.Fl ddial 1816and 1817.Fl dedicated 1818modes, the idle timeout is ignored. 1819In 1820.Fl auto 1821mode, when the idle timeout causes the 1822.Em PPP 1823session to be 1824closed, the 1825.Nm 1826program itself remains running. 1827Another trigger packet will cause it to attempt to re-establish the link. 1828.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1829.Nm 1830supports both Predictor type 1 and deflate compression. 1831By default, 1832.Nm 1833will attempt to use (or be willing to accept) both compression protocols 1834when the peer agrees 1835(or requests them). 1836The deflate protocol is preferred by 1837.Nm . 1838Refer to the 1839.Dq disable 1840and 1841.Dq deny 1842commands if you wish to disable this functionality. 1843.Pp 1844It is possible to use a different compression algorithm in each direction 1845by using only one of 1846.Dq disable deflate 1847and 1848.Dq deny deflate 1849(assuming that the peer supports both algorithms). 1850.Pp 1851By default, when negotiating DEFLATE, 1852.Nm 1853will use a window size of 15. 1854Refer to the 1855.Dq set deflate 1856command if you wish to change this behaviour. 1857.Pp 1858A special algorithm called DEFLATE24 is also available, and is disabled 1859and denied by default. 1860This is exactly the same as DEFLATE except that 1861it uses CCP ID 24 to negotiate. 1862This allows 1863.Nm 1864to successfully negotiate DEFLATE with 1865.Nm pppd 1866version 2.3.*. 1867.Sh CONTROLLING IP ADDRESS 1868For IPv4, 1869.Nm 1870uses IPCP to negotiate IP addresses. 1871Each side of the connection 1872specifies the IP address that it's willing to use, and if the requested 1873IP address is acceptable then 1874.Nm 1875returns an ACK to the requester. 1876Otherwise, 1877.Nm 1878returns NAK to suggest that the peer use a different IP address. 1879When 1880both sides of the connection agree to accept the received request (and 1881send an ACK), IPCP is set to the open state and a network level connection 1882is established. 1883To control this IPCP behaviour, this implementation has the 1884.Dq set ifaddr 1885command for defining the local and remote IP address: 1886.Bd -ragged -offset indent 1887.No set ifaddr Oo Ar src_addr Ns 1888.Op / Ns Ar \&nn 1889.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1890.Oo Ar netmask 1891.Op Ar trigger_addr 1892.Oc 1893.Oc 1894.Oc 1895.Ed 1896.Pp 1897where, 1898.Sq src_addr 1899is the IP address that the local side is willing to use, 1900.Sq dst_addr 1901is the IP address which the remote side should use and 1902.Sq netmask 1903is the netmask that should be used. 1904.Sq Src_addr 1905defaults to the current 1906.Xr hostname 1 , 1907.Sq dst_addr 1908defaults to 0.0.0.0, and 1909.Sq netmask 1910defaults to whatever mask is appropriate for 1911.Sq src_addr . 1912It is only possible to make 1913.Sq netmask 1914smaller than the default. 1915The usual value is 255.255.255.255, as 1916most kernels ignore the netmask of a POINTOPOINT interface. 1917.Pp 1918Some incorrect 1919.Em PPP 1920implementations require that the peer negotiates a specific IP 1921address instead of 1922.Sq src_addr . 1923If this is the case, 1924.Sq trigger_addr 1925may be used to specify this IP number. 1926This will not affect the 1927routing table unless the other side agrees with this proposed number. 1928.Bd -literal -offset indent 1929set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1930.Ed 1931.Pp 1932The above specification means: 1933.Pp 1934.Bl -bullet -compact 1935.It 1936I will first suggest that my IP address should be 0.0.0.0, but I 1937will only accept an address of 192.244.177.38. 1938.It 1939I strongly insist that the peer uses 192.244.177.2 as his own 1940address and won't permit the use of any IP address but 192.244.177.2. 1941When the peer requests another IP address, I will always suggest that 1942it uses 192.244.177.2. 1943.It 1944The routing table entry will have a netmask of 0xffffffff. 1945.El 1946.Pp 1947This is all fine when each side has a pre-determined IP address, however 1948it is often the case that one side is acting as a server which controls 1949all IP addresses and the other side should go along with it. 1950In order to allow more flexible behaviour, the 1951.Dq set ifaddr 1952command allows the user to specify IP addresses more loosely: 1953.Pp 1954.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1955.Pp 1956A number followed by a slash 1957.Pq Dq / 1958represents the number of bits significant in the IP address. 1959The above example means: 1960.Pp 1961.Bl -bullet -compact 1962.It 1963I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1964also accept any IP address between 192.244.177.0 and 192.244.177.255. 1965.It 1966I'd like to make him use 192.244.177.2 as his own address, but I'll also 1967permit him to use any IP address between 192.244.176.0 and 1968192.244.191.255. 1969.It 1970As you may have already noticed, 192.244.177.2 is equivalent to saying 1971192.244.177.2/32. 1972.It 1973As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 1974preferred IP address and will obey the remote peers selection. 1975When using zero, no routing table entries will be made until a connection 1976is established. 1977.It 1978192.244.177.2/0 means that I'll accept/permit any IP address but I'll 1979suggest that 192.244.177.2 be used first. 1980.El 1981.Pp 1982When negotiating IPv6 addresses, no control is given to the user. 1983IPV6CP negotiation is fully automatic. 1984.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 1985The following steps should be taken when connecting to your ISP: 1986.Bl -enum 1987.It 1988Describe your providers phone number(s) in the dial script using the 1989.Dq set phone 1990command. 1991This command allows you to set multiple phone numbers for 1992dialing and redialing separated by either a pipe 1993.Pq Dq \&| 1994or a colon 1995.Pq Dq \&: : 1996.Bd -ragged -offset indent 1997.No set phone Ar telno Ns Xo 1998.Oo \&| Ns Ar backupnumber 1999.Oc Ns ... Ns Oo : Ns Ar nextnumber 2000.Oc Ns ... 2001.Xc 2002.Ed 2003.Pp 2004Numbers after the first in a pipe-separated list are only used if the 2005previous number was used in a failed dial or login script. 2006Numbers 2007separated by a colon are used sequentially, irrespective of what happened 2008as a result of using the previous number. 2009For example: 2010.Bd -literal -offset indent 2011set phone "1234567|2345678:3456789|4567890" 2012.Ed 2013.Pp 2014Here, the 1234567 number is attempted. 2015If the dial or login script fails, 2016the 2345678 number is used next time, but *only* if the dial or login script 2017fails. 2018On the dial after this, the 3456789 number is used. 2019The 4567890 2020number is only used if the dial or login script using the 3456789 fails. 2021If the login script of the 2345678 number fails, the next number is still the 20223456789 number. 2023As many pipes and colons can be used as are necessary 2024(although a given site would usually prefer to use either the pipe or the 2025colon, but not both). 2026The next number redial timeout is used between all numbers. 2027When the end of the list is reached, the normal redial period is 2028used before starting at the beginning again. 2029The selected phone number is substituted for the \\\\T string in the 2030.Dq set dial 2031command (see below). 2032.It 2033Set up your redial requirements using 2034.Dq set redial . 2035For example, if you have a bad telephone line or your provider is 2036usually engaged (not so common these days), you may want to specify 2037the following: 2038.Bd -literal -offset indent 2039set redial 10 4 2040.Ed 2041.Pp 2042This says that up to 4 phone calls should be attempted with a pause of 10 2043seconds before dialing the first number again. 2044.It 2045Describe your login procedure using the 2046.Dq set dial 2047and 2048.Dq set login 2049commands. 2050The 2051.Dq set dial 2052command is used to talk to your modem and establish a link with your 2053ISP, for example: 2054.Bd -literal -offset indent 2055set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2056 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2057.Ed 2058.Pp 2059This modem "chat" string means: 2060.Bl -bullet 2061.It 2062Abort if the string "BUSY" or "NO CARRIER" are received. 2063.It 2064Set the timeout to 4 seconds. 2065.It 2066Expect nothing. 2067.It 2068Send ATZ. 2069.It 2070Expect OK. 2071If that's not received within the 4 second timeout, send ATZ 2072and expect OK. 2073.It 2074Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2075above. 2076.It 2077Set the timeout to 60. 2078.It 2079Wait for the CONNECT string. 2080.El 2081.Pp 2082Once the connection is established, the login script is executed. 2083This script is written in the same style as the dial script, but care should 2084be taken to avoid having your password logged: 2085.Bd -literal -offset indent 2086set authkey MySecret 2087set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2088 word: \\\\P ocol: PPP HELLO" 2089.Ed 2090.Pp 2091This login "chat" string means: 2092.Bl -bullet 2093.It 2094Set the timeout to 15 seconds. 2095.It 2096Expect "login:". 2097If it's not received, send a carriage return and expect 2098"login:" again. 2099.It 2100Send "awfulhak" 2101.It 2102Expect "word:" (the tail end of a "Password:" prompt). 2103.It 2104Send whatever our current 2105.Ar authkey 2106value is set to. 2107.It 2108Expect "ocol:" (the tail end of a "Protocol:" prompt). 2109.It 2110Send "PPP". 2111.It 2112Expect "HELLO". 2113.El 2114.Pp 2115The 2116.Dq set authkey 2117command is logged specially. 2118When 2119.Ar command 2120or 2121.Ar chat 2122logging is enabled, the actual password is not logged; 2123.Sq ******** 2124is logged instead. 2125.Pp 2126Login scripts vary greatly between ISPs. 2127If you're setting one up for the first time, 2128.Em ENABLE CHAT LOGGING 2129so that you can see if your script is behaving as you expect. 2130.It 2131Use 2132.Dq set device 2133and 2134.Dq set speed 2135to specify your serial line and speed, for example: 2136.Bd -literal -offset indent 2137set device /dev/cuaa0 2138set speed 115200 2139.Ed 2140.Pp 2141Cuaa0 is the first serial port on 2142.Dx . 2143If you're running 2144.Nm 2145on 2146.Ox , 2147cua00 is the first. 2148A speed of 115200 should be specified 2149if you have a modem capable of bit rates of 28800 or more. 2150In general, the serial speed should be about four times the modem speed. 2151.It 2152Use the 2153.Dq set ifaddr 2154command to {define} the IP address. 2155.Bl -bullet 2156.It 2157If you know what IP address your provider uses, then use it as the remote 2158address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2159.It 2160If your provider has assigned a particular IP address to you, then use 2161it as your address (src_addr). 2162.It 2163If your provider assigns your address dynamically, choose a suitably 2164unobtrusive and unspecific IP number as your address. 216510.0.0.1/0 would be appropriate. 2166The bit after the / specifies how many bits of the 2167address you consider to be important, so if you wanted to insist on 2168something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2169.It 2170If you find that your ISP accepts the first IP number that you suggest, 2171specify third and forth arguments of 2172.Dq 0.0.0.0 . 2173This will force your ISP to assign a number. 2174(The third argument will 2175be ignored as it is less restrictive than the default mask for your 2176.Sq src_addr ) . 2177.El 2178.Pp 2179An example for a connection where you don't know your IP number or your 2180ISPs IP number would be: 2181.Bd -literal -offset indent 2182set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2183.Ed 2184.It 2185In most cases, your ISP will also be your default router. 2186If this is the case, add the line 2187.Bd -literal -offset indent 2188add default HISADDR 2189.Ed 2190.Pp 2191to 2192.Pa /etc/ppp/ppp.conf 2193(or to 2194.Pa /etc/ppp/ppp.linkup 2195for setups that don't use 2196.Fl auto 2197mode). 2198.Pp 2199This tells 2200.Nm 2201to add a default route to whatever the peer address is 2202(10.0.0.2 in this example). 2203This route is 2204.Sq sticky , 2205meaning that should the value of 2206.Dv HISADDR 2207change, the route will be updated accordingly. 2208.It 2209If your provider requests that you use PAP/CHAP authentication methods, add 2210the next lines to your 2211.Pa /etc/ppp/ppp.conf 2212file: 2213.Bd -literal -offset indent 2214set authname MyName 2215set authkey MyPassword 2216.Ed 2217.Pp 2218Both are accepted by default, so 2219.Nm 2220will provide whatever your ISP requires. 2221.Pp 2222It should be noted that a login script is rarely (if ever) required 2223when PAP or CHAP are in use. 2224.It 2225Ask your ISP to authenticate your nameserver address(es) with the line 2226.Bd -literal -offset indent 2227enable dns 2228.Ed 2229.Pp 2230Do 2231.Em NOT 2232do this if you are running a local DNS unless you also either use 2233.Dq resolv readonly 2234or have 2235.Dq resolv restore 2236in 2237.Pa /etc/ppp/ppp.linkdown , 2238as 2239.Nm 2240will simply circumvent its use by entering some nameserver lines in 2241.Pa /etc/resolv.conf . 2242.El 2243.Pp 2244Please refer to 2245.Pa /usr/share/examples/ppp/ppp.conf.sample 2246and 2247.Pa /usr/share/examples/ppp/ppp.linkup.sample 2248for some real examples. 2249The pmdemand label should be appropriate for most ISPs. 2250.Sh LOGGING FACILITY 2251.Nm 2252is able to generate the following log info either via 2253.Xr syslog 3 2254or directly to the screen: 2255.Pp 2256.Bl -tag -width XXXXXXXXX -offset XXX -compact 2257.It Li All 2258Enable all logging facilities. 2259This generates a lot of log. 2260The most common use of 'all' is as a basis, where you remove some facilities 2261after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2262.It Li Async 2263Dump async level packet in hex. 2264.It Li CBCP 2265Generate CBCP (CallBack Control Protocol) logs. 2266.It Li CCP 2267Generate a CCP packet trace. 2268.It Li Chat 2269Generate 2270.Sq dial , 2271.Sq login , 2272.Sq logout 2273and 2274.Sq hangup 2275chat script trace logs. 2276.It Li Command 2277Log commands executed either from the command line or any of the configuration 2278files. 2279.It Li Connect 2280Log Chat lines containing the string "CONNECT". 2281.It Li Debug 2282Log debug information. 2283.It Li DNS 2284Log DNS QUERY packets. 2285.It Li Filter 2286Log packets permitted by the dial filter and denied by any filter. 2287.It Li HDLC 2288Dump HDLC packet in hex. 2289.It Li ID0 2290Log all function calls specifically made as user id 0. 2291.It Li IPCP 2292Generate an IPCP packet trace. 2293.It Li LCP 2294Generate an LCP packet trace. 2295.It Li LQM 2296Generate LQR reports. 2297.It Li Phase 2298Phase transition log output. 2299.It Li Physical 2300Dump physical level packet in hex. 2301.It Li Sync 2302Dump sync level packet in hex. 2303.It Li TCP/IP 2304Dump all TCP/IP packets. 2305.It Li Timer 2306Log timer manipulation. 2307.It Li TUN 2308Include the tun device on each log line. 2309.It Li Warning 2310Output to the terminal device. 2311If there is currently no terminal, 2312output is sent to the log file using syslogs 2313.Dv LOG_WARNING . 2314.It Li Error 2315Output to both the terminal device 2316and the log file using syslogs 2317.Dv LOG_ERROR . 2318.It Li Alert 2319Output to the log file using 2320.Dv LOG_ALERT . 2321.El 2322.Pp 2323The 2324.Dq set log 2325command allows you to set the logging output level. 2326Multiple levels can be specified on a single command line. 2327The default is equivalent to 2328.Dq set log Phase . 2329.Pp 2330It is also possible to log directly to the screen. 2331The syntax is the same except that the word 2332.Dq local 2333should immediately follow 2334.Dq set log . 2335The default is 2336.Dq set log local 2337(i.e., only the un-maskable warning, error and alert output). 2338.Pp 2339If The first argument to 2340.Dq set log Op local 2341begins with a 2342.Sq + 2343or a 2344.Sq - 2345character, the current log levels are 2346not cleared, for example: 2347.Bd -literal -offset indent 2348PPP ON awfulhak> set log phase 2349PPP ON awfulhak> show log 2350Log: Phase Warning Error Alert 2351Local: Warning Error Alert 2352PPP ON awfulhak> set log +tcp/ip -warning 2353PPP ON awfulhak> set log local +command 2354PPP ON awfulhak> show log 2355Log: Phase TCP/IP Warning Error Alert 2356Local: Command Warning Error Alert 2357.Ed 2358.Pp 2359Log messages of level Warning, Error and Alert are not controllable 2360using 2361.Dq set log Op local . 2362.Pp 2363The 2364.Ar Warning 2365level is special in that it will not be logged if it can be displayed 2366locally. 2367.Sh SIGNAL HANDLING 2368.Nm 2369deals with the following signals: 2370.Bl -tag -width "USR2" 2371.It INT 2372Receipt of this signal causes the termination of the current connection 2373(if any). 2374This will cause 2375.Nm 2376to exit unless it is in 2377.Fl auto 2378or 2379.Fl ddial 2380mode. 2381.It HUP, TERM & QUIT 2382These signals tell 2383.Nm 2384to exit. 2385.It USR1 2386This signal, tells 2387.Nm 2388to re-open any existing server socket, dropping all existing diagnostic 2389connections. 2390Sockets that couldn't previously be opened will be retried. 2391.It USR2 2392This signal, tells 2393.Nm 2394to close any existing server socket, dropping all existing diagnostic 2395connections. 2396.Dv SIGUSR1 2397can still be used to re-open the socket. 2398.El 2399.Sh MULTI-LINK PPP 2400If you wish to use more than one physical link to connect to a 2401.Em PPP 2402peer, that peer must also understand the 2403.Em MULTI-LINK PPP 2404protocol. 2405Refer to RFC 1990 for specification details. 2406.Pp 2407The peer is identified using a combination of his 2408.Dq endpoint discriminator 2409and his 2410.Dq authentication id . 2411Either or both of these may be specified. 2412It is recommended that 2413at least one is specified, otherwise there is no way of ensuring that 2414all links are actually connected to the same peer program, and some 2415confusing lock-ups may result. 2416Locally, these identification variables are specified using the 2417.Dq set enddisc 2418and 2419.Dq set authname 2420commands. 2421The 2422.Sq authname 2423(and 2424.Sq authkey ) 2425must be agreed in advance with the peer. 2426.Pp 2427Multi-link capabilities are enabled using the 2428.Dq set mrru 2429command (set maximum reconstructed receive unit). 2430Once multi-link is enabled, 2431.Nm 2432will attempt to negotiate a multi-link connection with the peer. 2433.Pp 2434By default, only one 2435.Sq link 2436is available 2437(called 2438.Sq deflink ) . 2439To create more links, the 2440.Dq clone 2441command is used. 2442This command will clone existing links, where all 2443characteristics are the same except: 2444.Bl -enum 2445.It 2446The new link has its own name as specified on the 2447.Dq clone 2448command line. 2449.It 2450The new link is an 2451.Sq interactive 2452link. 2453Its mode may subsequently be changed using the 2454.Dq set mode 2455command. 2456.It 2457The new link is in a 2458.Sq closed 2459state. 2460.El 2461.Pp 2462A summary of all available links can be seen using the 2463.Dq show links 2464command. 2465.Pp 2466Once a new link has been created, command usage varies. 2467All link specific commands must be prefixed with the 2468.Dq link Ar name 2469command, specifying on which link the command is to be applied. 2470When only a single link is available, 2471.Nm 2472is smart enough not to require the 2473.Dq link Ar name 2474prefix. 2475.Pp 2476Some commands can still be used without specifying a link - resulting 2477in an operation at the 2478.Sq bundle 2479level. 2480For example, once two or more links are available, the command 2481.Dq show ccp 2482will show CCP configuration and statistics at the multi-link level, and 2483.Dq link deflink show ccp 2484will show the same information at the 2485.Dq deflink 2486link level. 2487.Pp 2488Armed with this information, the following configuration might be used: 2489.Bd -literal -offset indent 2490mp: 2491 set timeout 0 2492 set log phase chat 2493 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2494 set phone "123456789" 2495 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2496 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2497 set login 2498 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2499 set authname ppp 2500 set authkey ppppassword 2501 2502 set mrru 1500 2503 clone 1,2,3 # Create 3 new links - duplicates of the default 2504 link deflink remove # Delete the default link (called ``deflink'') 2505.Ed 2506.Pp 2507Note how all cloning is done at the end of the configuration. 2508Usually, the link will be configured first, then cloned. 2509If you wish all links 2510to be up all the time, you can add the following line to the end of your 2511configuration. 2512.Bd -literal -offset indent 2513 link 1,2,3 set mode ddial 2514.Ed 2515.Pp 2516If you want the links to dial on demand, this command could be used: 2517.Bd -literal -offset indent 2518 link * set mode auto 2519.Ed 2520.Pp 2521Links may be tied to specific names by removing the 2522.Dq set device 2523line above, and specifying the following after the 2524.Dq clone 2525command: 2526.Bd -literal -offset indent 2527 link 1 set device /dev/cuaa0 2528 link 2 set device /dev/cuaa1 2529 link 3 set device /dev/cuaa2 2530.Ed 2531.Pp 2532Use the 2533.Dq help 2534command to see which commands require context (using the 2535.Dq link 2536command), which have optional 2537context and which should not have any context. 2538.Pp 2539When 2540.Nm 2541has negotiated 2542.Em MULTI-LINK 2543mode with the peer, it creates a local domain socket in the 2544.Pa /var/run 2545directory. 2546This socket is used to pass link information (including 2547the actual link file descriptor) between different 2548.Nm 2549invocations. 2550This facilitates 2551.Nm Ns No 's 2552ability to be run from a 2553.Xr getty 8 2554or directly from 2555.Pa /etc/gettydefs 2556(using the 2557.Sq pp= 2558capability), without needing to have initial control of the serial 2559line. 2560Once 2561.Nm 2562negotiates multi-link mode, it will pass its open link to any 2563already running process. 2564If there is no already running process, 2565.Nm 2566will act as the master, creating the socket and listening for new 2567connections. 2568.Sh PPP COMMAND LIST 2569This section lists the available commands and their effect. 2570They are usable either from an interactive 2571.Nm 2572session, from a configuration file or from a 2573.Xr pppctl 8 2574or 2575.Xr telnet 1 2576session. 2577.Bl -tag -width 2n 2578.It accept|deny|enable|disable Ar option.... 2579These directives tell 2580.Nm 2581how to negotiate the initial connection with the peer. 2582Each 2583.Dq option 2584has a default of either accept or deny and enable or disable. 2585.Dq Accept 2586means that the option will be ACK'd if the peer asks for it. 2587.Dq Deny 2588means that the option will be NAK'd if the peer asks for it. 2589.Dq Enable 2590means that the option will be requested by us. 2591.Dq Disable 2592means that the option will not be requested by us. 2593.Pp 2594.Dq Option 2595may be one of the following: 2596.Bl -tag -width 2n 2597.It acfcomp 2598Default: Enabled and Accepted. 2599ACFComp stands for Address and Control Field Compression. 2600Non LCP packets will usually have an address 2601field of 0xff (the All-Stations address) and a control field of 26020x03 (the Unnumbered Information command). 2603If this option is 2604negotiated, these two bytes are simply not sent, thus minimising 2605traffic. 2606.Pp 2607See 2608.Pa rfc1662 2609for details. 2610.It chap Ns Op \&05 2611Default: Disabled and Accepted. 2612CHAP stands for Challenge Handshake Authentication Protocol. 2613Only one of CHAP and PAP (below) may be negotiated. 2614With CHAP, the authenticator sends a "challenge" message to its peer. 2615The peer uses a one-way hash function to encrypt the 2616challenge and sends the result back. 2617The authenticator does the same, and compares the results. 2618The advantage of this mechanism is that no 2619passwords are sent across the connection. 2620A challenge is made when the connection is first made. 2621Subsequent challenges may occur. 2622If you want to have your peer authenticate itself, you must 2623.Dq enable chap . 2624in 2625.Pa /etc/ppp/ppp.conf , 2626and have an entry in 2627.Pa /etc/ppp/ppp.secret 2628for the peer. 2629.Pp 2630When using CHAP as the client, you need only specify 2631.Dq AuthName 2632and 2633.Dq AuthKey 2634in 2635.Pa /etc/ppp/ppp.conf . 2636CHAP is accepted by default. 2637Some 2638.Em PPP 2639implementations use "MS-CHAP" rather than MD5 when encrypting the 2640challenge. 2641MS-CHAP is a combination of MD4 and DES. 2642If 2643.Nm 2644was built on a machine with DES libraries available, it will respond 2645to MS-CHAP authentication requests, but will never request them. 2646.It deflate 2647Default: Enabled and Accepted. 2648This option decides if deflate 2649compression will be used by the Compression Control Protocol (CCP). 2650This is the same algorithm as used by the 2651.Xr gzip 1 2652program. 2653Note: There is a problem negotiating 2654.Ar deflate 2655capabilities with 2656.Nm pppd 2657- a 2658.Em PPP 2659implementation available under many operating systems. 2660.Nm pppd 2661(version 2.3.1) incorrectly attempts to negotiate 2662.Ar deflate 2663compression using type 2664.Em 24 2665as the CCP configuration type rather than type 2666.Em 26 2667as specified in 2668.Pa rfc1979 . 2669Type 2670.Ar 24 2671is actually specified as 2672.Dq PPP Magna-link Variable Resource Compression 2673in 2674.Pa rfc1975 ! 2675.Nm 2676is capable of negotiating with 2677.Nm pppd , 2678but only if 2679.Dq deflate24 2680is 2681.Ar enable Ns No d 2682and 2683.Ar accept Ns No ed . 2684.It deflate24 2685Default: Disabled and Denied. 2686This is a variance of the 2687.Ar deflate 2688option, allowing negotiation with the 2689.Nm pppd 2690program. 2691Refer to the 2692.Ar deflate 2693section above for details. 2694It is disabled by default as it violates 2695.Pa rfc1975 . 2696.It dns 2697Default: Disabled and Denied. 2698This option allows DNS negotiation. 2699.Pp 2700If 2701.Dq enable Ns No d, 2702.Nm 2703will request that the peer confirms the entries in 2704.Pa /etc/resolv.conf . 2705If the peer NAKs our request (suggesting new IP numbers), 2706.Pa /etc/resolv.conf 2707is updated and another request is sent to confirm the new entries. 2708.Pp 2709If 2710.Dq accept Ns No ed, 2711.Nm 2712will answer any DNS queries requested by the peer rather than rejecting 2713them. 2714The answer is taken from 2715.Pa /etc/resolv.conf 2716unless the 2717.Dq set dns 2718command is used as an override. 2719.It enddisc 2720Default: Enabled and Accepted. 2721This option allows control over whether we 2722negotiate an endpoint discriminator. 2723We only send our discriminator if 2724.Dq set enddisc 2725is used and 2726.Ar enddisc 2727is enabled. 2728We reject the peers discriminator if 2729.Ar enddisc 2730is denied. 2731.It LANMan|chap80lm 2732Default: Disabled and Accepted. 2733The use of this authentication protocol 2734is discouraged as it partially violates the authentication protocol by 2735implementing two different mechanisms (LANMan & NT) under the guise of 2736a single CHAP type (0x80). 2737.Dq LANMan 2738uses a simple DES encryption mechanism and is the least secure of the 2739CHAP alternatives (although is still more secure than PAP). 2740.Pp 2741Refer to the 2742.Dq MSChap 2743description below for more details. 2744.It lqr 2745Default: Disabled and Accepted. 2746This option decides if Link Quality Requests will be sent or accepted. 2747LQR is a protocol that allows 2748.Nm 2749to determine that the link is down without relying on the modems 2750carrier detect. 2751When LQR is enabled, 2752.Nm 2753sends the 2754.Em QUALPROTO 2755option (see 2756.Dq set lqrperiod 2757below) as part of the LCP request. 2758If the peer agrees, both sides will 2759exchange LQR packets at the agreed frequency, allowing detailed link 2760quality monitoring by enabling LQM logging. 2761If the peer doesn't agree, 2762.Nm 2763will send ECHO LQR requests instead. 2764These packets pass no information of interest, but they 2765.Em MUST 2766be replied to by the peer. 2767.Pp 2768Whether using LQR or ECHO LQR, 2769.Nm 2770will abruptly drop the connection if 5 unacknowledged packets have been 2771sent rather than sending a 6th. 2772A message is logged at the 2773.Em PHASE 2774level, and any appropriate 2775.Dq reconnect 2776values are honoured as if the peer were responsible for dropping the 2777connection. 2778.It mppe 2779Default: Enabled and Accepted. 2780This is Microsoft Point to Point Encryption scheme. 2781MPPE key size can be 278240-, 56- and 128-bits. 2783Refer to 2784.Dq set mppe 2785command. 2786.It MSChapV2|chap81 2787Default: Disabled and Accepted. 2788It is very similar to standard CHAP (type 0x05) 2789except that it issues challenges of a fixed 16 bytes in length and uses a 2790combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2791standard MD5 mechanism. 2792.It MSChap|chap80nt 2793Default: Disabled and Accepted. 2794The use of this authentication protocol 2795is discouraged as it partially violates the authentication protocol by 2796implementing two different mechanisms (LANMan & NT) under the guise of 2797a single CHAP type (0x80). 2798It is very similar to standard CHAP (type 0x05) 2799except that it issues challenges of a fixed 8 bytes in length and uses a 2800combination of MD4 and DES to encrypt the challenge rather than using the 2801standard MD5 mechanism. 2802CHAP type 0x80 for LANMan is also supported - see 2803.Dq enable LANMan 2804for details. 2805.Pp 2806Because both 2807.Dq LANMan 2808and 2809.Dq NT 2810use CHAP type 0x80, when acting as authenticator with both 2811.Dq enable Ns No d , 2812.Nm 2813will rechallenge the peer up to three times if it responds using the wrong 2814one of the two protocols. 2815This gives the peer a chance to attempt using both protocols. 2816.Pp 2817Conversely, when 2818.Nm 2819acts as the authenticatee with both protocols 2820.Dq accept Ns No ed , 2821the protocols are used alternately in response to challenges. 2822.Pp 2823Note: If only LANMan is enabled, 2824.Nm pppd 2825(version 2.3.5) misbehaves when acting as authenticatee. 2826It provides both 2827the NT and the LANMan answers, but also suggests that only the NT answer 2828should be used. 2829.It pap 2830Default: Disabled and Accepted. 2831PAP stands for Password Authentication Protocol. 2832Only one of PAP and CHAP (above) may be negotiated. 2833With PAP, the ID and Password are sent repeatedly to the peer until 2834authentication is acknowledged or the connection is terminated. 2835This is a rather poor security mechanism. 2836It is only performed when the connection is first established. 2837If you want to have your peer authenticate itself, you must 2838.Dq enable pap . 2839in 2840.Pa /etc/ppp/ppp.conf , 2841and have an entry in 2842.Pa /etc/ppp/ppp.secret 2843for the peer (although see the 2844.Dq passwdauth 2845and 2846.Dq set radius 2847options below). 2848.Pp 2849When using PAP as the client, you need only specify 2850.Dq AuthName 2851and 2852.Dq AuthKey 2853in 2854.Pa /etc/ppp/ppp.conf . 2855PAP is accepted by default. 2856.It pred1 2857Default: Enabled and Accepted. 2858This option decides if Predictor 1 2859compression will be used by the Compression Control Protocol (CCP). 2860.It protocomp 2861Default: Enabled and Accepted. 2862This option is used to negotiate 2863PFC (Protocol Field Compression), a mechanism where the protocol 2864field number is reduced to one octet rather than two. 2865.It shortseq 2866Default: Enabled and Accepted. 2867This option determines if 2868.Nm 2869will request and accept requests for short 2870(12 bit) 2871sequence numbers when negotiating multi-link mode. 2872This is only applicable if our MRRU is set (thus enabling multi-link). 2873.It vjcomp 2874Default: Enabled and Accepted. 2875This option determines if Van Jacobson header compression will be used. 2876.El 2877.Pp 2878The following options are not actually negotiated with the peer. 2879Therefore, accepting or denying them makes no sense. 2880.Bl -tag -width 2n 2881.It filter-decapsulation 2882Default: Disabled. 2883When this option is enabled, 2884.Nm 2885will examine UDP frames to see if they actually contain a 2886.Em PPP 2887frame as their payload. 2888If this is the case, all filters will operate on the payload rather 2889than the actual packet. 2890.Pp 2891This is useful if you want to send PPPoUDP traffic over a 2892.Em PPP 2893link, but want that link to do smart things with the real data rather than 2894the UDP wrapper. 2895.Pp 2896The UDP frame payload must not be compressed in any way, otherwise 2897.Nm 2898will not be able to interpret it. 2899It's therefore recommended that you 2900.Ic disable vj pred1 deflate 2901and 2902.Ic deny vj pred1 deflate 2903in the configuration for the 2904.Nm 2905invocation with the udp link. 2906.It idcheck 2907Default: Enabled. 2908When 2909.Nm 2910exchanges low-level LCP, CCP and IPCP configuration traffic, the 2911.Em Identifier 2912field of any replies is expected to be the same as that of the request. 2913By default, 2914.Nm 2915drops any reply packets that do not contain the expected identifier 2916field, reporting the fact at the respective log level. 2917If 2918.Ar idcheck 2919is disabled, 2920.Nm 2921will ignore the identifier field. 2922.It iface-alias 2923Default: Enabled if 2924.Fl nat 2925is specified. 2926This option simply tells 2927.Nm 2928to add new interface addresses to the interface rather than replacing them. 2929The option can only be enabled if network address translation is enabled 2930.Pq Dq nat enable yes . 2931.Pp 2932With this option enabled, 2933.Nm 2934will pass traffic for old interface addresses through the NAT 2935ifdef({LOCALNAT},{engine,},{engine 2936(see 2937.Xr libalias 3 ) ,}) 2938resulting in the ability (in 2939.Fl auto 2940mode) to properly connect the process that caused the PPP link to 2941come up in the first place. 2942.Pp 2943Disabling NAT with 2944.Dq nat enable no 2945will also disable 2946.Sq iface-alias . 2947.It ipcp 2948Default: Enabled. 2949This option allows 2950.Nm 2951to attempt to negotiate IP control protocol capabilities and if 2952successful to exchange IP datagrams with the peer. 2953.It ipv6cp 2954Default: Enabled. 2955This option allows 2956.Nm 2957to attempt to negotiate IPv6 control protocol capabilities and if 2958successful to exchange IPv6 datagrams with the peer. 2959.It keep-session 2960Default: Disabled. 2961When 2962.Nm 2963runs as a Multi-link server, a different 2964.Nm 2965instance initially receives each connection. 2966After determining that 2967the link belongs to an already existing bundle (controlled by another 2968.Nm 2969invocation), 2970.Nm 2971will transfer the link to that process. 2972.Pp 2973If the link is a tty device or if this option is enabled, 2974.Nm 2975will not exit, but will change its process name to 2976.Dq session owner 2977and wait for the controlling 2978.Nm 2979to finish with the link and deliver a signal back to the idle process. 2980This prevents the confusion that results from 2981.Nm Ns No 's 2982parent considering the link resource available again. 2983.Pp 2984For tty devices that have entries in 2985.Pa /etc/ttys , 2986this is necessary to prevent another 2987.Xr getty 8 2988from being started, and for program links such as 2989.Xr sshd 8 , 2990it prevents 2991.Xr sshd 8 2992from exiting due to the death of its child. 2993As 2994.Nm 2995cannot determine its parents requirements (except for the tty case), this 2996option must be enabled manually depending on the circumstances. 2997.It loopback 2998Default: Enabled. 2999When 3000.Ar loopback 3001is enabled, 3002.Nm 3003will automatically loop back packets being sent 3004out with a destination address equal to that of the 3005.Em PPP 3006interface. 3007If disabled, 3008.Nm 3009will send the packet, probably resulting in an ICMP redirect from 3010the other end. 3011It is convenient to have this option enabled when 3012the interface is also the default route as it avoids the necessity 3013of a loopback route. 3014.It passwdauth 3015Default: Disabled. 3016Enabling this option will tell the PAP authentication 3017code to use the password database (see 3018.Xr passwd 5 ) 3019to authenticate the caller if they cannot be found in the 3020.Pa /etc/ppp/ppp.secret 3021file. 3022.Pa /etc/ppp/ppp.secret 3023is always checked first. 3024If you wish to use passwords from 3025.Xr passwd 5 , 3026but also to specify an IP number or label for a given client, use 3027.Dq \&* 3028as the client password in 3029.Pa /etc/ppp/ppp.secret . 3030.It proxy 3031Default: Disabled. 3032Enabling this option will tell 3033.Nm 3034to proxy ARP for the peer. 3035This means that 3036.Nm 3037will make an entry in the ARP table using 3038.Dv HISADDR 3039and the 3040.Dv MAC 3041address of the local network in which 3042.Dv HISADDR 3043appears. 3044This allows other machines connected to the LAN to talk to 3045the peer as if the peer itself was connected to the LAN. 3046The proxy entry cannot be made unless 3047.Dv HISADDR 3048is an address from a LAN. 3049.It proxyall 3050Default: Disabled. 3051Enabling this will tell 3052.Nm 3053to add proxy arp entries for every IP address in all class C or 3054smaller subnets routed via the tun interface. 3055.Pp 3056Proxy arp entries are only made for sticky routes that are added 3057using the 3058.Dq add 3059command. 3060No proxy arp entries are made for the interface address itself 3061(as created by the 3062.Dq set ifaddr 3063command). 3064.It sroutes 3065Default: Enabled. 3066When the 3067.Dq add 3068command is used with the 3069.Dv HISADDR , 3070.Dv MYADDR , 3071.Dv HISADDR6 3072or 3073.Dv MYADDR6 3074values, entries are stored in the 3075.Sq sticky route 3076list. 3077Each time these variables change, this list is re-applied to the routing table. 3078.Pp 3079Disabling this option will prevent the re-application of sticky routes, 3080although the 3081.Sq stick route 3082list will still be maintained. 3083.It Oo tcp Oc Ns Xo 3084.No mssfixup 3085.Xc 3086Default: Enabled. 3087This option tells 3088.Nm 3089to adjust TCP SYN packets so that the maximum receive segment 3090size is not greater than the amount allowed by the interface MTU. 3091.It throughput 3092Default: Enabled. 3093This option tells 3094.Nm 3095to gather throughput statistics. 3096Input and output is sampled over 3097a rolling 5 second window, and current, best and total figures are retained. 3098This data is output when the relevant 3099.Em PPP 3100layer shuts down, and is also available using the 3101.Dq show 3102command. 3103Throughput statistics are available at the 3104.Dq IPCP 3105and 3106.Dq physical 3107levels. 3108.It utmp 3109Default: Enabled. 3110Normally, when a user is authenticated using PAP or CHAP, and when 3111.Nm 3112is running in 3113.Fl direct 3114mode, an entry is made in the utmpx and wtmpx files for that user. 3115Disabling this option will tell 3116.Nm 3117not to make any utmpx or wtmpx entries. 3118This is usually only necessary if 3119you require the user to both login and authenticate themselves. 3120.El 3121.It add Ns Xo 3122.Op !\& 3123.Ar dest Ns Op / Ns Ar nn 3124.Op Ar mask 3125.Op Ar gateway 3126.Xc 3127.Ar Dest 3128is the destination IP address. 3129The netmask is specified either as a number of bits with 3130.Ar /nn 3131or as an IP number using 3132.Ar mask . 3133.Ar 0 0 3134or simply 3135.Ar 0 3136with no mask refers to the default route. 3137It is also possible to use the literal name 3138.Sq default 3139instead of 3140.Ar 0 . 3141.Ar Gateway 3142is the next hop gateway to get to the given 3143.Ar dest 3144machine/network. 3145Refer to the 3146.Xr route 8 3147command for further details. 3148.Pp 3149It is possible to use the symbolic names 3150.Sq MYADDR , 3151.Sq HISADDR , 3152.Sq MYADDR6 3153or 3154.Sq HISADDR6 3155as the destination, and 3156.Sq HISADDR 3157or 3158.Sq HISADDR6 3159as the 3160.Ar gateway . 3161.Sq MYADDR 3162is replaced with the interface IP address, 3163.Sq HISADDR 3164is replaced with the interface IP destination (peer) address, 3165.Sq MYADDR6 3166is replaced with the interface IPv6 address, and 3167.Sq HISADDR6 3168is replaced with the interface IPv6 destination address, 3169.Pp 3170If the 3171.Ar add!\& 3172command is used 3173(note the trailing 3174.Dq !\& ) , 3175then if the route already exists, it will be updated as with the 3176.Sq route change 3177command (see 3178.Xr route 8 3179for further details). 3180.Pp 3181Routes that contain the 3182.Dq HISADDR , 3183.Dq MYADDR , 3184.Dq HISADDR6 , 3185.Dq MYADDR6 , 3186.Dq DNS0 , 3187or 3188.Dq DNS1 3189constants are considered 3190.Sq sticky . 3191They are stored in a list (use 3192.Dq show ncp 3193to see the list), and each time the value of one of these variables 3194changes, the appropriate routing table entries are updated. 3195This facility may be disabled using 3196.Dq disable sroutes . 3197.It allow Ar command Op Ar args 3198This command controls access to 3199.Nm 3200and its configuration files. 3201It is possible to allow user-level access, 3202depending on the configuration file label and on the mode that 3203.Nm 3204is being run in. 3205For example, you may wish to configure 3206.Nm 3207so that only user 3208.Sq fred 3209may access label 3210.Sq fredlabel 3211in 3212.Fl background 3213mode. 3214.Pp 3215User id 0 is immune to these commands. 3216.Bl -tag -width 2n 3217.It allow user Ns Xo 3218.Op s 3219.Ar logname Ns No ... 3220.Xc 3221By default, only user id 0 is allowed access to 3222.Nm . 3223If this command is used, all of the listed users are allowed access to 3224the section in which the 3225.Dq allow users 3226command is found. 3227The 3228.Sq default 3229section is always checked first (even though it is only ever automatically 3230loaded at startup). 3231.Dq allow users 3232commands are cumulative in a given section, but users allowed in any given 3233section override users allowed in the default section, so it's possible to 3234allow users access to everything except a given label by specifying default 3235users in the 3236.Sq default 3237section, and then specifying a new user list for that label. 3238.Pp 3239If user 3240.Sq * 3241is specified, access is allowed to all users. 3242.It allow mode Ns Xo 3243.Op s 3244.Ar mode Ns No ... 3245.Xc 3246By default, access using any 3247.Nm 3248mode is possible. 3249If this command is used, it restricts the access 3250.Ar modes 3251allowed to load the label under which this command is specified. 3252Again, as with the 3253.Dq allow users 3254command, each 3255.Dq allow modes 3256command overrides any previous settings, and the 3257.Sq default 3258section is always checked first. 3259.Pp 3260Possible modes are: 3261.Sq interactive , 3262.Sq auto , 3263.Sq direct , 3264.Sq dedicated , 3265.Sq ddial , 3266.Sq background 3267and 3268.Sq * . 3269.Pp 3270When running in multi-link mode, a section can be loaded if it allows 3271.Em any 3272of the currently existing line modes. 3273.El 3274.It nat Ar command Op Ar args 3275This command allows the control of the network address translation (also 3276known as masquerading or IP aliasing) facilities that are built into 3277.Nm . 3278NAT is done on the external interface only, and is unlikely to make sense 3279if used with the 3280.Fl direct 3281flag. 3282.Pp 3283If nat is enabled on your system (it may be omitted at compile time), 3284the following commands are possible: 3285.Bl -tag -width 2n 3286.It nat enable yes|no 3287This command either switches network address translation on or turns it off. 3288The 3289.Fl nat 3290command line flag is synonymous with 3291.Dq nat enable yes . 3292.It nat addr Op Ar addr_local addr_alias 3293This command allows data for 3294.Ar addr_alias 3295to be redirected to 3296.Ar addr_local . 3297It is useful if you own a small number of real IP numbers that 3298you wish to map to specific machines behind your gateway. 3299.It nat deny_incoming yes|no 3300If set to yes, this command will refuse all incoming packets where an 3301aliasing link doesn't already exist. 3302ifdef({LOCALNAT},{},{Refer to the 3303.Sx CONCEPTUAL BACKGROUND 3304section of 3305.Xr libalias 3 3306for a description of what an 3307.Dq aliasing link 3308is. 3309})dnl 3310.Pp 3311It should be noted under what circumstances an aliasing link is 3312ifdef({LOCALNAT},{created.},{created by 3313.Xr libalias 3 .}) 3314It may be necessary to further protect your network from outside 3315connections using the 3316.Dq set filter 3317or 3318.Dq nat target 3319commands. 3320.It nat help|? 3321This command gives a summary of available nat commands. 3322.It nat log yes|no 3323This option causes various NAT statistics and information to 3324be logged to the file 3325.Pa /var/log/alias.log . 3326.It nat port Ar proto Ar targetIP Ns Xo 3327.No : Ns Ar targetPort Ns 3328.Oo 3329.No - Ns Ar targetPort 3330.Oc Ar aliasPort Ns 3331.Oo 3332.No - Ns Ar aliasPort 3333.Oc Oo Ar remoteIP : Ns 3334.Ar remotePort Ns 3335.Oo 3336.No - Ns Ar remotePort 3337.Oc Ns 3338.Oc 3339.Xc 3340This command causes incoming 3341.Ar proto 3342connections to 3343.Ar aliasPort 3344to be redirected to 3345.Ar targetPort 3346on 3347.Ar targetIP . 3348.Ar proto 3349is either 3350.Dq tcp 3351or 3352.Dq udp . 3353.Pp 3354A range of port numbers may be specified as shown above. 3355The ranges must be of the same size. 3356.Pp 3357If 3358.Ar remoteIP 3359is specified, only data coming from that IP number is redirected. 3360.Ar remotePort 3361must either be 3362.Dq 0 3363(indicating any source port) 3364or a range of ports the same size as the other ranges. 3365.Pp 3366This option is useful if you wish to run things like Internet phone on 3367machines behind your gateway, but is limited in that connections to only 3368one interior machine per source machine and target port are possible. 3369.It nat proto Ar proto localIP Oo 3370.Ar publicIP Op Ar remoteIP 3371.Oc 3372This command tells 3373.Nm 3374to redirect packets of protocol type 3375.Ar proto 3376(see 3377.Xr protocols 5 ) 3378to the internal address 3379.Ar localIP . 3380.Pp 3381If 3382.Ar publicIP 3383is specified, only packets destined for that address are matched, 3384otherwise the default alias address is used. 3385.Pp 3386If 3387.Ar remoteIP 3388is specified, only packets matching that source address are matched, 3389.Pp 3390This command is useful for redirecting tunnel endpoints to an internal machine, 3391for example: 3392.Pp 3393.Dl nat proto ipencap 10.0.0.1 3394.It "nat proxy cmd" Ar arg Ns No ... 3395This command tells 3396.Nm 3397to proxy certain connections, redirecting them to a given server. 3398ifdef({LOCALNAT},{},{Refer to the description of 3399.Fn PacketAliasProxyRule 3400in 3401.Xr libalias 3 3402for details of the available commands. 3403})dnl 3404.It nat punch_fw Op Ar base count 3405This command tells 3406.Nm 3407to punch holes in the firewall for FTP or IRC DCC connections. 3408This is done dynamically by installing temporary firewall rules which 3409allow a particular connection (and only that connection) to go through 3410the firewall. 3411The rules are removed once the corresponding connection terminates. 3412.Pp 3413A maximum of 3414.Ar count 3415rules starting from rule number 3416.Ar base 3417will be used for punching firewall holes. 3418The range will be cleared when the 3419.Dq nat punch_fw 3420command is run. 3421.Pp 3422If no arguments are given, firewall punching is disabled. 3423.It nat same_ports yes|no 3424When enabled, this command will tell the network address translation engine to 3425attempt to avoid changing the port number on outgoing packets. 3426This is useful 3427if you want to support protocols such as RPC and LPD which require 3428connections to come from a well known port. 3429.It nat target Op Ar address 3430Set the given target address or clear it if no address is given. 3431The target address is used 3432ifdef({LOCALNAT},{},{by libalias })dnl 3433to specify how to NAT incoming packets by default. 3434If a target address is not set or if 3435.Dq default 3436is given, packets are not altered and are allowed to route to the internal 3437network. 3438.Pp 3439The target address may be set to 3440.Dq MYADDR , 3441in which case 3442ifdef({LOCALNAT},{all packets will be redirected}, 3443{libalias will redirect all packets}) 3444to the interface address. 3445.It nat use_sockets yes|no 3446When enabled, this option tells the network address translation engine to 3447create a socket so that it can guarantee a correct incoming ftp data or 3448IRC connection. 3449.It nat unregistered_only yes|no 3450Only alter outgoing packets with an unregistered source address. 3451According to RFC 1918, unregistered source addresses 3452are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3453.El 3454.Pp 3455These commands are also discussed in the file 3456.Pa README.nat 3457which comes with the source distribution. 3458.It Oo !\& Oc Ns Xo 3459.No bg Ar command 3460.Xc 3461The given 3462.Ar command 3463is executed in the background with the following words replaced: 3464.Bl -tag -width COMPILATIONDATE 3465.It Li AUTHNAME 3466This is replaced with the local 3467.Ar authname 3468value. 3469See the 3470.Dq set authname 3471command below. 3472.It Li COMPILATIONDATE 3473This is replaced with the date on which 3474.Nm 3475was compiled. 3476.It Li DNS0 & DNS1 3477These are replaced with the primary and secondary nameserver IP numbers. 3478If nameservers are negotiated by IPCP, the values of these macros will change. 3479.It Li ENDDISC 3480This is replaced with the local endpoint discriminator value. 3481See the 3482.Dq set enddisc 3483command below. 3484.It Li HISADDR 3485This is replaced with the peers IP number. 3486.It Li HISADDR6 3487This is replaced with the peers IPv6 number. 3488.It Li INTERFACE 3489This is replaced with the name of the interface that's in use. 3490.It Li IPOCTETSIN 3491This is replaced with the number of IP bytes received since the connection 3492was established. 3493.It Li IPOCTETSOUT 3494This is replaced with the number of IP bytes sent since the connection 3495was established. 3496.It Li IPPACKETSIN 3497This is replaced with the number of IP packets received since the connection 3498was established. 3499.It Li IPPACKETSOUT 3500This is replaced with the number of IP packets sent since the connection 3501was established. 3502.It Li IPV6OCTETSIN 3503This is replaced with the number of IPv6 bytes received since the connection 3504was established. 3505.It Li IPV6OCTETSOUT 3506This is replaced with the number of IPv6 bytes sent since the connection 3507was established. 3508.It Li IPV6PACKETSIN 3509This is replaced with the number of IPv6 packets received since the connection 3510was established. 3511.It Li IPV6PACKETSOUT 3512This is replaced with the number of IPv6 packets sent since the connection 3513was established. 3514.It Li LABEL 3515This is replaced with the last label name used. 3516A label may be specified on the 3517.Nm 3518command line, via the 3519.Dq load 3520or 3521.Dq dial 3522commands and in the 3523.Pa ppp.secret 3524file. 3525.It Li MYADDR 3526This is replaced with the IP number assigned to the local interface. 3527.It Li MYADDR6 3528This is replaced with the IPv6 number assigned to the local interface. 3529.It Li OCTETSIN 3530This is replaced with the number of bytes received since the connection 3531was established. 3532.It Li OCTETSOUT 3533This is replaced with the number of bytes sent since the connection 3534was established. 3535.It Li PACKETSIN 3536This is replaced with the number of packets received since the connection 3537was established. 3538.It Li PACKETSOUT 3539This is replaced with the number of packets sent since the connection 3540was established. 3541.It Li PEER_ENDDISC 3542This is replaced with the value of the peers endpoint discriminator. 3543.It Li PROCESSID 3544This is replaced with the current process id. 3545.It Li SOCKNAME 3546This is replaced with the name of the diagnostic socket. 3547.It Li UPTIME 3548This is replaced with the bundle uptime in HH:MM:SS format. 3549.It Li USER 3550This is replaced with the username that has been authenticated with PAP or 3551CHAP. 3552Normally, this variable is assigned only in -direct mode. 3553This value is available irrespective of whether utmpx logging is enabled. 3554.It Li VERSION 3555This is replaced with the current version number of 3556.Nm . 3557.El 3558.Pp 3559These substitutions are also done by the 3560.Dq set proctitle , 3561.Dq ident 3562and 3563.Dq log 3564commands. 3565.Pp 3566If you wish to pause 3567.Nm 3568while the command executes, use the 3569.Dq shell 3570command instead. 3571.It clear physical|ipcp|ipv6 Op current|overall|peak... 3572Clear the specified throughput values at either the 3573.Dq physical , 3574.Dq ipcp 3575or 3576.Dq ipv6cp 3577level. 3578If 3579.Dq physical 3580is specified, context must be given (see the 3581.Dq link 3582command below). 3583If no second argument is given, all values are cleared. 3584.It clone Ar name Ns Xo 3585.Op \&, Ns Ar name Ns 3586.No ... 3587.Xc 3588Clone the specified link, creating one or more new links according to the 3589.Ar name 3590argument(s). 3591This command must be used from the 3592.Dq link 3593command below unless you've only got a single link (in which case that 3594link becomes the default). 3595Links may be removed using the 3596.Dq remove 3597command below. 3598.Pp 3599The default link name is 3600.Dq deflink . 3601.It close Op lcp|ccp Ns Op !\& 3602If no arguments are given, the relevant protocol layers will be brought 3603down and the link will be closed. 3604If 3605.Dq lcp 3606is specified, the LCP layer is brought down, but 3607.Nm 3608will not bring the link offline. 3609It is subsequently possible to use 3610.Dq term 3611(see below) 3612to talk to the peer machine if, for example, something like 3613.Dq slirp 3614is being used. 3615If 3616.Dq ccp 3617is specified, only the relevant compression layer is closed. 3618If the 3619.Dq !\& 3620is used, the compression layer will remain in the closed state, otherwise 3621it will re-enter the STOPPED state, waiting for the peer to initiate 3622further CCP negotiation. 3623In any event, this command does not disconnect the user from 3624.Nm 3625or exit 3626.Nm . 3627See the 3628.Dq quit 3629command below. 3630.It delete Ns Xo 3631.Op !\& 3632.Ar dest 3633.Xc 3634This command deletes the route with the given 3635.Ar dest 3636IP address. 3637If 3638.Ar dest 3639is specified as 3640.Sq ALL , 3641all non-direct entries in the routing table for the current interface, 3642and all 3643.Sq sticky route 3644entries are deleted. 3645If 3646.Ar dest 3647is specified as 3648.Sq default , 3649the default route is deleted. 3650.Pp 3651If the 3652.Ar delete!\& 3653command is used 3654(note the trailing 3655.Dq !\& ) , 3656.Nm 3657will not complain if the route does not already exist. 3658.It Xo 3659.Ic dial No \&| 3660.Ic call 3661.Op Ar label ... 3662.Xc 3663This command is the equivalent of 3664.Dq load label 3665followed by 3666.Dq open , 3667and is provided for backwards compatibility. 3668.It down Op Ar lcp|ccp 3669Bring the relevant layer down ungracefully, as if the underlying layer 3670had become unavailable. 3671It's not considered polite to use this command on 3672a Finite State Machine that's in the OPEN state. 3673If no arguments are 3674supplied, the entire link is closed (or if no context is given, all links 3675are terminated). 3676If 3677.Sq lcp 3678is specified, the 3679.Em LCP 3680layer is terminated but the device is not brought offline and the link 3681is not closed. 3682If 3683.Sq ccp 3684is specified, only the relevant compression layer(s) are terminated. 3685.It help|? Op Ar command 3686Show a list of available commands. 3687If 3688.Ar command 3689is specified, show the usage string for that command. 3690.It ident Op Ar text Ns No ... 3691Identify the link to the peer using 3692.Ar text . 3693If 3694.Ar text 3695is empty, link identification is disabled. 3696It is possible to use any of the words described for the 3697.Ic bg 3698command above. 3699Refer to the 3700.Ic sendident 3701command for details of when 3702.Nm 3703identifies itself to the peer. 3704.It iface Ar command Op args 3705This command is used to control the interface used by 3706.Nm . 3707.Ar Command 3708may be one of the following: 3709.Bl -tag -width 2n 3710.It iface add Ns Xo 3711.Op !\& 3712.Ar addr Ns Op / Ns Ar bits 3713.Op Ar peer 3714.Xc 3715.It iface add Ns Xo 3716.Op !\& 3717.Ar addr 3718.Ar mask 3719.Ar peer 3720.Xc 3721Add the given 3722.Ar addr mask peer 3723combination to the interface. 3724Instead of specifying 3725.Ar mask , 3726.Ar /bits 3727can be used 3728(with no space between it and 3729.Ar addr ) . 3730If the given address already exists, the command fails unless the 3731.Dq !\& 3732is used - in which case the previous interface address entry is overwritten 3733with the new one, allowing a change of netmask or peer address. 3734.Pp 3735If only 3736.Ar addr 3737is specified, 3738.Ar bits 3739defaults to 3740.Dq 32 3741and 3742.Ar peer 3743defaults to 3744.Dq 255.255.255.255 . 3745This address (the broadcast address) is the only duplicate peer address that 3746.Nm 3747allows. 3748.It iface clear Op INET | INET6 3749If this command is used while 3750.Nm 3751is in the OPENED state or while in 3752.Fl auto 3753mode, all addresses except for the NCP negotiated address are deleted 3754from the interface. 3755If 3756.Nm 3757is not in the OPENED state and is not in 3758.Fl auto 3759mode, all interface addresses are deleted. 3760.Pp 3761If the INET or INET6 arguments are used, only addresses for that address 3762family are cleared. 3763.It iface delete Ns Xo 3764.Op !\& Ns 3765.No |rm Ns Op !\& 3766.Ar addr 3767.Xc 3768This command deletes the given 3769.Ar addr 3770from the interface. 3771If the 3772.Dq !\& 3773is used, no error is given if the address isn't currently assigned to 3774the interface (and no deletion takes place). 3775.It iface show 3776Shows the current state and current addresses for the interface. 3777It is much the same as running 3778.Dq ifconfig INTERFACE . 3779.It iface help Op Ar sub-command 3780This command, when invoked without 3781.Ar sub-command , 3782will show a list of possible 3783.Dq iface 3784sub-commands and a brief synopsis for each. 3785When invoked with 3786.Ar sub-command , 3787only the synopsis for the given sub-command is shown. 3788.El 3789.It Oo Ic data Oc Ns Xo 3790.Ic link 3791.Ar name Ns Op , Ns Ar name Ns 3792.No ... Ar command Op Ar args 3793.Xc 3794This command may prefix any other command if the user wishes to 3795specify which link the command should affect. 3796This is only applicable after multiple links have been created in Multi-link 3797mode using the 3798.Dq clone 3799command. 3800.Pp 3801.Ar Name 3802specifies the name of an existing link. 3803If 3804.Ar name 3805is a comma separated list, 3806.Ar command 3807is executed on each link. 3808If 3809.Ar name 3810is 3811.Dq * , 3812.Ar command 3813is executed on all links. 3814.It Ic load Oo Ar label Oc Ns Xo 3815.No ... 3816.Xc 3817Load the given 3818.Ar label Ns No (s) 3819from the 3820.Pa ppp.conf 3821file. 3822If 3823.Ar label 3824is not given, the 3825.Ar default 3826label is used. 3827.Pp 3828Unless the 3829.Ar label 3830section uses the 3831.Dq set mode , 3832.Dq open 3833or 3834.Dq dial 3835commands, 3836.Nm 3837will not attempt to make an immediate connection. 3838.It log Ar word Ns No ... 3839Send the given word(s) to the log file with the prefix 3840.Dq LOG: . 3841Word substitutions are done as explained under the 3842.Dq !bg 3843command above. 3844.It open Op lcp|ccp|ipcp 3845This is the opposite of the 3846.Dq close 3847command. 3848All closed links are immediately brought up apart from second and subsequent 3849.Ar demand-dial 3850links - these will come up based on the 3851.Dq set autoload 3852command that has been used. 3853.Pp 3854If the 3855.Dq lcp 3856argument is used while the LCP layer is already open, LCP will be 3857renegotiated. 3858This allows various LCP options to be changed, after which 3859.Dq open lcp 3860can be used to put them into effect. 3861After renegotiating LCP, 3862any agreed authentication will also take place. 3863.Pp 3864If the 3865.Dq ccp 3866argument is used, the relevant compression layer is opened. 3867Again, if it is already open, it will be renegotiated. 3868.Pp 3869If the 3870.Dq ipcp 3871argument is used, the link will be brought up as normal, but if 3872IPCP is already open, it will be renegotiated and the network 3873interface will be reconfigured. 3874.Pp 3875It is probably not good practice to re-open the PPP state machines 3876like this as it's possible that the peer will not behave correctly. 3877It 3878.Em is 3879however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3880.It passwd Ar pass 3881Specify the password required for access to the full 3882.Nm 3883command set. 3884This password is required when connecting to the diagnostic port (see the 3885.Dq set server 3886command). 3887.Ar Pass 3888is specified on the 3889.Dq set server 3890command line. 3891The value of 3892.Ar pass 3893is not logged when 3894.Ar command 3895logging is active, instead, the literal string 3896.Sq ******** 3897is logged. 3898.It quit|bye Op all 3899If 3900.Dq quit 3901is executed from the controlling connection or from a command file, 3902ppp will exit after closing all connections. 3903Otherwise, if the user 3904is connected to a diagnostic socket, the connection is simply dropped. 3905.Pp 3906If the 3907.Ar all 3908argument is given, 3909.Nm 3910will exit despite the source of the command after closing all existing 3911connections. 3912.It remove|rm 3913This command removes the given link. 3914It is only really useful in multi-link mode. 3915A link must be in the 3916.Dv CLOSED 3917state before it is removed. 3918.It rename|mv Ar name 3919This command renames the given link to 3920.Ar name . 3921It will fail if 3922.Ar name 3923is already used by another link. 3924.Pp 3925The default link name is 3926.Sq deflink . 3927Renaming it to 3928.Sq modem , 3929.Sq cuaa0 3930or 3931.Sq USR 3932may make the log file more readable. 3933.It resolv Ar command 3934This command controls 3935.Nm Ns No 's 3936manipulation of the 3937.Xr resolv.conf 5 3938file. 3939When 3940.Nm 3941starts up, it loads the contents of this file into memory and retains this 3942image for future use. 3943.Ar command 3944is one of the following: 3945.Bl -tag -width readonly 3946.It Em readonly 3947Treat 3948.Pa /etc/resolv.conf 3949as read only. 3950If 3951.Dq dns 3952is enabled, 3953.Nm 3954will still attempt to negotiate nameservers with the peer, making the results 3955available via the 3956.Dv DNS0 3957and 3958.Dv DNS1 3959macros. 3960This is the opposite of the 3961.Dq resolv writable 3962command. 3963.It Em reload 3964Reload 3965.Pa /etc/resolv.conf 3966into memory. 3967This may be necessary if for example a DHCP client overwrote 3968.Pa /etc/resolv.conf . 3969.It Em restore 3970Replace 3971.Pa /etc/resolv.conf 3972with the version originally read at startup or with the last 3973.Dq resolv reload 3974command. 3975This is sometimes a useful command to put in the 3976.Pa /etc/ppp/ppp.linkdown 3977file. 3978.It Em rewrite 3979Rewrite the 3980.Pa /etc/resolv.conf 3981file. 3982This command will work even if the 3983.Dq resolv readonly 3984command has been used. 3985It may be useful as a command in the 3986.Pa /etc/ppp/ppp.linkup 3987file if you wish to defer updating 3988.Pa /etc/resolv.conf 3989until after other commands have finished. 3990.It Em writable 3991Allow 3992.Nm 3993to update 3994.Pa /etc/resolv.conf 3995if 3996.Dq dns 3997is enabled and 3998.Nm 3999successfully negotiates a DNS. 4000This is the opposite of the 4001.Dq resolv readonly 4002command. 4003.El 4004.It save 4005This option is not (yet) implemented. 4006.It sendident 4007This command tells 4008.Nm 4009to identify itself to the peer. 4010The link must be in LCP state or higher. 4011If no identity has been set (via the 4012.Ic ident 4013command), 4014.Ic sendident 4015will fail. 4016.Pp 4017When an identity has been set, 4018.Nm 4019will automatically identify itself when it sends or receives a configure 4020reject, when negotiation fails or when LCP reaches the opened state. 4021.Pp 4022Received identification packets are logged to the LCP log (see 4023.Ic set log 4024for details) and are never responded to. 4025.It set Ns Xo 4026.Op up 4027.Ar var value 4028.Xc 4029This option allows the setting of any of the following variables: 4030.Bl -tag -width 2n 4031.It set accmap Ar hex-value 4032ACCMap stands for Asynchronous Control Character Map. 4033This is always 4034negotiated with the peer, and defaults to a value of 00000000 in hex. 4035This protocol is required to defeat hardware that depends on passing 4036certain characters from end to end (such as XON/XOFF etc). 4037.Pp 4038For the XON/XOFF scenario, use 4039.Dq set accmap 000a0000 . 4040.It Ic set Oo Ic auth Oc Ns Xo 4041.Ic key Ar value 4042.Xc 4043This sets the authentication key (or password) used in client mode 4044PAP or CHAP negotiation to the given value. 4045It also specifies the 4046password to be used in the dial or login scripts in place of the 4047.Sq \eP 4048sequence, preventing the actual password from being logged. 4049If 4050.Ar command 4051or 4052.Ar chat 4053logging is in effect, 4054.Ar value 4055is logged as 4056.Sq ******** 4057for security reasons. 4058.Pp 4059If the first character of 4060.Ar value 4061is an exclamation mark 4062.Pq Dq !\& , 4063.Nm 4064treats the remainder of the string as a program that must be executed 4065to determine the 4066.Dq authname 4067and 4068.Dq authkey 4069values. 4070.Pp 4071If the 4072.Dq !\& 4073is doubled up 4074(to 4075.Dq !! ) , 4076it is treated as a single literal 4077.Dq !\& , 4078otherwise, ignoring the 4079.Dq !\& , 4080.Ar value 4081is parsed as a program to execute in the same was as the 4082.Dq !bg 4083command above, substituting special names in the same manner. 4084Once executed, 4085.Nm 4086will feed the program three lines of input, each terminated by a newline 4087character: 4088.Bl -bullet 4089.It 4090The host name as sent in the CHAP challenge. 4091.It 4092The challenge string as sent in the CHAP challenge. 4093.It 4094The locally defined 4095.Dq authname . 4096.El 4097.Pp 4098Two lines of output are expected: 4099.Bl -bullet 4100.It 4101The 4102.Dq authname 4103to be sent with the CHAP response. 4104.It 4105The 4106.Dq authkey , 4107which is encrypted with the challenge and request id, the answer being sent 4108in the CHAP response packet. 4109.El 4110.Pp 4111When configuring 4112.Nm 4113in this manner, it's expected that the host challenge is a series of ASCII 4114digits or characters. 4115An encryption device or Secure ID card is usually 4116required to calculate the secret appropriate for the given challenge. 4117.It set authname Ar id 4118This sets the authentication id used in client mode PAP or CHAP negotiation. 4119.Pp 4120If used in 4121.Fl direct 4122mode with CHAP enabled, 4123.Ar id 4124is used in the initial authentication challenge and should normally be set to 4125the local machine name. 4126.It set autoload Xo 4127.Ar min-percent max-percent period 4128.Xc 4129These settings apply only in multi-link mode and default to zero, zero and 4130five respectively. 4131When more than one 4132.Ar demand-dial 4133(also known as 4134.Fl auto ) 4135mode link is available, only the first link is made active when 4136.Nm 4137first reads data from the tun device. 4138The next 4139.Ar demand-dial 4140link will be opened only when the current bundle throughput is at least 4141.Ar max-percent 4142percent of the total bundle bandwidth for 4143.Ar period 4144seconds. 4145When the current bundle throughput decreases to 4146.Ar min-percent 4147percent or less of the total bundle bandwidth for 4148.Ar period 4149seconds, a 4150.Ar demand-dial 4151link will be brought down as long as it's not the last active link. 4152.Pp 4153Bundle throughput is measured as the maximum of inbound and outbound 4154traffic. 4155.Pp 4156The default values cause 4157.Ar demand-dial 4158links to simply come up one at a time. 4159.Pp 4160Certain devices cannot determine their physical bandwidth, so it 4161is sometimes necessary to use the 4162.Dq set bandwidth 4163command (described below) to make 4164.Dq set autoload 4165work correctly. 4166.It set bandwidth Ar value 4167This command sets the connection bandwidth in bits per second. 4168.Ar value 4169must be greater than zero. 4170It is currently only used by the 4171.Dq set autoload 4172command above. 4173.It set callback Ar option Ns No ... 4174If no arguments are given, callback is disabled, otherwise, 4175.Nm 4176will request (or in 4177.Fl direct 4178mode, will accept) one of the given 4179.Ar option Ns No s . 4180In client mode, if an 4181.Ar option 4182is NAK'd 4183.Nm 4184will request a different 4185.Ar option , 4186until no options remain at which point 4187.Nm 4188will terminate negotiations (unless 4189.Dq none 4190is one of the specified 4191.Ar option ) . 4192In server mode, 4193.Nm 4194will accept any of the given protocols - but the client 4195.Em must 4196request one of them. 4197If you wish callback to be optional, you must {include} 4198.Ar none 4199as an option. 4200.Pp 4201The 4202.Ar option Ns No s 4203are as follows (in this order of preference): 4204.Bl -tag -width Ds 4205.It auth 4206The callee is expected to decide the callback number based on 4207authentication. 4208If 4209.Nm 4210is the callee, the number should be specified as the fifth field of 4211the peers entry in 4212.Pa /etc/ppp/ppp.secret . 4213.It cbcp 4214Microsoft's callback control protocol is used. 4215See 4216.Dq set cbcp 4217below. 4218.Pp 4219If you wish to negotiate 4220.Ar cbcp 4221in client mode but also wish to allow the server to request no callback at 4222CBCP negotiation time, you must specify both 4223.Ar cbcp 4224and 4225.Ar none 4226as callback options. 4227.It E.164 *| Ns Xo 4228.Ar number Ns Op , Ns Ar number Ns 4229.No ... 4230.Xc 4231The caller specifies the 4232.Ar number . 4233If 4234.Nm 4235is the callee, 4236.Ar number 4237should be either a comma separated list of allowable numbers or a 4238.Dq \&* , 4239meaning any number is permitted. 4240If 4241.Nm 4242is the caller, only a single number should be specified. 4243.Pp 4244Note, this option is very unsafe when used with a 4245.Dq \&* 4246as a malicious caller can tell 4247.Nm 4248to call any (possibly international) number without first authenticating 4249themselves. 4250.It none 4251If the peer does not wish to do callback at all, 4252.Nm 4253will accept the fact and continue without callback rather than terminating 4254the connection. 4255This is required (in addition to one or more other callback 4256options) if you wish callback to be optional. 4257.El 4258.It set cbcp Oo 4259.No *| Ns Ar number Ns Oo 4260.No , Ns Ar number Ns ...\& Oc 4261.Op Ar delay Op Ar retry 4262.Oc 4263If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4264is disabled - ie, configuring CBCP in the 4265.Dq set callback 4266command will result in 4267.Nm 4268requesting no callback in the CBCP phase. 4269Otherwise, 4270.Nm 4271attempts to use the given phone 4272.Ar number Ns No (s). 4273.Pp 4274In server mode 4275.Pq Fl direct , 4276.Nm 4277will insist that the client uses one of these numbers, unless 4278.Dq \&* 4279is used in which case the client is expected to specify the number. 4280.Pp 4281In client mode, 4282.Nm 4283will attempt to use one of the given numbers (whichever it finds to 4284be agreeable with the peer), or if 4285.Dq \&* 4286is specified, 4287.Nm 4288will expect the peer to specify the number. 4289.It set cd Oo 4290.No off| Ns Ar seconds Ns Op !\& 4291.Oc 4292Normally, 4293.Nm 4294checks for the existence of carrier depending on the type of device 4295that has been opened: 4296.Bl -tag -width XXX -offset XXX 4297.It Terminal Devices 4298Carrier is checked one second after the login script is complete. 4299If it's not set, 4300.Nm 4301assumes that this is because the device doesn't support carrier (which 4302is true for most 4303.Dq laplink 4304NULL-modem cables), logs the fact and stops checking 4305for carrier. 4306.Pp 4307As ptys don't support the 4308.Dv TIOCMGET 4309ioctl, the tty device will switch all 4310carrier detection off when it detects that the device is a pty. 4311.It PPPoE (netgraph) Devices 4312Carrier is checked once per second for 5 seconds. 4313If it's not set after 4314the fifth second, the connection attempt is considered to have failed and 4315the device is closed. 4316Carrier is always required for PPPoE devices. 4317.El 4318.Pp 4319All other device types don't support carrier. 4320Setting a carrier value will 4321result in a warning when the device is opened. 4322.Pp 4323Some modems take more than one second after connecting to assert the carrier 4324signal. 4325If this delay isn't increased, this will result in 4326.Nm Ns No 's 4327inability to detect when the link is dropped, as 4328.Nm 4329assumes that the device isn't asserting carrier. 4330.Pp 4331The 4332.Dq set cd 4333command overrides the default carrier behaviour. 4334.Ar seconds 4335specifies the maximum number of seconds that 4336.Nm 4337should wait after the dial script has finished before deciding if 4338carrier is available or not. 4339.Pp 4340If 4341.Dq off 4342is specified, 4343.Nm 4344will not check for carrier on the device, otherwise 4345.Nm 4346will not proceed to the login script until either carrier is detected 4347or until 4348.Ar seconds 4349has elapsed, at which point 4350.Nm 4351assumes that the device will not set carrier. 4352.Pp 4353If no arguments are given, carrier settings will go back to their default 4354values. 4355.Pp 4356If 4357.Ar seconds 4358is followed immediately by an exclamation mark 4359.Pq Dq !\& , 4360.Nm 4361will 4362.Em require 4363carrier. 4364If carrier is not detected after 4365.Ar seconds 4366seconds, the link will be disconnected. 4367.It set choked Op Ar timeout 4368This sets the number of seconds that 4369.Nm 4370will keep a choked output queue before dropping all pending output packets. 4371If 4372.Ar timeout 4373is less than or equal to zero or if 4374.Ar timeout 4375isn't specified, it is set to the default value of 4376.Em 120 seconds . 4377.Pp 4378A choked output queue occurs when 4379.Nm 4380has read a certain number of packets from the local network for transmission, 4381but cannot send the data due to link failure (the peer is busy etc.). 4382.Nm 4383will not read packets indefinitely. 4384Instead, it reads up to 4385.Em 30 4386packets (or 4387.Em 30 No + 4388.Em nlinks No * 4389.Em 2 4390packets in multi-link mode), then stops reading the network interface 4391until either 4392.Ar timeout 4393seconds have passed or at least one packet has been sent. 4394.Pp 4395If 4396.Ar timeout 4397seconds pass, all pending output packets are dropped. 4398.It set ctsrts|crtscts on|off 4399This sets hardware flow control. 4400Hardware flow control is 4401.Ar on 4402by default. 4403.It set deflate Ar out-winsize Op Ar in-winsize 4404This sets the DEFLATE algorithms default outgoing and incoming window 4405sizes. 4406Both 4407.Ar out-winsize 4408and 4409.Ar in-winsize 4410must be values between 4411.Em 8 4412and 4413.Em 15 . 4414If 4415.Ar in-winsize 4416is specified, 4417.Nm 4418will insist that this window size is used and will not accept any other 4419values from the peer. 4420.It set dns Op Ar primary Op Ar secondary 4421This command specifies DNS overrides for the 4422.Dq accept dns 4423command. 4424Refer to the 4425.Dq accept 4426command description above for details. 4427This command does not affect the IP numbers requested using 4428.Dq enable dns . 4429.It set device|line Xo 4430.Ar value Ns No ... 4431.Xc 4432This sets the device(s) to which 4433.Nm 4434will talk to the given 4435.Dq value . 4436.Pp 4437All serial device names are expected to begin with 4438.Pa /dev/ 4439and are usually called 4440.Pa cuaXX . 4441.Pp 4442If 4443.Dq value 4444does not begin with 4445.Pa /dev/ , 4446it must either begin with an exclamation mark 4447.Pq Dq !\& , 4448be of the format 4449.No PPPoE: Ns Ar iface Ns Xo 4450.Op \&: Ns Ar provider Ns 4451.Xc 4452(on 4453.Xr netgraph 4 4454enabled systems), or be of the format 4455.Sm off 4456.Ar host : port Op /tcp|udp . 4457.Sm on 4458.Pp 4459If it begins with an exclamation mark, the rest of the device name is 4460treated as a program name, and that program is executed when the device 4461is opened. 4462Standard input, output and error are fed back to 4463.Nm 4464and are read and written as if they were a regular device. 4465.Pp 4466If a 4467.No PPPoE: Ns Ar iface Ns Xo 4468.Op \&: Ns Ar provider Ns 4469.Xc 4470specification is given, 4471.Nm 4472will attempt to create a 4473.Em PPP 4474over Ethernet connection using the given 4475.Ar iface 4476interface by using 4477.Xr netgraph 4 . 4478If 4479.Xr netgraph 4 4480is not available, 4481.Nm 4482will attempt to load it using 4483.Xr kldload 2 . 4484If this fails, an external program must be used such as the 4485.Xr pppoe 8 4486program available under 4487.Ox . 4488The given 4489.Ar provider 4490is passed as the service name in the PPPoE Discovery Initiation (PADI) 4491packet. 4492If no provider is given, an empty value will be used. 4493.Pp 4494When a PPPoE connection is established, 4495.Nm 4496will place the name of the Access Concentrator in the environment variable 4497.Ev ACNAME . 4498.Pp 4499Refer to 4500.Xr netgraph 4 4501and 4502.Xr ng_pppoe 4 4503for further details. 4504.Pp 4505If a 4506.Ar host Ns No : Ns Ar port Ns Oo 4507.No /tcp|udp 4508.Oc 4509specification is given, 4510.Nm 4511will attempt to connect to the given 4512.Ar host 4513on the given 4514.Ar port . 4515If a 4516.Dq /tcp 4517or 4518.Dq /udp 4519suffix is not provided, the default is 4520.Dq /tcp . 4521Refer to the section on 4522.Em PPP OVER TCP and UDP 4523above for further details. 4524.Pp 4525If multiple 4526.Dq values 4527are specified, 4528.Nm 4529will attempt to open each one in turn until it succeeds or runs out of 4530devices. 4531.It set dial Ar chat-script 4532This specifies the chat script that will be used to dial the other 4533side. 4534See also the 4535.Dq set login 4536command below. 4537Refer to 4538.Xr chat 8 4539and to the example configuration files for details of the chat script 4540format. 4541It is possible to specify some special 4542.Sq values 4543in your chat script as follows: 4544.Bl -tag -width 2n 4545.It Li \ec 4546When used as the last character in a 4547.Sq send 4548string, this indicates that a newline should not be appended. 4549.It Li \ed 4550When the chat script encounters this sequence, it delays two seconds. 4551.It Li \ep 4552When the chat script encounters this sequence, it delays for one quarter of 4553a second. 4554.It Li \en 4555This is replaced with a newline character. 4556.It Li \er 4557This is replaced with a carriage return character. 4558.It Li \es 4559This is replaced with a space character. 4560.It Li \et 4561This is replaced with a tab character. 4562.It Li \eT 4563This is replaced by the current phone number (see 4564.Dq set phone 4565below). 4566.It Li \eP 4567This is replaced by the current 4568.Ar authkey 4569value (see 4570.Dq set authkey 4571above). 4572.It Li \eU 4573This is replaced by the current 4574.Ar authname 4575value (see 4576.Dq set authname 4577above). 4578.El 4579.Pp 4580Note that two parsers will examine these escape sequences, so in order to 4581have the 4582.Sq chat parser 4583see the escape character, it is necessary to escape it from the 4584.Sq command parser . 4585This means that in practice you should use two escapes, for example: 4586.Bd -literal -offset indent 4587set dial "... ATDT\\\\T CONNECT" 4588.Ed 4589.Pp 4590It is also possible to execute external commands from the chat script. 4591To do this, the first character of the expect or send string is an 4592exclamation mark 4593.Pq Dq !\& . 4594If a literal exclamation mark is required, double it up to 4595.Dq !!\& 4596and it will be treated as a single literal 4597.Dq !\& . 4598When the command is executed, standard input and standard output are 4599directed to the open device (see the 4600.Dq set device 4601command), and standard error is read by 4602.Nm 4603and substituted as the expect or send string. 4604If 4605.Nm 4606is running in interactive mode, file descriptor 3 is attached to 4607.Pa /dev/tty . 4608.Pp 4609For example (wrapped for readability): 4610.Bd -literal -offset indent 4611set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4612word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4613\\"!/bin/echo in\\" HELLO" 4614.Ed 4615.Pp 4616would result in the following chat sequence (output using the 4617.Sq set log local chat 4618command before dialing): 4619.Bd -literal -offset indent 4620Dial attempt 1 of 1 4621dial OK! 4622Chat: Expecting: 4623Chat: Sending: 4624Chat: Expecting: login:--login: 4625Chat: Wait for (5): login: 4626Chat: Sending: ppp 4627Chat: Expecting: word: 4628Chat: Wait for (5): word: 4629Chat: Sending: ppp 4630Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4631Chat: Exec: sh -c "echo -n label: >&2" 4632Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4633Chat: Exec: /bin/echo in 4634Chat: Sending: 4635Chat: Expecting: HELLO 4636Chat: Wait for (5): HELLO 4637login OK! 4638.Ed 4639.Pp 4640Note (again) the use of the escape character, allowing many levels of 4641nesting. 4642Here, there are four parsers at work. 4643The first parses the original line, reading it as three arguments. 4644The second parses the third argument, reading it as 11 arguments. 4645At this point, it is 4646important that the 4647.Dq \&- 4648signs are escaped, otherwise this parser will see them as constituting 4649an expect-send-expect sequence. 4650When the 4651.Dq !\& 4652character is seen, the execution parser reads the first command as three 4653arguments, and then 4654.Xr sh 1 4655itself expands the argument after the 4656.Fl c . 4657As we wish to send the output back to the modem, in the first example 4658we redirect our output to file descriptor 2 (stderr) so that 4659.Nm 4660itself sends and logs it, and in the second example, we just output to stdout, 4661which is attached directly to the modem. 4662.Pp 4663This, of course means that it is possible to execute an entirely external 4664.Dq chat 4665command rather than using the internal one. 4666See 4667.Xr chat 8 4668for a good alternative. 4669.Pp 4670The external command that is executed is subjected to the same special 4671word expansions as the 4672.Dq !bg 4673command. 4674.It set enddisc Op label|IP|MAC|magic|psn value 4675This command sets our local endpoint discriminator. 4676If set prior to LCP negotiation, and if no 4677.Dq disable enddisc 4678command has been used, 4679.Nm 4680will send the information to the peer using the LCP endpoint discriminator 4681option. 4682The following discriminators may be set: 4683.Bl -tag -width indent 4684.It Li label 4685The current label is used. 4686.It Li IP 4687Our local IP number is used. 4688As LCP is negotiated prior to IPCP, it is 4689possible that the IPCP layer will subsequently change this value. 4690If 4691it does, the endpoint discriminator stays at the old value unless manually 4692reset. 4693.It Li MAC 4694This is similar to the 4695.Ar IP 4696option above, except that the MAC address associated with the local IP 4697number is used. 4698If the local IP number is not resident on any Ethernet 4699interface, the command will fail. 4700.Pp 4701As the local IP number defaults to whatever the machine host name is, 4702.Dq set enddisc mac 4703is usually done prior to any 4704.Dq set ifaddr 4705commands. 4706.It Li magic 4707A 20 digit random number is used. 4708Care should be taken when using magic numbers as restarting 4709.Nm 4710or creating a link using a different 4711.Nm 4712invocation will also use a different magic number and will therefore not 4713be recognised by the peer as belonging to the same bundle. 4714This makes it unsuitable for 4715.Fl direct 4716connections. 4717.It Li psn Ar value 4718The given 4719.Ar value 4720is used. 4721.Ar Value 4722should be set to an absolute public switched network number with the 4723country code first. 4724.El 4725.Pp 4726If no arguments are given, the endpoint discriminator is reset. 4727.It set escape Ar value... 4728This option is similar to the 4729.Dq set accmap 4730option above. 4731It allows the user to specify a set of characters that will be 4732.Sq escaped 4733as they travel across the link. 4734.It set filter dial|alive|in|out Ar rule-no Xo 4735.No permit|deny|clear| Ns Ar rule-no 4736.Op !\& 4737.Oo Op host 4738.Ar src_addr Ns Op / Ns Ar width 4739.Op Ar dst_addr Ns Op / Ns Ar width 4740.Oc [ Ns Ar proto 4741.Op src lt|eq|gt Ar port 4742.Op dst lt|eq|gt Ar port 4743.Op estab 4744.Op syn 4745.Op finrst 4746.Op timeout Ar secs ] 4747.Xc 4748.Nm 4749supports four filter sets. 4750The 4751.Em alive 4752filter specifies packets that keep the connection alive - resetting the 4753idle timer. 4754The 4755.Em dial 4756filter specifies packets that cause 4757.Nm 4758to dial when in 4759.Fl auto 4760mode. 4761The 4762.Em in 4763filter specifies packets that are allowed to travel 4764into the machine and the 4765.Em out 4766filter specifies packets that are allowed out of the machine. 4767.Pp 4768Filtering is done prior to any IP alterations that might be done by the 4769NAT engine on outgoing packets and after any IP alterations that might 4770be done by the NAT engine on incoming packets. 4771By default all empty filter sets allow all packets to pass. 4772Rules are processed in order according to 4773.Ar rule-no 4774(unless skipped by specifying a rule number as the 4775.Ar action ) . 4776Up to 40 rules may be given for each set. 4777If a packet doesn't match 4778any of the rules in a given set, it is discarded. 4779In the case of 4780.Em in 4781and 4782.Em out 4783filters, this means that the packet is dropped. 4784In the case of 4785.Em alive 4786filters it means that the packet will not reset the idle timer (even if 4787the 4788.Ar in Ns No / Ns Ar out 4789filter has a 4790.Dq timeout 4791value) and in the case of 4792.Em dial 4793filters it means that the packet will not trigger a dial. 4794A packet failing to trigger a dial will be dropped rather than queued. 4795Refer to the 4796section on 4797.Sx PACKET FILTERING 4798above for further details. 4799.It set hangup Ar chat-script 4800This specifies the chat script that will be used to reset the device 4801before it is closed. 4802It should not normally be necessary, but can 4803be used for devices that fail to reset themselves properly on close. 4804.It set help|? Op Ar command 4805This command gives a summary of available set commands, or if 4806.Ar command 4807is specified, the command usage is shown. 4808.It set ifaddr Oo Ar myaddr Ns 4809.Op / Ns Ar \&nn 4810.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4811.Oo Ar netmask 4812.Op Ar triggeraddr 4813.Oc Oc 4814.Oc 4815This command specifies the IP addresses that will be used during 4816IPCP negotiation. 4817Addresses are specified using the format 4818.Pp 4819.Dl a.b.c.d/nn 4820.Pp 4821Where 4822.Dq a.b.c.d 4823is the preferred IP, but 4824.Ar nn 4825specifies how many bits of the address we will insist on. 4826If 4827.No / Ns Ar nn 4828is omitted, it defaults to 4829.Dq /32 4830unless the IP address is 0.0.0.0 in which case it defaults to 4831.Dq /0 . 4832.Pp 4833If you wish to assign a dynamic IP number to the peer, 4834.Ar hisaddr 4835may also be specified as a range of IP numbers in the format 4836.Bd -ragged -offset indent 4837.Sm off 4838.Ar \&IP Oo \&- Ar \&IP Oc Oo , 4839.Ar \&IP Oo \&- Ar \&IP Oc Oc ... 4840.Sm on 4841.Ed 4842.Pp 4843for example: 4844.Pp 4845.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4846.Pp 4847will only negotiate 4848.Dq 10.0.0.1 4849as the local IP number, but may assign any of the given 10 IP 4850numbers to the peer. 4851If the peer requests one of these numbers, 4852and that number is not already in use, 4853.Nm 4854will grant the peers request. 4855This is useful if the peer wants 4856to re-establish a link using the same IP number as was previously 4857allocated (thus maintaining any existing tcp or udp connections). 4858.Pp 4859If the peer requests an IP number that's either outside 4860of this range or is already in use, 4861.Nm 4862will suggest a random unused IP number from the range. 4863.Pp 4864If 4865.Ar triggeraddr 4866is specified, it is used in place of 4867.Ar myaddr 4868in the initial IPCP negotiation. 4869However, only an address in the 4870.Ar myaddr 4871range will be accepted. 4872This is useful when negotiating with some 4873.Dv PPP 4874implementations that will not assign an IP number unless their peer 4875requests 4876.Dq 0.0.0.0 . 4877.Pp 4878It should be noted that in 4879.Fl auto 4880mode, 4881.Nm 4882will configure the interface immediately upon reading the 4883.Dq set ifaddr 4884line in the config file. 4885In any other mode, these values are just 4886used for IPCP negotiations, and the interface isn't configured 4887until the IPCP layer is up. 4888.Pp 4889Note that the 4890.Ar HISADDR 4891argument may be overridden by the third field in the 4892.Pa ppp.secret 4893file once the client has authenticated itself 4894(if PAP or CHAP are 4895.Dq enabled ) . 4896Refer to the 4897.Sx AUTHENTICATING INCOMING CONNECTIONS 4898section for details. 4899.Pp 4900In all cases, if the interface is already configured, 4901.Nm 4902will try to maintain the interface IP numbers so that any existing 4903bound sockets will remain valid. 4904.It set ifqueue Ar packets 4905Set the maximum number of packets that 4906.Nm 4907will read from the tunnel interface while data cannot be sent to any of 4908the available links. 4909This queue limit is necessary to flow control outgoing data as the tunnel 4910interface is likely to be far faster than the combined links available to 4911.Nm . 4912.Pp 4913If 4914.Ar packets 4915is set to a value less than the number of links, 4916.Nm 4917will read up to that value regardless. 4918This prevents any possible latency problems. 4919.Pp 4920The default value for 4921.Ar packets 4922is 4923.Dq 30 . 4924.It set ccpretry|ccpretries Oo Ar timeout 4925.Op Ar reqtries Op Ar trmtries 4926.Oc 4927.It set chapretry|chapretries Oo Ar timeout 4928.Op Ar reqtries 4929.Oc 4930.It set ipcpretry|ipcpretries Oo Ar timeout 4931.Op Ar reqtries Op Ar trmtries 4932.Oc 4933.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 4934.Op Ar reqtries Op Ar trmtries 4935.Oc 4936.It set lcpretry|lcpretries Oo Ar timeout 4937.Op Ar reqtries Op Ar trmtries 4938.Oc 4939.It set papretry|papretries Oo Ar timeout 4940.Op Ar reqtries 4941.Oc 4942These commands set the number of seconds that 4943.Nm 4944will wait before resending Finite State Machine (FSM) Request packets. 4945The default 4946.Ar timeout 4947for all FSMs is 3 seconds (which should suffice in most cases). 4948.Pp 4949If 4950.Ar reqtries 4951is specified, it tells 4952.Nm 4953how many configuration request attempts it should make while receiving 4954no reply from the peer before giving up. 4955The default is 5 attempts for 4956CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4957.Pp 4958If 4959.Ar trmtries 4960is specified, it tells 4961.Nm 4962how many terminate requests should be sent before giving up waiting for the 4963peers response. 4964The default is 3 attempts. 4965Authentication protocols are 4966not terminated and it is therefore invalid to specify 4967.Ar trmtries 4968for PAP or CHAP. 4969.Pp 4970In order to avoid negotiations with the peer that will never converge, 4971.Nm 4972will only send at most 3 times the configured number of 4973.Ar reqtries 4974in any given negotiation session before giving up and closing that layer. 4975.It set log Xo 4976.Op local 4977.Op +|- Ns 4978.Ar value Ns No ... 4979.Xc 4980This command allows the adjustment of the current log level. 4981Refer to the Logging Facility section for further details. 4982.It set login Ar chat-script 4983This 4984.Ar chat-script 4985complements the dial-script. 4986If both are specified, the login 4987script will be executed after the dial script. 4988Escape sequences available in the dial script are also available here. 4989.It set logout Ar chat-script 4990This specifies the chat script that will be used to logout 4991before the hangup script is called. 4992It should not normally be necessary. 4993.It set lqrperiod Ar frequency 4994This command sets the 4995.Ar frequency 4996in seconds at which 4997.Em LQR 4998or 4999.Em ECHO LQR 5000packets are sent. 5001The default is 30 seconds. 5002You must also use the 5003.Dq enable lqr 5004command if you wish to send LQR requests to the peer. 5005.It set mode Ar interactive|auto|ddial|background 5006This command allows you to change the 5007.Sq mode 5008of the specified link. 5009This is normally only useful in multi-link mode, 5010but may also be used in uni-link mode. 5011.Pp 5012It is not possible to change a link that is 5013.Sq direct 5014or 5015.Sq dedicated . 5016.Pp 5017Note: If you issue the command 5018.Dq set mode auto , 5019and have network address translation enabled, it may be useful to 5020.Dq enable iface-alias 5021afterwards. 5022This will allow 5023.Nm 5024to do the necessary address translations to enable the process that 5025triggers the connection to connect once the link is up despite the 5026peer assigning us a new (dynamic) IP address. 5027.It set mppe Op 40|56|128|* Op stateless|stateful|* 5028This option selects the encryption parameters used when negotiation 5029MPPE. 5030MPPE can be disabled entirely with the 5031.Dq disable mppe 5032command. 5033If no arguments are given, 5034.Nm 5035will attempt to negotiate a stateful link with a 128 bit key, but 5036will agree to whatever the peer requests (including no encryption 5037at all). 5038.Pp 5039If any arguments are given, 5040.Nm 5041will 5042.Em insist 5043on using MPPE and will close the link if it's rejected by the peer (Note; 5044this behaviour can be overridden by a configured RADIUS server). 5045.Pp 5046The first argument specifies the number of bits that 5047.Nm 5048should insist on during negotiations and the second specifies whether 5049.Nm 5050should insist on stateful or stateless mode. 5051In stateless mode, the 5052encryption dictionary is re-initialised with every packet according to 5053an encryption key that is changed with every packet. 5054In stateful mode, 5055the encryption dictionary is re-initialised every 256 packets or after 5056the loss of any data and the key is changed every 256 packets. 5057Stateless mode is less efficient but is better for unreliable transport 5058layers. 5059.It set mrru Op Ar value 5060Setting this option enables Multi-link PPP negotiations, also known as 5061Multi-link Protocol or MP. 5062There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5063If no argument is given, multi-link mode is disabled. 5064.It set mru Xo 5065.Op max Ns Op imum 5066.Op Ar value 5067.Xc 5068The default MRU (Maximum Receive Unit) is 1500. 5069If it is increased, the other side *may* increase its MTU. 5070In theory there is no point in decreasing the MRU to below the default as the 5071.Em PPP 5072protocol says implementations *must* be able to accept packets of at 5073least 1500 octets. 5074.Pp 5075If the 5076.Dq maximum 5077keyword is used, 5078.Nm 5079will refuse to negotiate a higher value. 5080The maximum MRU can be set to 2048 at most. 5081Setting a maximum of less than 1500 violates the 5082.Em PPP 5083rfc, but may sometimes be necessary. 5084For example, 5085.Em PPPoE 5086imposes a maximum of 1492 due to hardware limitations. 5087.Pp 5088If no argument is given, 1500 is assumed. 5089A value must be given when 5090.Dq maximum 5091is specified. 5092.It set mtu Xo 5093.Op max Ns Op imum 5094.Op Ar value 5095.Xc 5096The default MTU is 1500. 5097At negotiation time, 5098.Nm 5099will accept whatever MRU the peer requests (assuming it's 5100not less than 296 bytes or greater than the assigned maximum). 5101If the MTU is set, 5102.Nm 5103will not accept MRU values less than 5104.Ar value . 5105When negotiations are complete, the MTU is used when writing to the 5106interface, even if the peer requested a higher value MRU. 5107This can be useful for 5108limiting your packet size (giving better bandwidth sharing at the expense 5109of more header data). 5110.Pp 5111If the 5112.Dq maximum 5113keyword is used, 5114.Nm 5115will refuse to negotiate a higher value. 5116The maximum MTU can be set to 2048 at most. 5117.Pp 5118If no 5119.Ar value 5120is given, 1500, or whatever the peer asks for is used. 5121A value must be given when 5122.Dq maximum 5123is specified. 5124.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5125This option allows the setting of the Microsoft NetBIOS name server 5126values to be returned at the peers request. 5127If no values are given, 5128.Nm 5129will reject any such requests. 5130.It set openmode active|passive Op Ar delay 5131By default, 5132.Ar openmode 5133is always 5134.Ar active 5135with a one second 5136.Ar delay . 5137That is, 5138.Nm 5139will always initiate LCP/IPCP/CCP negotiation one second after the line 5140comes up. 5141If you want to wait for the peer to initiate negotiations, you 5142can use the value 5143.Ar passive . 5144If you want to initiate negotiations immediately or after more than one 5145second, the appropriate 5146.Ar delay 5147may be specified here in seconds. 5148.It set parity odd|even|none|mark 5149This allows the line parity to be set. 5150The default value is 5151.Ar none . 5152.It set phone Ar telno Ns Xo 5153.Oo \&| Ns Ar backupnumber 5154.Oc Ns ... Ns Oo : Ns Ar nextnumber 5155.Oc Ns ... 5156.Xc 5157This allows the specification of the phone number to be used in 5158place of the \\\\T string in the dial and login chat scripts. 5159Multiple phone numbers may be given separated either by a pipe 5160.Pq Dq \&| 5161or a colon 5162.Pq Dq \&: . 5163.Pp 5164Numbers after the pipe are only dialed if the dial or login 5165script for the previous number failed. 5166.Pp 5167Numbers after the colon are tried sequentially, irrespective of 5168the reason the line was dropped. 5169.Pp 5170If multiple numbers are given, 5171.Nm 5172will dial them according to these rules until a connection is made, retrying 5173the maximum number of times specified by 5174.Dq set redial 5175below. 5176In 5177.Fl background 5178mode, each number is attempted at most once. 5179.It Ic set Oo Ic proc Oc Ns Xo 5180.Ic title Op Ar value 5181.Xc 5182The current process title as displayed by 5183.Xr ps 1 5184is changed according to 5185.Ar value . 5186If 5187.Ar value 5188is not specified, the original process title is restored. 5189All the 5190word replacements done by the shell commands (see the 5191.Dq bg 5192command above) are done here too. 5193.Pp 5194Note, if USER is required in the process title, the 5195.Dq set proctitle 5196command must appear in 5197.Pa ppp.linkup , 5198as it is not known when the commands in 5199.Pa ppp.conf 5200are executed. 5201.It set radius Op Ar config-file 5202This command enables RADIUS support (if it's compiled in). 5203.Ar config-file 5204refers to the radius client configuration file. 5205If PAP, CHAP, MSCHAP or MSCHAPv2 are 5206.Dq enable Ns No d , 5207.Nm 5208behaves as a 5209.Em \&N Ns No etwork 5210.Em \&A Ns No ccess 5211.Em \&S Ns No erver 5212and uses the configured RADIUS server to authenticate rather than 5213authenticating from the 5214.Pa ppp.secret 5215file or from the passwd database. 5216.Pp 5217If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5218.Dq set radius 5219will do nothing. 5220.Pp 5221.Nm 5222uses the following attributes from the RADIUS reply: 5223.Bl -tag -width XXX -offset XXX 5224.It RAD_FRAMED_IP_ADDRESS 5225The peer IP address is set to the given value. 5226.It RAD_FRAMED_IP_NETMASK 5227The tun interface netmask is set to the given value. 5228.It RAD_FRAMED_MTU 5229If the given MTU is less than the peers MRU as agreed during LCP 5230negotiation, *and* it is less than any configured MTU (see the 5231.Dq set mru 5232command), the tun interface MTU is set to the given value. 5233.It RAD_FRAMED_COMPRESSION 5234If the received compression type is 5235.Dq 1 , 5236.Nm 5237will request VJ compression during IPCP negotiations despite any 5238.Dq disable vj 5239configuration command. 5240.It RAD_FILTER_ID 5241If this attribute is supplied, 5242.Nm 5243will attempt to use it as an additional label to load from the 5244.Pa ppp.linkup 5245and 5246.Pa ppp.linkdown 5247files. 5248The load will be attempted before (and in addition to) the normal 5249label search. 5250If the label doesn't exist, no action is taken and 5251.Nm 5252proceeds to the normal load using the current label. 5253.It RAD_FRAMED_ROUTE 5254The received string is expected to be in the format 5255.Ar dest Ns Op / Ns Ar bits 5256.Ar gw 5257.Op Ar metrics . 5258Any specified metrics are ignored. 5259.Dv MYADDR 5260and 5261.Dv HISADDR 5262are understood as valid values for 5263.Ar dest 5264and 5265.Ar gw , 5266.Dq default 5267can be used for 5268.Ar dest 5269to specify the default route, and 5270.Dq 0.0.0.0 5271is understood to be the same as 5272.Dq default 5273for 5274.Ar dest 5275and 5276.Dv HISADDR 5277for 5278.Ar gw . 5279.Pp 5280For example, a returned value of 5281.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5282would result in a routing table entry to the 1.2.3.0/24 network via 5283.Dv HISADDR 5284and a returned value of 5285.Dq 0.0.0.0 0.0.0.0 5286or 5287.Dq default HISADDR 5288would result in a default route to 5289.Dv HISADDR . 5290.Pp 5291All RADIUS routes are applied after any sticky routes are applied, making 5292RADIUS routes override configured routes. 5293This also applies for RADIUS routes that don't {include} the 5294.Dv MYADDR 5295or 5296.Dv HISADDR 5297keywords. 5298.It RAD_SESSION_TIMEOUT 5299If supplied, the client connection is closed after the given number of 5300seconds. 5301.It RAD_REPLY_MESSAGE 5302If supplied, this message is passed back to the peer as the authentication 5303SUCCESS text. 5304.It RAD_MICROSOFT_MS_CHAP_ERROR 5305If this 5306.Dv RAD_VENDOR_MICROSOFT 5307vendor specific attribute is supplied, it is passed back to the peer as the 5308authentication FAILURE text. 5309.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5310If this 5311.Dv RAD_VENDOR_MICROSOFT 5312vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5313being used, it is passed back to the peer as the authentication SUCCESS text. 5314.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5315If this 5316.Dv RAD_VENDOR_MICROSOFT 5317vendor specific attribute is supplied and has a value of 2 (Required), 5318.Nm 5319will insist that MPPE encryption is used (even if no 5320.Dq set mppe 5321configuration command has been given with arguments). 5322If it is supplied with a value of 1 (Allowed), encryption is made optional 5323(despite any 5324.Dq set mppe 5325configuration commands with arguments). 5326.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5327If this 5328.Dv RAD_VENDOR_MICROSOFT 5329vendor specific attribute is supplied, bits 1 and 2 are examined. 5330If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5331options are set, overriding any given first argument to the 5332.Dq set mppe 5333command. 5334Note, it is not currently possible for the RADIUS server to specify 56 bit 5335encryption. 5336.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5337If this 5338.Dv RAD_VENDOR_MICROSOFT 5339vendor specific attribute is supplied, its value is used as the master 5340key for decryption of incoming data. When clients are authenticated using 5341MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5342to function. 5343.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5344If this 5345.Dv RAD_VENDOR_MICROSOFT 5346vendor specific attribute is supplied, its value is used as the master 5347key for encryption of outgoing data. When clients are authenticated using 5348MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5349to function. 5350.El 5351.Pp 5352Values received from the RADIUS server may be viewed using 5353.Dq show bundle . 5354.It set reconnect Ar timeout ntries 5355Should the line drop unexpectedly (due to loss of CD or LQR 5356failure), a connection will be re-established after the given 5357.Ar timeout . 5358The line will be re-connected at most 5359.Ar ntries 5360times. 5361.Ar Ntries 5362defaults to zero. 5363A value of 5364.Ar random 5365for 5366.Ar timeout 5367will result in a variable pause, somewhere between 1 and 30 seconds. 5368.It set recvpipe Op Ar value 5369This sets the routing table RECVPIPE value. 5370The optimum value is just over twice the MTU value. 5371If 5372.Ar value 5373is unspecified or zero, the default kernel controlled value is used. 5374.It set redial Ar secs Ns Xo 5375.Oo + Ns Ar inc Ns 5376.Op - Ns Ar max Ns 5377.Oc Ns Op . Ns Ar next 5378.Op Ar attempts 5379.Xc 5380.Nm 5381can be instructed to attempt to redial 5382.Ar attempts 5383times. 5384If more than one phone number is specified (see 5385.Dq set phone 5386above), a pause of 5387.Ar next 5388is taken before dialing each number. 5389A pause of 5390.Ar secs 5391is taken before starting at the first number again. 5392A literal value of 5393.Dq Li random 5394may be used here in place of 5395.Ar secs 5396and 5397.Ar next , 5398causing a random delay of between 1 and 30 seconds. 5399.Pp 5400If 5401.Ar inc 5402is specified, its value is added onto 5403.Ar secs 5404each time 5405.Nm 5406tries a new number. 5407.Ar secs 5408will only be incremented at most 5409.Ar max 5410times. 5411.Ar max 5412defaults to 10. 5413.Pp 5414Note, the 5415.Ar secs 5416delay will be effective, even after 5417.Ar attempts 5418has been exceeded, so an immediate manual dial may appear to have 5419done nothing. 5420If an immediate dial is required, a 5421.Dq !\& 5422should immediately follow the 5423.Dq open 5424keyword. 5425See the 5426.Dq open 5427description above for further details. 5428.It set sendpipe Op Ar value 5429This sets the routing table SENDPIPE value. 5430The optimum value is just over twice the MTU value. 5431If 5432.Ar value 5433is unspecified or zero, the default kernel controlled value is used. 5434.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5435.Ar LocalName Ns No |none|open|closed 5436.Op password Op Ar mask 5437.Xc 5438This command tells 5439.Nm 5440to listen on the given socket or 5441.Sq diagnostic port 5442for incoming command connections. 5443.Pp 5444The word 5445.Dq none 5446instructs 5447.Nm 5448to close any existing socket and clear the socket configuration. 5449The word 5450.Dq open 5451instructs 5452.Nm 5453to attempt to re-open the port. 5454The word 5455.Dq closed 5456instructs 5457.Nm 5458to close the open port. 5459.Pp 5460If you wish to specify a local domain socket, 5461.Ar LocalName 5462must be specified as an absolute file name, otherwise it is assumed 5463to be the name or number of a TCP port. 5464You may specify the octal umask to be used with a local domain socket. 5465Refer to 5466.Xr umask 2 5467for umask details. 5468Refer to 5469.Xr services 5 5470for details of how to translate TCP port names. 5471.Pp 5472You must also specify the password that must be entered by the client 5473(using the 5474.Dq passwd 5475variable above) when connecting to this socket. 5476If the password is 5477specified as an empty string, no password is required for connecting clients. 5478.Pp 5479When specifying a local domain socket, the first 5480.Dq %d 5481sequence found in the socket name will be replaced with the current 5482interface unit number. 5483This is useful when you wish to use the same 5484profile for more than one connection. 5485.Pp 5486In a similar manner TCP sockets may be prefixed with the 5487.Dq + 5488character, in which case the current interface unit number is added to 5489the port number. 5490.Pp 5491When using 5492.Nm 5493with a server socket, the 5494.Xr pppctl 8 5495command is the preferred mechanism of communications. 5496Currently, 5497.Xr telnet 1 5498can also be used, but link encryption may be implemented in the future, so 5499.Xr telnet 1 5500should be avoided. 5501.Pp 5502Note; 5503.Dv SIGUSR1 5504and 5505.Dv SIGUSR2 5506interact with the diagnostic socket. 5507.It set speed Ar value 5508This sets the speed of the serial device. 5509If speed is specified as 5510.Dq sync , 5511.Nm 5512treats the device as a synchronous device. 5513.Pp 5514Certain device types will know whether they should be specified as 5515synchronous or asynchronous. 5516These devices will override incorrect 5517settings and log a warning to this effect. 5518.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5519If this option is set, 5520.Nm 5521will time out after the given FSM (Finite State Machine) has been in 5522the stopped state for the given number of 5523.Dq seconds . 5524This option may be useful if the peer sends a terminate request, 5525but never actually closes the connection despite our sending a terminate 5526acknowledgement. 5527This is also useful if you wish to 5528.Dq set openmode passive 5529and time out if the peer doesn't send a Configure Request within the 5530given time. 5531Use 5532.Dq set log +lcp +ccp 5533to make 5534.Nm 5535log the appropriate state transitions. 5536.Pp 5537The default value is zero, where 5538.Nm 5539doesn't time out in the stopped state. 5540.Pp 5541This value should not be set to less than the openmode delay (see 5542.Dq set openmode 5543above). 5544.It set timeout Ar idleseconds Op Ar mintimeout 5545This command allows the setting of the idle timer. 5546Refer to the section titled 5547.Sx SETTING THE IDLE TIMER 5548for further details. 5549.Pp 5550If 5551.Ar mintimeout 5552is specified, 5553.Nm 5554will never idle out before the link has been up for at least that number 5555of seconds. 5556.It set urgent Xo 5557.Op tcp|udp|none 5558.Oo Op +|- Ns 5559.Ar port 5560.Oc No ... 5561.Xc 5562This command controls the ports that 5563.Nm 5564prioritizes when transmitting data. 5565The default priority TCP ports 5566are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5567543 (klogin) and 544 (kshell). 5568There are no priority UDP ports by default. 5569See 5570.Xr services 5 5571for details. 5572.Pp 5573If neither 5574.Dq tcp 5575or 5576.Dq udp 5577are specified, 5578.Dq tcp 5579is assumed. 5580.Pp 5581If no 5582.Ar port Ns No s 5583are given, the priority port lists are cleared (although if 5584.Dq tcp 5585or 5586.Dq udp 5587is specified, only that list is cleared). 5588If the first 5589.Ar port 5590argument is prefixed with a plus 5591.Pq Dq \&+ 5592or a minus 5593.Pq Dq \&- , 5594the current list is adjusted, otherwise the list is reassigned. 5595.Ar port Ns No s 5596prefixed with a plus or not prefixed at all are added to the list and 5597.Ar port Ns No s 5598prefixed with a minus are removed from the list. 5599.Pp 5600If 5601.Dq none 5602is specified, all priority port lists are disabled and even 5603.Dv IPTOS_LOWDELAY 5604packets are not prioritised. 5605.It set vj slotcomp on|off 5606This command tells 5607.Nm 5608whether it should attempt to negotiate VJ slot compression. 5609By default, slot compression is turned 5610.Ar on . 5611.It set vj slots Ar nslots 5612This command sets the initial number of slots that 5613.Nm 5614will try to negotiate with the peer when VJ compression is enabled (see the 5615.Sq enable 5616command above). 5617It defaults to a value of 16. 5618.Ar Nslots 5619must be between 5620.Ar 4 5621and 5622.Ar 16 5623inclusive. 5624.El 5625.It shell|! Op Ar command 5626If 5627.Ar command 5628is not specified a shell is invoked according to the 5629.Dv SHELL 5630environment variable. 5631Otherwise, the given 5632.Ar command 5633is executed. 5634Word replacement is done in the same way as for the 5635.Dq !bg 5636command as described above. 5637.Pp 5638Use of the ! character 5639requires a following space as with any of the other commands. 5640You should note that this command is executed in the foreground; 5641.Nm 5642will not continue running until this process has exited. 5643Use the 5644.Dv bg 5645command if you wish processing to happen in the background. 5646.It show Ar var 5647This command allows the user to examine the following: 5648.Bl -tag -width 2n 5649.It show bundle 5650Show the current bundle settings. 5651.It show ccp 5652Show the current CCP compression statistics. 5653.It show compress 5654Show the current VJ compression statistics. 5655.It show escape 5656Show the current escape characters. 5657.It show filter Op Ar name 5658List the current rules for the given filter. 5659If 5660.Ar name 5661is not specified, all filters are shown. 5662.It show hdlc 5663Show the current HDLC statistics. 5664.It show help|? 5665Give a summary of available show commands. 5666.It show iface 5667Show the current interface information 5668(the same as 5669.Dq iface show ) . 5670.It show ipcp 5671Show the current IPCP statistics. 5672.It show layers 5673Show the protocol layers currently in use. 5674.It show lcp 5675Show the current LCP statistics. 5676.It Ic show Oo Ic data Oc Ns Xo 5677.Ic link 5678.Xc 5679Show high level link information. 5680.It show links 5681Show a list of available logical links. 5682.It show log 5683Show the current log values. 5684.It show mem 5685Show current memory statistics. 5686.It show ncp 5687Show the current NCP statistics. 5688.It show physical 5689Show low level link information. 5690.It show mp 5691Show Multi-link information. 5692.It show proto 5693Show current protocol totals. 5694.It show route 5695Show the current routing tables. 5696.It show stopped 5697Show the current stopped timeouts. 5698.It show timer 5699Show the active alarm timers. 5700.It show version 5701Show the current version number of 5702.Nm . 5703.El 5704.It term 5705Go into terminal mode. 5706Characters typed at the keyboard are sent to the device. 5707Characters read from the device are displayed on the screen. 5708When a remote 5709.Em PPP 5710peer is detected, 5711.Nm 5712automatically enables Packet Mode and goes back into command mode. 5713.El 5714.Sh MORE DETAILS 5715.Bl -bullet 5716.It 5717Read the example configuration files. 5718They are a good source of information. 5719.It 5720Use 5721.Dq help , 5722.Dq nat \&? , 5723.Dq enable \&? , 5724.Dq set ?\& 5725and 5726.Dq show ?\& 5727to get online information about what's available. 5728.It 5729The following URLs contain useful information: 5730.Bl -bullet -compact 5731.It 5732.Pa http://www.dragonflybsd.org/docs/handbook/handbook-userppp/ 5733.El 5734.El 5735.Sh FILES 5736.Nm 5737refers to four files: 5738.Pa ppp.conf , 5739.Pa ppp.linkup , 5740.Pa ppp.linkdown 5741and 5742.Pa ppp.secret . 5743These files are placed in the 5744.Pa /etc/ppp 5745directory. 5746.Bl -tag -width 2n 5747.It Pa /etc/ppp/ppp.conf 5748System default configuration file. 5749.It Pa /etc/ppp/ppp.secret 5750An authorisation file for each system. 5751.It Pa /etc/ppp/ppp.linkup 5752A file to check when 5753.Nm 5754establishes a network level connection. 5755.It Pa /etc/ppp/ppp.linkdown 5756A file to check when 5757.Nm 5758closes a network level connection. 5759.It Pa /var/log/ppp.log 5760Logging and debugging information file. 5761Note, this name is specified in 5762.Pa /etc/syslog.conf . 5763See 5764.Xr syslog.conf 5 5765for further details. 5766.It Pa /var/spool/lock/LCK..* 5767tty port locking file. 5768Refer to 5769.Xr uucplock 3 5770for further details. 5771.It Pa /var/run/tunN.pid 5772The process id (pid) of the 5773.Nm 5774program connected to the tunN device, where 5775.Sq N 5776is the number of the device. 5777.It Pa /var/run/ttyXX.if 5778The tun interface used by this port. 5779Again, this file is only created in 5780.Fl background , 5781.Fl auto 5782and 5783.Fl ddial 5784modes. 5785.It Pa /etc/services 5786Get port number if port number is using service name. 5787.It Pa /var/run/ppp-authname-class-value 5788In multi-link mode, local domain sockets are created using the peer 5789authentication name 5790.Pq Sq authname , 5791the peer endpoint discriminator class 5792.Pq Sq class 5793and the peer endpoint discriminator value 5794.Pq Sq value . 5795As the endpoint discriminator value may be a binary value, it is turned 5796to HEX to determine the actual file name. 5797.Pp 5798This socket is used to pass links between different instances of 5799.Nm . 5800.El 5801.Sh SEE ALSO 5802.Xr at 1 , 5803.Xr ftp 1 , 5804.Xr gzip 1 , 5805.Xr hostname 1 , 5806.Xr login 1 , 5807.Xr tcpdump 1 , 5808.Xr telnet 1 , 5809.Xr kldload 2 , 5810ifdef({LOCALNAT},{},{.Xr libalias 3 , 5811})dnl 5812.Xr syslog 3 , 5813.Xr uucplock 3 , 5814.Xr netgraph 4 , 5815.Xr ng_pppoe 4 , 5816.Xr crontab 5 , 5817.Xr group 5 , 5818.Xr passwd 5 , 5819.Xr protocols 5 , 5820.Xr resolv.conf 5 , 5821.Xr syslog.conf 5 , 5822.Xr adduser 8 , 5823.Xr chat 8 , 5824.Xr getty 8 , 5825.Xr inetd 8 , 5826.Xr init 8 , 5827.Xr named 8 , 5828.Xr ping 8 , 5829.Xr pppctl 8 , 5830.Xr pppoe 8 , 5831.Xr route 8 , 5832.Xr sshd 8 , 5833.Xr syslogd 8 , 5834.Xr traceroute 8 , 5835.Xr vipw 8 5836.Sh HISTORY 5837This program was originally written by 5838.An Toshiharu OHNO Aq Mt tony-o@iij.ad.jp , 5839and was submitted to 5840.Fx 2.0.5 5841by 5842.An Atsushi Murai Aq Mt amurai@spec.co.jp . 5843.Pp 5844It was substantially modified during 1997 by 5845.An Brian Somers Aq Mt brian@Awfulhak.org , 5846and was ported to 5847.Ox 5848in November that year 5849(just after the 2.2 release). 5850.Pp 5851Most of the code was rewritten by 5852.An Brian Somers 5853in early 1998 when multi-link ppp support was added. 5854