1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: src/usr.sbin/ppp/ppp.8.m4,v 1.301.2.1 2002/09/01 02:12:31 brian Exp $ 29.\" 30.Dd August 6, 2009 31.Dt PPP 8 32.Os 33.Sh NAME 34.Nm ppp 35.Nd Point to Point Protocol (a.k.a. user-ppp) 36.Sh SYNOPSIS 37.Nm 38.Op Fl Va mode 39.Op Fl nat 40.Op Fl quiet 41.Op Fl unit Ns Ar N 42.Op Ar system ... 43.Sh DESCRIPTION 44This is a user process 45.Em PPP 46software package. 47Normally, 48.Em PPP 49is implemented as a part of the kernel (e.g., as managed by 50.Xr pppd 8 ) 51and it's thus somewhat hard to debug and/or modify its behaviour. 52However, in this implementation 53.Em PPP 54is done as a user process with the help of the 55tunnel device driver (tun). 56.Pp 57The 58.Fl nat 59flag does the equivalent of a 60.Dq nat enable yes , 61enabling 62.Nm Ns No 's 63network address translation features. 64This allows 65.Nm 66to act as a NAT or masquerading engine for all machines on an internal 67LAN. 68ifdef({LOCALNAT},{},{Refer to 69.Xr libalias 3 70for details on the technical side of the NAT engine. 71})dnl 72Refer to the 73.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 74section of this manual page for details on how to configure NAT in 75.Nm . 76.Pp 77The 78.Fl quiet 79flag tells 80.Nm 81to be silent at startup rather than displaying the mode and interface 82to standard output. 83.Pp 84The 85.Fl unit 86flag tells 87.Nm 88to only attempt to open 89.Pa /dev/tun Ns Ar N . 90Normally, 91.Nm 92will start with a value of 0 for 93.Ar N , 94and keep trying to open a tunnel device by incrementing the value of 95.Ar N 96by one each time until it succeeds. 97If it fails three times in a row 98because the device file is missing, it gives up. 99.Pp 100The following 101.Va mode Ns No s 102are understood by 103.Nm : 104.Bl -tag -width XXX -offset XXX 105.It Fl auto 106.Nm 107opens the tun interface, configures it then goes into the background. 108The link isn't brought up until outgoing data is detected on the tun 109interface at which point 110.Nm 111attempts to bring up the link. 112Packets received (including the first one) while 113.Nm 114is trying to bring the link up will remain queued for a default of 1152 minutes. 116See the 117.Dq set choked 118command below. 119.Pp 120In 121.Fl auto 122mode, at least one 123.Dq system 124must be given on the command line (see below) and a 125.Dq set ifaddr 126must be done in the system profile that specifies a peer IP address to 127use when configuring the interface. 128Something like 129.Dq 10.0.0.1/0 130is usually appropriate. 131See the 132.Dq pmdemand 133system in 134.Pa /usr/share/examples/ppp/ppp.conf.sample 135for an example. 136.It Fl background 137Here, 138.Nm 139attempts to establish a connection with the peer immediately. 140If it succeeds, 141.Nm 142goes into the background and the parent process returns an exit code 143of 0. 144If it fails, 145.Nm 146exits with a non-zero result. 147.It Fl foreground 148In foreground mode, 149.Nm 150attempts to establish a connection with the peer immediately, but never 151becomes a daemon. 152The link is created in background mode. 153This is useful if you wish to control 154.Nm Ns No 's 155invocation from another process. 156.It Fl direct 157This is used for receiving incoming connections. 158.Nm 159ignores the 160.Dq set device 161line and uses descriptor 0 as the link. 162.Pp 163If callback is configured, 164.Nm 165will use the 166.Dq set device 167information when dialing back. 168.It Fl dedicated 169This option is designed for machines connected with a dedicated 170wire. 171.Nm 172will always keep the device open and will never use any configured 173chat scripts. 174.It Fl ddial 175This mode is equivalent to 176.Fl auto 177mode except that 178.Nm 179will bring the link back up any time it's dropped for any reason. 180.It Fl interactive 181This is a no-op, and gives the same behaviour as if none of the above 182modes have been specified. 183.Nm 184loads any sections specified on the command line then provides an 185interactive prompt. 186.El 187.Pp 188One or more configuration entries or systems 189(as specified in 190.Pa /etc/ppp/ppp.conf ) 191may also be specified on the command line. 192.Nm 193will read the 194.Dq default 195system from 196.Pa /etc/ppp/ppp.conf 197at startup, followed by each of the systems specified on the command line. 198.Sh Major Features 199.Bl -diag 200.It Provides an interactive user interface. 201Using its command mode, the user can 202easily enter commands to establish the connection with the remote end, check 203the status of connection and close the connection. 204All functions can also be optionally password protected for security. 205.It Supports both manual and automatic dialing. 206Interactive mode has a 207.Dq term 208command which enables you to talk to the device directly. 209When you are connected to the remote peer and it starts to talk 210.Em PPP , 211.Nm 212detects it and switches to packet mode automatically. 213Once you have 214determined the proper sequence for connecting with the remote host, you 215can write a chat script to {define} the necessary dialing and login 216procedure for later convenience. 217.It Supports on-demand dialup capability. 218By using 219.Fl auto 220mode, 221.Nm 222will act as a daemon and wait for a packet to be sent over the 223.Em PPP 224link. 225When this happens, the daemon automatically dials and establishes the 226connection. 227In almost the same manner 228.Fl ddial 229mode (direct-dial mode) also automatically dials and establishes the 230connection. 231However, it differs in that it will dial the remote site 232any time it detects the link is down, even if there are no packets to be 233sent. 234This mode is useful for full-time connections where we worry less 235about line charges and more about being connected full time. 236A third 237.Fl dedicated 238mode is also available. 239This mode is targeted at a dedicated link between two machines. 240.Nm 241will never voluntarily quit from dedicated mode - you must send it the 242.Dq quit all 243command via its diagnostic socket. 244A 245.Dv SIGHUP 246will force an LCP renegotiation, and a 247.Dv SIGTERM 248will force it to exit. 249.It Supports client callback. 250.Nm 251can use either the standard LCP callback protocol or the Microsoft 252CallBack Control Protocol 253.Pa ( ftp://ftp.microsoft.com/developr/rfc/cbcp.txt ) . 254.It Supports NAT or packet aliasing. 255Packet aliasing (a.k.a. IP masquerading) allows computers on a 256private, unregistered network to access the Internet. 257The 258.Em PPP 259host acts as a masquerading gateway. 260IP addresses as well as TCP and 261UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 262returning packets. 263.It Supports background PPP connections. 264In background mode, if 265.Nm 266successfully establishes the connection, it will become a daemon. 267Otherwise, it will exit with an error. 268This allows the setup of 269scripts that wish to execute certain commands only if the connection 270is successfully established. 271.It Supports server-side PPP connections. 272In direct mode, 273.Nm 274acts as server which accepts incoming 275.Em PPP 276connections on stdin/stdout. 277.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication." 278With PAP or CHAP, it is possible to skip the Unix style 279.Xr login 1 280procedure, and use the 281.Em PPP 282protocol for authentication instead. 283If the peer requests Microsoft CHAP authentication and 284.Nm 285is compiled with DES support, an appropriate MD4/DES response will be 286made. 287.It Supports RADIUS (rfc 2138 & 2548) authentication. 288An extension to PAP and CHAP, 289.Em \&R Ns No emote 290.Em \&A Ns No ccess 291.Em \&D Ns No ial 292.Em \&I Ns No n 293.Em \&U Ns No ser 294.Em \&S Ns No ervice 295allows authentication information to be stored in a central or 296distributed database along with various per-user framed connection 297characteristics. 298ifdef({LOCALRAD},{},{If 299.Xr libradius 3 300is available at compile time, 301.Nm 302will use it to make 303.Em RADIUS 304requests when configured to do so. 305})dnl 306.It Supports Proxy Arp. 307.Nm 308can be configured to make one or more proxy arp entries on behalf of 309the peer. 310This allows routing from the peer to the LAN without 311configuring each machine on that LAN. 312.It Supports packet filtering. 313User can {define} four kinds of filters: the 314.Em in 315filter for incoming packets, the 316.Em out 317filter for outgoing packets, the 318.Em dial 319filter to {define} a dialing trigger packet and the 320.Em alive 321filter for keeping a connection alive with the trigger packet. 322.It Tunnel driver supports bpf. 323The user can use 324.Xr tcpdump 1 325to check the packet flow over the 326.Em PPP 327link. 328.It Supports PPP over TCP and PPP over UDP. 329If a device name is specified as 330.Em host Ns No : Ns Em port Ns 331.Xo 332.Op / Ns tcp|udp , 333.Xc 334.Nm 335will open a TCP or UDP connection for transporting data rather than using a 336conventional serial device. 337UDP connections force 338.Nm 339into synchronous mode. 340.It Supports PPP over Ethernet (rfc 2516). 341If 342.Nm 343is given a device specification of the format 344.No PPPoE: Ns Ar iface Ns Xo 345.Op \&: Ns Ar provider Ns 346.Xc 347and if 348.Xr netgraph 4 349is available, 350.Nm 351will attempt talk 352.Em PPP 353over Ethernet to 354.Ar provider 355using the 356.Ar iface 357network interface. 358.Pp 359On systems that do not support 360.Xr netgraph 4 , 361an external program such as 362.Xr pppoe 8 363may be used. 364.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 365.Nm 366supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 367Normally, a modem has built-in compression (e.g., v42.bis) and the system 368may receive higher data rates from it as a result of such compression. 369While this is generally a good thing in most other situations, this 370higher speed data imposes a penalty on the system by increasing the 371number of serial interrupts the system has to process in talking to the 372modem and also increases latency. 373Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 374.Em all 375network traffic flowing through the link, thus reducing overheads to a 376minimum. 377.It Supports Microsoft's IPCP extensions (rfc 1877). 378Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 379with clients using the Microsoft 380.Em PPP 381stack (i.e., Win95, WinNT) 382.It Supports Multi-link PPP (rfc 1990) 383It is possible to configure 384.Nm 385to open more than one physical connection to the peer, combining the 386bandwidth of all links for better throughput. 387.It Supports MPPE (draft-ietf-pppext-mppe) 388MPPE is Microsoft Point to Point Encryption scheme. 389It is possible to configure 390.Nm 391to participate in Microsoft's Windows VPN. 392For now, 393.Nm 394can only get encryption keys from CHAP 81 authentication. 395.Nm 396must be compiled with DES for MPPE to operate. 397.It Supports IPV6CP (rfc 2023). 398An IPv6 connection can be made in addition to or instead of the normal 399IPv4 connection. 400.El 401.Sh PERMISSIONS 402.Nm 403is installed as user 404.Dv root 405and group 406.Dv network , 407with permissions 408.Dv 04554 . 409By default, 410.Nm 411will not run if the invoking user id is not zero. 412This may be overridden by using the 413.Dq allow users 414command in 415.Pa /etc/ppp/ppp.conf . 416When running as a normal user, 417.Nm 418switches to user id 0 in order to alter the system routing table, set up 419system lock files and read the ppp configuration files. 420All external commands (executed via the "shell" or "!bg" commands) are executed 421as the user id that invoked 422.Nm . 423Refer to the 424.Sq ID0 425logging facility if you're interested in what exactly is done as user id 426zero. 427.Sh GETTING STARTED 428When you first run 429.Nm 430you may need to deal with some initial configuration details. 431.Bl -bullet 432.It 433Your kernel must {include} a tunnel device (the GENERIC kernel includes 434one by default). 435If it doesn't, or if you require more than one tun 436interface, you'll need to rebuild your kernel with the following line in 437your kernel configuration file: 438.Pp 439.Dl pseudo-device tun N 440.Pp 441where 442.Ar N 443is the maximum number of 444.Em PPP 445connections you wish to support. 446.It 447Make sure that your system has a group named 448.Dq network 449in the 450.Pa /etc/group 451file and that the group contains the names of all users expected to use 452.Nm . 453Refer to the 454.Xr group 5 455manual page for details. 456Each of these users must also be given access using the 457.Dq allow users 458command in 459.Pa /etc/ppp/ppp.conf . 460.It 461Create a log file. 462.Nm 463uses 464.Xr syslog 3 465to log information. 466A common log file name is 467.Pa /var/log/ppp.log . 468To make output go to this file, put the following lines in the 469.Pa /etc/syslog.conf 470file: 471.Bd -literal -offset indent 472!ppp 473*.*<TAB>/var/log/ppp.log 474.Ed 475.Pp 476It is possible to have more than one 477.Em PPP 478log file by creating a link to the 479.Nm 480executable: 481.Pp 482.Dl # cd /usr/sbin 483.Dl # ln ppp ppp0 484.Pp 485and using 486.Bd -literal -offset indent 487!ppp0 488*.*<TAB>/var/log/ppp0.log 489.Ed 490.Pp 491in 492.Pa /etc/syslog.conf . 493Don't forget to send a 494.Dv HUP 495signal to 496.Xr syslogd 8 497after altering 498.Pa /etc/syslog.conf . 499.It 500Although not strictly relevant to 501.Nm Ns No 's 502operation, you should configure your resolver so that it works correctly. 503This can be done by configuring a local DNS 504(using 505.Xr named 8 ) 506or by adding the correct 507.Sq nameserver 508lines to the file 509.Pa /etc/resolv.conf . 510Refer to the 511.Xr resolv.conf 5 512manual page for details. 513.Pp 514Alternatively, if the peer supports it, 515.Nm 516can be configured to ask the peer for the nameserver address(es) and to 517update 518.Pa /etc/resolv.conf 519automatically. 520Refer to the 521.Dq enable dns 522and 523.Dq resolv 524commands below for details. 525.El 526.Sh MANUAL DIALING 527In the following examples, we assume that your machine name is 528.Dv awfulhak . 529when you invoke 530.Nm 531(see 532.Sx PERMISSIONS 533above) with no arguments, you are presented with a prompt: 534.Bd -literal -offset indent 535ppp ON awfulhak> 536.Ed 537.Pp 538The 539.Sq ON 540part of your prompt should always be in upper case. 541If it is in lower case, it means that you must supply a password using the 542.Dq passwd 543command. 544This only ever happens if you connect to a running version of 545.Nm 546and have not authenticated yourself using the correct password. 547.Pp 548You can start by specifying the device name and speed: 549.Bd -literal -offset indent 550ppp ON awfulhak> set device /dev/cuaa0 551ppp ON awfulhak> set speed 38400 552.Ed 553.Pp 554Normally, hardware flow control (CTS/RTS) is used. 555However, under 556certain circumstances (as may happen when you are connected directly 557to certain PPP-capable terminal servers), this may result in 558.Nm 559hanging as soon as it tries to write data to your communications link 560as it is waiting for the CTS (clear to send) signal - which will never 561come. 562Thus, if you have a direct line and can't seem to make a 563connection, try turning CTS/RTS off with 564.Dq set ctsrts off . 565If you need to do this, check the 566.Dq set accmap 567description below too - you'll probably need to 568.Dq set accmap 000a0000 . 569.Pp 570Usually, parity is set to 571.Dq none , 572and this is 573.Nm Ns No 's 574default. 575Parity is a rather archaic error checking mechanism that is no 576longer used because modern modems do their own error checking, and most 577link-layer protocols (that's what 578.Nm 579is) use much more reliable checking mechanisms. 580Parity has a relatively 581huge overhead (a 12.5% increase in traffic) and as a result, it is always 582disabled 583(set to 584.Dq none ) 585when 586.Dv PPP 587is opened. 588However, some ISPs (Internet Service Providers) may use 589specific parity settings at connection time (before 590.Dv PPP 591is opened). 592Notably, Compuserve insist on even parity when logging in: 593.Bd -literal -offset indent 594ppp ON awfulhak> set parity even 595.Ed 596.Pp 597You can now see what your current device settings look like: 598.Bd -literal -offset indent 599ppp ON awfulhak> show physical 600Name: deflink 601 State: closed 602 Device: N/A 603 Link Type: interactive 604 Connect Count: 0 605 Queued Packets: 0 606 Phone Number: N/A 607 608Defaults: 609 Device List: /dev/cuaa0 610 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 611 612Connect time: 0 secs 6130 octets in, 0 octets out 614Overall 0 bytes/sec 615ppp ON awfulhak> 616.Ed 617.Pp 618The term command can now be used to talk directly to the device: 619.Bd -literal -offset indent 620ppp ON awfulhak> term 621at 622OK 623atdt123456 624CONNECT 625login: myispusername 626Password: myisppassword 627Protocol: ppp 628.Ed 629.Pp 630When the peer starts to talk in 631.Em PPP , 632.Nm 633detects this automatically and returns to command mode. 634.Bd -literal -offset indent 635ppp ON awfulhak> # No link has been established 636Ppp ON awfulhak> # We've connected & finished LCP 637PPp ON awfulhak> # We've authenticated 638PPP ON awfulhak> # We've agreed IP numbers 639.Ed 640.Pp 641If it does not, it's probable that the peer is waiting for your end to 642start negotiating. 643To force 644.Nm 645to start sending 646.Em PPP 647configuration packets to the peer, use the 648.Dq ~p 649command to drop out of terminal mode and enter packet mode. 650.Pp 651If you never even receive a login prompt, it is quite likely that the 652peer wants to use PAP or CHAP authentication instead of using Unix-style 653login/password authentication. 654To set things up properly, drop back to 655the prompt and set your authentication name and key, then reconnect: 656.Bd -literal -offset indent 657~. 658ppp ON awfulhak> set authname myispusername 659ppp ON awfulhak> set authkey myisppassword 660ppp ON awfulhak> term 661at 662OK 663atdt123456 664CONNECT 665.Ed 666.Pp 667You may need to tell ppp to initiate negotiations with the peer here too: 668.Bd -literal -offset indent 669~p 670ppp ON awfulhak> # No link has been established 671Ppp ON awfulhak> # We've connected & finished LCP 672PPp ON awfulhak> # We've authenticated 673PPP ON awfulhak> # We've agreed IP numbers 674.Ed 675.Pp 676You are now connected! 677Note that 678.Sq PPP 679in the prompt has changed to capital letters to indicate that you have 680a peer connection. 681If only some of the three Ps go uppercase, wait until 682either everything is uppercase or lowercase. 683If they revert to lowercase, it means that 684.Nm 685couldn't successfully negotiate with the peer. 686A good first step for troubleshooting at this point would be to 687.Bd -literal -offset indent 688ppp ON awfulhak> set log local phase lcp ipcp 689.Ed 690.Pp 691and try again. 692Refer to the 693.Dq set log 694command description below for further details. 695If things fail at this point, 696it is quite important that you turn logging on and try again. 697It is also 698important that you note any prompt changes and report them to anyone trying 699to help you. 700.Pp 701When the link is established, the show command can be used to see how 702things are going: 703.Bd -literal -offset indent 704PPP ON awfulhak> show physical 705* Modem related information is shown here * 706PPP ON awfulhak> show ccp 707* CCP (compression) related information is shown here * 708PPP ON awfulhak> show lcp 709* LCP (line control) related information is shown here * 710PPP ON awfulhak> show ipcp 711* IPCP (IP) related information is shown here * 712PPP ON awfulhak> show ipv6cp 713* IPV6CP (IPv6) related information is shown here * 714PPP ON awfulhak> show link 715* Link (high level) related information is shown here * 716PPP ON awfulhak> show bundle 717* Logical (high level) connection related information is shown here * 718.Ed 719.Pp 720At this point, your machine has a host route to the peer. 721This means 722that you can only make a connection with the host on the other side 723of the link. 724If you want to add a default route entry (telling your 725machine to send all packets without another routing entry to the other 726side of the 727.Em PPP 728link), enter the following command: 729.Bd -literal -offset indent 730PPP ON awfulhak> add default HISADDR 731.Ed 732.Pp 733The string 734.Sq HISADDR 735represents the IP address of the connected peer. 736If the 737.Dq add 738command fails due to an existing route, you can overwrite the existing 739route using 740.Bd -literal -offset indent 741PPP ON awfulhak> add! default HISADDR 742.Ed 743.Pp 744This command can also be executed before actually making the connection. 745If a new IP address is negotiated at connection time, 746.Nm 747will update your default route accordingly. 748.Pp 749You can now use your network applications (ping, telnet, ftp etc.) 750in other windows or terminals on your machine. 751If you wish to reuse the current terminal, you can put 752.Nm 753into the background using your standard shell suspend and background 754commands (usually 755.Dq ^Z 756followed by 757.Dq bg ) . 758.Pp 759Refer to the 760.Sx PPP COMMAND LIST 761section for details on all available commands. 762.Sh AUTOMATIC DIALING 763To use automatic dialing, you must prepare some Dial and Login chat scripts. 764See the example definitions in 765.Pa /usr/share/examples/ppp/ppp.conf.sample 766(the format of 767.Pa /etc/ppp/ppp.conf 768is pretty simple). 769Each line contains one comment, inclusion, label or command: 770.Bl -bullet 771.It 772A line starting with a 773.Pq Dq # 774character is treated as a comment line. 775Leading whitespace are ignored when identifying comment lines. 776.It 777An inclusion is a line beginning with the word 778.Sq {!include} . 779It must have one argument - the file to {include}. 780You may wish to 781.Dq {!include} ~/.ppp.conf 782for compatibility with older versions of 783.Nm . 784.It 785A label name starts in the first column and is followed by 786a colon 787.Pq Dq \&: . 788.It 789A command line must contain a space or tab in the first column. 790.El 791.Pp 792The 793.Pa /etc/ppp/ppp.conf 794file should consist of at least a 795.Dq default 796section. 797This section is always executed. 798It should also contain 799one or more sections, named according to their purpose, for example, 800.Dq MyISP 801would represent your ISP, and 802.Dq ppp-in 803would represent an incoming 804.Nm 805configuration. 806You can now specify the destination label name when you invoke 807.Nm . 808Commands associated with the 809.Dq default 810label are executed, followed by those associated with the destination 811label provided. 812When 813.Nm 814is started with no arguments, the 815.Dq default 816section is still executed. 817The load command can be used to manually load a section from the 818.Pa /etc/ppp/ppp.conf 819file: 820.Bd -literal -offset indent 821ppp ON awfulhak> load MyISP 822.Ed 823.Pp 824Note, no action is taken by 825.Nm 826after a section is loaded, whether it's the result of passing a label on 827the command line or using the 828.Dq load 829command. 830Only the commands specified for that label in the configuration 831file are executed. 832However, when invoking 833.Nm 834with the 835.Fl background , 836.Fl ddial , 837or 838.Fl dedicated 839switches, the link mode tells 840.Nm 841to establish a connection. 842Refer to the 843.Dq set mode 844command below for further details. 845.Pp 846Once the connection is made, the 847.Sq ppp 848portion of the prompt will change to 849.Sq PPP : 850.Bd -literal -offset indent 851# ppp MyISP 852\&... 853ppp ON awfulhak> dial 854Ppp ON awfulhak> 855PPp ON awfulhak> 856PPP ON awfulhak> 857.Ed 858.Pp 859The Ppp prompt indicates that 860.Nm 861has entered the authentication phase. 862The PPp prompt indicates that 863.Nm 864has entered the network phase. 865The PPP prompt indicates that 866.Nm 867has successfully negotiated a network layer protocol and is in 868a usable state. 869.Pp 870If the 871.Pa /etc/ppp/ppp.linkup 872file is available, its contents are executed 873when the 874.Em PPP 875connection is established. 876See the provided 877.Dq pmdemand 878example in 879.Pa /usr/share/examples/ppp/ppp.conf.sample 880which runs a script in the background after the connection is established 881(refer to the 882.Dq shell 883and 884.Dq bg 885commands below for a description of possible substitution strings). 886Similarly, when a connection is closed, the contents of the 887.Pa /etc/ppp/ppp.linkdown 888file are executed. 889Both of these files have the same format as 890.Pa /etc/ppp/ppp.conf . 891.Pp 892In previous versions of 893.Nm , 894it was necessary to re-add routes such as the default route in the 895.Pa ppp.linkup 896file. 897.Nm 898supports 899.Sq sticky routes , 900where all routes that contain the 901.Dv HISADDR , 902.Dv MYADDR , 903.Dv HISADDR6 904or 905.Dv MYADDR6 906literals will automatically be updated when the values of these variables 907change. 908.Sh BACKGROUND DIALING 909If you want to establish a connection using 910.Nm 911non-interactively (such as from a 912.Xr crontab 5 913entry or an 914.Xr at 1 915job) you should use the 916.Fl background 917option. 918When 919.Fl background 920is specified, 921.Nm 922attempts to establish the connection immediately. 923If multiple phone 924numbers are specified, each phone number will be tried once. 925If the attempt fails, 926.Nm 927exits immediately with a non-zero exit code. 928If it succeeds, then 929.Nm 930becomes a daemon, and returns an exit status of zero to its caller. 931The daemon exits automatically if the connection is dropped by the 932remote system, or it receives a 933.Dv TERM 934signal. 935.Sh DIAL ON DEMAND 936Demand dialing is enabled with the 937.Fl auto 938or 939.Fl ddial 940options. 941You must also specify the destination label in 942.Pa /etc/ppp/ppp.conf 943to use. 944It must contain the 945.Dq set ifaddr 946command to {define} the remote peers IP address. 947(refer to 948.Pa /usr/share/examples/ppp/ppp.conf.sample ) 949.Bd -literal -offset indent 950# ppp -auto pmdemand 951.Ed 952.Pp 953When 954.Fl auto 955or 956.Fl ddial 957is specified, 958.Nm 959runs as a daemon but you can still configure or examine its 960configuration by using the 961.Dq set server 962command in 963.Pa /etc/ppp/ppp.conf , 964(for example, 965.Dq Li "set server +3000 mypasswd" ) 966and connecting to the diagnostic port as follows: 967.Bd -literal -offset indent 968# pppctl 3000 (assuming tun0) 969Password: 970PPP ON awfulhak> show who 971tcp (127.0.0.1:1028) * 972.Ed 973.Pp 974The 975.Dq show who 976command lists users that are currently connected to 977.Nm 978itself. 979If the diagnostic socket is closed or changed to a different 980socket, all connections are immediately dropped. 981.Pp 982In 983.Fl auto 984mode, when an outgoing packet is detected, 985.Nm 986will perform the dialing action (chat script) and try to connect 987with the peer. 988In 989.Fl ddial 990mode, the dialing action is performed any time the line is found 991to be down. 992If the connect fails, the default behaviour is to wait 30 seconds 993and then attempt to connect when another outgoing packet is detected. 994This behaviour can be changed using the 995.Dq set redial 996command: 997.Pp 998.No set redial Ar secs Ns Xo 999.Oo + Ns Ar inc Ns 1000.Op - Ns Ar max Ns 1001.Oc Ns Op . Ns Ar next 1002.Op Ar attempts 1003.Xc 1004.Pp 1005.Bl -tag -width attempts -compact 1006.It Ar secs 1007is the number of seconds to wait before attempting 1008to connect again. 1009If the argument is the literal string 1010.Sq Li random , 1011the delay period is a random value between 1 and 30 seconds inclusive. 1012.It Ar inc 1013is the number of seconds that 1014.Ar secs 1015should be incremented each time a new dial attempt is made. 1016The timeout reverts to 1017.Ar secs 1018only after a successful connection is established. 1019The default value for 1020.Ar inc 1021is zero. 1022.It Ar max 1023is the maximum number of times 1024.Nm 1025should increment 1026.Ar secs . 1027The default value for 1028.Ar max 1029is 10. 1030.It Ar next 1031is the number of seconds to wait before attempting 1032to dial the next number in a list of numbers (see the 1033.Dq set phone 1034command). 1035The default is 3 seconds. 1036Again, if the argument is the literal string 1037.Sq Li random , 1038the delay period is a random value between 1 and 30 seconds. 1039.It Ar attempts 1040is the maximum number of times to try to connect for each outgoing packet 1041that triggers a dial. 1042The previous value is unchanged if this parameter is omitted. 1043If a value of zero is specified for 1044.Ar attempts , 1045.Nm 1046will keep trying until a connection is made. 1047.El 1048.Pp 1049So, for example: 1050.Bd -literal -offset indent 1051set redial 10.3 4 1052.Ed 1053.Pp 1054will attempt to connect 4 times for each outgoing packet that causes 1055a dial attempt with a 3 second delay between each number and a 10 second 1056delay after all numbers have been tried. 1057If multiple phone numbers 1058are specified, the total number of attempts is still 4 (it does not 1059attempt each number 4 times). 1060.Pp 1061Alternatively, 1062.Bd -literal -offset indent 1063set redial 10+10-5.3 20 1064.Ed 1065.Pp 1066tells 1067.Nm 1068to attempt to connect 20 times. 1069After the first attempt, 1070.Nm 1071pauses for 10 seconds. 1072After the next attempt it pauses for 20 seconds 1073and so on until after the sixth attempt it pauses for 1 minute. 1074The next 14 pauses will also have a duration of one minute. 1075If 1076.Nm 1077connects, disconnects and fails to connect again, the timeout starts again 1078at 10 seconds. 1079.Pp 1080Modifying the dial delay is very useful when running 1081.Nm 1082in 1083.Fl auto 1084mode on both ends of the link. 1085If each end has the same timeout, 1086both ends wind up calling each other at the same time if the link 1087drops and both ends have packets queued. 1088At some locations, the serial link may not be reliable, and carrier 1089may be lost at inappropriate times. 1090It is possible to have 1091.Nm 1092redial should carrier be unexpectedly lost during a session. 1093.Bd -literal -offset indent 1094set reconnect timeout ntries 1095.Ed 1096.Pp 1097This command tells 1098.Nm 1099to re-establish the connection 1100.Ar ntries 1101times on loss of carrier with a pause of 1102.Ar timeout 1103seconds before each try. 1104For example, 1105.Bd -literal -offset indent 1106set reconnect 3 5 1107.Ed 1108.Pp 1109tells 1110.Nm 1111that on an unexpected loss of carrier, it should wait 1112.Ar 3 1113seconds before attempting to reconnect. 1114This may happen up to 1115.Ar 5 1116times before 1117.Nm 1118gives up. 1119The default value of ntries is zero (no reconnect). 1120Care should be taken with this option. 1121If the local timeout is slightly 1122longer than the remote timeout, the reconnect feature will always be 1123triggered (up to the given number of times) after the remote side 1124times out and hangs up. 1125NOTE: In this context, losing too many LQRs constitutes a loss of 1126carrier and will trigger a reconnect. 1127If the 1128.Fl background 1129flag is specified, all phone numbers are dialed at most once until 1130a connection is made. 1131The next number redial period specified with the 1132.Dq set redial 1133command is honoured, as is the reconnect tries value. 1134If your redial 1135value is less than the number of phone numbers specified, not all 1136the specified numbers will be tried. 1137To terminate the program, type 1138.Bd -literal -offset indent 1139PPP ON awfulhak> close 1140ppp ON awfulhak> quit all 1141.Ed 1142.Pp 1143A simple 1144.Dq quit 1145command will terminate the 1146.Xr pppctl 8 1147or 1148.Xr telnet 1 1149connection but not the 1150.Nm 1151program itself. 1152You must use 1153.Dq quit all 1154to terminate 1155.Nm 1156as well. 1157.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1158To handle an incoming 1159.Em PPP 1160connection request, follow these steps: 1161.Bl -enum 1162.It 1163Make sure the modem and (optionally) 1164.Pa /etc/rc.d/serial 1165is configured correctly. 1166.Bl -bullet -compact 1167.It 1168Use Hardware Handshake (CTS/RTS) for flow control. 1169.It 1170Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1171.El 1172.It 1173Edit 1174.Pa /etc/ttys 1175to enable a 1176.Xr getty 8 1177on the port where the modem is attached. 1178For example: 1179.Pp 1180.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1181.Pp 1182Don't forget to send a 1183.Dv HUP 1184signal to the 1185.Xr init 8 1186process to start the 1187.Xr getty 8 : 1188.Pp 1189.Dl # kill -HUP 1 1190.Pp 1191It is usually also necessary to train your modem to the same DTR speed 1192as the getty: 1193.Bd -literal -offset indent 1194# ppp 1195ppp ON awfulhak> set device /dev/cuaa1 1196ppp ON awfulhak> set speed 38400 1197ppp ON awfulhak> term 1198deflink: Entering terminal mode on /dev/cuaa1 1199Type `~?' for help 1200at 1201OK 1202at 1203OK 1204atz 1205OK 1206at 1207OK 1208~. 1209ppp ON awfulhak> quit 1210.Ed 1211.It 1212Create a 1213.Pa /usr/local/bin/ppplogin 1214file with the following contents: 1215.Bd -literal -offset indent 1216#! /bin/sh 1217exec /usr/sbin/ppp -direct incoming 1218.Ed 1219.Pp 1220Direct mode 1221.Pq Fl direct 1222lets 1223.Nm 1224work with stdin and stdout. 1225You can also use 1226.Xr pppctl 8 1227to connect to a configured diagnostic port, in the same manner as with 1228client-side 1229.Nm . 1230.Pp 1231Here, the 1232.Ar incoming 1233section must be set up in 1234.Pa /etc/ppp/ppp.conf . 1235.Pp 1236Make sure that the 1237.Ar incoming 1238section contains the 1239.Dq allow users 1240command as appropriate. 1241.It 1242Prepare an account for the incoming user. 1243.Bd -literal 1244ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1245.Ed 1246.Pp 1247Refer to the manual entries for 1248.Xr adduser 8 1249and 1250.Xr vipw 8 1251for details. 1252.It 1253Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1254can be enabled using the 1255.Dq accept dns 1256and 1257.Dq set nbns 1258commands. 1259Refer to their descriptions below. 1260.El 1261.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1262This method differs in that we use 1263.Nm 1264to authenticate the connection rather than 1265.Xr login 1 : 1266.Bl -enum 1267.It 1268Configure your default section in 1269.Pa /etc/gettytab 1270with automatic ppp recognition by specifying the 1271.Dq pp 1272capability: 1273.Bd -literal 1274default:\\ 1275 :pp=/usr/local/bin/ppplogin:\\ 1276 ..... 1277.Ed 1278.It 1279Configure your serial device(s), enable a 1280.Xr getty 8 1281and create 1282.Pa /usr/local/bin/ppplogin 1283as in the first three steps for method 1 above. 1284.It 1285Add either 1286.Dq enable chap 1287or 1288.Dq enable pap 1289(or both) 1290to 1291.Pa /etc/ppp/ppp.conf 1292under the 1293.Sq incoming 1294label (or whatever label 1295.Pa ppplogin 1296uses). 1297.It 1298Create an entry in 1299.Pa /etc/ppp/ppp.secret 1300for each incoming user: 1301.Bd -literal 1302Pfred<TAB>xxxx 1303Pgeorge<TAB>yyyy 1304.Ed 1305.El 1306.Pp 1307Now, as soon as 1308.Xr getty 8 1309detects a ppp connection (by recognising the HDLC frame headers), it runs 1310.Dq /usr/local/bin/ppplogin . 1311.Pp 1312It is 1313.Em VITAL 1314that either PAP or CHAP are enabled as above. 1315If they are not, you are 1316allowing anybody to establish a ppp session with your machine 1317.Em without 1318a password, opening yourself up to all sorts of potential attacks. 1319.Sh AUTHENTICATING INCOMING CONNECTIONS 1320Normally, the receiver of a connection requires that the peer 1321authenticates itself. 1322This may be done using 1323.Xr login 1 , 1324but alternatively, you can use PAP or CHAP. 1325CHAP is the more secure of the two, but some clients may not support it. 1326Once you decide which you wish to use, add the command 1327.Sq enable chap 1328or 1329.Sq enable pap 1330to the relevant section of 1331.Pa ppp.conf . 1332.Pp 1333You must then configure the 1334.Pa /etc/ppp/ppp.secret 1335file. 1336This file contains one line per possible client, each line 1337containing up to five fields: 1338.Pp 1339.Ar name Ar key Oo 1340.Ar hisaddr Op Ar label Op Ar callback-number 1341.Oc 1342.Pp 1343The 1344.Ar name 1345and 1346.Ar key 1347specify the client username and password. 1348If 1349.Ar key 1350is 1351.Dq \&* 1352and PAP is being used, 1353.Nm 1354will look up the password database 1355.Pq Xr passwd 5 1356when authenticating. 1357If the client does not offer a suitable response based on any 1358.Ar name Ns No / Ns Ar key 1359combination in 1360.Pa ppp.secret , 1361authentication fails. 1362.Pp 1363If authentication is successful, 1364.Ar hisaddr 1365(if specified) 1366is used when negotiating IP numbers. 1367See the 1368.Dq set ifaddr 1369command for details. 1370.Pp 1371If authentication is successful and 1372.Ar label 1373is specified, the current system label is changed to match the given 1374.Ar label . 1375This will change the subsequent parsing of the 1376.Pa ppp.linkup 1377and 1378.Pa ppp.linkdown 1379files. 1380.Pp 1381If authentication is successful and 1382.Ar callback-number 1383is specified and 1384.Dq set callback 1385has been used in 1386.Pa ppp.conf , 1387the client will be called back on the given number. 1388If CBCP is being used, 1389.Ar callback-number 1390may also contain a list of numbers or a 1391.Dq \&* , 1392as if passed to the 1393.Dq set cbcp 1394command. 1395The value will be used in 1396.Nm Ns No 's 1397subsequent CBCP phase. 1398.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1399Instead of running 1400.Nm 1401over a serial link, it is possible to 1402use a TCP connection instead by specifying the host, port and protocol as the 1403device: 1404.Pp 1405.Dl set device ui-gate:6669/tcp 1406.Pp 1407Instead of opening a serial device, 1408.Nm 1409will open a TCP connection to the given machine on the given 1410socket. 1411It should be noted however that 1412.Nm 1413doesn't use the telnet protocol and will be unable to negotiate 1414with a telnet server. 1415You should set up a port for receiving this 1416.Em PPP 1417connection on the receiving machine (ui-gate). 1418This is done by first updating 1419.Pa /etc/services 1420to name the service: 1421.Pp 1422.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1423.Pp 1424and updating 1425.Pa /etc/inetd.conf 1426to tell 1427.Xr inetd 8 1428how to deal with incoming connections on that port: 1429.Pp 1430.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1431.Pp 1432Don't forget to send a 1433.Dv HUP 1434signal to 1435.Xr inetd 8 1436after you've updated 1437.Pa /etc/inetd.conf . 1438Here, we use a label named 1439.Dq ppp-in . 1440The entry in 1441.Pa /etc/ppp/ppp.conf 1442on ui-gate (the receiver) should contain the following: 1443.Bd -literal -offset indent 1444ppp-in: 1445 set timeout 0 1446 set ifaddr 10.0.4.1 10.0.4.2 1447.Ed 1448.Pp 1449and the entry in 1450.Pa /etc/ppp/ppp.linkup 1451should contain: 1452.Bd -literal -offset indent 1453ppp-in: 1454 add 10.0.1.0/24 HISADDR 1455.Ed 1456.Pp 1457It is necessary to put the 1458.Dq add 1459command in 1460.Pa ppp.linkup 1461to ensure that the route is only added after 1462.Nm 1463has negotiated and assigned addresses to its interface. 1464.Pp 1465You may also want to enable PAP or CHAP for security. 1466To enable PAP, add the following line: 1467.Bd -literal -offset indent 1468 enable PAP 1469.Ed 1470.Pp 1471You'll also need to create the following entry in 1472.Pa /etc/ppp/ppp.secret : 1473.Bd -literal -offset indent 1474MyAuthName MyAuthPasswd 1475.Ed 1476.Pp 1477If 1478.Ar MyAuthPasswd 1479is a 1480.Dq * , 1481the password is looked up in the 1482.Xr passwd 5 1483database. 1484.Pp 1485The entry in 1486.Pa /etc/ppp/ppp.conf 1487on awfulhak (the initiator) should contain the following: 1488.Bd -literal -offset indent 1489ui-gate: 1490 set escape 0xff 1491 set device ui-gate:ppp-in/tcp 1492 set dial 1493 set timeout 30 1494 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1495 set ifaddr 10.0.4.2 10.0.4.1 1496.Ed 1497.Pp 1498with the route setup in 1499.Pa /etc/ppp/ppp.linkup : 1500.Bd -literal -offset indent 1501ui-gate: 1502 add 10.0.2.0/24 HISADDR 1503.Ed 1504.Pp 1505Again, if you're enabling PAP, you'll also need this in the 1506.Pa /etc/ppp/ppp.conf 1507profile: 1508.Bd -literal -offset indent 1509 set authname MyAuthName 1510 set authkey MyAuthKey 1511.Ed 1512.Pp 1513We're assigning the address of 10.0.4.1 to ui-gate, and the address 151410.0.4.2 to awfulhak. 1515To open the connection, just type 1516.Pp 1517.Dl awfulhak # ppp -background ui-gate 1518.Pp 1519The result will be an additional "route" on awfulhak to the 152010.0.2.0/24 network via the TCP connection, and an additional 1521"route" on ui-gate to the 10.0.1.0/24 network. 1522The networks are effectively bridged - the underlying TCP 1523connection may be across a public network (such as the 1524Internet), and the 1525.Em PPP 1526traffic is conceptually encapsulated 1527(although not packet by packet) inside the TCP stream between 1528the two gateways. 1529.Pp 1530The major disadvantage of this mechanism is that there are two 1531"guaranteed delivery" mechanisms in place - the underlying TCP 1532stream and whatever protocol is used over the 1533.Em PPP 1534link - probably TCP again. 1535If packets are lost, both levels will 1536get in each others way trying to negotiate sending of the missing 1537packet. 1538.Pp 1539To avoid this overhead, it is also possible to do all this using 1540UDP instead of TCP as the transport by simply changing the protocol 1541from "tcp" to "udp". 1542When using UDP as a transport, 1543.Nm 1544will operate in synchronous mode. 1545This is another gain as the incoming 1546data does not have to be rearranged into packets. 1547.Pp 1548Care should be taken when adding a default route through a tunneled 1549setup like this. 1550It is quite common for the default route 1551(added in 1552.Pa /etc/ppp/ppp.linkup ) 1553to end up routing the link's TCP connection through the tunnel, 1554effectively garrotting the connection. 1555To avoid this, make sure you add a static route for the benefit of 1556the link: 1557.Bd -literal -offset indent 1558ui-gate: 1559 set escape 0xff 1560 set device ui-gate:ppp-in/tcp 1561 add ui-gate x.x.x.x 1562 ..... 1563.Ed 1564.Pp 1565where 1566.Dq x.x.x.x 1567is the IP number that your route to 1568.Dq ui-gate 1569would normally use. 1570.Pp 1571When routing your connection across a public network such as the Internet, 1572it is preferable to encrypt the data. 1573This can be done with the help of the MPPE protocol, although currently this 1574means that you will not be able to also compress the traffic as MPPE is 1575implemented as a compression layer (thank Microsoft for this). 1576To enable MPPE encryption, add the following lines to 1577.Pa /etc/ppp/ppp.conf 1578on the server: 1579.Bd -literal -offset indent 1580 enable MSCHAPv2 1581 disable deflate pred1 1582 deny deflate pred1 1583.Ed 1584.Pp 1585ensuring that you've put the requisite entry in 1586.Pa /etc/ppp/ppp.secret 1587(MSCHAPv2 is challenge based, so 1588.Xr passwd 5 1589cannot be used) 1590.Pp 1591MSCHAPv2 and MPPE are accepted by default, so the client end should work 1592without any additional changes (although ensure you have 1593.Dq set authname 1594and 1595.Dq set authkey 1596in your profile). 1597.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1598The 1599.Fl nat 1600command line option enables network address translation (a.k.a. packet 1601aliasing). 1602This allows the 1603.Nm 1604host to act as a masquerading gateway for other computers over 1605a local area network. 1606Outgoing IP packets are NAT'd so that they appear to come from the 1607.Nm 1608host, and incoming packets are de-NAT'd so that they are routed 1609to the correct machine on the local area network. 1610NAT allows computers on private, unregistered subnets to have Internet 1611access, although they are invisible from the outside world. 1612In general, correct 1613.Nm 1614operation should first be verified with network address translation disabled. 1615Then, the 1616.Fl nat 1617option should be switched on, and network applications (web browser, 1618.Xr telnet 1 , 1619.Xr ftp 1 , 1620.Xr ping 8 , 1621.Xr traceroute 8 ) 1622should be checked on the 1623.Nm 1624host. 1625Finally, the same or similar applications should be checked on other 1626computers in the LAN. 1627If network applications work correctly on the 1628.Nm 1629host, but not on other machines in the LAN, then the masquerading 1630software is working properly, but the host is either not forwarding 1631or possibly receiving IP packets. 1632Check that IP forwarding is enabled in 1633.Pa /etc/rc.conf 1634and that other machines have designated the 1635.Nm 1636host as the gateway for the LAN. 1637.Sh PACKET FILTERING 1638This implementation supports packet filtering. 1639There are four kinds of 1640filters: the 1641.Em in 1642filter, the 1643.Em out 1644filter, the 1645.Em dial 1646filter and the 1647.Em alive 1648filter. 1649Here are the basics: 1650.Bl -bullet 1651.It 1652A filter definition has the following syntax: 1653.Pp 1654set filter 1655.Ar name 1656.Ar rule-no 1657.Ar action 1658.Op !\& 1659.Oo 1660.Op host 1661.Ar src_addr Ns Op / Ns Ar width 1662.Op Ar dst_addr Ns Op / Ns Ar width 1663.Oc 1664.Ar [ proto Op src Ar cmp port 1665.Op dst Ar cmp port 1666.Op estab 1667.Op syn 1668.Op finrst 1669.Op timeout Ar secs ] 1670.Bl -enum 1671.It 1672.Ar Name 1673should be one of 1674.Sq in , 1675.Sq out , 1676.Sq dial 1677or 1678.Sq alive . 1679.It 1680.Ar Rule-no 1681is a numeric value between 1682.Sq 0 1683and 1684.Sq 39 1685specifying the rule number. 1686Rules are specified in numeric order according to 1687.Ar rule-no , 1688but only if rule 1689.Sq 0 1690is defined. 1691.It 1692.Ar Action 1693may be specified as 1694.Sq permit 1695or 1696.Sq deny , 1697in which case, if a given packet matches the rule, the associated action 1698is taken immediately. 1699.Ar Action 1700can also be specified as 1701.Sq clear 1702to clear the action associated with that particular rule, or as a new 1703rule number greater than the current rule. 1704In this case, if a given 1705packet matches the current rule, the packet will next be matched against 1706the new rule number (rather than the next rule number). 1707.Pp 1708The 1709.Ar action 1710may optionally be followed with an exclamation mark 1711.Pq Dq !\& , 1712telling 1713.Nm 1714to reverse the sense of the following match. 1715.It 1716.Op Ar src_addr Ns Op / Ns Ar width 1717and 1718.Op Ar dst_addr Ns Op / Ns Ar width 1719are the source and destination IP number specifications. 1720If 1721.Op / Ns Ar width 1722is specified, it gives the number of relevant netmask bits, 1723allowing the specification of an address range. 1724.Pp 1725Either 1726.Ar src_addr 1727or 1728.Ar dst_addr 1729may be given the values 1730.Dv MYADDR , 1731.Dv HISADDR , 1732.Dv MYADDR6 1733or 1734.Dv HISADDR6 1735(refer to the description of the 1736.Dq bg 1737command for a description of these values). 1738When these values are used, 1739the filters will be updated any time the values change. 1740This is similar to the behaviour of the 1741.Dq add 1742command below. 1743.It 1744.Ar Proto 1745may be any protocol from 1746.Xr protocols 5 . 1747.It 1748.Ar Cmp 1749is one of 1750.Sq \< , 1751.Sq \&eq 1752or 1753.Sq \> , 1754meaning less-than, equal and greater-than respectively. 1755.Ar Port 1756can be specified as a numeric port or by service name from 1757.Pa /etc/services . 1758.It 1759The 1760.Sq estab , 1761.Sq syn , 1762and 1763.Sq finrst 1764flags are only allowed when 1765.Ar proto 1766is set to 1767.Sq tcp , 1768and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1769.It 1770The timeout value adjusts the current idle timeout to at least 1771.Ar secs 1772seconds. 1773If a timeout is given in the alive filter as well as in the in/out 1774filter, the in/out value is used. 1775If no timeout is given, the default timeout (set using 1776.Ic set timeout 1777and defaulting to 180 seconds) is used. 1778.El 1779.It 1780Each filter can hold up to 40 rules, starting from rule 0. 1781The entire rule set is not effective until rule 0 is defined, 1782i.e., the default is to allow everything through. 1783.It 1784If no rule in a defined set of rules matches a packet, that packet will 1785be discarded (blocked). 1786If there are no rules in a given filter, the packet will be permitted. 1787.It 1788It's possible to filter based on the payload of UDP frames where those 1789frames contain a 1790.Em PROTO_IP 1791.Em PPP 1792frame header. 1793See the 1794.Ar filter-decapsulation 1795option below for further details. 1796.It 1797Use 1798.Dq set filter Ar name No -1 1799to flush all rules. 1800.El 1801.Pp 1802See 1803.Pa /usr/share/examples/ppp/ppp.conf.sample . 1804.Sh SETTING THE IDLE TIMER 1805To check/set the idle timer, use the 1806.Dq show bundle 1807and 1808.Dq set timeout 1809commands: 1810.Bd -literal -offset indent 1811ppp ON awfulhak> set timeout 600 1812.Ed 1813.Pp 1814The timeout period is measured in seconds, the default value for which 1815is 180 seconds 1816(or 3 min). 1817To disable the idle timer function, use the command 1818.Bd -literal -offset indent 1819ppp ON awfulhak> set timeout 0 1820.Ed 1821.Pp 1822In 1823.Fl ddial 1824and 1825.Fl dedicated 1826modes, the idle timeout is ignored. 1827In 1828.Fl auto 1829mode, when the idle timeout causes the 1830.Em PPP 1831session to be 1832closed, the 1833.Nm 1834program itself remains running. 1835Another trigger packet will cause it to attempt to re-establish the link. 1836.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1837.Nm 1838supports both Predictor type 1 and deflate compression. 1839By default, 1840.Nm 1841will attempt to use (or be willing to accept) both compression protocols 1842when the peer agrees 1843(or requests them). 1844The deflate protocol is preferred by 1845.Nm . 1846Refer to the 1847.Dq disable 1848and 1849.Dq deny 1850commands if you wish to disable this functionality. 1851.Pp 1852It is possible to use a different compression algorithm in each direction 1853by using only one of 1854.Dq disable deflate 1855and 1856.Dq deny deflate 1857(assuming that the peer supports both algorithms). 1858.Pp 1859By default, when negotiating DEFLATE, 1860.Nm 1861will use a window size of 15. 1862Refer to the 1863.Dq set deflate 1864command if you wish to change this behaviour. 1865.Pp 1866A special algorithm called DEFLATE24 is also available, and is disabled 1867and denied by default. 1868This is exactly the same as DEFLATE except that 1869it uses CCP ID 24 to negotiate. 1870This allows 1871.Nm 1872to successfully negotiate DEFLATE with 1873.Nm pppd 1874version 2.3.*. 1875.Sh CONTROLLING IP ADDRESS 1876For IPv4, 1877.Nm 1878uses IPCP to negotiate IP addresses. 1879Each side of the connection 1880specifies the IP address that it's willing to use, and if the requested 1881IP address is acceptable then 1882.Nm 1883returns an ACK to the requester. 1884Otherwise, 1885.Nm 1886returns NAK to suggest that the peer use a different IP address. 1887When 1888both sides of the connection agree to accept the received request (and 1889send an ACK), IPCP is set to the open state and a network level connection 1890is established. 1891To control this IPCP behaviour, this implementation has the 1892.Dq set ifaddr 1893command for defining the local and remote IP address: 1894.Bd -ragged -offset indent 1895.No set ifaddr Oo Ar src_addr Ns 1896.Op / Ns Ar \&nn 1897.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1898.Oo Ar netmask 1899.Op Ar trigger_addr 1900.Oc 1901.Oc 1902.Oc 1903.Ed 1904.Pp 1905where, 1906.Sq src_addr 1907is the IP address that the local side is willing to use, 1908.Sq dst_addr 1909is the IP address which the remote side should use and 1910.Sq netmask 1911is the netmask that should be used. 1912.Sq Src_addr 1913defaults to the current 1914.Xr hostname 1 , 1915.Sq dst_addr 1916defaults to 0.0.0.0, and 1917.Sq netmask 1918defaults to whatever mask is appropriate for 1919.Sq src_addr . 1920It is only possible to make 1921.Sq netmask 1922smaller than the default. 1923The usual value is 255.255.255.255, as 1924most kernels ignore the netmask of a POINTOPOINT interface. 1925.Pp 1926Some incorrect 1927.Em PPP 1928implementations require that the peer negotiates a specific IP 1929address instead of 1930.Sq src_addr . 1931If this is the case, 1932.Sq trigger_addr 1933may be used to specify this IP number. 1934This will not affect the 1935routing table unless the other side agrees with this proposed number. 1936.Bd -literal -offset indent 1937set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1938.Ed 1939.Pp 1940The above specification means: 1941.Pp 1942.Bl -bullet -compact 1943.It 1944I will first suggest that my IP address should be 0.0.0.0, but I 1945will only accept an address of 192.244.177.38. 1946.It 1947I strongly insist that the peer uses 192.244.177.2 as his own 1948address and won't permit the use of any IP address but 192.244.177.2. 1949When the peer requests another IP address, I will always suggest that 1950it uses 192.244.177.2. 1951.It 1952The routing table entry will have a netmask of 0xffffffff. 1953.El 1954.Pp 1955This is all fine when each side has a pre-determined IP address, however 1956it is often the case that one side is acting as a server which controls 1957all IP addresses and the other side should go along with it. 1958In order to allow more flexible behaviour, the 1959.Dq set ifaddr 1960command allows the user to specify IP addresses more loosely: 1961.Pp 1962.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1963.Pp 1964A number followed by a slash 1965.Pq Dq / 1966represents the number of bits significant in the IP address. 1967The above example means: 1968.Pp 1969.Bl -bullet -compact 1970.It 1971I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1972also accept any IP address between 192.244.177.0 and 192.244.177.255. 1973.It 1974I'd like to make him use 192.244.177.2 as his own address, but I'll also 1975permit him to use any IP address between 192.244.176.0 and 1976192.244.191.255. 1977.It 1978As you may have already noticed, 192.244.177.2 is equivalent to saying 1979192.244.177.2/32. 1980.It 1981As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 1982preferred IP address and will obey the remote peers selection. 1983When using zero, no routing table entries will be made until a connection 1984is established. 1985.It 1986192.244.177.2/0 means that I'll accept/permit any IP address but I'll 1987suggest that 192.244.177.2 be used first. 1988.El 1989.Pp 1990When negotiating IPv6 addresses, no control is given to the user. 1991IPV6CP negotiation is fully automatic. 1992.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 1993The following steps should be taken when connecting to your ISP: 1994.Bl -enum 1995.It 1996Describe your providers phone number(s) in the dial script using the 1997.Dq set phone 1998command. 1999This command allows you to set multiple phone numbers for 2000dialing and redialing separated by either a pipe 2001.Pq Dq \&| 2002or a colon 2003.Pq Dq \&: : 2004.Bd -ragged -offset indent 2005.No set phone Ar telno Ns Xo 2006.Oo \&| Ns Ar backupnumber 2007.Oc Ns ... Ns Oo : Ns Ar nextnumber 2008.Oc Ns ... 2009.Xc 2010.Ed 2011.Pp 2012Numbers after the first in a pipe-separated list are only used if the 2013previous number was used in a failed dial or login script. 2014Numbers 2015separated by a colon are used sequentially, irrespective of what happened 2016as a result of using the previous number. 2017For example: 2018.Bd -literal -offset indent 2019set phone "1234567|2345678:3456789|4567890" 2020.Ed 2021.Pp 2022Here, the 1234567 number is attempted. 2023If the dial or login script fails, 2024the 2345678 number is used next time, but *only* if the dial or login script 2025fails. 2026On the dial after this, the 3456789 number is used. 2027The 4567890 2028number is only used if the dial or login script using the 3456789 fails. 2029If the login script of the 2345678 number fails, the next number is still the 20303456789 number. 2031As many pipes and colons can be used as are necessary 2032(although a given site would usually prefer to use either the pipe or the 2033colon, but not both). 2034The next number redial timeout is used between all numbers. 2035When the end of the list is reached, the normal redial period is 2036used before starting at the beginning again. 2037The selected phone number is substituted for the \\\\T string in the 2038.Dq set dial 2039command (see below). 2040.It 2041Set up your redial requirements using 2042.Dq set redial . 2043For example, if you have a bad telephone line or your provider is 2044usually engaged (not so common these days), you may want to specify 2045the following: 2046.Bd -literal -offset indent 2047set redial 10 4 2048.Ed 2049.Pp 2050This says that up to 4 phone calls should be attempted with a pause of 10 2051seconds before dialing the first number again. 2052.It 2053Describe your login procedure using the 2054.Dq set dial 2055and 2056.Dq set login 2057commands. 2058The 2059.Dq set dial 2060command is used to talk to your modem and establish a link with your 2061ISP, for example: 2062.Bd -literal -offset indent 2063set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2064 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2065.Ed 2066.Pp 2067This modem "chat" string means: 2068.Bl -bullet 2069.It 2070Abort if the string "BUSY" or "NO CARRIER" are received. 2071.It 2072Set the timeout to 4 seconds. 2073.It 2074Expect nothing. 2075.It 2076Send ATZ. 2077.It 2078Expect OK. 2079If that's not received within the 4 second timeout, send ATZ 2080and expect OK. 2081.It 2082Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2083above. 2084.It 2085Set the timeout to 60. 2086.It 2087Wait for the CONNECT string. 2088.El 2089.Pp 2090Once the connection is established, the login script is executed. 2091This script is written in the same style as the dial script, but care should 2092be taken to avoid having your password logged: 2093.Bd -literal -offset indent 2094set authkey MySecret 2095set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2096 word: \\\\P ocol: PPP HELLO" 2097.Ed 2098.Pp 2099This login "chat" string means: 2100.Bl -bullet 2101.It 2102Set the timeout to 15 seconds. 2103.It 2104Expect "login:". 2105If it's not received, send a carriage return and expect 2106"login:" again. 2107.It 2108Send "awfulhak" 2109.It 2110Expect "word:" (the tail end of a "Password:" prompt). 2111.It 2112Send whatever our current 2113.Ar authkey 2114value is set to. 2115.It 2116Expect "ocol:" (the tail end of a "Protocol:" prompt). 2117.It 2118Send "PPP". 2119.It 2120Expect "HELLO". 2121.El 2122.Pp 2123The 2124.Dq set authkey 2125command is logged specially. 2126When 2127.Ar command 2128or 2129.Ar chat 2130logging is enabled, the actual password is not logged; 2131.Sq ******** 2132is logged instead. 2133.Pp 2134Login scripts vary greatly between ISPs. 2135If you're setting one up for the first time, 2136.Em ENABLE CHAT LOGGING 2137so that you can see if your script is behaving as you expect. 2138.It 2139Use 2140.Dq set device 2141and 2142.Dq set speed 2143to specify your serial line and speed, for example: 2144.Bd -literal -offset indent 2145set device /dev/cuaa0 2146set speed 115200 2147.Ed 2148.Pp 2149Cuaa0 is the first serial port on 2150.Dx . 2151If you're running 2152.Nm 2153on 2154.Ox , 2155cua00 is the first. 2156A speed of 115200 should be specified 2157if you have a modem capable of bit rates of 28800 or more. 2158In general, the serial speed should be about four times the modem speed. 2159.It 2160Use the 2161.Dq set ifaddr 2162command to {define} the IP address. 2163.Bl -bullet 2164.It 2165If you know what IP address your provider uses, then use it as the remote 2166address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2167.It 2168If your provider has assigned a particular IP address to you, then use 2169it as your address (src_addr). 2170.It 2171If your provider assigns your address dynamically, choose a suitably 2172unobtrusive and unspecific IP number as your address. 217310.0.0.1/0 would be appropriate. 2174The bit after the / specifies how many bits of the 2175address you consider to be important, so if you wanted to insist on 2176something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2177.It 2178If you find that your ISP accepts the first IP number that you suggest, 2179specify third and forth arguments of 2180.Dq 0.0.0.0 . 2181This will force your ISP to assign a number. 2182(The third argument will 2183be ignored as it is less restrictive than the default mask for your 2184.Sq src_addr ) . 2185.El 2186.Pp 2187An example for a connection where you don't know your IP number or your 2188ISPs IP number would be: 2189.Bd -literal -offset indent 2190set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2191.Ed 2192.It 2193In most cases, your ISP will also be your default router. 2194If this is the case, add the line 2195.Bd -literal -offset indent 2196add default HISADDR 2197.Ed 2198.Pp 2199to 2200.Pa /etc/ppp/ppp.conf 2201(or to 2202.Pa /etc/ppp/ppp.linkup 2203for setups that don't use 2204.Fl auto 2205mode). 2206.Pp 2207This tells 2208.Nm 2209to add a default route to whatever the peer address is 2210(10.0.0.2 in this example). 2211This route is 2212.Sq sticky , 2213meaning that should the value of 2214.Dv HISADDR 2215change, the route will be updated accordingly. 2216.It 2217If your provider requests that you use PAP/CHAP authentication methods, add 2218the next lines to your 2219.Pa /etc/ppp/ppp.conf 2220file: 2221.Bd -literal -offset indent 2222set authname MyName 2223set authkey MyPassword 2224.Ed 2225.Pp 2226Both are accepted by default, so 2227.Nm 2228will provide whatever your ISP requires. 2229.Pp 2230It should be noted that a login script is rarely (if ever) required 2231when PAP or CHAP are in use. 2232.It 2233Ask your ISP to authenticate your nameserver address(es) with the line 2234.Bd -literal -offset indent 2235enable dns 2236.Ed 2237.Pp 2238Do 2239.Em NOT 2240do this if you are running a local DNS unless you also either use 2241.Dq resolv readonly 2242or have 2243.Dq resolv restore 2244in 2245.Pa /etc/ppp/ppp.linkdown , 2246as 2247.Nm 2248will simply circumvent its use by entering some nameserver lines in 2249.Pa /etc/resolv.conf . 2250.El 2251.Pp 2252Please refer to 2253.Pa /usr/share/examples/ppp/ppp.conf.sample 2254and 2255.Pa /usr/share/examples/ppp/ppp.linkup.sample 2256for some real examples. 2257The pmdemand label should be appropriate for most ISPs. 2258.Sh LOGGING FACILITY 2259.Nm 2260is able to generate the following log info either via 2261.Xr syslog 3 2262or directly to the screen: 2263.Pp 2264.Bl -tag -width XXXXXXXXX -offset XXX -compact 2265.It Li All 2266Enable all logging facilities. 2267This generates a lot of log. 2268The most common use of 'all' is as a basis, where you remove some facilities 2269after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2270.It Li Async 2271Dump async level packet in hex. 2272.It Li CBCP 2273Generate CBCP (CallBack Control Protocol) logs. 2274.It Li CCP 2275Generate a CCP packet trace. 2276.It Li Chat 2277Generate 2278.Sq dial , 2279.Sq login , 2280.Sq logout 2281and 2282.Sq hangup 2283chat script trace logs. 2284.It Li Command 2285Log commands executed either from the command line or any of the configuration 2286files. 2287.It Li Connect 2288Log Chat lines containing the string "CONNECT". 2289.It Li Debug 2290Log debug information. 2291.It Li DNS 2292Log DNS QUERY packets. 2293.It Li Filter 2294Log packets permitted by the dial filter and denied by any filter. 2295.It Li HDLC 2296Dump HDLC packet in hex. 2297.It Li ID0 2298Log all function calls specifically made as user id 0. 2299.It Li IPCP 2300Generate an IPCP packet trace. 2301.It Li LCP 2302Generate an LCP packet trace. 2303.It Li LQM 2304Generate LQR reports. 2305.It Li Phase 2306Phase transition log output. 2307.It Li Physical 2308Dump physical level packet in hex. 2309.It Li Sync 2310Dump sync level packet in hex. 2311.It Li TCP/IP 2312Dump all TCP/IP packets. 2313.It Li Timer 2314Log timer manipulation. 2315.It Li TUN 2316Include the tun device on each log line. 2317.It Li Warning 2318Output to the terminal device. 2319If there is currently no terminal, 2320output is sent to the log file using syslogs 2321.Dv LOG_WARNING . 2322.It Li Error 2323Output to both the terminal device 2324and the log file using syslogs 2325.Dv LOG_ERROR . 2326.It Li Alert 2327Output to the log file using 2328.Dv LOG_ALERT . 2329.El 2330.Pp 2331The 2332.Dq set log 2333command allows you to set the logging output level. 2334Multiple levels can be specified on a single command line. 2335The default is equivalent to 2336.Dq set log Phase . 2337.Pp 2338It is also possible to log directly to the screen. 2339The syntax is the same except that the word 2340.Dq local 2341should immediately follow 2342.Dq set log . 2343The default is 2344.Dq set log local 2345(i.e., only the un-maskable warning, error and alert output). 2346.Pp 2347If The first argument to 2348.Dq set log Op local 2349begins with a 2350.Sq + 2351or a 2352.Sq - 2353character, the current log levels are 2354not cleared, for example: 2355.Bd -literal -offset indent 2356PPP ON awfulhak> set log phase 2357PPP ON awfulhak> show log 2358Log: Phase Warning Error Alert 2359Local: Warning Error Alert 2360PPP ON awfulhak> set log +tcp/ip -warning 2361PPP ON awfulhak> set log local +command 2362PPP ON awfulhak> show log 2363Log: Phase TCP/IP Warning Error Alert 2364Local: Command Warning Error Alert 2365.Ed 2366.Pp 2367Log messages of level Warning, Error and Alert are not controllable 2368using 2369.Dq set log Op local . 2370.Pp 2371The 2372.Ar Warning 2373level is special in that it will not be logged if it can be displayed 2374locally. 2375.Sh SIGNAL HANDLING 2376.Nm 2377deals with the following signals: 2378.Bl -tag -width "USR2" 2379.It INT 2380Receipt of this signal causes the termination of the current connection 2381(if any). 2382This will cause 2383.Nm 2384to exit unless it is in 2385.Fl auto 2386or 2387.Fl ddial 2388mode. 2389.It HUP, TERM & QUIT 2390These signals tell 2391.Nm 2392to exit. 2393.It USR1 2394This signal, tells 2395.Nm 2396to re-open any existing server socket, dropping all existing diagnostic 2397connections. 2398Sockets that couldn't previously be opened will be retried. 2399.It USR2 2400This signal, tells 2401.Nm 2402to close any existing server socket, dropping all existing diagnostic 2403connections. 2404.Dv SIGUSR1 2405can still be used to re-open the socket. 2406.El 2407.Sh MULTI-LINK PPP 2408If you wish to use more than one physical link to connect to a 2409.Em PPP 2410peer, that peer must also understand the 2411.Em MULTI-LINK PPP 2412protocol. 2413Refer to RFC 1990 for specification details. 2414.Pp 2415The peer is identified using a combination of his 2416.Dq endpoint discriminator 2417and his 2418.Dq authentication id . 2419Either or both of these may be specified. 2420It is recommended that 2421at least one is specified, otherwise there is no way of ensuring that 2422all links are actually connected to the same peer program, and some 2423confusing lock-ups may result. 2424Locally, these identification variables are specified using the 2425.Dq set enddisc 2426and 2427.Dq set authname 2428commands. 2429The 2430.Sq authname 2431(and 2432.Sq authkey ) 2433must be agreed in advance with the peer. 2434.Pp 2435Multi-link capabilities are enabled using the 2436.Dq set mrru 2437command (set maximum reconstructed receive unit). 2438Once multi-link is enabled, 2439.Nm 2440will attempt to negotiate a multi-link connection with the peer. 2441.Pp 2442By default, only one 2443.Sq link 2444is available 2445(called 2446.Sq deflink ) . 2447To create more links, the 2448.Dq clone 2449command is used. 2450This command will clone existing links, where all 2451characteristics are the same except: 2452.Bl -enum 2453.It 2454The new link has its own name as specified on the 2455.Dq clone 2456command line. 2457.It 2458The new link is an 2459.Sq interactive 2460link. 2461Its mode may subsequently be changed using the 2462.Dq set mode 2463command. 2464.It 2465The new link is in a 2466.Sq closed 2467state. 2468.El 2469.Pp 2470A summary of all available links can be seen using the 2471.Dq show links 2472command. 2473.Pp 2474Once a new link has been created, command usage varies. 2475All link specific commands must be prefixed with the 2476.Dq link Ar name 2477command, specifying on which link the command is to be applied. 2478When only a single link is available, 2479.Nm 2480is smart enough not to require the 2481.Dq link Ar name 2482prefix. 2483.Pp 2484Some commands can still be used without specifying a link - resulting 2485in an operation at the 2486.Sq bundle 2487level. 2488For example, once two or more links are available, the command 2489.Dq show ccp 2490will show CCP configuration and statistics at the multi-link level, and 2491.Dq link deflink show ccp 2492will show the same information at the 2493.Dq deflink 2494link level. 2495.Pp 2496Armed with this information, the following configuration might be used: 2497.Bd -literal -offset indent 2498mp: 2499 set timeout 0 2500 set log phase chat 2501 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2502 set phone "123456789" 2503 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2504 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2505 set login 2506 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2507 set authname ppp 2508 set authkey ppppassword 2509 2510 set mrru 1500 2511 clone 1,2,3 # Create 3 new links - duplicates of the default 2512 link deflink remove # Delete the default link (called ``deflink'') 2513.Ed 2514.Pp 2515Note how all cloning is done at the end of the configuration. 2516Usually, the link will be configured first, then cloned. 2517If you wish all links 2518to be up all the time, you can add the following line to the end of your 2519configuration. 2520.Bd -literal -offset indent 2521 link 1,2,3 set mode ddial 2522.Ed 2523.Pp 2524If you want the links to dial on demand, this command could be used: 2525.Bd -literal -offset indent 2526 link * set mode auto 2527.Ed 2528.Pp 2529Links may be tied to specific names by removing the 2530.Dq set device 2531line above, and specifying the following after the 2532.Dq clone 2533command: 2534.Bd -literal -offset indent 2535 link 1 set device /dev/cuaa0 2536 link 2 set device /dev/cuaa1 2537 link 3 set device /dev/cuaa2 2538.Ed 2539.Pp 2540Use the 2541.Dq help 2542command to see which commands require context (using the 2543.Dq link 2544command), which have optional 2545context and which should not have any context. 2546.Pp 2547When 2548.Nm 2549has negotiated 2550.Em MULTI-LINK 2551mode with the peer, it creates a local domain socket in the 2552.Pa /var/run 2553directory. 2554This socket is used to pass link information (including 2555the actual link file descriptor) between different 2556.Nm 2557invocations. 2558This facilitates 2559.Nm Ns No 's 2560ability to be run from a 2561.Xr getty 8 2562or directly from 2563.Pa /etc/gettydefs 2564(using the 2565.Sq pp= 2566capability), without needing to have initial control of the serial 2567line. 2568Once 2569.Nm 2570negotiates multi-link mode, it will pass its open link to any 2571already running process. 2572If there is no already running process, 2573.Nm 2574will act as the master, creating the socket and listening for new 2575connections. 2576.Sh PPP COMMAND LIST 2577This section lists the available commands and their effect. 2578They are usable either from an interactive 2579.Nm 2580session, from a configuration file or from a 2581.Xr pppctl 8 2582or 2583.Xr telnet 1 2584session. 2585.Bl -tag -width 2n 2586.It accept|deny|enable|disable Ar option.... 2587These directives tell 2588.Nm 2589how to negotiate the initial connection with the peer. 2590Each 2591.Dq option 2592has a default of either accept or deny and enable or disable. 2593.Dq Accept 2594means that the option will be ACK'd if the peer asks for it. 2595.Dq Deny 2596means that the option will be NAK'd if the peer asks for it. 2597.Dq Enable 2598means that the option will be requested by us. 2599.Dq Disable 2600means that the option will not be requested by us. 2601.Pp 2602.Dq Option 2603may be one of the following: 2604.Bl -tag -width 2n 2605.It acfcomp 2606Default: Enabled and Accepted. 2607ACFComp stands for Address and Control Field Compression. 2608Non LCP packets will usually have an address 2609field of 0xff (the All-Stations address) and a control field of 26100x03 (the Unnumbered Information command). 2611If this option is 2612negotiated, these two bytes are simply not sent, thus minimising 2613traffic. 2614.Pp 2615See 2616.Pa rfc1662 2617for details. 2618.It chap Ns Op \&05 2619Default: Disabled and Accepted. 2620CHAP stands for Challenge Handshake Authentication Protocol. 2621Only one of CHAP and PAP (below) may be negotiated. 2622With CHAP, the authenticator sends a "challenge" message to its peer. 2623The peer uses a one-way hash function to encrypt the 2624challenge and sends the result back. 2625The authenticator does the same, and compares the results. 2626The advantage of this mechanism is that no 2627passwords are sent across the connection. 2628A challenge is made when the connection is first made. 2629Subsequent challenges may occur. 2630If you want to have your peer authenticate itself, you must 2631.Dq enable chap . 2632in 2633.Pa /etc/ppp/ppp.conf , 2634and have an entry in 2635.Pa /etc/ppp/ppp.secret 2636for the peer. 2637.Pp 2638When using CHAP as the client, you need only specify 2639.Dq AuthName 2640and 2641.Dq AuthKey 2642in 2643.Pa /etc/ppp/ppp.conf . 2644CHAP is accepted by default. 2645Some 2646.Em PPP 2647implementations use "MS-CHAP" rather than MD5 when encrypting the 2648challenge. 2649MS-CHAP is a combination of MD4 and DES. 2650If 2651.Nm 2652was built on a machine with DES libraries available, it will respond 2653to MS-CHAP authentication requests, but will never request them. 2654.It deflate 2655Default: Enabled and Accepted. 2656This option decides if deflate 2657compression will be used by the Compression Control Protocol (CCP). 2658This is the same algorithm as used by the 2659.Xr gzip 1 2660program. 2661Note: There is a problem negotiating 2662.Ar deflate 2663capabilities with 2664.Xr pppd 8 2665- a 2666.Em PPP 2667implementation available under many operating systems. 2668.Nm pppd 2669(version 2.3.1) incorrectly attempts to negotiate 2670.Ar deflate 2671compression using type 2672.Em 24 2673as the CCP configuration type rather than type 2674.Em 26 2675as specified in 2676.Pa rfc1979 . 2677Type 2678.Ar 24 2679is actually specified as 2680.Dq PPP Magna-link Variable Resource Compression 2681in 2682.Pa rfc1975 ! 2683.Nm 2684is capable of negotiating with 2685.Nm pppd , 2686but only if 2687.Dq deflate24 2688is 2689.Ar enable Ns No d 2690and 2691.Ar accept Ns No ed . 2692.It deflate24 2693Default: Disabled and Denied. 2694This is a variance of the 2695.Ar deflate 2696option, allowing negotiation with the 2697.Xr pppd 8 2698program. 2699Refer to the 2700.Ar deflate 2701section above for details. 2702It is disabled by default as it violates 2703.Pa rfc1975 . 2704.It dns 2705Default: Disabled and Denied. 2706This option allows DNS negotiation. 2707.Pp 2708If 2709.Dq enable Ns No d, 2710.Nm 2711will request that the peer confirms the entries in 2712.Pa /etc/resolv.conf . 2713If the peer NAKs our request (suggesting new IP numbers), 2714.Pa /etc/resolv.conf 2715is updated and another request is sent to confirm the new entries. 2716.Pp 2717If 2718.Dq accept Ns No ed, 2719.Nm 2720will answer any DNS queries requested by the peer rather than rejecting 2721them. 2722The answer is taken from 2723.Pa /etc/resolv.conf 2724unless the 2725.Dq set dns 2726command is used as an override. 2727.It enddisc 2728Default: Enabled and Accepted. 2729This option allows control over whether we 2730negotiate an endpoint discriminator. 2731We only send our discriminator if 2732.Dq set enddisc 2733is used and 2734.Ar enddisc 2735is enabled. 2736We reject the peers discriminator if 2737.Ar enddisc 2738is denied. 2739.It LANMan|chap80lm 2740Default: Disabled and Accepted. 2741The use of this authentication protocol 2742is discouraged as it partially violates the authentication protocol by 2743implementing two different mechanisms (LANMan & NT) under the guise of 2744a single CHAP type (0x80). 2745.Dq LANMan 2746uses a simple DES encryption mechanism and is the least secure of the 2747CHAP alternatives (although is still more secure than PAP). 2748.Pp 2749Refer to the 2750.Dq MSChap 2751description below for more details. 2752.It lqr 2753Default: Disabled and Accepted. 2754This option decides if Link Quality Requests will be sent or accepted. 2755LQR is a protocol that allows 2756.Nm 2757to determine that the link is down without relying on the modems 2758carrier detect. 2759When LQR is enabled, 2760.Nm 2761sends the 2762.Em QUALPROTO 2763option (see 2764.Dq set lqrperiod 2765below) as part of the LCP request. 2766If the peer agrees, both sides will 2767exchange LQR packets at the agreed frequency, allowing detailed link 2768quality monitoring by enabling LQM logging. 2769If the peer doesn't agree, 2770.Nm 2771will send ECHO LQR requests instead. 2772These packets pass no information of interest, but they 2773.Em MUST 2774be replied to by the peer. 2775.Pp 2776Whether using LQR or ECHO LQR, 2777.Nm 2778will abruptly drop the connection if 5 unacknowledged packets have been 2779sent rather than sending a 6th. 2780A message is logged at the 2781.Em PHASE 2782level, and any appropriate 2783.Dq reconnect 2784values are honoured as if the peer were responsible for dropping the 2785connection. 2786.It mppe 2787Default: Enabled and Accepted. 2788This is Microsoft Point to Point Encryption scheme. 2789MPPE key size can be 279040-, 56- and 128-bits. 2791Refer to 2792.Dq set mppe 2793command. 2794.It MSChapV2|chap81 2795Default: Disabled and Accepted. 2796It is very similar to standard CHAP (type 0x05) 2797except that it issues challenges of a fixed 16 bytes in length and uses a 2798combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2799standard MD5 mechanism. 2800.It MSChap|chap80nt 2801Default: Disabled and Accepted. 2802The use of this authentication protocol 2803is discouraged as it partially violates the authentication protocol by 2804implementing two different mechanisms (LANMan & NT) under the guise of 2805a single CHAP type (0x80). 2806It is very similar to standard CHAP (type 0x05) 2807except that it issues challenges of a fixed 8 bytes in length and uses a 2808combination of MD4 and DES to encrypt the challenge rather than using the 2809standard MD5 mechanism. 2810CHAP type 0x80 for LANMan is also supported - see 2811.Dq enable LANMan 2812for details. 2813.Pp 2814Because both 2815.Dq LANMan 2816and 2817.Dq NT 2818use CHAP type 0x80, when acting as authenticator with both 2819.Dq enable Ns No d , 2820.Nm 2821will rechallenge the peer up to three times if it responds using the wrong 2822one of the two protocols. 2823This gives the peer a chance to attempt using both protocols. 2824.Pp 2825Conversely, when 2826.Nm 2827acts as the authenticatee with both protocols 2828.Dq accept Ns No ed , 2829the protocols are used alternately in response to challenges. 2830.Pp 2831Note: If only LANMan is enabled, 2832.Xr pppd 8 2833(version 2.3.5) misbehaves when acting as authenticatee. 2834It provides both 2835the NT and the LANMan answers, but also suggests that only the NT answer 2836should be used. 2837.It pap 2838Default: Disabled and Accepted. 2839PAP stands for Password Authentication Protocol. 2840Only one of PAP and CHAP (above) may be negotiated. 2841With PAP, the ID and Password are sent repeatedly to the peer until 2842authentication is acknowledged or the connection is terminated. 2843This is a rather poor security mechanism. 2844It is only performed when the connection is first established. 2845If you want to have your peer authenticate itself, you must 2846.Dq enable pap . 2847in 2848.Pa /etc/ppp/ppp.conf , 2849and have an entry in 2850.Pa /etc/ppp/ppp.secret 2851for the peer (although see the 2852.Dq passwdauth 2853and 2854.Dq set radius 2855options below). 2856.Pp 2857When using PAP as the client, you need only specify 2858.Dq AuthName 2859and 2860.Dq AuthKey 2861in 2862.Pa /etc/ppp/ppp.conf . 2863PAP is accepted by default. 2864.It pred1 2865Default: Enabled and Accepted. 2866This option decides if Predictor 1 2867compression will be used by the Compression Control Protocol (CCP). 2868.It protocomp 2869Default: Enabled and Accepted. 2870This option is used to negotiate 2871PFC (Protocol Field Compression), a mechanism where the protocol 2872field number is reduced to one octet rather than two. 2873.It shortseq 2874Default: Enabled and Accepted. 2875This option determines if 2876.Nm 2877will request and accept requests for short 2878(12 bit) 2879sequence numbers when negotiating multi-link mode. 2880This is only applicable if our MRRU is set (thus enabling multi-link). 2881.It vjcomp 2882Default: Enabled and Accepted. 2883This option determines if Van Jacobson header compression will be used. 2884.El 2885.Pp 2886The following options are not actually negotiated with the peer. 2887Therefore, accepting or denying them makes no sense. 2888.Bl -tag -width 2n 2889.It filter-decapsulation 2890Default: Disabled. 2891When this option is enabled, 2892.Nm 2893will examine UDP frames to see if they actually contain a 2894.Em PPP 2895frame as their payload. 2896If this is the case, all filters will operate on the payload rather 2897than the actual packet. 2898.Pp 2899This is useful if you want to send PPPoUDP traffic over a 2900.Em PPP 2901link, but want that link to do smart things with the real data rather than 2902the UDP wrapper. 2903.Pp 2904The UDP frame payload must not be compressed in any way, otherwise 2905.Nm 2906will not be able to interpret it. 2907It's therefore recommended that you 2908.Ic disable vj pred1 deflate 2909and 2910.Ic deny vj pred1 deflate 2911in the configuration for the 2912.Nm 2913invocation with the udp link. 2914.It idcheck 2915Default: Enabled. 2916When 2917.Nm 2918exchanges low-level LCP, CCP and IPCP configuration traffic, the 2919.Em Identifier 2920field of any replies is expected to be the same as that of the request. 2921By default, 2922.Nm 2923drops any reply packets that do not contain the expected identifier 2924field, reporting the fact at the respective log level. 2925If 2926.Ar idcheck 2927is disabled, 2928.Nm 2929will ignore the identifier field. 2930.It iface-alias 2931Default: Enabled if 2932.Fl nat 2933is specified. 2934This option simply tells 2935.Nm 2936to add new interface addresses to the interface rather than replacing them. 2937The option can only be enabled if network address translation is enabled 2938.Pq Dq nat enable yes . 2939.Pp 2940With this option enabled, 2941.Nm 2942will pass traffic for old interface addresses through the NAT 2943ifdef({LOCALNAT},{engine,},{engine 2944(see 2945.Xr libalias 3 ) ,}) 2946resulting in the ability (in 2947.Fl auto 2948mode) to properly connect the process that caused the PPP link to 2949come up in the first place. 2950.Pp 2951Disabling NAT with 2952.Dq nat enable no 2953will also disable 2954.Sq iface-alias . 2955.It ipcp 2956Default: Enabled. 2957This option allows 2958.Nm 2959to attempt to negotiate IP control protocol capabilities and if 2960successful to exchange IP datagrams with the peer. 2961.It ipv6cp 2962Default: Enabled. 2963This option allows 2964.Nm 2965to attempt to negotiate IPv6 control protocol capabilities and if 2966successful to exchange IPv6 datagrams with the peer. 2967.It keep-session 2968Default: Disabled. 2969When 2970.Nm 2971runs as a Multi-link server, a different 2972.Nm 2973instance initially receives each connection. 2974After determining that 2975the link belongs to an already existing bundle (controlled by another 2976.Nm 2977invocation), 2978.Nm 2979will transfer the link to that process. 2980.Pp 2981If the link is a tty device or if this option is enabled, 2982.Nm 2983will not exit, but will change its process name to 2984.Dq session owner 2985and wait for the controlling 2986.Nm 2987to finish with the link and deliver a signal back to the idle process. 2988This prevents the confusion that results from 2989.Nm Ns No 's 2990parent considering the link resource available again. 2991.Pp 2992For tty devices that have entries in 2993.Pa /etc/ttys , 2994this is necessary to prevent another 2995.Xr getty 8 2996from being started, and for program links such as 2997.Xr sshd 8 , 2998it prevents 2999.Xr sshd 8 3000from exiting due to the death of its child. 3001As 3002.Nm 3003cannot determine its parents requirements (except for the tty case), this 3004option must be enabled manually depending on the circumstances. 3005.It loopback 3006Default: Enabled. 3007When 3008.Ar loopback 3009is enabled, 3010.Nm 3011will automatically loop back packets being sent 3012out with a destination address equal to that of the 3013.Em PPP 3014interface. 3015If disabled, 3016.Nm 3017will send the packet, probably resulting in an ICMP redirect from 3018the other end. 3019It is convenient to have this option enabled when 3020the interface is also the default route as it avoids the necessity 3021of a loopback route. 3022.It passwdauth 3023Default: Disabled. 3024Enabling this option will tell the PAP authentication 3025code to use the password database (see 3026.Xr passwd 5 ) 3027to authenticate the caller if they cannot be found in the 3028.Pa /etc/ppp/ppp.secret 3029file. 3030.Pa /etc/ppp/ppp.secret 3031is always checked first. 3032If you wish to use passwords from 3033.Xr passwd 5 , 3034but also to specify an IP number or label for a given client, use 3035.Dq \&* 3036as the client password in 3037.Pa /etc/ppp/ppp.secret . 3038.It proxy 3039Default: Disabled. 3040Enabling this option will tell 3041.Nm 3042to proxy ARP for the peer. 3043This means that 3044.Nm 3045will make an entry in the ARP table using 3046.Dv HISADDR 3047and the 3048.Dv MAC 3049address of the local network in which 3050.Dv HISADDR 3051appears. 3052This allows other machines connected to the LAN to talk to 3053the peer as if the peer itself was connected to the LAN. 3054The proxy entry cannot be made unless 3055.Dv HISADDR 3056is an address from a LAN. 3057.It proxyall 3058Default: Disabled. 3059Enabling this will tell 3060.Nm 3061to add proxy arp entries for every IP address in all class C or 3062smaller subnets routed via the tun interface. 3063.Pp 3064Proxy arp entries are only made for sticky routes that are added 3065using the 3066.Dq add 3067command. 3068No proxy arp entries are made for the interface address itself 3069(as created by the 3070.Dq set ifaddr 3071command). 3072.It sroutes 3073Default: Enabled. 3074When the 3075.Dq add 3076command is used with the 3077.Dv HISADDR , 3078.Dv MYADDR , 3079.Dv HISADDR6 3080or 3081.Dv MYADDR6 3082values, entries are stored in the 3083.Sq sticky route 3084list. 3085Each time these variables change, this list is re-applied to the routing table. 3086.Pp 3087Disabling this option will prevent the re-application of sticky routes, 3088although the 3089.Sq stick route 3090list will still be maintained. 3091.It Op tcp Ns Xo 3092.No mssfixup 3093.Xc 3094Default: Enabled. 3095This option tells 3096.Nm 3097to adjust TCP SYN packets so that the maximum receive segment 3098size is not greater than the amount allowed by the interface MTU. 3099.It throughput 3100Default: Enabled. 3101This option tells 3102.Nm 3103to gather throughput statistics. 3104Input and output is sampled over 3105a rolling 5 second window, and current, best and total figures are retained. 3106This data is output when the relevant 3107.Em PPP 3108layer shuts down, and is also available using the 3109.Dq show 3110command. 3111Throughput statistics are available at the 3112.Dq IPCP 3113and 3114.Dq physical 3115levels. 3116.It utmp 3117Default: Enabled. 3118Normally, when a user is authenticated using PAP or CHAP, and when 3119.Nm 3120is running in 3121.Fl direct 3122mode, an entry is made in the utmp and wtmp files for that user. 3123Disabling this option will tell 3124.Nm 3125not to make any utmp or wtmp entries. 3126This is usually only necessary if 3127you require the user to both login and authenticate themselves. 3128.El 3129.It add Ns Xo 3130.Op !\& 3131.Ar dest Ns Op / Ns Ar nn 3132.Op Ar mask 3133.Op Ar gateway 3134.Xc 3135.Ar Dest 3136is the destination IP address. 3137The netmask is specified either as a number of bits with 3138.Ar /nn 3139or as an IP number using 3140.Ar mask . 3141.Ar 0 0 3142or simply 3143.Ar 0 3144with no mask refers to the default route. 3145It is also possible to use the literal name 3146.Sq default 3147instead of 3148.Ar 0 . 3149.Ar Gateway 3150is the next hop gateway to get to the given 3151.Ar dest 3152machine/network. 3153Refer to the 3154.Xr route 8 3155command for further details. 3156.Pp 3157It is possible to use the symbolic names 3158.Sq MYADDR , 3159.Sq HISADDR , 3160.Sq MYADDR6 3161or 3162.Sq HISADDR6 3163as the destination, and 3164.Sq HISADDR 3165or 3166.Sq HISADDR6 3167as the 3168.Ar gateway . 3169.Sq MYADDR 3170is replaced with the interface IP address, 3171.Sq HISADDR 3172is replaced with the interface IP destination (peer) address, 3173.Sq MYADDR6 3174is replaced with the interface IPv6 address, and 3175.Sq HISADDR6 3176is replaced with the interface IPv6 destination address, 3177.Pp 3178If the 3179.Ar add!\& 3180command is used 3181(note the trailing 3182.Dq !\& ) , 3183then if the route already exists, it will be updated as with the 3184.Sq route change 3185command (see 3186.Xr route 8 3187for further details). 3188.Pp 3189Routes that contain the 3190.Dq HISADDR , 3191.Dq MYADDR , 3192.Dq HISADDR6 , 3193.Dq MYADDR6 , 3194.Dq DNS0 , 3195or 3196.Dq DNS1 3197constants are considered 3198.Sq sticky . 3199They are stored in a list (use 3200.Dq show ncp 3201to see the list), and each time the value of one of these variables 3202changes, the appropriate routing table entries are updated. 3203This facility may be disabled using 3204.Dq disable sroutes . 3205.It allow Ar command Op Ar args 3206This command controls access to 3207.Nm 3208and its configuration files. 3209It is possible to allow user-level access, 3210depending on the configuration file label and on the mode that 3211.Nm 3212is being run in. 3213For example, you may wish to configure 3214.Nm 3215so that only user 3216.Sq fred 3217may access label 3218.Sq fredlabel 3219in 3220.Fl background 3221mode. 3222.Pp 3223User id 0 is immune to these commands. 3224.Bl -tag -width 2n 3225.It allow user Ns Xo 3226.Op s 3227.Ar logname Ns No ... 3228.Xc 3229By default, only user id 0 is allowed access to 3230.Nm . 3231If this command is used, all of the listed users are allowed access to 3232the section in which the 3233.Dq allow users 3234command is found. 3235The 3236.Sq default 3237section is always checked first (even though it is only ever automatically 3238loaded at startup). 3239.Dq allow users 3240commands are cumulative in a given section, but users allowed in any given 3241section override users allowed in the default section, so it's possible to 3242allow users access to everything except a given label by specifying default 3243users in the 3244.Sq default 3245section, and then specifying a new user list for that label. 3246.Pp 3247If user 3248.Sq * 3249is specified, access is allowed to all users. 3250.It allow mode Ns Xo 3251.Op s 3252.Ar mode Ns No ... 3253.Xc 3254By default, access using any 3255.Nm 3256mode is possible. 3257If this command is used, it restricts the access 3258.Ar modes 3259allowed to load the label under which this command is specified. 3260Again, as with the 3261.Dq allow users 3262command, each 3263.Dq allow modes 3264command overrides any previous settings, and the 3265.Sq default 3266section is always checked first. 3267.Pp 3268Possible modes are: 3269.Sq interactive , 3270.Sq auto , 3271.Sq direct , 3272.Sq dedicated , 3273.Sq ddial , 3274.Sq background 3275and 3276.Sq * . 3277.Pp 3278When running in multi-link mode, a section can be loaded if it allows 3279.Em any 3280of the currently existing line modes. 3281.El 3282.It nat Ar command Op Ar args 3283This command allows the control of the network address translation (also 3284known as masquerading or IP aliasing) facilities that are built into 3285.Nm . 3286NAT is done on the external interface only, and is unlikely to make sense 3287if used with the 3288.Fl direct 3289flag. 3290.Pp 3291If nat is enabled on your system (it may be omitted at compile time), 3292the following commands are possible: 3293.Bl -tag -width 2n 3294.It nat enable yes|no 3295This command either switches network address translation on or turns it off. 3296The 3297.Fl nat 3298command line flag is synonymous with 3299.Dq nat enable yes . 3300.It nat addr Op Ar addr_local addr_alias 3301This command allows data for 3302.Ar addr_alias 3303to be redirected to 3304.Ar addr_local . 3305It is useful if you own a small number of real IP numbers that 3306you wish to map to specific machines behind your gateway. 3307.It nat deny_incoming yes|no 3308If set to yes, this command will refuse all incoming packets where an 3309aliasing link doesn't already exist. 3310ifdef({LOCALNAT},{},{Refer to the 3311.Sx CONCEPTUAL BACKGROUND 3312section of 3313.Xr libalias 3 3314for a description of what an 3315.Dq aliasing link 3316is. 3317})dnl 3318.Pp 3319It should be noted under what circumstances an aliasing link is 3320ifdef({LOCALNAT},{created.},{created by 3321.Xr libalias 3 .}) 3322It may be necessary to further protect your network from outside 3323connections using the 3324.Dq set filter 3325or 3326.Dq nat target 3327commands. 3328.It nat help|? 3329This command gives a summary of available nat commands. 3330.It nat log yes|no 3331This option causes various NAT statistics and information to 3332be logged to the file 3333.Pa /var/log/alias.log . 3334.It nat port Ar proto Ar targetIP Ns Xo 3335.No : Ns Ar targetPort Ns 3336.Oo 3337.No - Ns Ar targetPort 3338.Oc Ar aliasPort Ns 3339.Oo 3340.No - Ns Ar aliasPort 3341.Oc Oo Ar remoteIP : Ns 3342.Ar remotePort Ns 3343.Oo 3344.No - Ns Ar remotePort 3345.Oc Ns 3346.Oc 3347.Xc 3348This command causes incoming 3349.Ar proto 3350connections to 3351.Ar aliasPort 3352to be redirected to 3353.Ar targetPort 3354on 3355.Ar targetIP . 3356.Ar proto 3357is either 3358.Dq tcp 3359or 3360.Dq udp . 3361.Pp 3362A range of port numbers may be specified as shown above. 3363The ranges must be of the same size. 3364.Pp 3365If 3366.Ar remoteIP 3367is specified, only data coming from that IP number is redirected. 3368.Ar remotePort 3369must either be 3370.Dq 0 3371(indicating any source port) 3372or a range of ports the same size as the other ranges. 3373.Pp 3374This option is useful if you wish to run things like Internet phone on 3375machines behind your gateway, but is limited in that connections to only 3376one interior machine per source machine and target port are possible. 3377.It nat proto Ar proto localIP Oo 3378.Ar publicIP Op Ar remoteIP 3379.Oc 3380This command tells 3381.Nm 3382to redirect packets of protocol type 3383.Ar proto 3384(see 3385.Xr protocols 5 ) 3386to the internal address 3387.Ar localIP . 3388.Pp 3389If 3390.Ar publicIP 3391is specified, only packets destined for that address are matched, 3392otherwise the default alias address is used. 3393.Pp 3394If 3395.Ar remoteIP 3396is specified, only packets matching that source address are matched, 3397.Pp 3398This command is useful for redirecting tunnel endpoints to an internal machine, 3399for example: 3400.Pp 3401.Dl nat proto ipencap 10.0.0.1 3402.It "nat proxy cmd" Ar arg Ns No ... 3403This command tells 3404.Nm 3405to proxy certain connections, redirecting them to a given server. 3406ifdef({LOCALNAT},{},{Refer to the description of 3407.Fn PacketAliasProxyRule 3408in 3409.Xr libalias 3 3410for details of the available commands. 3411})dnl 3412.It nat punch_fw Op Ar base count 3413This command tells 3414.Nm 3415to punch holes in the firewall for FTP or IRC DCC connections. 3416This is done dynamically by installing temporary firewall rules which 3417allow a particular connection (and only that connection) to go through 3418the firewall. 3419The rules are removed once the corresponding connection terminates. 3420.Pp 3421A maximum of 3422.Ar count 3423rules starting from rule number 3424.Ar base 3425will be used for punching firewall holes. 3426The range will be cleared when the 3427.Dq nat punch_fw 3428command is run. 3429.Pp 3430If no arguments are given, firewall punching is disabled. 3431.It nat same_ports yes|no 3432When enabled, this command will tell the network address translation engine to 3433attempt to avoid changing the port number on outgoing packets. 3434This is useful 3435if you want to support protocols such as RPC and LPD which require 3436connections to come from a well known port. 3437.It nat target Op Ar address 3438Set the given target address or clear it if no address is given. 3439The target address is used 3440ifdef({LOCALNAT},{},{by libalias })dnl 3441to specify how to NAT incoming packets by default. 3442If a target address is not set or if 3443.Dq default 3444is given, packets are not altered and are allowed to route to the internal 3445network. 3446.Pp 3447The target address may be set to 3448.Dq MYADDR , 3449in which case 3450ifdef({LOCALNAT},{all packets will be redirected}, 3451{libalias will redirect all packets}) 3452to the interface address. 3453.It nat use_sockets yes|no 3454When enabled, this option tells the network address translation engine to 3455create a socket so that it can guarantee a correct incoming ftp data or 3456IRC connection. 3457.It nat unregistered_only yes|no 3458Only alter outgoing packets with an unregistered source address. 3459According to RFC 1918, unregistered source addresses 3460are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3461.El 3462.Pp 3463These commands are also discussed in the file 3464.Pa README.nat 3465which comes with the source distribution. 3466.It Op !\& Ns Xo 3467.No bg Ar command 3468.Xc 3469The given 3470.Ar command 3471is executed in the background with the following words replaced: 3472.Bl -tag -width COMPILATIONDATE 3473.It Li AUTHNAME 3474This is replaced with the local 3475.Ar authname 3476value. 3477See the 3478.Dq set authname 3479command below. 3480.It Li COMPILATIONDATE 3481This is replaced with the date on which 3482.Nm 3483was compiled. 3484.It Li DNS0 & DNS1 3485These are replaced with the primary and secondary nameserver IP numbers. 3486If nameservers are negotiated by IPCP, the values of these macros will change. 3487.It Li ENDDISC 3488This is replaced with the local endpoint discriminator value. 3489See the 3490.Dq set enddisc 3491command below. 3492.It Li HISADDR 3493This is replaced with the peers IP number. 3494.It Li HISADDR6 3495This is replaced with the peers IPv6 number. 3496.It Li INTERFACE 3497This is replaced with the name of the interface that's in use. 3498.It Li IPOCTETSIN 3499This is replaced with the number of IP bytes received since the connection 3500was established. 3501.It Li IPOCTETSOUT 3502This is replaced with the number of IP bytes sent since the connection 3503was established. 3504.It Li IPPACKETSIN 3505This is replaced with the number of IP packets received since the connection 3506was established. 3507.It Li IPPACKETSOUT 3508This is replaced with the number of IP packets sent since the connection 3509was established. 3510.It Li IPV6OCTETSIN 3511This is replaced with the number of IPv6 bytes received since the connection 3512was established. 3513.It Li IPV6OCTETSOUT 3514This is replaced with the number of IPv6 bytes sent since the connection 3515was established. 3516.It Li IPV6PACKETSIN 3517This is replaced with the number of IPv6 packets received since the connection 3518was established. 3519.It Li IPV6PACKETSOUT 3520This is replaced with the number of IPv6 packets sent since the connection 3521was established. 3522.It Li LABEL 3523This is replaced with the last label name used. 3524A label may be specified on the 3525.Nm 3526command line, via the 3527.Dq load 3528or 3529.Dq dial 3530commands and in the 3531.Pa ppp.secret 3532file. 3533.It Li MYADDR 3534This is replaced with the IP number assigned to the local interface. 3535.It Li MYADDR6 3536This is replaced with the IPv6 number assigned to the local interface. 3537.It Li OCTETSIN 3538This is replaced with the number of bytes received since the connection 3539was established. 3540.It Li OCTETSOUT 3541This is replaced with the number of bytes sent since the connection 3542was established. 3543.It Li PACKETSIN 3544This is replaced with the number of packets received since the connection 3545was established. 3546.It Li PACKETSOUT 3547This is replaced with the number of packets sent since the connection 3548was established. 3549.It Li PEER_ENDDISC 3550This is replaced with the value of the peers endpoint discriminator. 3551.It Li PROCESSID 3552This is replaced with the current process id. 3553.It Li SOCKNAME 3554This is replaced with the name of the diagnostic socket. 3555.It Li UPTIME 3556This is replaced with the bundle uptime in HH:MM:SS format. 3557.It Li USER 3558This is replaced with the username that has been authenticated with PAP or 3559CHAP. 3560Normally, this variable is assigned only in -direct mode. 3561This value is available irrespective of whether utmp logging is enabled. 3562.It Li VERSION 3563This is replaced with the current version number of 3564.Nm . 3565.El 3566.Pp 3567These substitutions are also done by the 3568.Dq set proctitle , 3569.Dq ident 3570and 3571.Dq log 3572commands. 3573.Pp 3574If you wish to pause 3575.Nm 3576while the command executes, use the 3577.Dq shell 3578command instead. 3579.It clear physical|ipcp|ipv6 Op current|overall|peak... 3580Clear the specified throughput values at either the 3581.Dq physical , 3582.Dq ipcp 3583or 3584.Dq ipv6cp 3585level. 3586If 3587.Dq physical 3588is specified, context must be given (see the 3589.Dq link 3590command below). 3591If no second argument is given, all values are cleared. 3592.It clone Ar name Ns Xo 3593.Op \&, Ns Ar name Ns 3594.No ... 3595.Xc 3596Clone the specified link, creating one or more new links according to the 3597.Ar name 3598argument(s). 3599This command must be used from the 3600.Dq link 3601command below unless you've only got a single link (in which case that 3602link becomes the default). 3603Links may be removed using the 3604.Dq remove 3605command below. 3606.Pp 3607The default link name is 3608.Dq deflink . 3609.It close Op lcp|ccp Ns Op !\& 3610If no arguments are given, the relevant protocol layers will be brought 3611down and the link will be closed. 3612If 3613.Dq lcp 3614is specified, the LCP layer is brought down, but 3615.Nm 3616will not bring the link offline. 3617It is subsequently possible to use 3618.Dq term 3619(see below) 3620to talk to the peer machine if, for example, something like 3621.Dq slirp 3622is being used. 3623If 3624.Dq ccp 3625is specified, only the relevant compression layer is closed. 3626If the 3627.Dq !\& 3628is used, the compression layer will remain in the closed state, otherwise 3629it will re-enter the STOPPED state, waiting for the peer to initiate 3630further CCP negotiation. 3631In any event, this command does not disconnect the user from 3632.Nm 3633or exit 3634.Nm . 3635See the 3636.Dq quit 3637command below. 3638.It delete Ns Xo 3639.Op !\& 3640.Ar dest 3641.Xc 3642This command deletes the route with the given 3643.Ar dest 3644IP address. 3645If 3646.Ar dest 3647is specified as 3648.Sq ALL , 3649all non-direct entries in the routing table for the current interface, 3650and all 3651.Sq sticky route 3652entries are deleted. 3653If 3654.Ar dest 3655is specified as 3656.Sq default , 3657the default route is deleted. 3658.Pp 3659If the 3660.Ar delete!\& 3661command is used 3662(note the trailing 3663.Dq !\& ) , 3664.Nm 3665will not complain if the route does not already exist. 3666.It dial|call Op Ar label Ns Xo 3667.No ... 3668.Xc 3669This command is the equivalent of 3670.Dq load label 3671followed by 3672.Dq open , 3673and is provided for backwards compatibility. 3674.It down Op Ar lcp|ccp 3675Bring the relevant layer down ungracefully, as if the underlying layer 3676had become unavailable. 3677It's not considered polite to use this command on 3678a Finite State Machine that's in the OPEN state. 3679If no arguments are 3680supplied, the entire link is closed (or if no context is given, all links 3681are terminated). 3682If 3683.Sq lcp 3684is specified, the 3685.Em LCP 3686layer is terminated but the device is not brought offline and the link 3687is not closed. 3688If 3689.Sq ccp 3690is specified, only the relevant compression layer(s) are terminated. 3691.It help|? Op Ar command 3692Show a list of available commands. 3693If 3694.Ar command 3695is specified, show the usage string for that command. 3696.It ident Op Ar text Ns No ... 3697Identify the link to the peer using 3698.Ar text . 3699If 3700.Ar text 3701is empty, link identification is disabled. 3702It is possible to use any of the words described for the 3703.Ic bg 3704command above. 3705Refer to the 3706.Ic sendident 3707command for details of when 3708.Nm 3709identifies itself to the peer. 3710.It iface Ar command Op args 3711This command is used to control the interface used by 3712.Nm . 3713.Ar Command 3714may be one of the following: 3715.Bl -tag -width 2n 3716.It iface add Ns Xo 3717.Op !\& 3718.Ar addr Ns Op / Ns Ar bits 3719.Op Ar peer 3720.Xc 3721.It iface add Ns Xo 3722.Op !\& 3723.Ar addr 3724.Ar mask 3725.Ar peer 3726.Xc 3727Add the given 3728.Ar addr mask peer 3729combination to the interface. 3730Instead of specifying 3731.Ar mask , 3732.Ar /bits 3733can be used 3734(with no space between it and 3735.Ar addr ) . 3736If the given address already exists, the command fails unless the 3737.Dq !\& 3738is used - in which case the previous interface address entry is overwritten 3739with the new one, allowing a change of netmask or peer address. 3740.Pp 3741If only 3742.Ar addr 3743is specified, 3744.Ar bits 3745defaults to 3746.Dq 32 3747and 3748.Ar peer 3749defaults to 3750.Dq 255.255.255.255 . 3751This address (the broadcast address) is the only duplicate peer address that 3752.Nm 3753allows. 3754.It iface clear Op INET | INET6 3755If this command is used while 3756.Nm 3757is in the OPENED state or while in 3758.Fl auto 3759mode, all addresses except for the NCP negotiated address are deleted 3760from the interface. 3761If 3762.Nm 3763is not in the OPENED state and is not in 3764.Fl auto 3765mode, all interface addresses are deleted. 3766.Pp 3767If the INET or INET6 arguments are used, only addresses for that address 3768family are cleared. 3769.It iface delete Ns Xo 3770.Op !\& Ns 3771.No |rm Ns Op !\& 3772.Ar addr 3773.Xc 3774This command deletes the given 3775.Ar addr 3776from the interface. 3777If the 3778.Dq !\& 3779is used, no error is given if the address isn't currently assigned to 3780the interface (and no deletion takes place). 3781.It iface show 3782Shows the current state and current addresses for the interface. 3783It is much the same as running 3784.Dq ifconfig INTERFACE . 3785.It iface help Op Ar sub-command 3786This command, when invoked without 3787.Ar sub-command , 3788will show a list of possible 3789.Dq iface 3790sub-commands and a brief synopsis for each. 3791When invoked with 3792.Ar sub-command , 3793only the synopsis for the given sub-command is shown. 3794.El 3795.It Op data Ns Xo 3796.No link 3797.Ar name Ns Op , Ns Ar name Ns 3798.No ... Ar command Op Ar args 3799.Xc 3800This command may prefix any other command if the user wishes to 3801specify which link the command should affect. 3802This is only applicable after multiple links have been created in Multi-link 3803mode using the 3804.Dq clone 3805command. 3806.Pp 3807.Ar Name 3808specifies the name of an existing link. 3809If 3810.Ar name 3811is a comma separated list, 3812.Ar command 3813is executed on each link. 3814If 3815.Ar name 3816is 3817.Dq * , 3818.Ar command 3819is executed on all links. 3820.It load Op Ar label Ns Xo 3821.No ... 3822.Xc 3823Load the given 3824.Ar label Ns No (s) 3825from the 3826.Pa ppp.conf 3827file. 3828If 3829.Ar label 3830is not given, the 3831.Ar default 3832label is used. 3833.Pp 3834Unless the 3835.Ar label 3836section uses the 3837.Dq set mode , 3838.Dq open 3839or 3840.Dq dial 3841commands, 3842.Nm 3843will not attempt to make an immediate connection. 3844.It log Ar word Ns No ... 3845Send the given word(s) to the log file with the prefix 3846.Dq LOG: . 3847Word substitutions are done as explained under the 3848.Dq !bg 3849command above. 3850.It open Op lcp|ccp|ipcp 3851This is the opposite of the 3852.Dq close 3853command. 3854All closed links are immediately brought up apart from second and subsequent 3855.Ar demand-dial 3856links - these will come up based on the 3857.Dq set autoload 3858command that has been used. 3859.Pp 3860If the 3861.Dq lcp 3862argument is used while the LCP layer is already open, LCP will be 3863renegotiated. 3864This allows various LCP options to be changed, after which 3865.Dq open lcp 3866can be used to put them into effect. 3867After renegotiating LCP, 3868any agreed authentication will also take place. 3869.Pp 3870If the 3871.Dq ccp 3872argument is used, the relevant compression layer is opened. 3873Again, if it is already open, it will be renegotiated. 3874.Pp 3875If the 3876.Dq ipcp 3877argument is used, the link will be brought up as normal, but if 3878IPCP is already open, it will be renegotiated and the network 3879interface will be reconfigured. 3880.Pp 3881It is probably not good practice to re-open the PPP state machines 3882like this as it's possible that the peer will not behave correctly. 3883It 3884.Em is 3885however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3886.It passwd Ar pass 3887Specify the password required for access to the full 3888.Nm 3889command set. 3890This password is required when connecting to the diagnostic port (see the 3891.Dq set server 3892command). 3893.Ar Pass 3894is specified on the 3895.Dq set server 3896command line. 3897The value of 3898.Ar pass 3899is not logged when 3900.Ar command 3901logging is active, instead, the literal string 3902.Sq ******** 3903is logged. 3904.It quit|bye Op all 3905If 3906.Dq quit 3907is executed from the controlling connection or from a command file, 3908ppp will exit after closing all connections. 3909Otherwise, if the user 3910is connected to a diagnostic socket, the connection is simply dropped. 3911.Pp 3912If the 3913.Ar all 3914argument is given, 3915.Nm 3916will exit despite the source of the command after closing all existing 3917connections. 3918.It remove|rm 3919This command removes the given link. 3920It is only really useful in multi-link mode. 3921A link must be in the 3922.Dv CLOSED 3923state before it is removed. 3924.It rename|mv Ar name 3925This command renames the given link to 3926.Ar name . 3927It will fail if 3928.Ar name 3929is already used by another link. 3930.Pp 3931The default link name is 3932.Sq deflink . 3933Renaming it to 3934.Sq modem , 3935.Sq cuaa0 3936or 3937.Sq USR 3938may make the log file more readable. 3939.It resolv Ar command 3940This command controls 3941.Nm Ns No 's 3942manipulation of the 3943.Xr resolv.conf 5 3944file. 3945When 3946.Nm 3947starts up, it loads the contents of this file into memory and retains this 3948image for future use. 3949.Ar command 3950is one of the following: 3951.Bl -tag -width readonly 3952.It Em readonly 3953Treat 3954.Pa /etc/resolv.conf 3955as read only. 3956If 3957.Dq dns 3958is enabled, 3959.Nm 3960will still attempt to negotiate nameservers with the peer, making the results 3961available via the 3962.Dv DNS0 3963and 3964.Dv DNS1 3965macros. 3966This is the opposite of the 3967.Dq resolv writable 3968command. 3969.It Em reload 3970Reload 3971.Pa /etc/resolv.conf 3972into memory. 3973This may be necessary if for example a DHCP client overwrote 3974.Pa /etc/resolv.conf . 3975.It Em restore 3976Replace 3977.Pa /etc/resolv.conf 3978with the version originally read at startup or with the last 3979.Dq resolv reload 3980command. 3981This is sometimes a useful command to put in the 3982.Pa /etc/ppp/ppp.linkdown 3983file. 3984.It Em rewrite 3985Rewrite the 3986.Pa /etc/resolv.conf 3987file. 3988This command will work even if the 3989.Dq resolv readonly 3990command has been used. 3991It may be useful as a command in the 3992.Pa /etc/ppp/ppp.linkup 3993file if you wish to defer updating 3994.Pa /etc/resolv.conf 3995until after other commands have finished. 3996.It Em writable 3997Allow 3998.Nm 3999to update 4000.Pa /etc/resolv.conf 4001if 4002.Dq dns 4003is enabled and 4004.Nm 4005successfully negotiates a DNS. 4006This is the opposite of the 4007.Dq resolv readonly 4008command. 4009.El 4010.It save 4011This option is not (yet) implemented. 4012.It sendident 4013This command tells 4014.Nm 4015to identify itself to the peer. 4016The link must be in LCP state or higher. 4017If no identity has been set (via the 4018.Ic ident 4019command), 4020.Ic sendident 4021will fail. 4022.Pp 4023When an identity has been set, 4024.Nm 4025will automatically identify itself when it sends or receives a configure 4026reject, when negotiation fails or when LCP reaches the opened state. 4027.Pp 4028Received identification packets are logged to the LCP log (see 4029.Ic set log 4030for details) and are never responded to. 4031.It set Ns Xo 4032.Op up 4033.Ar var value 4034.Xc 4035This option allows the setting of any of the following variables: 4036.Bl -tag -width 2n 4037.It set accmap Ar hex-value 4038ACCMap stands for Asynchronous Control Character Map. 4039This is always 4040negotiated with the peer, and defaults to a value of 00000000 in hex. 4041This protocol is required to defeat hardware that depends on passing 4042certain characters from end to end (such as XON/XOFF etc). 4043.Pp 4044For the XON/XOFF scenario, use 4045.Dq set accmap 000a0000 . 4046.It set Op auth Ns Xo 4047.No key Ar value 4048.Xc 4049This sets the authentication key (or password) used in client mode 4050PAP or CHAP negotiation to the given value. 4051It also specifies the 4052password to be used in the dial or login scripts in place of the 4053.Sq \eP 4054sequence, preventing the actual password from being logged. 4055If 4056.Ar command 4057or 4058.Ar chat 4059logging is in effect, 4060.Ar value 4061is logged as 4062.Sq ******** 4063for security reasons. 4064.Pp 4065If the first character of 4066.Ar value 4067is an exclamation mark 4068.Pq Dq !\& , 4069.Nm 4070treats the remainder of the string as a program that must be executed 4071to determine the 4072.Dq authname 4073and 4074.Dq authkey 4075values. 4076.Pp 4077If the 4078.Dq !\& 4079is doubled up 4080(to 4081.Dq !! ) , 4082it is treated as a single literal 4083.Dq !\& , 4084otherwise, ignoring the 4085.Dq !\& , 4086.Ar value 4087is parsed as a program to execute in the same was as the 4088.Dq !bg 4089command above, substituting special names in the same manner. 4090Once executed, 4091.Nm 4092will feed the program three lines of input, each terminated by a newline 4093character: 4094.Bl -bullet 4095.It 4096The host name as sent in the CHAP challenge. 4097.It 4098The challenge string as sent in the CHAP challenge. 4099.It 4100The locally defined 4101.Dq authname . 4102.El 4103.Pp 4104Two lines of output are expected: 4105.Bl -bullet 4106.It 4107The 4108.Dq authname 4109to be sent with the CHAP response. 4110.It 4111The 4112.Dq authkey , 4113which is encrypted with the challenge and request id, the answer being sent 4114in the CHAP response packet. 4115.El 4116.Pp 4117When configuring 4118.Nm 4119in this manner, it's expected that the host challenge is a series of ASCII 4120digits or characters. 4121An encryption device or Secure ID card is usually 4122required to calculate the secret appropriate for the given challenge. 4123.It set authname Ar id 4124This sets the authentication id used in client mode PAP or CHAP negotiation. 4125.Pp 4126If used in 4127.Fl direct 4128mode with CHAP enabled, 4129.Ar id 4130is used in the initial authentication challenge and should normally be set to 4131the local machine name. 4132.It set autoload Xo 4133.Ar min-percent max-percent period 4134.Xc 4135These settings apply only in multi-link mode and default to zero, zero and 4136five respectively. 4137When more than one 4138.Ar demand-dial 4139(also known as 4140.Fl auto ) 4141mode link is available, only the first link is made active when 4142.Nm 4143first reads data from the tun device. 4144The next 4145.Ar demand-dial 4146link will be opened only when the current bundle throughput is at least 4147.Ar max-percent 4148percent of the total bundle bandwidth for 4149.Ar period 4150seconds. 4151When the current bundle throughput decreases to 4152.Ar min-percent 4153percent or less of the total bundle bandwidth for 4154.Ar period 4155seconds, a 4156.Ar demand-dial 4157link will be brought down as long as it's not the last active link. 4158.Pp 4159Bundle throughput is measured as the maximum of inbound and outbound 4160traffic. 4161.Pp 4162The default values cause 4163.Ar demand-dial 4164links to simply come up one at a time. 4165.Pp 4166Certain devices cannot determine their physical bandwidth, so it 4167is sometimes necessary to use the 4168.Dq set bandwidth 4169command (described below) to make 4170.Dq set autoload 4171work correctly. 4172.It set bandwidth Ar value 4173This command sets the connection bandwidth in bits per second. 4174.Ar value 4175must be greater than zero. 4176It is currently only used by the 4177.Dq set autoload 4178command above. 4179.It set callback Ar option Ns No ... 4180If no arguments are given, callback is disabled, otherwise, 4181.Nm 4182will request (or in 4183.Fl direct 4184mode, will accept) one of the given 4185.Ar option Ns No s . 4186In client mode, if an 4187.Ar option 4188is NAK'd 4189.Nm 4190will request a different 4191.Ar option , 4192until no options remain at which point 4193.Nm 4194will terminate negotiations (unless 4195.Dq none 4196is one of the specified 4197.Ar option ) . 4198In server mode, 4199.Nm 4200will accept any of the given protocols - but the client 4201.Em must 4202request one of them. 4203If you wish callback to be optional, you must {include} 4204.Ar none 4205as an option. 4206.Pp 4207The 4208.Ar option Ns No s 4209are as follows (in this order of preference): 4210.Bl -tag -width Ds 4211.It auth 4212The callee is expected to decide the callback number based on 4213authentication. 4214If 4215.Nm 4216is the callee, the number should be specified as the fifth field of 4217the peers entry in 4218.Pa /etc/ppp/ppp.secret . 4219.It cbcp 4220Microsoft's callback control protocol is used. 4221See 4222.Dq set cbcp 4223below. 4224.Pp 4225If you wish to negotiate 4226.Ar cbcp 4227in client mode but also wish to allow the server to request no callback at 4228CBCP negotiation time, you must specify both 4229.Ar cbcp 4230and 4231.Ar none 4232as callback options. 4233.It E.164 *| Ns Xo 4234.Ar number Ns Op , Ns Ar number Ns 4235.No ... 4236.Xc 4237The caller specifies the 4238.Ar number . 4239If 4240.Nm 4241is the callee, 4242.Ar number 4243should be either a comma separated list of allowable numbers or a 4244.Dq \&* , 4245meaning any number is permitted. 4246If 4247.Nm 4248is the caller, only a single number should be specified. 4249.Pp 4250Note, this option is very unsafe when used with a 4251.Dq \&* 4252as a malicious caller can tell 4253.Nm 4254to call any (possibly international) number without first authenticating 4255themselves. 4256.It none 4257If the peer does not wish to do callback at all, 4258.Nm 4259will accept the fact and continue without callback rather than terminating 4260the connection. 4261This is required (in addition to one or more other callback 4262options) if you wish callback to be optional. 4263.El 4264.It set cbcp Oo 4265.No *| Ns Ar number Ns Oo 4266.No , Ns Ar number Ns ...\& Oc 4267.Op Ar delay Op Ar retry 4268.Oc 4269If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4270is disabled - ie, configuring CBCP in the 4271.Dq set callback 4272command will result in 4273.Nm 4274requesting no callback in the CBCP phase. 4275Otherwise, 4276.Nm 4277attempts to use the given phone 4278.Ar number Ns No (s). 4279.Pp 4280In server mode 4281.Pq Fl direct , 4282.Nm 4283will insist that the client uses one of these numbers, unless 4284.Dq \&* 4285is used in which case the client is expected to specify the number. 4286.Pp 4287In client mode, 4288.Nm 4289will attempt to use one of the given numbers (whichever it finds to 4290be agreeable with the peer), or if 4291.Dq \&* 4292is specified, 4293.Nm 4294will expect the peer to specify the number. 4295.It set cd Oo 4296.No off| Ns Ar seconds Ns Op !\& 4297.Oc 4298Normally, 4299.Nm 4300checks for the existence of carrier depending on the type of device 4301that has been opened: 4302.Bl -tag -width XXX -offset XXX 4303.It Terminal Devices 4304Carrier is checked one second after the login script is complete. 4305If it's not set, 4306.Nm 4307assumes that this is because the device doesn't support carrier (which 4308is true for most 4309.Dq laplink 4310NULL-modem cables), logs the fact and stops checking 4311for carrier. 4312.Pp 4313As ptys don't support the 4314.Dv TIOCMGET 4315ioctl, the tty device will switch all 4316carrier detection off when it detects that the device is a pty. 4317.It PPPoE (netgraph) Devices 4318Carrier is checked once per second for 5 seconds. 4319If it's not set after 4320the fifth second, the connection attempt is considered to have failed and 4321the device is closed. 4322Carrier is always required for PPPoE devices. 4323.El 4324.Pp 4325All other device types don't support carrier. 4326Setting a carrier value will 4327result in a warning when the device is opened. 4328.Pp 4329Some modems take more than one second after connecting to assert the carrier 4330signal. 4331If this delay isn't increased, this will result in 4332.Nm Ns No 's 4333inability to detect when the link is dropped, as 4334.Nm 4335assumes that the device isn't asserting carrier. 4336.Pp 4337The 4338.Dq set cd 4339command overrides the default carrier behaviour. 4340.Ar seconds 4341specifies the maximum number of seconds that 4342.Nm 4343should wait after the dial script has finished before deciding if 4344carrier is available or not. 4345.Pp 4346If 4347.Dq off 4348is specified, 4349.Nm 4350will not check for carrier on the device, otherwise 4351.Nm 4352will not proceed to the login script until either carrier is detected 4353or until 4354.Ar seconds 4355has elapsed, at which point 4356.Nm 4357assumes that the device will not set carrier. 4358.Pp 4359If no arguments are given, carrier settings will go back to their default 4360values. 4361.Pp 4362If 4363.Ar seconds 4364is followed immediately by an exclamation mark 4365.Pq Dq !\& , 4366.Nm 4367will 4368.Em require 4369carrier. 4370If carrier is not detected after 4371.Ar seconds 4372seconds, the link will be disconnected. 4373.It set choked Op Ar timeout 4374This sets the number of seconds that 4375.Nm 4376will keep a choked output queue before dropping all pending output packets. 4377If 4378.Ar timeout 4379is less than or equal to zero or if 4380.Ar timeout 4381isn't specified, it is set to the default value of 4382.Em 120 seconds . 4383.Pp 4384A choked output queue occurs when 4385.Nm 4386has read a certain number of packets from the local network for transmission, 4387but cannot send the data due to link failure (the peer is busy etc.). 4388.Nm 4389will not read packets indefinitely. 4390Instead, it reads up to 4391.Em 30 4392packets (or 4393.Em 30 No + 4394.Em nlinks No * 4395.Em 2 4396packets in multi-link mode), then stops reading the network interface 4397until either 4398.Ar timeout 4399seconds have passed or at least one packet has been sent. 4400.Pp 4401If 4402.Ar timeout 4403seconds pass, all pending output packets are dropped. 4404.It set ctsrts|crtscts on|off 4405This sets hardware flow control. 4406Hardware flow control is 4407.Ar on 4408by default. 4409.It set deflate Ar out-winsize Op Ar in-winsize 4410This sets the DEFLATE algorithms default outgoing and incoming window 4411sizes. 4412Both 4413.Ar out-winsize 4414and 4415.Ar in-winsize 4416must be values between 4417.Em 8 4418and 4419.Em 15 . 4420If 4421.Ar in-winsize 4422is specified, 4423.Nm 4424will insist that this window size is used and will not accept any other 4425values from the peer. 4426.It set dns Op Ar primary Op Ar secondary 4427This command specifies DNS overrides for the 4428.Dq accept dns 4429command. 4430Refer to the 4431.Dq accept 4432command description above for details. 4433This command does not affect the IP numbers requested using 4434.Dq enable dns . 4435.It set device|line Xo 4436.Ar value Ns No ... 4437.Xc 4438This sets the device(s) to which 4439.Nm 4440will talk to the given 4441.Dq value . 4442.Pp 4443All serial device names are expected to begin with 4444.Pa /dev/ 4445and are usually called 4446.Pa cuaXX . 4447.Pp 4448If 4449.Dq value 4450does not begin with 4451.Pa /dev/ , 4452it must either begin with an exclamation mark 4453.Pq Dq !\& , 4454be of the format 4455.No PPPoE: Ns Ar iface Ns Xo 4456.Op \&: Ns Ar provider Ns 4457.Xc 4458(on 4459.Xr netgraph 4 4460enabled systems), or be of the format 4461.Sm off 4462.Ar host : port Op /tcp|udp . 4463.Sm on 4464.Pp 4465If it begins with an exclamation mark, the rest of the device name is 4466treated as a program name, and that program is executed when the device 4467is opened. 4468Standard input, output and error are fed back to 4469.Nm 4470and are read and written as if they were a regular device. 4471.Pp 4472If a 4473.No PPPoE: Ns Ar iface Ns Xo 4474.Op \&: Ns Ar provider Ns 4475.Xc 4476specification is given, 4477.Nm 4478will attempt to create a 4479.Em PPP 4480over Ethernet connection using the given 4481.Ar iface 4482interface by using 4483.Xr netgraph 4 . 4484If 4485.Xr netgraph 4 4486is not available, 4487.Nm 4488will attempt to load it using 4489.Xr kldload 2 . 4490If this fails, an external program must be used such as the 4491.Xr pppoe 8 4492program available under 4493.Ox . 4494The given 4495.Ar provider 4496is passed as the service name in the PPPoE Discovery Initiation (PADI) 4497packet. 4498If no provider is given, an empty value will be used. 4499.Pp 4500When a PPPoE connection is established, 4501.Nm 4502will place the name of the Access Concentrator in the environment variable 4503.Ev ACNAME . 4504.Pp 4505Refer to 4506.Xr netgraph 4 4507and 4508.Xr ng_pppoe 4 4509for further details. 4510.Pp 4511If a 4512.Ar host Ns No : Ns Ar port Ns Oo 4513.No /tcp|udp 4514.Oc 4515specification is given, 4516.Nm 4517will attempt to connect to the given 4518.Ar host 4519on the given 4520.Ar port . 4521If a 4522.Dq /tcp 4523or 4524.Dq /udp 4525suffix is not provided, the default is 4526.Dq /tcp . 4527Refer to the section on 4528.Em PPP OVER TCP and UDP 4529above for further details. 4530.Pp 4531If multiple 4532.Dq values 4533are specified, 4534.Nm 4535will attempt to open each one in turn until it succeeds or runs out of 4536devices. 4537.It set dial Ar chat-script 4538This specifies the chat script that will be used to dial the other 4539side. 4540See also the 4541.Dq set login 4542command below. 4543Refer to 4544.Xr chat 8 4545and to the example configuration files for details of the chat script 4546format. 4547It is possible to specify some special 4548.Sq values 4549in your chat script as follows: 4550.Bl -tag -width 2n 4551.It Li \ec 4552When used as the last character in a 4553.Sq send 4554string, this indicates that a newline should not be appended. 4555.It Li \ed 4556When the chat script encounters this sequence, it delays two seconds. 4557.It Li \ep 4558When the chat script encounters this sequence, it delays for one quarter of 4559a second. 4560.It Li \en 4561This is replaced with a newline character. 4562.It Li \er 4563This is replaced with a carriage return character. 4564.It Li \es 4565This is replaced with a space character. 4566.It Li \et 4567This is replaced with a tab character. 4568.It Li \eT 4569This is replaced by the current phone number (see 4570.Dq set phone 4571below). 4572.It Li \eP 4573This is replaced by the current 4574.Ar authkey 4575value (see 4576.Dq set authkey 4577above). 4578.It Li \eU 4579This is replaced by the current 4580.Ar authname 4581value (see 4582.Dq set authname 4583above). 4584.El 4585.Pp 4586Note that two parsers will examine these escape sequences, so in order to 4587have the 4588.Sq chat parser 4589see the escape character, it is necessary to escape it from the 4590.Sq command parser . 4591This means that in practice you should use two escapes, for example: 4592.Bd -literal -offset indent 4593set dial "... ATDT\\\\T CONNECT" 4594.Ed 4595.Pp 4596It is also possible to execute external commands from the chat script. 4597To do this, the first character of the expect or send string is an 4598exclamation mark 4599.Pq Dq !\& . 4600If a literal exclamation mark is required, double it up to 4601.Dq !!\& 4602and it will be treated as a single literal 4603.Dq !\& . 4604When the command is executed, standard input and standard output are 4605directed to the open device (see the 4606.Dq set device 4607command), and standard error is read by 4608.Nm 4609and substituted as the expect or send string. 4610If 4611.Nm 4612is running in interactive mode, file descriptor 3 is attached to 4613.Pa /dev/tty . 4614.Pp 4615For example (wrapped for readability): 4616.Bd -literal -offset indent 4617set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4618word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4619\\"!/bin/echo in\\" HELLO" 4620.Ed 4621.Pp 4622would result in the following chat sequence (output using the 4623.Sq set log local chat 4624command before dialing): 4625.Bd -literal -offset indent 4626Dial attempt 1 of 1 4627dial OK! 4628Chat: Expecting: 4629Chat: Sending: 4630Chat: Expecting: login:--login: 4631Chat: Wait for (5): login: 4632Chat: Sending: ppp 4633Chat: Expecting: word: 4634Chat: Wait for (5): word: 4635Chat: Sending: ppp 4636Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4637Chat: Exec: sh -c "echo -n label: >&2" 4638Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4639Chat: Exec: /bin/echo in 4640Chat: Sending: 4641Chat: Expecting: HELLO 4642Chat: Wait for (5): HELLO 4643login OK! 4644.Ed 4645.Pp 4646Note (again) the use of the escape character, allowing many levels of 4647nesting. 4648Here, there are four parsers at work. 4649The first parses the original line, reading it as three arguments. 4650The second parses the third argument, reading it as 11 arguments. 4651At this point, it is 4652important that the 4653.Dq \&- 4654signs are escaped, otherwise this parser will see them as constituting 4655an expect-send-expect sequence. 4656When the 4657.Dq !\& 4658character is seen, the execution parser reads the first command as three 4659arguments, and then 4660.Xr sh 1 4661itself expands the argument after the 4662.Fl c . 4663As we wish to send the output back to the modem, in the first example 4664we redirect our output to file descriptor 2 (stderr) so that 4665.Nm 4666itself sends and logs it, and in the second example, we just output to stdout, 4667which is attached directly to the modem. 4668.Pp 4669This, of course means that it is possible to execute an entirely external 4670.Dq chat 4671command rather than using the internal one. 4672See 4673.Xr chat 8 4674for a good alternative. 4675.Pp 4676The external command that is executed is subjected to the same special 4677word expansions as the 4678.Dq !bg 4679command. 4680.It set enddisc Op label|IP|MAC|magic|psn value 4681This command sets our local endpoint discriminator. 4682If set prior to LCP negotiation, and if no 4683.Dq disable enddisc 4684command has been used, 4685.Nm 4686will send the information to the peer using the LCP endpoint discriminator 4687option. 4688The following discriminators may be set: 4689.Bl -tag -width indent 4690.It Li label 4691The current label is used. 4692.It Li IP 4693Our local IP number is used. 4694As LCP is negotiated prior to IPCP, it is 4695possible that the IPCP layer will subsequently change this value. 4696If 4697it does, the endpoint discriminator stays at the old value unless manually 4698reset. 4699.It Li MAC 4700This is similar to the 4701.Ar IP 4702option above, except that the MAC address associated with the local IP 4703number is used. 4704If the local IP number is not resident on any Ethernet 4705interface, the command will fail. 4706.Pp 4707As the local IP number defaults to whatever the machine host name is, 4708.Dq set enddisc mac 4709is usually done prior to any 4710.Dq set ifaddr 4711commands. 4712.It Li magic 4713A 20 digit random number is used. 4714Care should be taken when using magic numbers as restarting 4715.Nm 4716or creating a link using a different 4717.Nm 4718invocation will also use a different magic number and will therefore not 4719be recognised by the peer as belonging to the same bundle. 4720This makes it unsuitable for 4721.Fl direct 4722connections. 4723.It Li psn Ar value 4724The given 4725.Ar value 4726is used. 4727.Ar Value 4728should be set to an absolute public switched network number with the 4729country code first. 4730.El 4731.Pp 4732If no arguments are given, the endpoint discriminator is reset. 4733.It set escape Ar value... 4734This option is similar to the 4735.Dq set accmap 4736option above. 4737It allows the user to specify a set of characters that will be 4738.Sq escaped 4739as they travel across the link. 4740.It set filter dial|alive|in|out Ar rule-no Xo 4741.No permit|deny|clear| Ns Ar rule-no 4742.Op !\& 4743.Oo Op host 4744.Ar src_addr Ns Op / Ns Ar width 4745.Op Ar dst_addr Ns Op / Ns Ar width 4746.Oc [ Ns Ar proto 4747.Op src lt|eq|gt Ar port 4748.Op dst lt|eq|gt Ar port 4749.Op estab 4750.Op syn 4751.Op finrst 4752.Op timeout Ar secs ] 4753.Xc 4754.Nm 4755supports four filter sets. 4756The 4757.Em alive 4758filter specifies packets that keep the connection alive - resetting the 4759idle timer. 4760The 4761.Em dial 4762filter specifies packets that cause 4763.Nm 4764to dial when in 4765.Fl auto 4766mode. 4767The 4768.Em in 4769filter specifies packets that are allowed to travel 4770into the machine and the 4771.Em out 4772filter specifies packets that are allowed out of the machine. 4773.Pp 4774Filtering is done prior to any IP alterations that might be done by the 4775NAT engine on outgoing packets and after any IP alterations that might 4776be done by the NAT engine on incoming packets. 4777By default all empty filter sets allow all packets to pass. 4778Rules are processed in order according to 4779.Ar rule-no 4780(unless skipped by specifying a rule number as the 4781.Ar action ) . 4782Up to 40 rules may be given for each set. 4783If a packet doesn't match 4784any of the rules in a given set, it is discarded. 4785In the case of 4786.Em in 4787and 4788.Em out 4789filters, this means that the packet is dropped. 4790In the case of 4791.Em alive 4792filters it means that the packet will not reset the idle timer (even if 4793the 4794.Ar in Ns No / Ns Ar out 4795filter has a 4796.Dq timeout 4797value) and in the case of 4798.Em dial 4799filters it means that the packet will not trigger a dial. 4800A packet failing to trigger a dial will be dropped rather than queued. 4801Refer to the 4802section on 4803.Sx PACKET FILTERING 4804above for further details. 4805.It set hangup Ar chat-script 4806This specifies the chat script that will be used to reset the device 4807before it is closed. 4808It should not normally be necessary, but can 4809be used for devices that fail to reset themselves properly on close. 4810.It set help|? Op Ar command 4811This command gives a summary of available set commands, or if 4812.Ar command 4813is specified, the command usage is shown. 4814.It set ifaddr Oo Ar myaddr Ns 4815.Op / Ns Ar \&nn 4816.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4817.Oo Ar netmask 4818.Op Ar triggeraddr 4819.Oc Oc 4820.Oc 4821This command specifies the IP addresses that will be used during 4822IPCP negotiation. 4823Addresses are specified using the format 4824.Pp 4825.Dl a.b.c.d/nn 4826.Pp 4827Where 4828.Dq a.b.c.d 4829is the preferred IP, but 4830.Ar nn 4831specifies how many bits of the address we will insist on. 4832If 4833.No / Ns Ar nn 4834is omitted, it defaults to 4835.Dq /32 4836unless the IP address is 0.0.0.0 in which case it defaults to 4837.Dq /0 . 4838.Pp 4839If you wish to assign a dynamic IP number to the peer, 4840.Ar hisaddr 4841may also be specified as a range of IP numbers in the format 4842.Bd -ragged -offset indent 4843.Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo 4844.Oc Ns Oo , Ns Ar \&IP Ns 4845.Op \&- Ns Ar \&IP Ns 4846.Oc Ns ... 4847.Xc 4848.Ed 4849.Pp 4850for example: 4851.Pp 4852.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4853.Pp 4854will only negotiate 4855.Dq 10.0.0.1 4856as the local IP number, but may assign any of the given 10 IP 4857numbers to the peer. 4858If the peer requests one of these numbers, 4859and that number is not already in use, 4860.Nm 4861will grant the peers request. 4862This is useful if the peer wants 4863to re-establish a link using the same IP number as was previously 4864allocated (thus maintaining any existing tcp or udp connections). 4865.Pp 4866If the peer requests an IP number that's either outside 4867of this range or is already in use, 4868.Nm 4869will suggest a random unused IP number from the range. 4870.Pp 4871If 4872.Ar triggeraddr 4873is specified, it is used in place of 4874.Ar myaddr 4875in the initial IPCP negotiation. 4876However, only an address in the 4877.Ar myaddr 4878range will be accepted. 4879This is useful when negotiating with some 4880.Dv PPP 4881implementations that will not assign an IP number unless their peer 4882requests 4883.Dq 0.0.0.0 . 4884.Pp 4885It should be noted that in 4886.Fl auto 4887mode, 4888.Nm 4889will configure the interface immediately upon reading the 4890.Dq set ifaddr 4891line in the config file. 4892In any other mode, these values are just 4893used for IPCP negotiations, and the interface isn't configured 4894until the IPCP layer is up. 4895.Pp 4896Note that the 4897.Ar HISADDR 4898argument may be overridden by the third field in the 4899.Pa ppp.secret 4900file once the client has authenticated itself 4901(if PAP or CHAP are 4902.Dq enabled ) . 4903Refer to the 4904.Sx AUTHENTICATING INCOMING CONNECTIONS 4905section for details. 4906.Pp 4907In all cases, if the interface is already configured, 4908.Nm 4909will try to maintain the interface IP numbers so that any existing 4910bound sockets will remain valid. 4911.It set ifqueue Ar packets 4912Set the maximum number of packets that 4913.Nm 4914will read from the tunnel interface while data cannot be sent to any of 4915the available links. 4916This queue limit is necessary to flow control outgoing data as the tunnel 4917interface is likely to be far faster than the combined links available to 4918.Nm . 4919.Pp 4920If 4921.Ar packets 4922is set to a value less than the number of links, 4923.Nm 4924will read up to that value regardless. 4925This prevents any possible latency problems. 4926.Pp 4927The default value for 4928.Ar packets 4929is 4930.Dq 30 . 4931.It set ccpretry|ccpretries Oo Ar timeout 4932.Op Ar reqtries Op Ar trmtries 4933.Oc 4934.It set chapretry|chapretries Oo Ar timeout 4935.Op Ar reqtries 4936.Oc 4937.It set ipcpretry|ipcpretries Oo Ar timeout 4938.Op Ar reqtries Op Ar trmtries 4939.Oc 4940.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 4941.Op Ar reqtries Op Ar trmtries 4942.Oc 4943.It set lcpretry|lcpretries Oo Ar timeout 4944.Op Ar reqtries Op Ar trmtries 4945.Oc 4946.It set papretry|papretries Oo Ar timeout 4947.Op Ar reqtries 4948.Oc 4949These commands set the number of seconds that 4950.Nm 4951will wait before resending Finite State Machine (FSM) Request packets. 4952The default 4953.Ar timeout 4954for all FSMs is 3 seconds (which should suffice in most cases). 4955.Pp 4956If 4957.Ar reqtries 4958is specified, it tells 4959.Nm 4960how many configuration request attempts it should make while receiving 4961no reply from the peer before giving up. 4962The default is 5 attempts for 4963CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4964.Pp 4965If 4966.Ar trmtries 4967is specified, it tells 4968.Nm 4969how many terminate requests should be sent before giving up waiting for the 4970peers response. 4971The default is 3 attempts. 4972Authentication protocols are 4973not terminated and it is therefore invalid to specify 4974.Ar trmtries 4975for PAP or CHAP. 4976.Pp 4977In order to avoid negotiations with the peer that will never converge, 4978.Nm 4979will only send at most 3 times the configured number of 4980.Ar reqtries 4981in any given negotiation session before giving up and closing that layer. 4982.It set log Xo 4983.Op local 4984.Op +|- Ns 4985.Ar value Ns No ... 4986.Xc 4987This command allows the adjustment of the current log level. 4988Refer to the Logging Facility section for further details. 4989.It set login Ar chat-script 4990This 4991.Ar chat-script 4992complements the dial-script. 4993If both are specified, the login 4994script will be executed after the dial script. 4995Escape sequences available in the dial script are also available here. 4996.It set logout Ar chat-script 4997This specifies the chat script that will be used to logout 4998before the hangup script is called. 4999It should not normally be necessary. 5000.It set lqrperiod Ar frequency 5001This command sets the 5002.Ar frequency 5003in seconds at which 5004.Em LQR 5005or 5006.Em ECHO LQR 5007packets are sent. 5008The default is 30 seconds. 5009You must also use the 5010.Dq enable lqr 5011command if you wish to send LQR requests to the peer. 5012.It set mode Ar interactive|auto|ddial|background 5013This command allows you to change the 5014.Sq mode 5015of the specified link. 5016This is normally only useful in multi-link mode, 5017but may also be used in uni-link mode. 5018.Pp 5019It is not possible to change a link that is 5020.Sq direct 5021or 5022.Sq dedicated . 5023.Pp 5024Note: If you issue the command 5025.Dq set mode auto , 5026and have network address translation enabled, it may be useful to 5027.Dq enable iface-alias 5028afterwards. 5029This will allow 5030.Nm 5031to do the necessary address translations to enable the process that 5032triggers the connection to connect once the link is up despite the 5033peer assigning us a new (dynamic) IP address. 5034.It set mppe Op 40|56|128|* Op stateless|stateful|* 5035This option selects the encryption parameters used when negotiation 5036MPPE. 5037MPPE can be disabled entirely with the 5038.Dq disable mppe 5039command. 5040If no arguments are given, 5041.Nm 5042will attempt to negotiate a stateful link with a 128 bit key, but 5043will agree to whatever the peer requests (including no encryption 5044at all). 5045.Pp 5046If any arguments are given, 5047.Nm 5048will 5049.Em insist 5050on using MPPE and will close the link if it's rejected by the peer (Note; 5051this behaviour can be overridden by a configured RADIUS server). 5052.Pp 5053The first argument specifies the number of bits that 5054.Nm 5055should insist on during negotiations and the second specifies whether 5056.Nm 5057should insist on stateful or stateless mode. 5058In stateless mode, the 5059encryption dictionary is re-initialised with every packet according to 5060an encryption key that is changed with every packet. 5061In stateful mode, 5062the encryption dictionary is re-initialised every 256 packets or after 5063the loss of any data and the key is changed every 256 packets. 5064Stateless mode is less efficient but is better for unreliable transport 5065layers. 5066.It set mrru Op Ar value 5067Setting this option enables Multi-link PPP negotiations, also known as 5068Multi-link Protocol or MP. 5069There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5070If no argument is given, multi-link mode is disabled. 5071.It set mru Xo 5072.Op max Ns Op imum 5073.Op Ar value 5074.Xc 5075The default MRU (Maximum Receive Unit) is 1500. 5076If it is increased, the other side *may* increase its MTU. 5077In theory there is no point in decreasing the MRU to below the default as the 5078.Em PPP 5079protocol says implementations *must* be able to accept packets of at 5080least 1500 octets. 5081.Pp 5082If the 5083.Dq maximum 5084keyword is used, 5085.Nm 5086will refuse to negotiate a higher value. 5087The maximum MRU can be set to 2048 at most. 5088Setting a maximum of less than 1500 violates the 5089.Em PPP 5090rfc, but may sometimes be necessary. 5091For example, 5092.Em PPPoE 5093imposes a maximum of 1492 due to hardware limitations. 5094.Pp 5095If no argument is given, 1500 is assumed. 5096A value must be given when 5097.Dq maximum 5098is specified. 5099.It set mtu Xo 5100.Op max Ns Op imum 5101.Op Ar value 5102.Xc 5103The default MTU is 1500. 5104At negotiation time, 5105.Nm 5106will accept whatever MRU the peer requests (assuming it's 5107not less than 296 bytes or greater than the assigned maximum). 5108If the MTU is set, 5109.Nm 5110will not accept MRU values less than 5111.Ar value . 5112When negotiations are complete, the MTU is used when writing to the 5113interface, even if the peer requested a higher value MRU. 5114This can be useful for 5115limiting your packet size (giving better bandwidth sharing at the expense 5116of more header data). 5117.Pp 5118If the 5119.Dq maximum 5120keyword is used, 5121.Nm 5122will refuse to negotiate a higher value. 5123The maximum MTU can be set to 2048 at most. 5124.Pp 5125If no 5126.Ar value 5127is given, 1500, or whatever the peer asks for is used. 5128A value must be given when 5129.Dq maximum 5130is specified. 5131.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5132This option allows the setting of the Microsoft NetBIOS name server 5133values to be returned at the peers request. 5134If no values are given, 5135.Nm 5136will reject any such requests. 5137.It set openmode active|passive Op Ar delay 5138By default, 5139.Ar openmode 5140is always 5141.Ar active 5142with a one second 5143.Ar delay . 5144That is, 5145.Nm 5146will always initiate LCP/IPCP/CCP negotiation one second after the line 5147comes up. 5148If you want to wait for the peer to initiate negotiations, you 5149can use the value 5150.Ar passive . 5151If you want to initiate negotiations immediately or after more than one 5152second, the appropriate 5153.Ar delay 5154may be specified here in seconds. 5155.It set parity odd|even|none|mark 5156This allows the line parity to be set. 5157The default value is 5158.Ar none . 5159.It set phone Ar telno Ns Xo 5160.Oo \&| Ns Ar backupnumber 5161.Oc Ns ... Ns Oo : Ns Ar nextnumber 5162.Oc Ns ... 5163.Xc 5164This allows the specification of the phone number to be used in 5165place of the \\\\T string in the dial and login chat scripts. 5166Multiple phone numbers may be given separated either by a pipe 5167.Pq Dq \&| 5168or a colon 5169.Pq Dq \&: . 5170.Pp 5171Numbers after the pipe are only dialed if the dial or login 5172script for the previous number failed. 5173.Pp 5174Numbers after the colon are tried sequentially, irrespective of 5175the reason the line was dropped. 5176.Pp 5177If multiple numbers are given, 5178.Nm 5179will dial them according to these rules until a connection is made, retrying 5180the maximum number of times specified by 5181.Dq set redial 5182below. 5183In 5184.Fl background 5185mode, each number is attempted at most once. 5186.It set Op proc Ns Xo 5187.No title Op Ar value 5188.Xc 5189The current process title as displayed by 5190.Xr ps 1 5191is changed according to 5192.Ar value . 5193If 5194.Ar value 5195is not specified, the original process title is restored. 5196All the 5197word replacements done by the shell commands (see the 5198.Dq bg 5199command above) are done here too. 5200.Pp 5201Note, if USER is required in the process title, the 5202.Dq set proctitle 5203command must appear in 5204.Pa ppp.linkup , 5205as it is not known when the commands in 5206.Pa ppp.conf 5207are executed. 5208.It set radius Op Ar config-file 5209This command enables RADIUS support (if it's compiled in). 5210.Ar config-file 5211refers to the radius client configuration file as described in 5212.Xr radius.conf 5 . 5213If PAP, CHAP, MSCHAP or MSCHAPv2 are 5214.Dq enable Ns No d , 5215.Nm 5216behaves as a 5217.Em \&N Ns No etwork 5218.Em \&A Ns No ccess 5219.Em \&S Ns No erver 5220and uses the configured RADIUS server to authenticate rather than 5221authenticating from the 5222.Pa ppp.secret 5223file or from the passwd database. 5224.Pp 5225If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5226.Dq set radius 5227will do nothing. 5228.Pp 5229.Nm 5230uses the following attributes from the RADIUS reply: 5231.Bl -tag -width XXX -offset XXX 5232.It RAD_FRAMED_IP_ADDRESS 5233The peer IP address is set to the given value. 5234.It RAD_FRAMED_IP_NETMASK 5235The tun interface netmask is set to the given value. 5236.It RAD_FRAMED_MTU 5237If the given MTU is less than the peers MRU as agreed during LCP 5238negotiation, *and* it is less that any configured MTU (see the 5239.Dq set mru 5240command), the tun interface MTU is set to the given value. 5241.It RAD_FRAMED_COMPRESSION 5242If the received compression type is 5243.Dq 1 , 5244.Nm 5245will request VJ compression during IPCP negotiations despite any 5246.Dq disable vj 5247configuration command. 5248.It RAD_FILTER_ID 5249If this attribute is supplied, 5250.Nm 5251will attempt to use it as an additional label to load from the 5252.Pa ppp.linkup 5253and 5254.Pa ppp.linkdown 5255files. 5256The load will be attempted before (and in addition to) the normal 5257label search. 5258If the label doesn't exist, no action is taken and 5259.Nm 5260proceeds to the normal load using the current label. 5261.It RAD_FRAMED_ROUTE 5262The received string is expected to be in the format 5263.Ar dest Ns Op / Ns Ar bits 5264.Ar gw 5265.Op Ar metrics . 5266Any specified metrics are ignored. 5267.Dv MYADDR 5268and 5269.Dv HISADDR 5270are understood as valid values for 5271.Ar dest 5272and 5273.Ar gw , 5274.Dq default 5275can be used for 5276.Ar dest 5277to specify the default route, and 5278.Dq 0.0.0.0 5279is understood to be the same as 5280.Dq default 5281for 5282.Ar dest 5283and 5284.Dv HISADDR 5285for 5286.Ar gw . 5287.Pp 5288For example, a returned value of 5289.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5290would result in a routing table entry to the 1.2.3.0/24 network via 5291.Dv HISADDR 5292and a returned value of 5293.Dq 0.0.0.0 0.0.0.0 5294or 5295.Dq default HISADDR 5296would result in a default route to 5297.Dv HISADDR . 5298.Pp 5299All RADIUS routes are applied after any sticky routes are applied, making 5300RADIUS routes override configured routes. 5301This also applies for RADIUS routes that don't {include} the 5302.Dv MYADDR 5303or 5304.Dv HISADDR 5305keywords. 5306.It RAD_SESSION_TIMEOUT 5307If supplied, the client connection is closed after the given number of 5308seconds. 5309.It RAD_REPLY_MESSAGE 5310If supplied, this message is passed back to the peer as the authentication 5311SUCCESS text. 5312.It RAD_MICROSOFT_MS_CHAP_ERROR 5313If this 5314.Dv RAD_VENDOR_MICROSOFT 5315vendor specific attribute is supplied, it is passed back to the peer as the 5316authentication FAILURE text. 5317.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5318If this 5319.Dv RAD_VENDOR_MICROSOFT 5320vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5321being used, it is passed back to the peer as the authentication SUCCESS text. 5322.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5323If this 5324.Dv RAD_VENDOR_MICROSOFT 5325vendor specific attribute is supplied and has a value of 2 (Required), 5326.Nm 5327will insist that MPPE encryption is used (even if no 5328.Dq set mppe 5329configuration command has been given with arguments). 5330If it is supplied with a value of 1 (Allowed), encryption is made optional 5331(despite any 5332.Dq set mppe 5333configuration commands with arguments). 5334.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5335If this 5336.Dv RAD_VENDOR_MICROSOFT 5337vendor specific attribute is supplied, bits 1 and 2 are examined. 5338If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5339options are set, overriding any given first argument to the 5340.Dq set mppe 5341command. 5342Note, it is not currently possible for the RADIUS server to specify 56 bit 5343encryption. 5344.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5345If this 5346.Dv RAD_VENDOR_MICROSOFT 5347vendor specific attribute is supplied, it's value is used as the master 5348key for decryption of incoming data. When clients are authenticated using 5349MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5350to function. 5351.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5352If this 5353.Dv RAD_VENDOR_MICROSOFT 5354vendor specific attribute is supplied, it's value is used as the master 5355key for encryption of outgoing data. When clients are authenticated using 5356MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5357to function. 5358.El 5359.Pp 5360Values received from the RADIUS server may be viewed using 5361.Dq show bundle . 5362.It set reconnect Ar timeout ntries 5363Should the line drop unexpectedly (due to loss of CD or LQR 5364failure), a connection will be re-established after the given 5365.Ar timeout . 5366The line will be re-connected at most 5367.Ar ntries 5368times. 5369.Ar Ntries 5370defaults to zero. 5371A value of 5372.Ar random 5373for 5374.Ar timeout 5375will result in a variable pause, somewhere between 1 and 30 seconds. 5376.It set recvpipe Op Ar value 5377This sets the routing table RECVPIPE value. 5378The optimum value is just over twice the MTU value. 5379If 5380.Ar value 5381is unspecified or zero, the default kernel controlled value is used. 5382.It set redial Ar secs Ns Xo 5383.Oo + Ns Ar inc Ns 5384.Op - Ns Ar max Ns 5385.Oc Ns Op . Ns Ar next 5386.Op Ar attempts 5387.Xc 5388.Nm 5389can be instructed to attempt to redial 5390.Ar attempts 5391times. 5392If more than one phone number is specified (see 5393.Dq set phone 5394above), a pause of 5395.Ar next 5396is taken before dialing each number. 5397A pause of 5398.Ar secs 5399is taken before starting at the first number again. 5400A literal value of 5401.Dq Li random 5402may be used here in place of 5403.Ar secs 5404and 5405.Ar next , 5406causing a random delay of between 1 and 30 seconds. 5407.Pp 5408If 5409.Ar inc 5410is specified, its value is added onto 5411.Ar secs 5412each time 5413.Nm 5414tries a new number. 5415.Ar secs 5416will only be incremented at most 5417.Ar max 5418times. 5419.Ar max 5420defaults to 10. 5421.Pp 5422Note, the 5423.Ar secs 5424delay will be effective, even after 5425.Ar attempts 5426has been exceeded, so an immediate manual dial may appear to have 5427done nothing. 5428If an immediate dial is required, a 5429.Dq !\& 5430should immediately follow the 5431.Dq open 5432keyword. 5433See the 5434.Dq open 5435description above for further details. 5436.It set sendpipe Op Ar value 5437This sets the routing table SENDPIPE value. 5438The optimum value is just over twice the MTU value. 5439If 5440.Ar value 5441is unspecified or zero, the default kernel controlled value is used. 5442.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5443.Ar LocalName Ns No |none|open|closed 5444.Op password Op Ar mask 5445.Xc 5446This command tells 5447.Nm 5448to listen on the given socket or 5449.Sq diagnostic port 5450for incoming command connections. 5451.Pp 5452The word 5453.Dq none 5454instructs 5455.Nm 5456to close any existing socket and clear the socket configuration. 5457The word 5458.Dq open 5459instructs 5460.Nm 5461to attempt to re-open the port. 5462The word 5463.Dq closed 5464instructs 5465.Nm 5466to close the open port. 5467.Pp 5468If you wish to specify a local domain socket, 5469.Ar LocalName 5470must be specified as an absolute file name, otherwise it is assumed 5471to be the name or number of a TCP port. 5472You may specify the octal umask to be used with a local domain socket. 5473Refer to 5474.Xr umask 2 5475for umask details. 5476Refer to 5477.Xr services 5 5478for details of how to translate TCP port names. 5479.Pp 5480You must also specify the password that must be entered by the client 5481(using the 5482.Dq passwd 5483variable above) when connecting to this socket. 5484If the password is 5485specified as an empty string, no password is required for connecting clients. 5486.Pp 5487When specifying a local domain socket, the first 5488.Dq %d 5489sequence found in the socket name will be replaced with the current 5490interface unit number. 5491This is useful when you wish to use the same 5492profile for more than one connection. 5493.Pp 5494In a similar manner TCP sockets may be prefixed with the 5495.Dq + 5496character, in which case the current interface unit number is added to 5497the port number. 5498.Pp 5499When using 5500.Nm 5501with a server socket, the 5502.Xr pppctl 8 5503command is the preferred mechanism of communications. 5504Currently, 5505.Xr telnet 1 5506can also be used, but link encryption may be implemented in the future, so 5507.Xr telnet 1 5508should be avoided. 5509.Pp 5510Note; 5511.Dv SIGUSR1 5512and 5513.Dv SIGUSR2 5514interact with the diagnostic socket. 5515.It set speed Ar value 5516This sets the speed of the serial device. 5517If speed is specified as 5518.Dq sync , 5519.Nm 5520treats the device as a synchronous device. 5521.Pp 5522Certain device types will know whether they should be specified as 5523synchronous or asynchronous. 5524These devices will override incorrect 5525settings and log a warning to this effect. 5526.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5527If this option is set, 5528.Nm 5529will time out after the given FSM (Finite State Machine) has been in 5530the stopped state for the given number of 5531.Dq seconds . 5532This option may be useful if the peer sends a terminate request, 5533but never actually closes the connection despite our sending a terminate 5534acknowledgement. 5535This is also useful if you wish to 5536.Dq set openmode passive 5537and time out if the peer doesn't send a Configure Request within the 5538given time. 5539Use 5540.Dq set log +lcp +ccp 5541to make 5542.Nm 5543log the appropriate state transitions. 5544.Pp 5545The default value is zero, where 5546.Nm 5547doesn't time out in the stopped state. 5548.Pp 5549This value should not be set to less than the openmode delay (see 5550.Dq set openmode 5551above). 5552.It set timeout Ar idleseconds Op Ar mintimeout 5553This command allows the setting of the idle timer. 5554Refer to the section titled 5555.Sx SETTING THE IDLE TIMER 5556for further details. 5557.Pp 5558If 5559.Ar mintimeout 5560is specified, 5561.Nm 5562will never idle out before the link has been up for at least that number 5563of seconds. 5564.It set urgent Xo 5565.Op tcp|udp|none 5566.Oo Op +|- Ns 5567.Ar port 5568.Oc No ... 5569.Xc 5570This command controls the ports that 5571.Nm 5572prioritizes when transmitting data. 5573The default priority TCP ports 5574are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5575543 (klogin) and 544 (kshell). 5576There are no priority UDP ports by default. 5577See 5578.Xr services 5 5579for details. 5580.Pp 5581If neither 5582.Dq tcp 5583or 5584.Dq udp 5585are specified, 5586.Dq tcp 5587is assumed. 5588.Pp 5589If no 5590.Ar port Ns No s 5591are given, the priority port lists are cleared (although if 5592.Dq tcp 5593or 5594.Dq udp 5595is specified, only that list is cleared). 5596If the first 5597.Ar port 5598argument is prefixed with a plus 5599.Pq Dq \&+ 5600or a minus 5601.Pq Dq \&- , 5602the current list is adjusted, otherwise the list is reassigned. 5603.Ar port Ns No s 5604prefixed with a plus or not prefixed at all are added to the list and 5605.Ar port Ns No s 5606prefixed with a minus are removed from the list. 5607.Pp 5608If 5609.Dq none 5610is specified, all priority port lists are disabled and even 5611.Dv IPTOS_LOWDELAY 5612packets are not prioritised. 5613.It set vj slotcomp on|off 5614This command tells 5615.Nm 5616whether it should attempt to negotiate VJ slot compression. 5617By default, slot compression is turned 5618.Ar on . 5619.It set vj slots Ar nslots 5620This command sets the initial number of slots that 5621.Nm 5622will try to negotiate with the peer when VJ compression is enabled (see the 5623.Sq enable 5624command above). 5625It defaults to a value of 16. 5626.Ar Nslots 5627must be between 5628.Ar 4 5629and 5630.Ar 16 5631inclusive. 5632.El 5633.It shell|! Op Ar command 5634If 5635.Ar command 5636is not specified a shell is invoked according to the 5637.Dv SHELL 5638environment variable. 5639Otherwise, the given 5640.Ar command 5641is executed. 5642Word replacement is done in the same way as for the 5643.Dq !bg 5644command as described above. 5645.Pp 5646Use of the ! character 5647requires a following space as with any of the other commands. 5648You should note that this command is executed in the foreground; 5649.Nm 5650will not continue running until this process has exited. 5651Use the 5652.Dv bg 5653command if you wish processing to happen in the background. 5654.It show Ar var 5655This command allows the user to examine the following: 5656.Bl -tag -width 2n 5657.It show bundle 5658Show the current bundle settings. 5659.It show ccp 5660Show the current CCP compression statistics. 5661.It show compress 5662Show the current VJ compression statistics. 5663.It show escape 5664Show the current escape characters. 5665.It show filter Op Ar name 5666List the current rules for the given filter. 5667If 5668.Ar name 5669is not specified, all filters are shown. 5670.It show hdlc 5671Show the current HDLC statistics. 5672.It show help|? 5673Give a summary of available show commands. 5674.It show iface 5675Show the current interface information 5676(the same as 5677.Dq iface show ) . 5678.It show ipcp 5679Show the current IPCP statistics. 5680.It show layers 5681Show the protocol layers currently in use. 5682.It show lcp 5683Show the current LCP statistics. 5684.It show Op data Ns Xo 5685.No link 5686.Xc 5687Show high level link information. 5688.It show links 5689Show a list of available logical links. 5690.It show log 5691Show the current log values. 5692.It show mem 5693Show current memory statistics. 5694.It show ncp 5695Show the current NCP statistics. 5696.It show physical 5697Show low level link information. 5698.It show mp 5699Show Multi-link information. 5700.It show proto 5701Show current protocol totals. 5702.It show route 5703Show the current routing tables. 5704.It show stopped 5705Show the current stopped timeouts. 5706.It show timer 5707Show the active alarm timers. 5708.It show version 5709Show the current version number of 5710.Nm . 5711.El 5712.It term 5713Go into terminal mode. 5714Characters typed at the keyboard are sent to the device. 5715Characters read from the device are displayed on the screen. 5716When a remote 5717.Em PPP 5718peer is detected, 5719.Nm 5720automatically enables Packet Mode and goes back into command mode. 5721.El 5722.Sh MORE DETAILS 5723.Bl -bullet 5724.It 5725Read the example configuration files. 5726They are a good source of information. 5727.It 5728Use 5729.Dq help , 5730.Dq nat \&? , 5731.Dq enable \&? , 5732.Dq set ?\& 5733and 5734.Dq show ?\& 5735to get online information about what's available. 5736.It 5737The following URLs contain useful information: 5738.Bl -bullet -compact 5739.It 5740.Pa http://www.dragonflybsd.org/docs/handbook/handbook-userppp/ 5741.El 5742.El 5743.Sh FILES 5744.Nm 5745refers to four files: 5746.Pa ppp.conf , 5747.Pa ppp.linkup , 5748.Pa ppp.linkdown 5749and 5750.Pa ppp.secret . 5751These files are placed in the 5752.Pa /etc/ppp 5753directory. 5754.Bl -tag -width 2n 5755.It Pa /etc/ppp/ppp.conf 5756System default configuration file. 5757.It Pa /etc/ppp/ppp.secret 5758An authorisation file for each system. 5759.It Pa /etc/ppp/ppp.linkup 5760A file to check when 5761.Nm 5762establishes a network level connection. 5763.It Pa /etc/ppp/ppp.linkdown 5764A file to check when 5765.Nm 5766closes a network level connection. 5767.It Pa /var/log/ppp.log 5768Logging and debugging information file. 5769Note, this name is specified in 5770.Pa /etc/syslog.conf . 5771See 5772.Xr syslog.conf 5 5773for further details. 5774.It Pa /var/spool/lock/LCK..* 5775tty port locking file. 5776Refer to 5777.Xr uucplock 3 5778for further details. 5779.It Pa /var/run/tunN.pid 5780The process id (pid) of the 5781.Nm 5782program connected to the tunN device, where 5783.Sq N 5784is the number of the device. 5785.It Pa /var/run/ttyXX.if 5786The tun interface used by this port. 5787Again, this file is only created in 5788.Fl background , 5789.Fl auto 5790and 5791.Fl ddial 5792modes. 5793.It Pa /etc/services 5794Get port number if port number is using service name. 5795.It Pa /var/run/ppp-authname-class-value 5796In multi-link mode, local domain sockets are created using the peer 5797authentication name 5798.Pq Sq authname , 5799the peer endpoint discriminator class 5800.Pq Sq class 5801and the peer endpoint discriminator value 5802.Pq Sq value . 5803As the endpoint discriminator value may be a binary value, it is turned 5804to HEX to determine the actual file name. 5805.Pp 5806This socket is used to pass links between different instances of 5807.Nm . 5808.El 5809.Sh SEE ALSO 5810.Xr at 1 , 5811.Xr ftp 1 , 5812.Xr gzip 1 , 5813.Xr hostname 1 , 5814.Xr login 1 , 5815.Xr tcpdump 1 , 5816.Xr telnet 1 , 5817.Xr kldload 2 , 5818ifdef({LOCALNAT},{},{.Xr libalias 3 , 5819})dnl 5820ifdef({LOCALRAD},{},{.Xr libradius 3 , 5821})dnl 5822.Xr syslog 3 , 5823.Xr uucplock 3 , 5824.Xr netgraph 4 , 5825.Xr ng_pppoe 4 , 5826.Xr crontab 5 , 5827.Xr group 5 , 5828.Xr passwd 5 , 5829.Xr protocols 5 , 5830.Xr radius.conf 5 , 5831.Xr resolv.conf 5 , 5832.Xr syslog.conf 5 , 5833.Xr adduser 8 , 5834.Xr chat 8 , 5835.Xr getty 8 , 5836.Xr inetd 8 , 5837.Xr init 8 , 5838.Xr named 8 , 5839.Xr ping 8 , 5840.Xr pppctl 8 , 5841.Xr pppd 8 , 5842.Xr pppoe 8 , 5843.Xr route 8 , 5844.Xr sshd 8 , 5845.Xr syslogd 8 , 5846.Xr traceroute 8 , 5847.Xr vipw 8 5848.Sh HISTORY 5849This program was originally written by 5850.An Toshiharu OHNO Aq Mt tony-o@iij.ad.jp , 5851and was submitted to 5852.Fx 2.0.5 5853by 5854.An Atsushi Murai Aq Mt amurai@spec.co.jp . 5855.Pp 5856It was substantially modified during 1997 by 5857.An Brian Somers Aq Mt brian@Awfulhak.org , 5858and was ported to 5859.Ox 5860in November that year 5861(just after the 2.2 release). 5862.Pp 5863Most of the code was rewritten by 5864.An Brian Somers 5865in early 1998 when multi-link ppp support was added. 5866