1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: src/usr.sbin/ppp/ppp.8.m4,v 1.301.2.1 2002/09/01 02:12:31 brian Exp $ 29.\" 30.Dd June 20, 2015 31.Dt PPP 8 32.Os 33.Sh NAME 34.Nm ppp 35.Nd Point to Point Protocol (a.k.a. user-ppp) 36.Sh SYNOPSIS 37.Nm 38.Op Fl Va mode 39.Op Fl nat 40.Op Fl quiet 41.Op Fl unit Ns Ar N 42.Op Ar system ... 43.Sh DESCRIPTION 44This is a user process 45.Em PPP 46software package. 47Normally, 48.Em PPP 49is implemented as a part of the kernel (e.g., as managed by 50.Xr pppd 8 ) 51and it's thus somewhat hard to debug and/or modify its behaviour. 52However, in this implementation 53.Em PPP 54is done as a user process with the help of the 55tunnel device driver (tun). 56.Pp 57The 58.Fl nat 59flag does the equivalent of a 60.Dq nat enable yes , 61enabling 62.Nm Ns No 's 63network address translation features. 64This allows 65.Nm 66to act as a NAT or masquerading engine for all machines on an internal 67LAN. 68ifdef({LOCALNAT},{},{Refer to 69.Xr libalias 3 70for details on the technical side of the NAT engine. 71})dnl 72Refer to the 73.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 74section of this manual page for details on how to configure NAT in 75.Nm . 76.Pp 77The 78.Fl quiet 79flag tells 80.Nm 81to be silent at startup rather than displaying the mode and interface 82to standard output. 83.Pp 84The 85.Fl unit 86flag tells 87.Nm 88to only attempt to open 89.Pa /dev/tun Ns Ar N . 90Normally, 91.Nm 92will start with a value of 0 for 93.Ar N , 94and keep trying to open a tunnel device by incrementing the value of 95.Ar N 96by one each time until it succeeds. 97If it fails three times in a row 98because the device file is missing, it gives up. 99.Pp 100The following 101.Va mode Ns No s 102are understood by 103.Nm : 104.Bl -tag -width XXX -offset XXX 105.It Fl auto 106.Nm 107opens the tun interface, configures it then goes into the background. 108The link isn't brought up until outgoing data is detected on the tun 109interface at which point 110.Nm 111attempts to bring up the link. 112Packets received (including the first one) while 113.Nm 114is trying to bring the link up will remain queued for a default of 1152 minutes. 116See the 117.Dq set choked 118command below. 119.Pp 120In 121.Fl auto 122mode, at least one 123.Dq system 124must be given on the command line (see below) and a 125.Dq set ifaddr 126must be done in the system profile that specifies a peer IP address to 127use when configuring the interface. 128Something like 129.Dq 10.0.0.1/0 130is usually appropriate. 131See the 132.Dq pmdemand 133system in 134.Pa /usr/share/examples/ppp/ppp.conf.sample 135for an example. 136.It Fl background 137Here, 138.Nm 139attempts to establish a connection with the peer immediately. 140If it succeeds, 141.Nm 142goes into the background and the parent process returns an exit code 143of 0. 144If it fails, 145.Nm 146exits with a non-zero result. 147.It Fl foreground 148In foreground mode, 149.Nm 150attempts to establish a connection with the peer immediately, but never 151becomes a daemon. 152The link is created in background mode. 153This is useful if you wish to control 154.Nm Ns No 's 155invocation from another process. 156.It Fl direct 157This is used for receiving incoming connections. 158.Nm 159ignores the 160.Dq set device 161line and uses descriptor 0 as the link. 162.Pp 163If callback is configured, 164.Nm 165will use the 166.Dq set device 167information when dialing back. 168.It Fl dedicated 169This option is designed for machines connected with a dedicated 170wire. 171.Nm 172will always keep the device open and will never use any configured 173chat scripts. 174.It Fl ddial 175This mode is equivalent to 176.Fl auto 177mode except that 178.Nm 179will bring the link back up any time it's dropped for any reason. 180.It Fl interactive 181This is a no-op, and gives the same behaviour as if none of the above 182modes have been specified. 183.Nm 184loads any sections specified on the command line then provides an 185interactive prompt. 186.El 187.Pp 188One or more configuration entries or systems 189(as specified in 190.Pa /etc/ppp/ppp.conf ) 191may also be specified on the command line. 192.Nm 193will read the 194.Dq default 195system from 196.Pa /etc/ppp/ppp.conf 197at startup, followed by each of the systems specified on the command line. 198.Sh Major Features 199.Bl -diag 200.It Provides an interactive user interface. 201Using its command mode, the user can 202easily enter commands to establish the connection with the remote end, check 203the status of connection and close the connection. 204All functions can also be optionally password protected for security. 205.It Supports both manual and automatic dialing. 206Interactive mode has a 207.Dq term 208command which enables you to talk to the device directly. 209When you are connected to the remote peer and it starts to talk 210.Em PPP , 211.Nm 212detects it and switches to packet mode automatically. 213Once you have 214determined the proper sequence for connecting with the remote host, you 215can write a chat script to {define} the necessary dialing and login 216procedure for later convenience. 217.It Supports on-demand dialup capability. 218By using 219.Fl auto 220mode, 221.Nm 222will act as a daemon and wait for a packet to be sent over the 223.Em PPP 224link. 225When this happens, the daemon automatically dials and establishes the 226connection. 227In almost the same manner 228.Fl ddial 229mode (direct-dial mode) also automatically dials and establishes the 230connection. 231However, it differs in that it will dial the remote site 232any time it detects the link is down, even if there are no packets to be 233sent. 234This mode is useful for full-time connections where we worry less 235about line charges and more about being connected full time. 236A third 237.Fl dedicated 238mode is also available. 239This mode is targeted at a dedicated link between two machines. 240.Nm 241will never voluntarily quit from dedicated mode - you must send it the 242.Dq quit all 243command via its diagnostic socket. 244A 245.Dv SIGHUP 246will force an LCP renegotiation, and a 247.Dv SIGTERM 248will force it to exit. 249.It Supports client callback. 250.Nm 251can use either the standard LCP callback protocol or the Microsoft 252CallBack Control Protocol 253.Pa ( ftp://ftp.microsoft.com/developr/rfc/cbcp.txt ) . 254.It Supports NAT or packet aliasing. 255Packet aliasing (a.k.a. IP masquerading) allows computers on a 256private, unregistered network to access the Internet. 257The 258.Em PPP 259host acts as a masquerading gateway. 260IP addresses as well as TCP and 261UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 262returning packets. 263.It Supports background PPP connections. 264In background mode, if 265.Nm 266successfully establishes the connection, it will become a daemon. 267Otherwise, it will exit with an error. 268This allows the setup of 269scripts that wish to execute certain commands only if the connection 270is successfully established. 271.It Supports server-side PPP connections. 272In direct mode, 273.Nm 274acts as server which accepts incoming 275.Em PPP 276connections on stdin/stdout. 277.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication." 278With PAP or CHAP, it is possible to skip the Unix style 279.Xr login 1 280procedure, and use the 281.Em PPP 282protocol for authentication instead. 283If the peer requests Microsoft CHAP authentication and 284.Nm 285is compiled with DES support, an appropriate MD4/DES response will be 286made. 287.It Supports RADIUS (rfc 2138 & 2548) authentication. 288An extension to PAP and CHAP, 289.Em \&R Ns No emote 290.Em \&A Ns No ccess 291.Em \&D Ns No ial 292.Em \&I Ns No n 293.Em \&U Ns No ser 294.Em \&S Ns No ervice 295allows authentication information to be stored in a central or 296distributed database along with various per-user framed connection 297characteristics. 298ifdef({LOCALRAD},{},{If 299.Xr libradius 3 300is available at compile time, 301.Nm 302will use it to make 303.Em RADIUS 304requests when configured to do so. 305})dnl 306.It Supports Proxy Arp. 307.Nm 308can be configured to make one or more proxy arp entries on behalf of 309the peer. 310This allows routing from the peer to the LAN without 311configuring each machine on that LAN. 312.It Supports packet filtering. 313User can {define} four kinds of filters: the 314.Em in 315filter for incoming packets, the 316.Em out 317filter for outgoing packets, the 318.Em dial 319filter to {define} a dialing trigger packet and the 320.Em alive 321filter for keeping a connection alive with the trigger packet. 322.It Tunnel driver supports bpf. 323The user can use 324.Xr tcpdump 1 325to check the packet flow over the 326.Em PPP 327link. 328.It Supports PPP over TCP and PPP over UDP. 329If a device name is specified as 330.Em host Ns No : Ns Em port Ns 331.Xo 332.Op / Ns tcp|udp , 333.Xc 334.Nm 335will open a TCP or UDP connection for transporting data rather than using a 336conventional serial device. 337UDP connections force 338.Nm 339into synchronous mode. 340.It Supports PPP over Ethernet (rfc 2516). 341If 342.Nm 343is given a device specification of the format 344.No PPPoE: Ns Ar iface Ns Xo 345.Op \&: Ns Ar provider Ns 346.Xc 347and if 348.Xr netgraph 4 349is available, 350.Nm 351will attempt talk 352.Em PPP 353over Ethernet to 354.Ar provider 355using the 356.Ar iface 357network interface. 358.Pp 359On systems that do not support 360.Xr netgraph 4 , 361an external program such as 362.Xr pppoe 8 363may be used. 364.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 365.Nm 366supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 367Normally, a modem has built-in compression (e.g., v42.bis) and the system 368may receive higher data rates from it as a result of such compression. 369While this is generally a good thing in most other situations, this 370higher speed data imposes a penalty on the system by increasing the 371number of serial interrupts the system has to process in talking to the 372modem and also increases latency. 373Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 374.Em all 375network traffic flowing through the link, thus reducing overheads to a 376minimum. 377.It Supports Microsoft's IPCP extensions (rfc 1877). 378Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 379with clients using the Microsoft 380.Em PPP 381stack (i.e., Win95, WinNT) 382.It Supports Multi-link PPP (rfc 1990) 383It is possible to configure 384.Nm 385to open more than one physical connection to the peer, combining the 386bandwidth of all links for better throughput. 387.It Supports MPPE (draft-ietf-pppext-mppe) 388MPPE is Microsoft Point to Point Encryption scheme. 389It is possible to configure 390.Nm 391to participate in Microsoft's Windows VPN. 392For now, 393.Nm 394can only get encryption keys from CHAP 81 authentication. 395.Nm 396must be compiled with DES for MPPE to operate. 397.It Supports IPV6CP (rfc 2023). 398An IPv6 connection can be made in addition to or instead of the normal 399IPv4 connection. 400.El 401.Sh PERMISSIONS 402.Nm 403is installed as user 404.Dv root 405and group 406.Dv network , 407with permissions 408.Dv 04554 . 409By default, 410.Nm 411will not run if the invoking user id is not zero. 412This may be overridden by using the 413.Dq allow users 414command in 415.Pa /etc/ppp/ppp.conf . 416When running as a normal user, 417.Nm 418switches to user id 0 in order to alter the system routing table, set up 419system lock files and read the ppp configuration files. 420All external commands (executed via the "shell" or "!bg" commands) are executed 421as the user id that invoked 422.Nm . 423Refer to the 424.Sq ID0 425logging facility if you're interested in what exactly is done as user id 426zero. 427.Sh GETTING STARTED 428When you first run 429.Nm 430you may need to deal with some initial configuration details. 431.Bl -bullet 432.It 433Your kernel must {include} a tunnel device (the X86_64_GENERIC kernel includes 434one by default). 435If it doesn't, or if you require more than one tun 436interface, you'll need to rebuild your kernel with the following line in 437your kernel configuration file: 438.Pp 439.Dl pseudo-device tun N 440.Pp 441where 442.Ar N 443is the maximum number of 444.Em PPP 445connections you wish to support. 446.It 447Make sure that your system has a group named 448.Dq network 449in the 450.Pa /etc/group 451file and that the group contains the names of all users expected to use 452.Nm . 453Refer to the 454.Xr group 5 455manual page for details. 456Each of these users must also be given access using the 457.Dq allow users 458command in 459.Pa /etc/ppp/ppp.conf . 460.It 461Create a log file. 462.Nm 463uses 464.Xr syslog 3 465to log information. 466A common log file name is 467.Pa /var/log/ppp.log . 468To make output go to this file, put the following lines in the 469.Pa /etc/syslog.conf 470file: 471.Bd -literal -offset indent 472!ppp 473*.*<TAB>/var/log/ppp.log 474.Ed 475.Pp 476It is possible to have more than one 477.Em PPP 478log file by creating a link to the 479.Nm 480executable: 481.Pp 482.Dl # cd /usr/sbin 483.Dl # ln ppp ppp0 484.Pp 485and using 486.Bd -literal -offset indent 487!ppp0 488*.*<TAB>/var/log/ppp0.log 489.Ed 490.Pp 491in 492.Pa /etc/syslog.conf . 493Don't forget to send a 494.Dv HUP 495signal to 496.Xr syslogd 8 497after altering 498.Pa /etc/syslog.conf . 499.It 500Although not strictly relevant to 501.Nm Ns No 's 502operation, you should configure your resolver so that it works correctly. 503This can be done by configuring a local DNS 504(using 505.Xr named 8 ) 506or by adding the correct 507.Sq nameserver 508lines to the file 509.Pa /etc/resolv.conf . 510Refer to the 511.Xr resolv.conf 5 512manual page for details. 513.Pp 514Alternatively, if the peer supports it, 515.Nm 516can be configured to ask the peer for the nameserver address(es) and to 517update 518.Pa /etc/resolv.conf 519automatically. 520Refer to the 521.Dq enable dns 522and 523.Dq resolv 524commands below for details. 525.El 526.Sh MANUAL DIALING 527In the following examples, we assume that your machine name is 528.Dv awfulhak . 529when you invoke 530.Nm 531(see 532.Sx PERMISSIONS 533above) with no arguments, you are presented with a prompt: 534.Bd -literal -offset indent 535ppp ON awfulhak> 536.Ed 537.Pp 538The 539.Sq ON 540part of your prompt should always be in upper case. 541If it is in lower case, it means that you must supply a password using the 542.Dq passwd 543command. 544This only ever happens if you connect to a running version of 545.Nm 546and have not authenticated yourself using the correct password. 547.Pp 548You can start by specifying the device name and speed: 549.Bd -literal -offset indent 550ppp ON awfulhak> set device /dev/cuaa0 551ppp ON awfulhak> set speed 38400 552.Ed 553.Pp 554Normally, hardware flow control (CTS/RTS) is used. 555However, under 556certain circumstances (as may happen when you are connected directly 557to certain PPP-capable terminal servers), this may result in 558.Nm 559hanging as soon as it tries to write data to your communications link 560as it is waiting for the CTS (clear to send) signal - which will never 561come. 562Thus, if you have a direct line and can't seem to make a 563connection, try turning CTS/RTS off with 564.Dq set ctsrts off . 565If you need to do this, check the 566.Dq set accmap 567description below too - you'll probably need to 568.Dq set accmap 000a0000 . 569.Pp 570Usually, parity is set to 571.Dq none , 572and this is 573.Nm Ns No 's 574default. 575Parity is a rather archaic error checking mechanism that is no 576longer used because modern modems do their own error checking, and most 577link-layer protocols (that's what 578.Nm 579is) use much more reliable checking mechanisms. 580Parity has a relatively 581huge overhead (a 12.5% increase in traffic) and as a result, it is always 582disabled 583(set to 584.Dq none ) 585when 586.Dv PPP 587is opened. 588However, some ISPs (Internet Service Providers) may use 589specific parity settings at connection time (before 590.Dv PPP 591is opened). 592Notably, Compuserve insist on even parity when logging in: 593.Bd -literal -offset indent 594ppp ON awfulhak> set parity even 595.Ed 596.Pp 597You can now see what your current device settings look like: 598.Bd -literal -offset indent 599ppp ON awfulhak> show physical 600Name: deflink 601 State: closed 602 Device: N/A 603 Link Type: interactive 604 Connect Count: 0 605 Queued Packets: 0 606 Phone Number: N/A 607 608Defaults: 609 Device List: /dev/cuaa0 610 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 611 612Connect time: 0 secs 6130 octets in, 0 octets out 614Overall 0 bytes/sec 615ppp ON awfulhak> 616.Ed 617.Pp 618The term command can now be used to talk directly to the device: 619.Bd -literal -offset indent 620ppp ON awfulhak> term 621at 622OK 623atdt123456 624CONNECT 625login: myispusername 626Password: myisppassword 627Protocol: ppp 628.Ed 629.Pp 630When the peer starts to talk in 631.Em PPP , 632.Nm 633detects this automatically and returns to command mode. 634.Bd -literal -offset indent 635ppp ON awfulhak> # No link has been established 636Ppp ON awfulhak> # We've connected & finished LCP 637PPp ON awfulhak> # We've authenticated 638PPP ON awfulhak> # We've agreed IP numbers 639.Ed 640.Pp 641If it does not, it's probable that the peer is waiting for your end to 642start negotiating. 643To force 644.Nm 645to start sending 646.Em PPP 647configuration packets to the peer, use the 648.Dq ~p 649command to drop out of terminal mode and enter packet mode. 650.Pp 651If you never even receive a login prompt, it is quite likely that the 652peer wants to use PAP or CHAP authentication instead of using Unix-style 653login/password authentication. 654To set things up properly, drop back to 655the prompt and set your authentication name and key, then reconnect: 656.Bd -literal -offset indent 657~. 658ppp ON awfulhak> set authname myispusername 659ppp ON awfulhak> set authkey myisppassword 660ppp ON awfulhak> term 661at 662OK 663atdt123456 664CONNECT 665.Ed 666.Pp 667You may need to tell ppp to initiate negotiations with the peer here too: 668.Bd -literal -offset indent 669~p 670ppp ON awfulhak> # No link has been established 671Ppp ON awfulhak> # We've connected & finished LCP 672PPp ON awfulhak> # We've authenticated 673PPP ON awfulhak> # We've agreed IP numbers 674.Ed 675.Pp 676You are now connected! 677Note that 678.Sq PPP 679in the prompt has changed to capital letters to indicate that you have 680a peer connection. 681If only some of the three Ps go uppercase, wait until 682either everything is uppercase or lowercase. 683If they revert to lowercase, it means that 684.Nm 685couldn't successfully negotiate with the peer. 686A good first step for troubleshooting at this point would be to 687.Bd -literal -offset indent 688ppp ON awfulhak> set log local phase lcp ipcp 689.Ed 690.Pp 691and try again. 692Refer to the 693.Dq set log 694command description below for further details. 695If things fail at this point, 696it is quite important that you turn logging on and try again. 697It is also 698important that you note any prompt changes and report them to anyone trying 699to help you. 700.Pp 701When the link is established, the show command can be used to see how 702things are going: 703.Bd -literal -offset indent 704PPP ON awfulhak> show physical 705* Modem related information is shown here * 706PPP ON awfulhak> show ccp 707* CCP (compression) related information is shown here * 708PPP ON awfulhak> show lcp 709* LCP (line control) related information is shown here * 710PPP ON awfulhak> show ipcp 711* IPCP (IP) related information is shown here * 712PPP ON awfulhak> show ipv6cp 713* IPV6CP (IPv6) related information is shown here * 714PPP ON awfulhak> show link 715* Link (high level) related information is shown here * 716PPP ON awfulhak> show bundle 717* Logical (high level) connection related information is shown here * 718.Ed 719.Pp 720At this point, your machine has a host route to the peer. 721This means 722that you can only make a connection with the host on the other side 723of the link. 724If you want to add a default route entry (telling your 725machine to send all packets without another routing entry to the other 726side of the 727.Em PPP 728link), enter the following command: 729.Bd -literal -offset indent 730PPP ON awfulhak> add default HISADDR 731.Ed 732.Pp 733The string 734.Sq HISADDR 735represents the IP address of the connected peer. 736If the 737.Dq add 738command fails due to an existing route, you can overwrite the existing 739route using 740.Bd -literal -offset indent 741PPP ON awfulhak> add! default HISADDR 742.Ed 743.Pp 744This command can also be executed before actually making the connection. 745If a new IP address is negotiated at connection time, 746.Nm 747will update your default route accordingly. 748.Pp 749You can now use your network applications (ping, telnet, ftp etc.) 750in other windows or terminals on your machine. 751If you wish to reuse the current terminal, you can put 752.Nm 753into the background using your standard shell suspend and background 754commands (usually 755.Dq ^Z 756followed by 757.Dq bg ) . 758.Pp 759Refer to the 760.Sx PPP COMMAND LIST 761section for details on all available commands. 762.Sh AUTOMATIC DIALING 763To use automatic dialing, you must prepare some Dial and Login chat scripts. 764See the example definitions in 765.Pa /usr/share/examples/ppp/ppp.conf.sample 766(the format of 767.Pa /etc/ppp/ppp.conf 768is pretty simple). 769Each line contains one comment, inclusion, label or command: 770.Bl -bullet 771.It 772A line starting with a 773.Pq Dq # 774character is treated as a comment line. 775Leading whitespace are ignored when identifying comment lines. 776.It 777An inclusion is a line beginning with the word 778.Sq {!include} . 779It must have one argument - the file to {include}. 780You may wish to 781.Dq {!include} ~/.ppp.conf 782for compatibility with older versions of 783.Nm . 784.It 785A label name starts in the first column and is followed by 786a colon 787.Pq Dq \&: . 788.It 789A command line must contain a space or tab in the first column. 790.El 791.Pp 792The 793.Pa /etc/ppp/ppp.conf 794file should consist of at least a 795.Dq default 796section. 797This section is always executed. 798It should also contain 799one or more sections, named according to their purpose, for example, 800.Dq MyISP 801would represent your ISP, and 802.Dq ppp-in 803would represent an incoming 804.Nm 805configuration. 806You can now specify the destination label name when you invoke 807.Nm . 808Commands associated with the 809.Dq default 810label are executed, followed by those associated with the destination 811label provided. 812When 813.Nm 814is started with no arguments, the 815.Dq default 816section is still executed. 817The load command can be used to manually load a section from the 818.Pa /etc/ppp/ppp.conf 819file: 820.Bd -literal -offset indent 821ppp ON awfulhak> load MyISP 822.Ed 823.Pp 824Note, no action is taken by 825.Nm 826after a section is loaded, whether it's the result of passing a label on 827the command line or using the 828.Dq load 829command. 830Only the commands specified for that label in the configuration 831file are executed. 832However, when invoking 833.Nm 834with the 835.Fl background , 836.Fl ddial , 837or 838.Fl dedicated 839switches, the link mode tells 840.Nm 841to establish a connection. 842Refer to the 843.Dq set mode 844command below for further details. 845.Pp 846Once the connection is made, the 847.Sq ppp 848portion of the prompt will change to 849.Sq PPP : 850.Bd -literal -offset indent 851# ppp MyISP 852\&... 853ppp ON awfulhak> dial 854Ppp ON awfulhak> 855PPp ON awfulhak> 856PPP ON awfulhak> 857.Ed 858.Pp 859The Ppp prompt indicates that 860.Nm 861has entered the authentication phase. 862The PPp prompt indicates that 863.Nm 864has entered the network phase. 865The PPP prompt indicates that 866.Nm 867has successfully negotiated a network layer protocol and is in 868a usable state. 869.Pp 870If the 871.Pa /etc/ppp/ppp.linkup 872file is available, its contents are executed 873when the 874.Em PPP 875connection is established. 876See the provided 877.Dq pmdemand 878example in 879.Pa /usr/share/examples/ppp/ppp.conf.sample 880which runs a script in the background after the connection is established 881(refer to the 882.Dq shell 883and 884.Dq bg 885commands below for a description of possible substitution strings). 886Similarly, when a connection is closed, the contents of the 887.Pa /etc/ppp/ppp.linkdown 888file are executed. 889Both of these files have the same format as 890.Pa /etc/ppp/ppp.conf . 891.Pp 892In previous versions of 893.Nm , 894it was necessary to re-add routes such as the default route in the 895.Pa ppp.linkup 896file. 897.Nm 898supports 899.Sq sticky routes , 900where all routes that contain the 901.Dv HISADDR , 902.Dv MYADDR , 903.Dv HISADDR6 904or 905.Dv MYADDR6 906literals will automatically be updated when the values of these variables 907change. 908.Sh BACKGROUND DIALING 909If you want to establish a connection using 910.Nm 911non-interactively (such as from a 912.Xr crontab 5 913entry or an 914.Xr at 1 915job) you should use the 916.Fl background 917option. 918When 919.Fl background 920is specified, 921.Nm 922attempts to establish the connection immediately. 923If multiple phone 924numbers are specified, each phone number will be tried once. 925If the attempt fails, 926.Nm 927exits immediately with a non-zero exit code. 928If it succeeds, then 929.Nm 930becomes a daemon, and returns an exit status of zero to its caller. 931The daemon exits automatically if the connection is dropped by the 932remote system, or it receives a 933.Dv TERM 934signal. 935.Sh DIAL ON DEMAND 936Demand dialing is enabled with the 937.Fl auto 938or 939.Fl ddial 940options. 941You must also specify the destination label in 942.Pa /etc/ppp/ppp.conf 943to use. 944It must contain the 945.Dq set ifaddr 946command to {define} the remote peers IP address. 947(refer to 948.Pa /usr/share/examples/ppp/ppp.conf.sample ) 949.Bd -literal -offset indent 950# ppp -auto pmdemand 951.Ed 952.Pp 953When 954.Fl auto 955or 956.Fl ddial 957is specified, 958.Nm 959runs as a daemon but you can still configure or examine its 960configuration by using the 961.Dq set server 962command in 963.Pa /etc/ppp/ppp.conf , 964(for example, 965.Dq Li "set server +3000 mypasswd" ) 966and connecting to the diagnostic port as follows: 967.Bd -literal -offset indent 968# pppctl 3000 (assuming tun0) 969Password: 970PPP ON awfulhak> show who 971tcp (127.0.0.1:1028) * 972.Ed 973.Pp 974The 975.Dq show who 976command lists users that are currently connected to 977.Nm 978itself. 979If the diagnostic socket is closed or changed to a different 980socket, all connections are immediately dropped. 981.Pp 982In 983.Fl auto 984mode, when an outgoing packet is detected, 985.Nm 986will perform the dialing action (chat script) and try to connect 987with the peer. 988In 989.Fl ddial 990mode, the dialing action is performed any time the line is found 991to be down. 992If the connect fails, the default behaviour is to wait 30 seconds 993and then attempt to connect when another outgoing packet is detected. 994This behaviour can be changed using the 995.Dq set redial 996command: 997.Pp 998.No set redial Ar secs Ns Xo 999.Oo + Ns Ar inc Ns 1000.Op - Ns Ar max Ns 1001.Oc Ns Op . Ns Ar next 1002.Op Ar attempts 1003.Xc 1004.Pp 1005.Bl -tag -width attempts -compact 1006.It Ar secs 1007is the number of seconds to wait before attempting 1008to connect again. 1009If the argument is the literal string 1010.Sq Li random , 1011the delay period is a random value between 1 and 30 seconds inclusive. 1012.It Ar inc 1013is the number of seconds that 1014.Ar secs 1015should be incremented each time a new dial attempt is made. 1016The timeout reverts to 1017.Ar secs 1018only after a successful connection is established. 1019The default value for 1020.Ar inc 1021is zero. 1022.It Ar max 1023is the maximum number of times 1024.Nm 1025should increment 1026.Ar secs . 1027The default value for 1028.Ar max 1029is 10. 1030.It Ar next 1031is the number of seconds to wait before attempting 1032to dial the next number in a list of numbers (see the 1033.Dq set phone 1034command). 1035The default is 3 seconds. 1036Again, if the argument is the literal string 1037.Sq Li random , 1038the delay period is a random value between 1 and 30 seconds. 1039.It Ar attempts 1040is the maximum number of times to try to connect for each outgoing packet 1041that triggers a dial. 1042The previous value is unchanged if this parameter is omitted. 1043If a value of zero is specified for 1044.Ar attempts , 1045.Nm 1046will keep trying until a connection is made. 1047.El 1048.Pp 1049So, for example: 1050.Bd -literal -offset indent 1051set redial 10.3 4 1052.Ed 1053.Pp 1054will attempt to connect 4 times for each outgoing packet that causes 1055a dial attempt with a 3 second delay between each number and a 10 second 1056delay after all numbers have been tried. 1057If multiple phone numbers 1058are specified, the total number of attempts is still 4 (it does not 1059attempt each number 4 times). 1060.Pp 1061Alternatively, 1062.Bd -literal -offset indent 1063set redial 10+10-5.3 20 1064.Ed 1065.Pp 1066tells 1067.Nm 1068to attempt to connect 20 times. 1069After the first attempt, 1070.Nm 1071pauses for 10 seconds. 1072After the next attempt it pauses for 20 seconds 1073and so on until after the sixth attempt it pauses for 1 minute. 1074The next 14 pauses will also have a duration of one minute. 1075If 1076.Nm 1077connects, disconnects and fails to connect again, the timeout starts again 1078at 10 seconds. 1079.Pp 1080Modifying the dial delay is very useful when running 1081.Nm 1082in 1083.Fl auto 1084mode on both ends of the link. 1085If each end has the same timeout, 1086both ends wind up calling each other at the same time if the link 1087drops and both ends have packets queued. 1088At some locations, the serial link may not be reliable, and carrier 1089may be lost at inappropriate times. 1090It is possible to have 1091.Nm 1092redial should carrier be unexpectedly lost during a session. 1093.Bd -literal -offset indent 1094set reconnect timeout ntries 1095.Ed 1096.Pp 1097This command tells 1098.Nm 1099to re-establish the connection 1100.Ar ntries 1101times on loss of carrier with a pause of 1102.Ar timeout 1103seconds before each try. 1104For example, 1105.Bd -literal -offset indent 1106set reconnect 3 5 1107.Ed 1108.Pp 1109tells 1110.Nm 1111that on an unexpected loss of carrier, it should wait 1112.Ar 3 1113seconds before attempting to reconnect. 1114This may happen up to 1115.Ar 5 1116times before 1117.Nm 1118gives up. 1119The default value of ntries is zero (no reconnect). 1120Care should be taken with this option. 1121If the local timeout is slightly 1122longer than the remote timeout, the reconnect feature will always be 1123triggered (up to the given number of times) after the remote side 1124times out and hangs up. 1125NOTE: In this context, losing too many LQRs constitutes a loss of 1126carrier and will trigger a reconnect. 1127If the 1128.Fl background 1129flag is specified, all phone numbers are dialed at most once until 1130a connection is made. 1131The next number redial period specified with the 1132.Dq set redial 1133command is honoured, as is the reconnect tries value. 1134If your redial 1135value is less than the number of phone numbers specified, not all 1136the specified numbers will be tried. 1137To terminate the program, type 1138.Bd -literal -offset indent 1139PPP ON awfulhak> close 1140ppp ON awfulhak> quit all 1141.Ed 1142.Pp 1143A simple 1144.Dq quit 1145command will terminate the 1146.Xr pppctl 8 1147or 1148.Xr telnet 1 1149connection but not the 1150.Nm 1151program itself. 1152You must use 1153.Dq quit all 1154to terminate 1155.Nm 1156as well. 1157.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1158To handle an incoming 1159.Em PPP 1160connection request, follow these steps: 1161.Bl -enum 1162.It 1163Make sure the modem and (optionally) 1164.Pa /etc/rc.d/serial 1165is configured correctly. 1166.Bl -bullet -compact 1167.It 1168Use Hardware Handshake (CTS/RTS) for flow control. 1169.It 1170Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1171.El 1172.It 1173Edit 1174.Pa /etc/ttys 1175to enable a 1176.Xr getty 8 1177on the port where the modem is attached. 1178For example: 1179.Pp 1180.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1181.Pp 1182Don't forget to send a 1183.Dv HUP 1184signal to the 1185.Xr init 8 1186process to start the 1187.Xr getty 8 : 1188.Pp 1189.Dl # kill -HUP 1 1190.Pp 1191It is usually also necessary to train your modem to the same DTR speed 1192as the getty: 1193.Bd -literal -offset indent 1194# ppp 1195ppp ON awfulhak> set device /dev/cuaa1 1196ppp ON awfulhak> set speed 38400 1197ppp ON awfulhak> term 1198deflink: Entering terminal mode on /dev/cuaa1 1199Type `~?' for help 1200at 1201OK 1202at 1203OK 1204atz 1205OK 1206at 1207OK 1208~. 1209ppp ON awfulhak> quit 1210.Ed 1211.It 1212Create a 1213.Pa /usr/local/bin/ppplogin 1214file with the following contents: 1215.Bd -literal -offset indent 1216#! /bin/sh 1217exec /usr/sbin/ppp -direct incoming 1218.Ed 1219.Pp 1220Direct mode 1221.Pq Fl direct 1222lets 1223.Nm 1224work with stdin and stdout. 1225You can also use 1226.Xr pppctl 8 1227to connect to a configured diagnostic port, in the same manner as with 1228client-side 1229.Nm . 1230.Pp 1231Here, the 1232.Ar incoming 1233section must be set up in 1234.Pa /etc/ppp/ppp.conf . 1235.Pp 1236Make sure that the 1237.Ar incoming 1238section contains the 1239.Dq allow users 1240command as appropriate. 1241.It 1242Prepare an account for the incoming user. 1243.Bd -literal 1244ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1245.Ed 1246.Pp 1247Refer to the manual entries for 1248.Xr adduser 8 1249and 1250.Xr vipw 8 1251for details. 1252.It 1253Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1254can be enabled using the 1255.Dq accept dns 1256and 1257.Dq set nbns 1258commands. 1259Refer to their descriptions below. 1260.El 1261.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1262This method differs in that we use 1263.Nm 1264to authenticate the connection rather than 1265.Xr login 1 : 1266.Bl -enum 1267.It 1268Configure your default section in 1269.Pa /etc/gettytab 1270with automatic ppp recognition by specifying the 1271.Dq pp 1272capability: 1273.Bd -literal 1274default:\\ 1275 :pp=/usr/local/bin/ppplogin:\\ 1276 ..... 1277.Ed 1278.It 1279Configure your serial device(s), enable a 1280.Xr getty 8 1281and create 1282.Pa /usr/local/bin/ppplogin 1283as in the first three steps for method 1 above. 1284.It 1285Add either 1286.Dq enable chap 1287or 1288.Dq enable pap 1289(or both) 1290to 1291.Pa /etc/ppp/ppp.conf 1292under the 1293.Sq incoming 1294label (or whatever label 1295.Pa ppplogin 1296uses). 1297.It 1298Create an entry in 1299.Pa /etc/ppp/ppp.secret 1300for each incoming user: 1301.Bd -literal 1302Pfred<TAB>xxxx 1303Pgeorge<TAB>yyyy 1304.Ed 1305.El 1306.Pp 1307Now, as soon as 1308.Xr getty 8 1309detects a ppp connection (by recognising the HDLC frame headers), it runs 1310.Dq /usr/local/bin/ppplogin . 1311.Pp 1312It is 1313.Em VITAL 1314that either PAP or CHAP are enabled as above. 1315If they are not, you are 1316allowing anybody to establish a ppp session with your machine 1317.Em without 1318a password, opening yourself up to all sorts of potential attacks. 1319.Sh AUTHENTICATING INCOMING CONNECTIONS 1320Normally, the receiver of a connection requires that the peer 1321authenticates itself. 1322This may be done using 1323.Xr login 1 , 1324but alternatively, you can use PAP or CHAP. 1325CHAP is the more secure of the two, but some clients may not support it. 1326Once you decide which you wish to use, add the command 1327.Sq enable chap 1328or 1329.Sq enable pap 1330to the relevant section of 1331.Pa ppp.conf . 1332.Pp 1333You must then configure the 1334.Pa /etc/ppp/ppp.secret 1335file. 1336This file contains one line per possible client, each line 1337containing up to five fields: 1338.Pp 1339.Ar name Ar key Oo 1340.Ar hisaddr Op Ar label Op Ar callback-number 1341.Oc 1342.Pp 1343The 1344.Ar name 1345and 1346.Ar key 1347specify the client username and password. 1348If 1349.Ar key 1350is 1351.Dq \&* 1352and PAP is being used, 1353.Nm 1354will look up the password database 1355.Pq Xr passwd 5 1356when authenticating. 1357If the client does not offer a suitable response based on any 1358.Ar name Ns No / Ns Ar key 1359combination in 1360.Pa ppp.secret , 1361authentication fails. 1362.Pp 1363If authentication is successful, 1364.Ar hisaddr 1365(if specified) 1366is used when negotiating IP numbers. 1367See the 1368.Dq set ifaddr 1369command for details. 1370.Pp 1371If authentication is successful and 1372.Ar label 1373is specified, the current system label is changed to match the given 1374.Ar label . 1375This will change the subsequent parsing of the 1376.Pa ppp.linkup 1377and 1378.Pa ppp.linkdown 1379files. 1380.Pp 1381If authentication is successful and 1382.Ar callback-number 1383is specified and 1384.Dq set callback 1385has been used in 1386.Pa ppp.conf , 1387the client will be called back on the given number. 1388If CBCP is being used, 1389.Ar callback-number 1390may also contain a list of numbers or a 1391.Dq \&* , 1392as if passed to the 1393.Dq set cbcp 1394command. 1395The value will be used in 1396.Nm Ns No 's 1397subsequent CBCP phase. 1398.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1399Instead of running 1400.Nm 1401over a serial link, it is possible to 1402use a TCP connection instead by specifying the host, port and protocol as the 1403device: 1404.Pp 1405.Dl set device ui-gate:6669/tcp 1406.Pp 1407Instead of opening a serial device, 1408.Nm 1409will open a TCP connection to the given machine on the given 1410socket. 1411It should be noted however that 1412.Nm 1413doesn't use the telnet protocol and will be unable to negotiate 1414with a telnet server. 1415You should set up a port for receiving this 1416.Em PPP 1417connection on the receiving machine (ui-gate). 1418This is done by first updating 1419.Pa /etc/services 1420to name the service: 1421.Pp 1422.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1423.Pp 1424and updating 1425.Pa /etc/inetd.conf 1426to tell 1427.Xr inetd 8 1428how to deal with incoming connections on that port: 1429.Pp 1430.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1431.Pp 1432Don't forget to send a 1433.Dv HUP 1434signal to 1435.Xr inetd 8 1436after you've updated 1437.Pa /etc/inetd.conf . 1438Here, we use a label named 1439.Dq ppp-in . 1440The entry in 1441.Pa /etc/ppp/ppp.conf 1442on ui-gate (the receiver) should contain the following: 1443.Bd -literal -offset indent 1444ppp-in: 1445 set timeout 0 1446 set ifaddr 10.0.4.1 10.0.4.2 1447.Ed 1448.Pp 1449and the entry in 1450.Pa /etc/ppp/ppp.linkup 1451should contain: 1452.Bd -literal -offset indent 1453ppp-in: 1454 add 10.0.1.0/24 HISADDR 1455.Ed 1456.Pp 1457It is necessary to put the 1458.Dq add 1459command in 1460.Pa ppp.linkup 1461to ensure that the route is only added after 1462.Nm 1463has negotiated and assigned addresses to its interface. 1464.Pp 1465You may also want to enable PAP or CHAP for security. 1466To enable PAP, add the following line: 1467.Bd -literal -offset indent 1468 enable PAP 1469.Ed 1470.Pp 1471You'll also need to create the following entry in 1472.Pa /etc/ppp/ppp.secret : 1473.Bd -literal -offset indent 1474MyAuthName MyAuthPasswd 1475.Ed 1476.Pp 1477If 1478.Ar MyAuthPasswd 1479is a 1480.Dq * , 1481the password is looked up in the 1482.Xr passwd 5 1483database. 1484.Pp 1485The entry in 1486.Pa /etc/ppp/ppp.conf 1487on awfulhak (the initiator) should contain the following: 1488.Bd -literal -offset indent 1489ui-gate: 1490 set escape 0xff 1491 set device ui-gate:ppp-in/tcp 1492 set dial 1493 set timeout 30 1494 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1495 set ifaddr 10.0.4.2 10.0.4.1 1496.Ed 1497.Pp 1498with the route setup in 1499.Pa /etc/ppp/ppp.linkup : 1500.Bd -literal -offset indent 1501ui-gate: 1502 add 10.0.2.0/24 HISADDR 1503.Ed 1504.Pp 1505Again, if you're enabling PAP, you'll also need this in the 1506.Pa /etc/ppp/ppp.conf 1507profile: 1508.Bd -literal -offset indent 1509 set authname MyAuthName 1510 set authkey MyAuthKey 1511.Ed 1512.Pp 1513We're assigning the address of 10.0.4.1 to ui-gate, and the address 151410.0.4.2 to awfulhak. 1515To open the connection, just type 1516.Pp 1517.Dl awfulhak # ppp -background ui-gate 1518.Pp 1519The result will be an additional "route" on awfulhak to the 152010.0.2.0/24 network via the TCP connection, and an additional 1521"route" on ui-gate to the 10.0.1.0/24 network. 1522The networks are effectively bridged - the underlying TCP 1523connection may be across a public network (such as the 1524Internet), and the 1525.Em PPP 1526traffic is conceptually encapsulated 1527(although not packet by packet) inside the TCP stream between 1528the two gateways. 1529.Pp 1530The major disadvantage of this mechanism is that there are two 1531"guaranteed delivery" mechanisms in place - the underlying TCP 1532stream and whatever protocol is used over the 1533.Em PPP 1534link - probably TCP again. 1535If packets are lost, both levels will 1536get in each others way trying to negotiate sending of the missing 1537packet. 1538.Pp 1539To avoid this overhead, it is also possible to do all this using 1540UDP instead of TCP as the transport by simply changing the protocol 1541from "tcp" to "udp". 1542When using UDP as a transport, 1543.Nm 1544will operate in synchronous mode. 1545This is another gain as the incoming 1546data does not have to be rearranged into packets. 1547.Pp 1548Care should be taken when adding a default route through a tunneled 1549setup like this. 1550It is quite common for the default route 1551(added in 1552.Pa /etc/ppp/ppp.linkup ) 1553to end up routing the link's TCP connection through the tunnel, 1554effectively garrotting the connection. 1555To avoid this, make sure you add a static route for the benefit of 1556the link: 1557.Bd -literal -offset indent 1558ui-gate: 1559 set escape 0xff 1560 set device ui-gate:ppp-in/tcp 1561 add ui-gate x.x.x.x 1562 ..... 1563.Ed 1564.Pp 1565where 1566.Dq x.x.x.x 1567is the IP number that your route to 1568.Dq ui-gate 1569would normally use. 1570.Pp 1571When routing your connection across a public network such as the Internet, 1572it is preferable to encrypt the data. 1573This can be done with the help of the MPPE protocol, although currently this 1574means that you will not be able to also compress the traffic as MPPE is 1575implemented as a compression layer (thank Microsoft for this). 1576To enable MPPE encryption, add the following lines to 1577.Pa /etc/ppp/ppp.conf 1578on the server: 1579.Bd -literal -offset indent 1580 enable MSCHAPv2 1581 disable deflate pred1 1582 deny deflate pred1 1583.Ed 1584.Pp 1585ensuring that you've put the requisite entry in 1586.Pa /etc/ppp/ppp.secret 1587(MSCHAPv2 is challenge based, so 1588.Xr passwd 5 1589cannot be used) 1590.Pp 1591MSCHAPv2 and MPPE are accepted by default, so the client end should work 1592without any additional changes (although ensure you have 1593.Dq set authname 1594and 1595.Dq set authkey 1596in your profile). 1597.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1598The 1599.Fl nat 1600command line option enables network address translation (a.k.a. packet 1601aliasing). 1602This allows the 1603.Nm 1604host to act as a masquerading gateway for other computers over 1605a local area network. 1606Outgoing IP packets are NAT'd so that they appear to come from the 1607.Nm 1608host, and incoming packets are de-NAT'd so that they are routed 1609to the correct machine on the local area network. 1610NAT allows computers on private, unregistered subnets to have Internet 1611access, although they are invisible from the outside world. 1612In general, correct 1613.Nm 1614operation should first be verified with network address translation disabled. 1615Then, the 1616.Fl nat 1617option should be switched on, and network applications (web browser, 1618.Xr telnet 1 , 1619.Xr ftp 1 , 1620.Xr ping 8 , 1621.Xr traceroute 8 ) 1622should be checked on the 1623.Nm 1624host. 1625Finally, the same or similar applications should be checked on other 1626computers in the LAN. 1627If network applications work correctly on the 1628.Nm 1629host, but not on other machines in the LAN, then the masquerading 1630software is working properly, but the host is either not forwarding 1631or possibly receiving IP packets. 1632Check that IP forwarding is enabled in 1633.Pa /etc/rc.conf 1634and that other machines have designated the 1635.Nm 1636host as the gateway for the LAN. 1637.Sh PACKET FILTERING 1638This implementation supports packet filtering. 1639There are four kinds of 1640filters: the 1641.Em in 1642filter, the 1643.Em out 1644filter, the 1645.Em dial 1646filter and the 1647.Em alive 1648filter. 1649Here are the basics: 1650.Bl -bullet 1651.It 1652A filter definition has the following syntax: 1653.Pp 1654set filter 1655.Ar name 1656.Ar rule-no 1657.Ar action 1658.Op !\& 1659.Oo 1660.Op host 1661.Ar src_addr Ns Op / Ns Ar width 1662.Op Ar dst_addr Ns Op / Ns Ar width 1663.Oc 1664.Ar [ proto Op src Ar cmp port 1665.Op dst Ar cmp port 1666.Op estab 1667.Op syn 1668.Op finrst 1669.Op timeout Ar secs ] 1670.Bl -enum 1671.It 1672.Ar Name 1673should be one of 1674.Sq in , 1675.Sq out , 1676.Sq dial 1677or 1678.Sq alive . 1679.It 1680.Ar Rule-no 1681is a numeric value between 1682.Sq 0 1683and 1684.Sq 39 1685specifying the rule number. 1686Rules are specified in numeric order according to 1687.Ar rule-no , 1688but only if rule 1689.Sq 0 1690is defined. 1691.It 1692.Ar Action 1693may be specified as 1694.Sq permit 1695or 1696.Sq deny , 1697in which case, if a given packet matches the rule, the associated action 1698is taken immediately. 1699.Ar Action 1700can also be specified as 1701.Sq clear 1702to clear the action associated with that particular rule, or as a new 1703rule number greater than the current rule. 1704In this case, if a given 1705packet matches the current rule, the packet will next be matched against 1706the new rule number (rather than the next rule number). 1707.Pp 1708The 1709.Ar action 1710may optionally be followed with an exclamation mark 1711.Pq Dq !\& , 1712telling 1713.Nm 1714to reverse the sense of the following match. 1715.It 1716.Op Ar src_addr Ns Op / Ns Ar width 1717and 1718.Op Ar dst_addr Ns Op / Ns Ar width 1719are the source and destination IP number specifications. 1720If 1721.Op / Ns Ar width 1722is specified, it gives the number of relevant netmask bits, 1723allowing the specification of an address range. 1724.Pp 1725Either 1726.Ar src_addr 1727or 1728.Ar dst_addr 1729may be given the values 1730.Dv MYADDR , 1731.Dv HISADDR , 1732.Dv MYADDR6 1733or 1734.Dv HISADDR6 1735(refer to the description of the 1736.Dq bg 1737command for a description of these values). 1738When these values are used, 1739the filters will be updated any time the values change. 1740This is similar to the behaviour of the 1741.Dq add 1742command below. 1743.It 1744.Ar Proto 1745may be any protocol from 1746.Xr protocols 5 . 1747.It 1748.Ar Cmp 1749is one of 1750.Sq \< , 1751.Sq \&eq 1752or 1753.Sq \> , 1754meaning less-than, equal and greater-than respectively. 1755.Ar Port 1756can be specified as a numeric port or by service name from 1757.Pa /etc/services . 1758.It 1759The 1760.Sq estab , 1761.Sq syn , 1762and 1763.Sq finrst 1764flags are only allowed when 1765.Ar proto 1766is set to 1767.Sq tcp , 1768and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1769.It 1770The timeout value adjusts the current idle timeout to at least 1771.Ar secs 1772seconds. 1773If a timeout is given in the alive filter as well as in the in/out 1774filter, the in/out value is used. 1775If no timeout is given, the default timeout (set using 1776.Ic set timeout 1777and defaulting to 180 seconds) is used. 1778.El 1779.It 1780Each filter can hold up to 40 rules, starting from rule 0. 1781The entire rule set is not effective until rule 0 is defined, 1782i.e., the default is to allow everything through. 1783.It 1784If no rule in a defined set of rules matches a packet, that packet will 1785be discarded (blocked). 1786If there are no rules in a given filter, the packet will be permitted. 1787.It 1788It's possible to filter based on the payload of UDP frames where those 1789frames contain a 1790.Em PROTO_IP 1791.Em PPP 1792frame header. 1793See the 1794.Ar filter-decapsulation 1795option below for further details. 1796.It 1797Use 1798.Dq set filter Ar name No -1 1799to flush all rules. 1800.El 1801.Pp 1802See 1803.Pa /usr/share/examples/ppp/ppp.conf.sample . 1804.Sh SETTING THE IDLE TIMER 1805To check/set the idle timer, use the 1806.Dq show bundle 1807and 1808.Dq set timeout 1809commands: 1810.Bd -literal -offset indent 1811ppp ON awfulhak> set timeout 600 1812.Ed 1813.Pp 1814The timeout period is measured in seconds, the default value for which 1815is 180 seconds 1816(or 3 min). 1817To disable the idle timer function, use the command 1818.Bd -literal -offset indent 1819ppp ON awfulhak> set timeout 0 1820.Ed 1821.Pp 1822In 1823.Fl ddial 1824and 1825.Fl dedicated 1826modes, the idle timeout is ignored. 1827In 1828.Fl auto 1829mode, when the idle timeout causes the 1830.Em PPP 1831session to be 1832closed, the 1833.Nm 1834program itself remains running. 1835Another trigger packet will cause it to attempt to re-establish the link. 1836.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1837.Nm 1838supports both Predictor type 1 and deflate compression. 1839By default, 1840.Nm 1841will attempt to use (or be willing to accept) both compression protocols 1842when the peer agrees 1843(or requests them). 1844The deflate protocol is preferred by 1845.Nm . 1846Refer to the 1847.Dq disable 1848and 1849.Dq deny 1850commands if you wish to disable this functionality. 1851.Pp 1852It is possible to use a different compression algorithm in each direction 1853by using only one of 1854.Dq disable deflate 1855and 1856.Dq deny deflate 1857(assuming that the peer supports both algorithms). 1858.Pp 1859By default, when negotiating DEFLATE, 1860.Nm 1861will use a window size of 15. 1862Refer to the 1863.Dq set deflate 1864command if you wish to change this behaviour. 1865.Pp 1866A special algorithm called DEFLATE24 is also available, and is disabled 1867and denied by default. 1868This is exactly the same as DEFLATE except that 1869it uses CCP ID 24 to negotiate. 1870This allows 1871.Nm 1872to successfully negotiate DEFLATE with 1873.Nm pppd 1874version 2.3.*. 1875.Sh CONTROLLING IP ADDRESS 1876For IPv4, 1877.Nm 1878uses IPCP to negotiate IP addresses. 1879Each side of the connection 1880specifies the IP address that it's willing to use, and if the requested 1881IP address is acceptable then 1882.Nm 1883returns an ACK to the requester. 1884Otherwise, 1885.Nm 1886returns NAK to suggest that the peer use a different IP address. 1887When 1888both sides of the connection agree to accept the received request (and 1889send an ACK), IPCP is set to the open state and a network level connection 1890is established. 1891To control this IPCP behaviour, this implementation has the 1892.Dq set ifaddr 1893command for defining the local and remote IP address: 1894.Bd -ragged -offset indent 1895.No set ifaddr Oo Ar src_addr Ns 1896.Op / Ns Ar \&nn 1897.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1898.Oo Ar netmask 1899.Op Ar trigger_addr 1900.Oc 1901.Oc 1902.Oc 1903.Ed 1904.Pp 1905where, 1906.Sq src_addr 1907is the IP address that the local side is willing to use, 1908.Sq dst_addr 1909is the IP address which the remote side should use and 1910.Sq netmask 1911is the netmask that should be used. 1912.Sq Src_addr 1913defaults to the current 1914.Xr hostname 1 , 1915.Sq dst_addr 1916defaults to 0.0.0.0, and 1917.Sq netmask 1918defaults to whatever mask is appropriate for 1919.Sq src_addr . 1920It is only possible to make 1921.Sq netmask 1922smaller than the default. 1923The usual value is 255.255.255.255, as 1924most kernels ignore the netmask of a POINTOPOINT interface. 1925.Pp 1926Some incorrect 1927.Em PPP 1928implementations require that the peer negotiates a specific IP 1929address instead of 1930.Sq src_addr . 1931If this is the case, 1932.Sq trigger_addr 1933may be used to specify this IP number. 1934This will not affect the 1935routing table unless the other side agrees with this proposed number. 1936.Bd -literal -offset indent 1937set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1938.Ed 1939.Pp 1940The above specification means: 1941.Pp 1942.Bl -bullet -compact 1943.It 1944I will first suggest that my IP address should be 0.0.0.0, but I 1945will only accept an address of 192.244.177.38. 1946.It 1947I strongly insist that the peer uses 192.244.177.2 as his own 1948address and won't permit the use of any IP address but 192.244.177.2. 1949When the peer requests another IP address, I will always suggest that 1950it uses 192.244.177.2. 1951.It 1952The routing table entry will have a netmask of 0xffffffff. 1953.El 1954.Pp 1955This is all fine when each side has a pre-determined IP address, however 1956it is often the case that one side is acting as a server which controls 1957all IP addresses and the other side should go along with it. 1958In order to allow more flexible behaviour, the 1959.Dq set ifaddr 1960command allows the user to specify IP addresses more loosely: 1961.Pp 1962.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1963.Pp 1964A number followed by a slash 1965.Pq Dq / 1966represents the number of bits significant in the IP address. 1967The above example means: 1968.Pp 1969.Bl -bullet -compact 1970.It 1971I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1972also accept any IP address between 192.244.177.0 and 192.244.177.255. 1973.It 1974I'd like to make him use 192.244.177.2 as his own address, but I'll also 1975permit him to use any IP address between 192.244.176.0 and 1976192.244.191.255. 1977.It 1978As you may have already noticed, 192.244.177.2 is equivalent to saying 1979192.244.177.2/32. 1980.It 1981As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 1982preferred IP address and will obey the remote peers selection. 1983When using zero, no routing table entries will be made until a connection 1984is established. 1985.It 1986192.244.177.2/0 means that I'll accept/permit any IP address but I'll 1987suggest that 192.244.177.2 be used first. 1988.El 1989.Pp 1990When negotiating IPv6 addresses, no control is given to the user. 1991IPV6CP negotiation is fully automatic. 1992.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 1993The following steps should be taken when connecting to your ISP: 1994.Bl -enum 1995.It 1996Describe your providers phone number(s) in the dial script using the 1997.Dq set phone 1998command. 1999This command allows you to set multiple phone numbers for 2000dialing and redialing separated by either a pipe 2001.Pq Dq \&| 2002or a colon 2003.Pq Dq \&: : 2004.Bd -ragged -offset indent 2005.No set phone Ar telno Ns Xo 2006.Oo \&| Ns Ar backupnumber 2007.Oc Ns ... Ns Oo : Ns Ar nextnumber 2008.Oc Ns ... 2009.Xc 2010.Ed 2011.Pp 2012Numbers after the first in a pipe-separated list are only used if the 2013previous number was used in a failed dial or login script. 2014Numbers 2015separated by a colon are used sequentially, irrespective of what happened 2016as a result of using the previous number. 2017For example: 2018.Bd -literal -offset indent 2019set phone "1234567|2345678:3456789|4567890" 2020.Ed 2021.Pp 2022Here, the 1234567 number is attempted. 2023If the dial or login script fails, 2024the 2345678 number is used next time, but *only* if the dial or login script 2025fails. 2026On the dial after this, the 3456789 number is used. 2027The 4567890 2028number is only used if the dial or login script using the 3456789 fails. 2029If the login script of the 2345678 number fails, the next number is still the 20303456789 number. 2031As many pipes and colons can be used as are necessary 2032(although a given site would usually prefer to use either the pipe or the 2033colon, but not both). 2034The next number redial timeout is used between all numbers. 2035When the end of the list is reached, the normal redial period is 2036used before starting at the beginning again. 2037The selected phone number is substituted for the \\\\T string in the 2038.Dq set dial 2039command (see below). 2040.It 2041Set up your redial requirements using 2042.Dq set redial . 2043For example, if you have a bad telephone line or your provider is 2044usually engaged (not so common these days), you may want to specify 2045the following: 2046.Bd -literal -offset indent 2047set redial 10 4 2048.Ed 2049.Pp 2050This says that up to 4 phone calls should be attempted with a pause of 10 2051seconds before dialing the first number again. 2052.It 2053Describe your login procedure using the 2054.Dq set dial 2055and 2056.Dq set login 2057commands. 2058The 2059.Dq set dial 2060command is used to talk to your modem and establish a link with your 2061ISP, for example: 2062.Bd -literal -offset indent 2063set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2064 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2065.Ed 2066.Pp 2067This modem "chat" string means: 2068.Bl -bullet 2069.It 2070Abort if the string "BUSY" or "NO CARRIER" are received. 2071.It 2072Set the timeout to 4 seconds. 2073.It 2074Expect nothing. 2075.It 2076Send ATZ. 2077.It 2078Expect OK. 2079If that's not received within the 4 second timeout, send ATZ 2080and expect OK. 2081.It 2082Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2083above. 2084.It 2085Set the timeout to 60. 2086.It 2087Wait for the CONNECT string. 2088.El 2089.Pp 2090Once the connection is established, the login script is executed. 2091This script is written in the same style as the dial script, but care should 2092be taken to avoid having your password logged: 2093.Bd -literal -offset indent 2094set authkey MySecret 2095set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2096 word: \\\\P ocol: PPP HELLO" 2097.Ed 2098.Pp 2099This login "chat" string means: 2100.Bl -bullet 2101.It 2102Set the timeout to 15 seconds. 2103.It 2104Expect "login:". 2105If it's not received, send a carriage return and expect 2106"login:" again. 2107.It 2108Send "awfulhak" 2109.It 2110Expect "word:" (the tail end of a "Password:" prompt). 2111.It 2112Send whatever our current 2113.Ar authkey 2114value is set to. 2115.It 2116Expect "ocol:" (the tail end of a "Protocol:" prompt). 2117.It 2118Send "PPP". 2119.It 2120Expect "HELLO". 2121.El 2122.Pp 2123The 2124.Dq set authkey 2125command is logged specially. 2126When 2127.Ar command 2128or 2129.Ar chat 2130logging is enabled, the actual password is not logged; 2131.Sq ******** 2132is logged instead. 2133.Pp 2134Login scripts vary greatly between ISPs. 2135If you're setting one up for the first time, 2136.Em ENABLE CHAT LOGGING 2137so that you can see if your script is behaving as you expect. 2138.It 2139Use 2140.Dq set device 2141and 2142.Dq set speed 2143to specify your serial line and speed, for example: 2144.Bd -literal -offset indent 2145set device /dev/cuaa0 2146set speed 115200 2147.Ed 2148.Pp 2149Cuaa0 is the first serial port on 2150.Dx . 2151If you're running 2152.Nm 2153on 2154.Ox , 2155cua00 is the first. 2156A speed of 115200 should be specified 2157if you have a modem capable of bit rates of 28800 or more. 2158In general, the serial speed should be about four times the modem speed. 2159.It 2160Use the 2161.Dq set ifaddr 2162command to {define} the IP address. 2163.Bl -bullet 2164.It 2165If you know what IP address your provider uses, then use it as the remote 2166address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2167.It 2168If your provider has assigned a particular IP address to you, then use 2169it as your address (src_addr). 2170.It 2171If your provider assigns your address dynamically, choose a suitably 2172unobtrusive and unspecific IP number as your address. 217310.0.0.1/0 would be appropriate. 2174The bit after the / specifies how many bits of the 2175address you consider to be important, so if you wanted to insist on 2176something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2177.It 2178If you find that your ISP accepts the first IP number that you suggest, 2179specify third and forth arguments of 2180.Dq 0.0.0.0 . 2181This will force your ISP to assign a number. 2182(The third argument will 2183be ignored as it is less restrictive than the default mask for your 2184.Sq src_addr ) . 2185.El 2186.Pp 2187An example for a connection where you don't know your IP number or your 2188ISPs IP number would be: 2189.Bd -literal -offset indent 2190set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2191.Ed 2192.It 2193In most cases, your ISP will also be your default router. 2194If this is the case, add the line 2195.Bd -literal -offset indent 2196add default HISADDR 2197.Ed 2198.Pp 2199to 2200.Pa /etc/ppp/ppp.conf 2201(or to 2202.Pa /etc/ppp/ppp.linkup 2203for setups that don't use 2204.Fl auto 2205mode). 2206.Pp 2207This tells 2208.Nm 2209to add a default route to whatever the peer address is 2210(10.0.0.2 in this example). 2211This route is 2212.Sq sticky , 2213meaning that should the value of 2214.Dv HISADDR 2215change, the route will be updated accordingly. 2216.It 2217If your provider requests that you use PAP/CHAP authentication methods, add 2218the next lines to your 2219.Pa /etc/ppp/ppp.conf 2220file: 2221.Bd -literal -offset indent 2222set authname MyName 2223set authkey MyPassword 2224.Ed 2225.Pp 2226Both are accepted by default, so 2227.Nm 2228will provide whatever your ISP requires. 2229.Pp 2230It should be noted that a login script is rarely (if ever) required 2231when PAP or CHAP are in use. 2232.It 2233Ask your ISP to authenticate your nameserver address(es) with the line 2234.Bd -literal -offset indent 2235enable dns 2236.Ed 2237.Pp 2238Do 2239.Em NOT 2240do this if you are running a local DNS unless you also either use 2241.Dq resolv readonly 2242or have 2243.Dq resolv restore 2244in 2245.Pa /etc/ppp/ppp.linkdown , 2246as 2247.Nm 2248will simply circumvent its use by entering some nameserver lines in 2249.Pa /etc/resolv.conf . 2250.El 2251.Pp 2252Please refer to 2253.Pa /usr/share/examples/ppp/ppp.conf.sample 2254and 2255.Pa /usr/share/examples/ppp/ppp.linkup.sample 2256for some real examples. 2257The pmdemand label should be appropriate for most ISPs. 2258.Sh LOGGING FACILITY 2259.Nm 2260is able to generate the following log info either via 2261.Xr syslog 3 2262or directly to the screen: 2263.Pp 2264.Bl -tag -width XXXXXXXXX -offset XXX -compact 2265.It Li All 2266Enable all logging facilities. 2267This generates a lot of log. 2268The most common use of 'all' is as a basis, where you remove some facilities 2269after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2270.It Li Async 2271Dump async level packet in hex. 2272.It Li CBCP 2273Generate CBCP (CallBack Control Protocol) logs. 2274.It Li CCP 2275Generate a CCP packet trace. 2276.It Li Chat 2277Generate 2278.Sq dial , 2279.Sq login , 2280.Sq logout 2281and 2282.Sq hangup 2283chat script trace logs. 2284.It Li Command 2285Log commands executed either from the command line or any of the configuration 2286files. 2287.It Li Connect 2288Log Chat lines containing the string "CONNECT". 2289.It Li Debug 2290Log debug information. 2291.It Li DNS 2292Log DNS QUERY packets. 2293.It Li Filter 2294Log packets permitted by the dial filter and denied by any filter. 2295.It Li HDLC 2296Dump HDLC packet in hex. 2297.It Li ID0 2298Log all function calls specifically made as user id 0. 2299.It Li IPCP 2300Generate an IPCP packet trace. 2301.It Li LCP 2302Generate an LCP packet trace. 2303.It Li LQM 2304Generate LQR reports. 2305.It Li Phase 2306Phase transition log output. 2307.It Li Physical 2308Dump physical level packet in hex. 2309.It Li Sync 2310Dump sync level packet in hex. 2311.It Li TCP/IP 2312Dump all TCP/IP packets. 2313.It Li Timer 2314Log timer manipulation. 2315.It Li TUN 2316Include the tun device on each log line. 2317.It Li Warning 2318Output to the terminal device. 2319If there is currently no terminal, 2320output is sent to the log file using syslogs 2321.Dv LOG_WARNING . 2322.It Li Error 2323Output to both the terminal device 2324and the log file using syslogs 2325.Dv LOG_ERROR . 2326.It Li Alert 2327Output to the log file using 2328.Dv LOG_ALERT . 2329.El 2330.Pp 2331The 2332.Dq set log 2333command allows you to set the logging output level. 2334Multiple levels can be specified on a single command line. 2335The default is equivalent to 2336.Dq set log Phase . 2337.Pp 2338It is also possible to log directly to the screen. 2339The syntax is the same except that the word 2340.Dq local 2341should immediately follow 2342.Dq set log . 2343The default is 2344.Dq set log local 2345(i.e., only the un-maskable warning, error and alert output). 2346.Pp 2347If The first argument to 2348.Dq set log Op local 2349begins with a 2350.Sq + 2351or a 2352.Sq - 2353character, the current log levels are 2354not cleared, for example: 2355.Bd -literal -offset indent 2356PPP ON awfulhak> set log phase 2357PPP ON awfulhak> show log 2358Log: Phase Warning Error Alert 2359Local: Warning Error Alert 2360PPP ON awfulhak> set log +tcp/ip -warning 2361PPP ON awfulhak> set log local +command 2362PPP ON awfulhak> show log 2363Log: Phase TCP/IP Warning Error Alert 2364Local: Command Warning Error Alert 2365.Ed 2366.Pp 2367Log messages of level Warning, Error and Alert are not controllable 2368using 2369.Dq set log Op local . 2370.Pp 2371The 2372.Ar Warning 2373level is special in that it will not be logged if it can be displayed 2374locally. 2375.Sh SIGNAL HANDLING 2376.Nm 2377deals with the following signals: 2378.Bl -tag -width "USR2" 2379.It INT 2380Receipt of this signal causes the termination of the current connection 2381(if any). 2382This will cause 2383.Nm 2384to exit unless it is in 2385.Fl auto 2386or 2387.Fl ddial 2388mode. 2389.It HUP, TERM & QUIT 2390These signals tell 2391.Nm 2392to exit. 2393.It USR1 2394This signal, tells 2395.Nm 2396to re-open any existing server socket, dropping all existing diagnostic 2397connections. 2398Sockets that couldn't previously be opened will be retried. 2399.It USR2 2400This signal, tells 2401.Nm 2402to close any existing server socket, dropping all existing diagnostic 2403connections. 2404.Dv SIGUSR1 2405can still be used to re-open the socket. 2406.El 2407.Sh MULTI-LINK PPP 2408If you wish to use more than one physical link to connect to a 2409.Em PPP 2410peer, that peer must also understand the 2411.Em MULTI-LINK PPP 2412protocol. 2413Refer to RFC 1990 for specification details. 2414.Pp 2415The peer is identified using a combination of his 2416.Dq endpoint discriminator 2417and his 2418.Dq authentication id . 2419Either or both of these may be specified. 2420It is recommended that 2421at least one is specified, otherwise there is no way of ensuring that 2422all links are actually connected to the same peer program, and some 2423confusing lock-ups may result. 2424Locally, these identification variables are specified using the 2425.Dq set enddisc 2426and 2427.Dq set authname 2428commands. 2429The 2430.Sq authname 2431(and 2432.Sq authkey ) 2433must be agreed in advance with the peer. 2434.Pp 2435Multi-link capabilities are enabled using the 2436.Dq set mrru 2437command (set maximum reconstructed receive unit). 2438Once multi-link is enabled, 2439.Nm 2440will attempt to negotiate a multi-link connection with the peer. 2441.Pp 2442By default, only one 2443.Sq link 2444is available 2445(called 2446.Sq deflink ) . 2447To create more links, the 2448.Dq clone 2449command is used. 2450This command will clone existing links, where all 2451characteristics are the same except: 2452.Bl -enum 2453.It 2454The new link has its own name as specified on the 2455.Dq clone 2456command line. 2457.It 2458The new link is an 2459.Sq interactive 2460link. 2461Its mode may subsequently be changed using the 2462.Dq set mode 2463command. 2464.It 2465The new link is in a 2466.Sq closed 2467state. 2468.El 2469.Pp 2470A summary of all available links can be seen using the 2471.Dq show links 2472command. 2473.Pp 2474Once a new link has been created, command usage varies. 2475All link specific commands must be prefixed with the 2476.Dq link Ar name 2477command, specifying on which link the command is to be applied. 2478When only a single link is available, 2479.Nm 2480is smart enough not to require the 2481.Dq link Ar name 2482prefix. 2483.Pp 2484Some commands can still be used without specifying a link - resulting 2485in an operation at the 2486.Sq bundle 2487level. 2488For example, once two or more links are available, the command 2489.Dq show ccp 2490will show CCP configuration and statistics at the multi-link level, and 2491.Dq link deflink show ccp 2492will show the same information at the 2493.Dq deflink 2494link level. 2495.Pp 2496Armed with this information, the following configuration might be used: 2497.Bd -literal -offset indent 2498mp: 2499 set timeout 0 2500 set log phase chat 2501 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2502 set phone "123456789" 2503 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2504 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2505 set login 2506 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2507 set authname ppp 2508 set authkey ppppassword 2509 2510 set mrru 1500 2511 clone 1,2,3 # Create 3 new links - duplicates of the default 2512 link deflink remove # Delete the default link (called ``deflink'') 2513.Ed 2514.Pp 2515Note how all cloning is done at the end of the configuration. 2516Usually, the link will be configured first, then cloned. 2517If you wish all links 2518to be up all the time, you can add the following line to the end of your 2519configuration. 2520.Bd -literal -offset indent 2521 link 1,2,3 set mode ddial 2522.Ed 2523.Pp 2524If you want the links to dial on demand, this command could be used: 2525.Bd -literal -offset indent 2526 link * set mode auto 2527.Ed 2528.Pp 2529Links may be tied to specific names by removing the 2530.Dq set device 2531line above, and specifying the following after the 2532.Dq clone 2533command: 2534.Bd -literal -offset indent 2535 link 1 set device /dev/cuaa0 2536 link 2 set device /dev/cuaa1 2537 link 3 set device /dev/cuaa2 2538.Ed 2539.Pp 2540Use the 2541.Dq help 2542command to see which commands require context (using the 2543.Dq link 2544command), which have optional 2545context and which should not have any context. 2546.Pp 2547When 2548.Nm 2549has negotiated 2550.Em MULTI-LINK 2551mode with the peer, it creates a local domain socket in the 2552.Pa /var/run 2553directory. 2554This socket is used to pass link information (including 2555the actual link file descriptor) between different 2556.Nm 2557invocations. 2558This facilitates 2559.Nm Ns No 's 2560ability to be run from a 2561.Xr getty 8 2562or directly from 2563.Pa /etc/gettydefs 2564(using the 2565.Sq pp= 2566capability), without needing to have initial control of the serial 2567line. 2568Once 2569.Nm 2570negotiates multi-link mode, it will pass its open link to any 2571already running process. 2572If there is no already running process, 2573.Nm 2574will act as the master, creating the socket and listening for new 2575connections. 2576.Sh PPP COMMAND LIST 2577This section lists the available commands and their effect. 2578They are usable either from an interactive 2579.Nm 2580session, from a configuration file or from a 2581.Xr pppctl 8 2582or 2583.Xr telnet 1 2584session. 2585.Bl -tag -width 2n 2586.It accept|deny|enable|disable Ar option.... 2587These directives tell 2588.Nm 2589how to negotiate the initial connection with the peer. 2590Each 2591.Dq option 2592has a default of either accept or deny and enable or disable. 2593.Dq Accept 2594means that the option will be ACK'd if the peer asks for it. 2595.Dq Deny 2596means that the option will be NAK'd if the peer asks for it. 2597.Dq Enable 2598means that the option will be requested by us. 2599.Dq Disable 2600means that the option will not be requested by us. 2601.Pp 2602.Dq Option 2603may be one of the following: 2604.Bl -tag -width 2n 2605.It acfcomp 2606Default: Enabled and Accepted. 2607ACFComp stands for Address and Control Field Compression. 2608Non LCP packets will usually have an address 2609field of 0xff (the All-Stations address) and a control field of 26100x03 (the Unnumbered Information command). 2611If this option is 2612negotiated, these two bytes are simply not sent, thus minimising 2613traffic. 2614.Pp 2615See 2616.Pa rfc1662 2617for details. 2618.It chap Ns Op \&05 2619Default: Disabled and Accepted. 2620CHAP stands for Challenge Handshake Authentication Protocol. 2621Only one of CHAP and PAP (below) may be negotiated. 2622With CHAP, the authenticator sends a "challenge" message to its peer. 2623The peer uses a one-way hash function to encrypt the 2624challenge and sends the result back. 2625The authenticator does the same, and compares the results. 2626The advantage of this mechanism is that no 2627passwords are sent across the connection. 2628A challenge is made when the connection is first made. 2629Subsequent challenges may occur. 2630If you want to have your peer authenticate itself, you must 2631.Dq enable chap . 2632in 2633.Pa /etc/ppp/ppp.conf , 2634and have an entry in 2635.Pa /etc/ppp/ppp.secret 2636for the peer. 2637.Pp 2638When using CHAP as the client, you need only specify 2639.Dq AuthName 2640and 2641.Dq AuthKey 2642in 2643.Pa /etc/ppp/ppp.conf . 2644CHAP is accepted by default. 2645Some 2646.Em PPP 2647implementations use "MS-CHAP" rather than MD5 when encrypting the 2648challenge. 2649MS-CHAP is a combination of MD4 and DES. 2650If 2651.Nm 2652was built on a machine with DES libraries available, it will respond 2653to MS-CHAP authentication requests, but will never request them. 2654.It deflate 2655Default: Enabled and Accepted. 2656This option decides if deflate 2657compression will be used by the Compression Control Protocol (CCP). 2658This is the same algorithm as used by the 2659.Xr gzip 1 2660program. 2661Note: There is a problem negotiating 2662.Ar deflate 2663capabilities with 2664.Xr pppd 8 2665- a 2666.Em PPP 2667implementation available under many operating systems. 2668.Nm pppd 2669(version 2.3.1) incorrectly attempts to negotiate 2670.Ar deflate 2671compression using type 2672.Em 24 2673as the CCP configuration type rather than type 2674.Em 26 2675as specified in 2676.Pa rfc1979 . 2677Type 2678.Ar 24 2679is actually specified as 2680.Dq PPP Magna-link Variable Resource Compression 2681in 2682.Pa rfc1975 ! 2683.Nm 2684is capable of negotiating with 2685.Nm pppd , 2686but only if 2687.Dq deflate24 2688is 2689.Ar enable Ns No d 2690and 2691.Ar accept Ns No ed . 2692.It deflate24 2693Default: Disabled and Denied. 2694This is a variance of the 2695.Ar deflate 2696option, allowing negotiation with the 2697.Xr pppd 8 2698program. 2699Refer to the 2700.Ar deflate 2701section above for details. 2702It is disabled by default as it violates 2703.Pa rfc1975 . 2704.It dns 2705Default: Disabled and Denied. 2706This option allows DNS negotiation. 2707.Pp 2708If 2709.Dq enable Ns No d, 2710.Nm 2711will request that the peer confirms the entries in 2712.Pa /etc/resolv.conf . 2713If the peer NAKs our request (suggesting new IP numbers), 2714.Pa /etc/resolv.conf 2715is updated and another request is sent to confirm the new entries. 2716.Pp 2717If 2718.Dq accept Ns No ed, 2719.Nm 2720will answer any DNS queries requested by the peer rather than rejecting 2721them. 2722The answer is taken from 2723.Pa /etc/resolv.conf 2724unless the 2725.Dq set dns 2726command is used as an override. 2727.It enddisc 2728Default: Enabled and Accepted. 2729This option allows control over whether we 2730negotiate an endpoint discriminator. 2731We only send our discriminator if 2732.Dq set enddisc 2733is used and 2734.Ar enddisc 2735is enabled. 2736We reject the peers discriminator if 2737.Ar enddisc 2738is denied. 2739.It LANMan|chap80lm 2740Default: Disabled and Accepted. 2741The use of this authentication protocol 2742is discouraged as it partially violates the authentication protocol by 2743implementing two different mechanisms (LANMan & NT) under the guise of 2744a single CHAP type (0x80). 2745.Dq LANMan 2746uses a simple DES encryption mechanism and is the least secure of the 2747CHAP alternatives (although is still more secure than PAP). 2748.Pp 2749Refer to the 2750.Dq MSChap 2751description below for more details. 2752.It lqr 2753Default: Disabled and Accepted. 2754This option decides if Link Quality Requests will be sent or accepted. 2755LQR is a protocol that allows 2756.Nm 2757to determine that the link is down without relying on the modems 2758carrier detect. 2759When LQR is enabled, 2760.Nm 2761sends the 2762.Em QUALPROTO 2763option (see 2764.Dq set lqrperiod 2765below) as part of the LCP request. 2766If the peer agrees, both sides will 2767exchange LQR packets at the agreed frequency, allowing detailed link 2768quality monitoring by enabling LQM logging. 2769If the peer doesn't agree, 2770.Nm 2771will send ECHO LQR requests instead. 2772These packets pass no information of interest, but they 2773.Em MUST 2774be replied to by the peer. 2775.Pp 2776Whether using LQR or ECHO LQR, 2777.Nm 2778will abruptly drop the connection if 5 unacknowledged packets have been 2779sent rather than sending a 6th. 2780A message is logged at the 2781.Em PHASE 2782level, and any appropriate 2783.Dq reconnect 2784values are honoured as if the peer were responsible for dropping the 2785connection. 2786.It mppe 2787Default: Enabled and Accepted. 2788This is Microsoft Point to Point Encryption scheme. 2789MPPE key size can be 279040-, 56- and 128-bits. 2791Refer to 2792.Dq set mppe 2793command. 2794.It MSChapV2|chap81 2795Default: Disabled and Accepted. 2796It is very similar to standard CHAP (type 0x05) 2797except that it issues challenges of a fixed 16 bytes in length and uses a 2798combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2799standard MD5 mechanism. 2800.It MSChap|chap80nt 2801Default: Disabled and Accepted. 2802The use of this authentication protocol 2803is discouraged as it partially violates the authentication protocol by 2804implementing two different mechanisms (LANMan & NT) under the guise of 2805a single CHAP type (0x80). 2806It is very similar to standard CHAP (type 0x05) 2807except that it issues challenges of a fixed 8 bytes in length and uses a 2808combination of MD4 and DES to encrypt the challenge rather than using the 2809standard MD5 mechanism. 2810CHAP type 0x80 for LANMan is also supported - see 2811.Dq enable LANMan 2812for details. 2813.Pp 2814Because both 2815.Dq LANMan 2816and 2817.Dq NT 2818use CHAP type 0x80, when acting as authenticator with both 2819.Dq enable Ns No d , 2820.Nm 2821will rechallenge the peer up to three times if it responds using the wrong 2822one of the two protocols. 2823This gives the peer a chance to attempt using both protocols. 2824.Pp 2825Conversely, when 2826.Nm 2827acts as the authenticatee with both protocols 2828.Dq accept Ns No ed , 2829the protocols are used alternately in response to challenges. 2830.Pp 2831Note: If only LANMan is enabled, 2832.Xr pppd 8 2833(version 2.3.5) misbehaves when acting as authenticatee. 2834It provides both 2835the NT and the LANMan answers, but also suggests that only the NT answer 2836should be used. 2837.It pap 2838Default: Disabled and Accepted. 2839PAP stands for Password Authentication Protocol. 2840Only one of PAP and CHAP (above) may be negotiated. 2841With PAP, the ID and Password are sent repeatedly to the peer until 2842authentication is acknowledged or the connection is terminated. 2843This is a rather poor security mechanism. 2844It is only performed when the connection is first established. 2845If you want to have your peer authenticate itself, you must 2846.Dq enable pap . 2847in 2848.Pa /etc/ppp/ppp.conf , 2849and have an entry in 2850.Pa /etc/ppp/ppp.secret 2851for the peer (although see the 2852.Dq passwdauth 2853and 2854.Dq set radius 2855options below). 2856.Pp 2857When using PAP as the client, you need only specify 2858.Dq AuthName 2859and 2860.Dq AuthKey 2861in 2862.Pa /etc/ppp/ppp.conf . 2863PAP is accepted by default. 2864.It pred1 2865Default: Enabled and Accepted. 2866This option decides if Predictor 1 2867compression will be used by the Compression Control Protocol (CCP). 2868.It protocomp 2869Default: Enabled and Accepted. 2870This option is used to negotiate 2871PFC (Protocol Field Compression), a mechanism where the protocol 2872field number is reduced to one octet rather than two. 2873.It shortseq 2874Default: Enabled and Accepted. 2875This option determines if 2876.Nm 2877will request and accept requests for short 2878(12 bit) 2879sequence numbers when negotiating multi-link mode. 2880This is only applicable if our MRRU is set (thus enabling multi-link). 2881.It vjcomp 2882Default: Enabled and Accepted. 2883This option determines if Van Jacobson header compression will be used. 2884.El 2885.Pp 2886The following options are not actually negotiated with the peer. 2887Therefore, accepting or denying them makes no sense. 2888.Bl -tag -width 2n 2889.It filter-decapsulation 2890Default: Disabled. 2891When this option is enabled, 2892.Nm 2893will examine UDP frames to see if they actually contain a 2894.Em PPP 2895frame as their payload. 2896If this is the case, all filters will operate on the payload rather 2897than the actual packet. 2898.Pp 2899This is useful if you want to send PPPoUDP traffic over a 2900.Em PPP 2901link, but want that link to do smart things with the real data rather than 2902the UDP wrapper. 2903.Pp 2904The UDP frame payload must not be compressed in any way, otherwise 2905.Nm 2906will not be able to interpret it. 2907It's therefore recommended that you 2908.Ic disable vj pred1 deflate 2909and 2910.Ic deny vj pred1 deflate 2911in the configuration for the 2912.Nm 2913invocation with the udp link. 2914.It idcheck 2915Default: Enabled. 2916When 2917.Nm 2918exchanges low-level LCP, CCP and IPCP configuration traffic, the 2919.Em Identifier 2920field of any replies is expected to be the same as that of the request. 2921By default, 2922.Nm 2923drops any reply packets that do not contain the expected identifier 2924field, reporting the fact at the respective log level. 2925If 2926.Ar idcheck 2927is disabled, 2928.Nm 2929will ignore the identifier field. 2930.It iface-alias 2931Default: Enabled if 2932.Fl nat 2933is specified. 2934This option simply tells 2935.Nm 2936to add new interface addresses to the interface rather than replacing them. 2937The option can only be enabled if network address translation is enabled 2938.Pq Dq nat enable yes . 2939.Pp 2940With this option enabled, 2941.Nm 2942will pass traffic for old interface addresses through the NAT 2943ifdef({LOCALNAT},{engine,},{engine 2944(see 2945.Xr libalias 3 ) ,}) 2946resulting in the ability (in 2947.Fl auto 2948mode) to properly connect the process that caused the PPP link to 2949come up in the first place. 2950.Pp 2951Disabling NAT with 2952.Dq nat enable no 2953will also disable 2954.Sq iface-alias . 2955.It ipcp 2956Default: Enabled. 2957This option allows 2958.Nm 2959to attempt to negotiate IP control protocol capabilities and if 2960successful to exchange IP datagrams with the peer. 2961.It ipv6cp 2962Default: Enabled. 2963This option allows 2964.Nm 2965to attempt to negotiate IPv6 control protocol capabilities and if 2966successful to exchange IPv6 datagrams with the peer. 2967.It keep-session 2968Default: Disabled. 2969When 2970.Nm 2971runs as a Multi-link server, a different 2972.Nm 2973instance initially receives each connection. 2974After determining that 2975the link belongs to an already existing bundle (controlled by another 2976.Nm 2977invocation), 2978.Nm 2979will transfer the link to that process. 2980.Pp 2981If the link is a tty device or if this option is enabled, 2982.Nm 2983will not exit, but will change its process name to 2984.Dq session owner 2985and wait for the controlling 2986.Nm 2987to finish with the link and deliver a signal back to the idle process. 2988This prevents the confusion that results from 2989.Nm Ns No 's 2990parent considering the link resource available again. 2991.Pp 2992For tty devices that have entries in 2993.Pa /etc/ttys , 2994this is necessary to prevent another 2995.Xr getty 8 2996from being started, and for program links such as 2997.Xr sshd 8 , 2998it prevents 2999.Xr sshd 8 3000from exiting due to the death of its child. 3001As 3002.Nm 3003cannot determine its parents requirements (except for the tty case), this 3004option must be enabled manually depending on the circumstances. 3005.It loopback 3006Default: Enabled. 3007When 3008.Ar loopback 3009is enabled, 3010.Nm 3011will automatically loop back packets being sent 3012out with a destination address equal to that of the 3013.Em PPP 3014interface. 3015If disabled, 3016.Nm 3017will send the packet, probably resulting in an ICMP redirect from 3018the other end. 3019It is convenient to have this option enabled when 3020the interface is also the default route as it avoids the necessity 3021of a loopback route. 3022.It passwdauth 3023Default: Disabled. 3024Enabling this option will tell the PAP authentication 3025code to use the password database (see 3026.Xr passwd 5 ) 3027to authenticate the caller if they cannot be found in the 3028.Pa /etc/ppp/ppp.secret 3029file. 3030.Pa /etc/ppp/ppp.secret 3031is always checked first. 3032If you wish to use passwords from 3033.Xr passwd 5 , 3034but also to specify an IP number or label for a given client, use 3035.Dq \&* 3036as the client password in 3037.Pa /etc/ppp/ppp.secret . 3038.It proxy 3039Default: Disabled. 3040Enabling this option will tell 3041.Nm 3042to proxy ARP for the peer. 3043This means that 3044.Nm 3045will make an entry in the ARP table using 3046.Dv HISADDR 3047and the 3048.Dv MAC 3049address of the local network in which 3050.Dv HISADDR 3051appears. 3052This allows other machines connected to the LAN to talk to 3053the peer as if the peer itself was connected to the LAN. 3054The proxy entry cannot be made unless 3055.Dv HISADDR 3056is an address from a LAN. 3057.It proxyall 3058Default: Disabled. 3059Enabling this will tell 3060.Nm 3061to add proxy arp entries for every IP address in all class C or 3062smaller subnets routed via the tun interface. 3063.Pp 3064Proxy arp entries are only made for sticky routes that are added 3065using the 3066.Dq add 3067command. 3068No proxy arp entries are made for the interface address itself 3069(as created by the 3070.Dq set ifaddr 3071command). 3072.It sroutes 3073Default: Enabled. 3074When the 3075.Dq add 3076command is used with the 3077.Dv HISADDR , 3078.Dv MYADDR , 3079.Dv HISADDR6 3080or 3081.Dv MYADDR6 3082values, entries are stored in the 3083.Sq sticky route 3084list. 3085Each time these variables change, this list is re-applied to the routing table. 3086.Pp 3087Disabling this option will prevent the re-application of sticky routes, 3088although the 3089.Sq stick route 3090list will still be maintained. 3091.It Oo tcp Oc Ns Xo 3092.No mssfixup 3093.Xc 3094Default: Enabled. 3095This option tells 3096.Nm 3097to adjust TCP SYN packets so that the maximum receive segment 3098size is not greater than the amount allowed by the interface MTU. 3099.It throughput 3100Default: Enabled. 3101This option tells 3102.Nm 3103to gather throughput statistics. 3104Input and output is sampled over 3105a rolling 5 second window, and current, best and total figures are retained. 3106This data is output when the relevant 3107.Em PPP 3108layer shuts down, and is also available using the 3109.Dq show 3110command. 3111Throughput statistics are available at the 3112.Dq IPCP 3113and 3114.Dq physical 3115levels. 3116.It utmp 3117Default: Enabled. 3118Normally, when a user is authenticated using PAP or CHAP, and when 3119.Nm 3120is running in 3121.Fl direct 3122mode, an entry is made in the utmp and wtmp files for that user. 3123Disabling this option will tell 3124.Nm 3125not to make any utmp or wtmp entries. 3126This is usually only necessary if 3127you require the user to both login and authenticate themselves. 3128.El 3129.It add Ns Xo 3130.Op !\& 3131.Ar dest Ns Op / Ns Ar nn 3132.Op Ar mask 3133.Op Ar gateway 3134.Xc 3135.Ar Dest 3136is the destination IP address. 3137The netmask is specified either as a number of bits with 3138.Ar /nn 3139or as an IP number using 3140.Ar mask . 3141.Ar 0 0 3142or simply 3143.Ar 0 3144with no mask refers to the default route. 3145It is also possible to use the literal name 3146.Sq default 3147instead of 3148.Ar 0 . 3149.Ar Gateway 3150is the next hop gateway to get to the given 3151.Ar dest 3152machine/network. 3153Refer to the 3154.Xr route 8 3155command for further details. 3156.Pp 3157It is possible to use the symbolic names 3158.Sq MYADDR , 3159.Sq HISADDR , 3160.Sq MYADDR6 3161or 3162.Sq HISADDR6 3163as the destination, and 3164.Sq HISADDR 3165or 3166.Sq HISADDR6 3167as the 3168.Ar gateway . 3169.Sq MYADDR 3170is replaced with the interface IP address, 3171.Sq HISADDR 3172is replaced with the interface IP destination (peer) address, 3173.Sq MYADDR6 3174is replaced with the interface IPv6 address, and 3175.Sq HISADDR6 3176is replaced with the interface IPv6 destination address, 3177.Pp 3178If the 3179.Ar add!\& 3180command is used 3181(note the trailing 3182.Dq !\& ) , 3183then if the route already exists, it will be updated as with the 3184.Sq route change 3185command (see 3186.Xr route 8 3187for further details). 3188.Pp 3189Routes that contain the 3190.Dq HISADDR , 3191.Dq MYADDR , 3192.Dq HISADDR6 , 3193.Dq MYADDR6 , 3194.Dq DNS0 , 3195or 3196.Dq DNS1 3197constants are considered 3198.Sq sticky . 3199They are stored in a list (use 3200.Dq show ncp 3201to see the list), and each time the value of one of these variables 3202changes, the appropriate routing table entries are updated. 3203This facility may be disabled using 3204.Dq disable sroutes . 3205.It allow Ar command Op Ar args 3206This command controls access to 3207.Nm 3208and its configuration files. 3209It is possible to allow user-level access, 3210depending on the configuration file label and on the mode that 3211.Nm 3212is being run in. 3213For example, you may wish to configure 3214.Nm 3215so that only user 3216.Sq fred 3217may access label 3218.Sq fredlabel 3219in 3220.Fl background 3221mode. 3222.Pp 3223User id 0 is immune to these commands. 3224.Bl -tag -width 2n 3225.It allow user Ns Xo 3226.Op s 3227.Ar logname Ns No ... 3228.Xc 3229By default, only user id 0 is allowed access to 3230.Nm . 3231If this command is used, all of the listed users are allowed access to 3232the section in which the 3233.Dq allow users 3234command is found. 3235The 3236.Sq default 3237section is always checked first (even though it is only ever automatically 3238loaded at startup). 3239.Dq allow users 3240commands are cumulative in a given section, but users allowed in any given 3241section override users allowed in the default section, so it's possible to 3242allow users access to everything except a given label by specifying default 3243users in the 3244.Sq default 3245section, and then specifying a new user list for that label. 3246.Pp 3247If user 3248.Sq * 3249is specified, access is allowed to all users. 3250.It allow mode Ns Xo 3251.Op s 3252.Ar mode Ns No ... 3253.Xc 3254By default, access using any 3255.Nm 3256mode is possible. 3257If this command is used, it restricts the access 3258.Ar modes 3259allowed to load the label under which this command is specified. 3260Again, as with the 3261.Dq allow users 3262command, each 3263.Dq allow modes 3264command overrides any previous settings, and the 3265.Sq default 3266section is always checked first. 3267.Pp 3268Possible modes are: 3269.Sq interactive , 3270.Sq auto , 3271.Sq direct , 3272.Sq dedicated , 3273.Sq ddial , 3274.Sq background 3275and 3276.Sq * . 3277.Pp 3278When running in multi-link mode, a section can be loaded if it allows 3279.Em any 3280of the currently existing line modes. 3281.El 3282.It nat Ar command Op Ar args 3283This command allows the control of the network address translation (also 3284known as masquerading or IP aliasing) facilities that are built into 3285.Nm . 3286NAT is done on the external interface only, and is unlikely to make sense 3287if used with the 3288.Fl direct 3289flag. 3290.Pp 3291If nat is enabled on your system (it may be omitted at compile time), 3292the following commands are possible: 3293.Bl -tag -width 2n 3294.It nat enable yes|no 3295This command either switches network address translation on or turns it off. 3296The 3297.Fl nat 3298command line flag is synonymous with 3299.Dq nat enable yes . 3300.It nat addr Op Ar addr_local addr_alias 3301This command allows data for 3302.Ar addr_alias 3303to be redirected to 3304.Ar addr_local . 3305It is useful if you own a small number of real IP numbers that 3306you wish to map to specific machines behind your gateway. 3307.It nat deny_incoming yes|no 3308If set to yes, this command will refuse all incoming packets where an 3309aliasing link doesn't already exist. 3310ifdef({LOCALNAT},{},{Refer to the 3311.Sx CONCEPTUAL BACKGROUND 3312section of 3313.Xr libalias 3 3314for a description of what an 3315.Dq aliasing link 3316is. 3317})dnl 3318.Pp 3319It should be noted under what circumstances an aliasing link is 3320ifdef({LOCALNAT},{created.},{created by 3321.Xr libalias 3 .}) 3322It may be necessary to further protect your network from outside 3323connections using the 3324.Dq set filter 3325or 3326.Dq nat target 3327commands. 3328.It nat help|? 3329This command gives a summary of available nat commands. 3330.It nat log yes|no 3331This option causes various NAT statistics and information to 3332be logged to the file 3333.Pa /var/log/alias.log . 3334.It nat port Ar proto Ar targetIP Ns Xo 3335.No : Ns Ar targetPort Ns 3336.Oo 3337.No - Ns Ar targetPort 3338.Oc Ar aliasPort Ns 3339.Oo 3340.No - Ns Ar aliasPort 3341.Oc Oo Ar remoteIP : Ns 3342.Ar remotePort Ns 3343.Oo 3344.No - Ns Ar remotePort 3345.Oc Ns 3346.Oc 3347.Xc 3348This command causes incoming 3349.Ar proto 3350connections to 3351.Ar aliasPort 3352to be redirected to 3353.Ar targetPort 3354on 3355.Ar targetIP . 3356.Ar proto 3357is either 3358.Dq tcp 3359or 3360.Dq udp . 3361.Pp 3362A range of port numbers may be specified as shown above. 3363The ranges must be of the same size. 3364.Pp 3365If 3366.Ar remoteIP 3367is specified, only data coming from that IP number is redirected. 3368.Ar remotePort 3369must either be 3370.Dq 0 3371(indicating any source port) 3372or a range of ports the same size as the other ranges. 3373.Pp 3374This option is useful if you wish to run things like Internet phone on 3375machines behind your gateway, but is limited in that connections to only 3376one interior machine per source machine and target port are possible. 3377.It nat proto Ar proto localIP Oo 3378.Ar publicIP Op Ar remoteIP 3379.Oc 3380This command tells 3381.Nm 3382to redirect packets of protocol type 3383.Ar proto 3384(see 3385.Xr protocols 5 ) 3386to the internal address 3387.Ar localIP . 3388.Pp 3389If 3390.Ar publicIP 3391is specified, only packets destined for that address are matched, 3392otherwise the default alias address is used. 3393.Pp 3394If 3395.Ar remoteIP 3396is specified, only packets matching that source address are matched, 3397.Pp 3398This command is useful for redirecting tunnel endpoints to an internal machine, 3399for example: 3400.Pp 3401.Dl nat proto ipencap 10.0.0.1 3402.It "nat proxy cmd" Ar arg Ns No ... 3403This command tells 3404.Nm 3405to proxy certain connections, redirecting them to a given server. 3406ifdef({LOCALNAT},{},{Refer to the description of 3407.Fn PacketAliasProxyRule 3408in 3409.Xr libalias 3 3410for details of the available commands. 3411})dnl 3412.It nat punch_fw Op Ar base count 3413This command tells 3414.Nm 3415to punch holes in the firewall for FTP or IRC DCC connections. 3416This is done dynamically by installing temporary firewall rules which 3417allow a particular connection (and only that connection) to go through 3418the firewall. 3419The rules are removed once the corresponding connection terminates. 3420.Pp 3421A maximum of 3422.Ar count 3423rules starting from rule number 3424.Ar base 3425will be used for punching firewall holes. 3426The range will be cleared when the 3427.Dq nat punch_fw 3428command is run. 3429.Pp 3430If no arguments are given, firewall punching is disabled. 3431.It nat same_ports yes|no 3432When enabled, this command will tell the network address translation engine to 3433attempt to avoid changing the port number on outgoing packets. 3434This is useful 3435if you want to support protocols such as RPC and LPD which require 3436connections to come from a well known port. 3437.It nat target Op Ar address 3438Set the given target address or clear it if no address is given. 3439The target address is used 3440ifdef({LOCALNAT},{},{by libalias })dnl 3441to specify how to NAT incoming packets by default. 3442If a target address is not set or if 3443.Dq default 3444is given, packets are not altered and are allowed to route to the internal 3445network. 3446.Pp 3447The target address may be set to 3448.Dq MYADDR , 3449in which case 3450ifdef({LOCALNAT},{all packets will be redirected}, 3451{libalias will redirect all packets}) 3452to the interface address. 3453.It nat use_sockets yes|no 3454When enabled, this option tells the network address translation engine to 3455create a socket so that it can guarantee a correct incoming ftp data or 3456IRC connection. 3457.It nat unregistered_only yes|no 3458Only alter outgoing packets with an unregistered source address. 3459According to RFC 1918, unregistered source addresses 3460are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3461.El 3462.Pp 3463These commands are also discussed in the file 3464.Pa README.nat 3465which comes with the source distribution. 3466.It Oo !\& Oc Ns Xo 3467.No bg Ar command 3468.Xc 3469The given 3470.Ar command 3471is executed in the background with the following words replaced: 3472.Bl -tag -width COMPILATIONDATE 3473.It Li AUTHNAME 3474This is replaced with the local 3475.Ar authname 3476value. 3477See the 3478.Dq set authname 3479command below. 3480.It Li COMPILATIONDATE 3481This is replaced with the date on which 3482.Nm 3483was compiled. 3484.It Li DNS0 & DNS1 3485These are replaced with the primary and secondary nameserver IP numbers. 3486If nameservers are negotiated by IPCP, the values of these macros will change. 3487.It Li ENDDISC 3488This is replaced with the local endpoint discriminator value. 3489See the 3490.Dq set enddisc 3491command below. 3492.It Li HISADDR 3493This is replaced with the peers IP number. 3494.It Li HISADDR6 3495This is replaced with the peers IPv6 number. 3496.It Li INTERFACE 3497This is replaced with the name of the interface that's in use. 3498.It Li IPOCTETSIN 3499This is replaced with the number of IP bytes received since the connection 3500was established. 3501.It Li IPOCTETSOUT 3502This is replaced with the number of IP bytes sent since the connection 3503was established. 3504.It Li IPPACKETSIN 3505This is replaced with the number of IP packets received since the connection 3506was established. 3507.It Li IPPACKETSOUT 3508This is replaced with the number of IP packets sent since the connection 3509was established. 3510.It Li IPV6OCTETSIN 3511This is replaced with the number of IPv6 bytes received since the connection 3512was established. 3513.It Li IPV6OCTETSOUT 3514This is replaced with the number of IPv6 bytes sent since the connection 3515was established. 3516.It Li IPV6PACKETSIN 3517This is replaced with the number of IPv6 packets received since the connection 3518was established. 3519.It Li IPV6PACKETSOUT 3520This is replaced with the number of IPv6 packets sent since the connection 3521was established. 3522.It Li LABEL 3523This is replaced with the last label name used. 3524A label may be specified on the 3525.Nm 3526command line, via the 3527.Dq load 3528or 3529.Dq dial 3530commands and in the 3531.Pa ppp.secret 3532file. 3533.It Li MYADDR 3534This is replaced with the IP number assigned to the local interface. 3535.It Li MYADDR6 3536This is replaced with the IPv6 number assigned to the local interface. 3537.It Li OCTETSIN 3538This is replaced with the number of bytes received since the connection 3539was established. 3540.It Li OCTETSOUT 3541This is replaced with the number of bytes sent since the connection 3542was established. 3543.It Li PACKETSIN 3544This is replaced with the number of packets received since the connection 3545was established. 3546.It Li PACKETSOUT 3547This is replaced with the number of packets sent since the connection 3548was established. 3549.It Li PEER_ENDDISC 3550This is replaced with the value of the peers endpoint discriminator. 3551.It Li PROCESSID 3552This is replaced with the current process id. 3553.It Li SOCKNAME 3554This is replaced with the name of the diagnostic socket. 3555.It Li UPTIME 3556This is replaced with the bundle uptime in HH:MM:SS format. 3557.It Li USER 3558This is replaced with the username that has been authenticated with PAP or 3559CHAP. 3560Normally, this variable is assigned only in -direct mode. 3561This value is available irrespective of whether utmp logging is enabled. 3562.It Li VERSION 3563This is replaced with the current version number of 3564.Nm . 3565.El 3566.Pp 3567These substitutions are also done by the 3568.Dq set proctitle , 3569.Dq ident 3570and 3571.Dq log 3572commands. 3573.Pp 3574If you wish to pause 3575.Nm 3576while the command executes, use the 3577.Dq shell 3578command instead. 3579.It clear physical|ipcp|ipv6 Op current|overall|peak... 3580Clear the specified throughput values at either the 3581.Dq physical , 3582.Dq ipcp 3583or 3584.Dq ipv6cp 3585level. 3586If 3587.Dq physical 3588is specified, context must be given (see the 3589.Dq link 3590command below). 3591If no second argument is given, all values are cleared. 3592.It clone Ar name Ns Xo 3593.Op \&, Ns Ar name Ns 3594.No ... 3595.Xc 3596Clone the specified link, creating one or more new links according to the 3597.Ar name 3598argument(s). 3599This command must be used from the 3600.Dq link 3601command below unless you've only got a single link (in which case that 3602link becomes the default). 3603Links may be removed using the 3604.Dq remove 3605command below. 3606.Pp 3607The default link name is 3608.Dq deflink . 3609.It close Op lcp|ccp Ns Op !\& 3610If no arguments are given, the relevant protocol layers will be brought 3611down and the link will be closed. 3612If 3613.Dq lcp 3614is specified, the LCP layer is brought down, but 3615.Nm 3616will not bring the link offline. 3617It is subsequently possible to use 3618.Dq term 3619(see below) 3620to talk to the peer machine if, for example, something like 3621.Dq slirp 3622is being used. 3623If 3624.Dq ccp 3625is specified, only the relevant compression layer is closed. 3626If the 3627.Dq !\& 3628is used, the compression layer will remain in the closed state, otherwise 3629it will re-enter the STOPPED state, waiting for the peer to initiate 3630further CCP negotiation. 3631In any event, this command does not disconnect the user from 3632.Nm 3633or exit 3634.Nm . 3635See the 3636.Dq quit 3637command below. 3638.It delete Ns Xo 3639.Op !\& 3640.Ar dest 3641.Xc 3642This command deletes the route with the given 3643.Ar dest 3644IP address. 3645If 3646.Ar dest 3647is specified as 3648.Sq ALL , 3649all non-direct entries in the routing table for the current interface, 3650and all 3651.Sq sticky route 3652entries are deleted. 3653If 3654.Ar dest 3655is specified as 3656.Sq default , 3657the default route is deleted. 3658.Pp 3659If the 3660.Ar delete!\& 3661command is used 3662(note the trailing 3663.Dq !\& ) , 3664.Nm 3665will not complain if the route does not already exist. 3666.It Xo 3667.Ic dial No \&| 3668.Ic call 3669.Op Ar label ... 3670.Xc 3671This command is the equivalent of 3672.Dq load label 3673followed by 3674.Dq open , 3675and is provided for backwards compatibility. 3676.It down Op Ar lcp|ccp 3677Bring the relevant layer down ungracefully, as if the underlying layer 3678had become unavailable. 3679It's not considered polite to use this command on 3680a Finite State Machine that's in the OPEN state. 3681If no arguments are 3682supplied, the entire link is closed (or if no context is given, all links 3683are terminated). 3684If 3685.Sq lcp 3686is specified, the 3687.Em LCP 3688layer is terminated but the device is not brought offline and the link 3689is not closed. 3690If 3691.Sq ccp 3692is specified, only the relevant compression layer(s) are terminated. 3693.It help|? Op Ar command 3694Show a list of available commands. 3695If 3696.Ar command 3697is specified, show the usage string for that command. 3698.It ident Op Ar text Ns No ... 3699Identify the link to the peer using 3700.Ar text . 3701If 3702.Ar text 3703is empty, link identification is disabled. 3704It is possible to use any of the words described for the 3705.Ic bg 3706command above. 3707Refer to the 3708.Ic sendident 3709command for details of when 3710.Nm 3711identifies itself to the peer. 3712.It iface Ar command Op args 3713This command is used to control the interface used by 3714.Nm . 3715.Ar Command 3716may be one of the following: 3717.Bl -tag -width 2n 3718.It iface add Ns Xo 3719.Op !\& 3720.Ar addr Ns Op / Ns Ar bits 3721.Op Ar peer 3722.Xc 3723.It iface add Ns Xo 3724.Op !\& 3725.Ar addr 3726.Ar mask 3727.Ar peer 3728.Xc 3729Add the given 3730.Ar addr mask peer 3731combination to the interface. 3732Instead of specifying 3733.Ar mask , 3734.Ar /bits 3735can be used 3736(with no space between it and 3737.Ar addr ) . 3738If the given address already exists, the command fails unless the 3739.Dq !\& 3740is used - in which case the previous interface address entry is overwritten 3741with the new one, allowing a change of netmask or peer address. 3742.Pp 3743If only 3744.Ar addr 3745is specified, 3746.Ar bits 3747defaults to 3748.Dq 32 3749and 3750.Ar peer 3751defaults to 3752.Dq 255.255.255.255 . 3753This address (the broadcast address) is the only duplicate peer address that 3754.Nm 3755allows. 3756.It iface clear Op INET | INET6 3757If this command is used while 3758.Nm 3759is in the OPENED state or while in 3760.Fl auto 3761mode, all addresses except for the NCP negotiated address are deleted 3762from the interface. 3763If 3764.Nm 3765is not in the OPENED state and is not in 3766.Fl auto 3767mode, all interface addresses are deleted. 3768.Pp 3769If the INET or INET6 arguments are used, only addresses for that address 3770family are cleared. 3771.It iface delete Ns Xo 3772.Op !\& Ns 3773.No |rm Ns Op !\& 3774.Ar addr 3775.Xc 3776This command deletes the given 3777.Ar addr 3778from the interface. 3779If the 3780.Dq !\& 3781is used, no error is given if the address isn't currently assigned to 3782the interface (and no deletion takes place). 3783.It iface show 3784Shows the current state and current addresses for the interface. 3785It is much the same as running 3786.Dq ifconfig INTERFACE . 3787.It iface help Op Ar sub-command 3788This command, when invoked without 3789.Ar sub-command , 3790will show a list of possible 3791.Dq iface 3792sub-commands and a brief synopsis for each. 3793When invoked with 3794.Ar sub-command , 3795only the synopsis for the given sub-command is shown. 3796.El 3797.It Oo Ic data Oc Ns Xo 3798.Ic link 3799.Ar name Ns Op , Ns Ar name Ns 3800.No ... Ar command Op Ar args 3801.Xc 3802This command may prefix any other command if the user wishes to 3803specify which link the command should affect. 3804This is only applicable after multiple links have been created in Multi-link 3805mode using the 3806.Dq clone 3807command. 3808.Pp 3809.Ar Name 3810specifies the name of an existing link. 3811If 3812.Ar name 3813is a comma separated list, 3814.Ar command 3815is executed on each link. 3816If 3817.Ar name 3818is 3819.Dq * , 3820.Ar command 3821is executed on all links. 3822.It Ic load Oo Ar label Oc Ns Xo 3823.No ... 3824.Xc 3825Load the given 3826.Ar label Ns No (s) 3827from the 3828.Pa ppp.conf 3829file. 3830If 3831.Ar label 3832is not given, the 3833.Ar default 3834label is used. 3835.Pp 3836Unless the 3837.Ar label 3838section uses the 3839.Dq set mode , 3840.Dq open 3841or 3842.Dq dial 3843commands, 3844.Nm 3845will not attempt to make an immediate connection. 3846.It log Ar word Ns No ... 3847Send the given word(s) to the log file with the prefix 3848.Dq LOG: . 3849Word substitutions are done as explained under the 3850.Dq !bg 3851command above. 3852.It open Op lcp|ccp|ipcp 3853This is the opposite of the 3854.Dq close 3855command. 3856All closed links are immediately brought up apart from second and subsequent 3857.Ar demand-dial 3858links - these will come up based on the 3859.Dq set autoload 3860command that has been used. 3861.Pp 3862If the 3863.Dq lcp 3864argument is used while the LCP layer is already open, LCP will be 3865renegotiated. 3866This allows various LCP options to be changed, after which 3867.Dq open lcp 3868can be used to put them into effect. 3869After renegotiating LCP, 3870any agreed authentication will also take place. 3871.Pp 3872If the 3873.Dq ccp 3874argument is used, the relevant compression layer is opened. 3875Again, if it is already open, it will be renegotiated. 3876.Pp 3877If the 3878.Dq ipcp 3879argument is used, the link will be brought up as normal, but if 3880IPCP is already open, it will be renegotiated and the network 3881interface will be reconfigured. 3882.Pp 3883It is probably not good practice to re-open the PPP state machines 3884like this as it's possible that the peer will not behave correctly. 3885It 3886.Em is 3887however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3888.It passwd Ar pass 3889Specify the password required for access to the full 3890.Nm 3891command set. 3892This password is required when connecting to the diagnostic port (see the 3893.Dq set server 3894command). 3895.Ar Pass 3896is specified on the 3897.Dq set server 3898command line. 3899The value of 3900.Ar pass 3901is not logged when 3902.Ar command 3903logging is active, instead, the literal string 3904.Sq ******** 3905is logged. 3906.It quit|bye Op all 3907If 3908.Dq quit 3909is executed from the controlling connection or from a command file, 3910ppp will exit after closing all connections. 3911Otherwise, if the user 3912is connected to a diagnostic socket, the connection is simply dropped. 3913.Pp 3914If the 3915.Ar all 3916argument is given, 3917.Nm 3918will exit despite the source of the command after closing all existing 3919connections. 3920.It remove|rm 3921This command removes the given link. 3922It is only really useful in multi-link mode. 3923A link must be in the 3924.Dv CLOSED 3925state before it is removed. 3926.It rename|mv Ar name 3927This command renames the given link to 3928.Ar name . 3929It will fail if 3930.Ar name 3931is already used by another link. 3932.Pp 3933The default link name is 3934.Sq deflink . 3935Renaming it to 3936.Sq modem , 3937.Sq cuaa0 3938or 3939.Sq USR 3940may make the log file more readable. 3941.It resolv Ar command 3942This command controls 3943.Nm Ns No 's 3944manipulation of the 3945.Xr resolv.conf 5 3946file. 3947When 3948.Nm 3949starts up, it loads the contents of this file into memory and retains this 3950image for future use. 3951.Ar command 3952is one of the following: 3953.Bl -tag -width readonly 3954.It Em readonly 3955Treat 3956.Pa /etc/resolv.conf 3957as read only. 3958If 3959.Dq dns 3960is enabled, 3961.Nm 3962will still attempt to negotiate nameservers with the peer, making the results 3963available via the 3964.Dv DNS0 3965and 3966.Dv DNS1 3967macros. 3968This is the opposite of the 3969.Dq resolv writable 3970command. 3971.It Em reload 3972Reload 3973.Pa /etc/resolv.conf 3974into memory. 3975This may be necessary if for example a DHCP client overwrote 3976.Pa /etc/resolv.conf . 3977.It Em restore 3978Replace 3979.Pa /etc/resolv.conf 3980with the version originally read at startup or with the last 3981.Dq resolv reload 3982command. 3983This is sometimes a useful command to put in the 3984.Pa /etc/ppp/ppp.linkdown 3985file. 3986.It Em rewrite 3987Rewrite the 3988.Pa /etc/resolv.conf 3989file. 3990This command will work even if the 3991.Dq resolv readonly 3992command has been used. 3993It may be useful as a command in the 3994.Pa /etc/ppp/ppp.linkup 3995file if you wish to defer updating 3996.Pa /etc/resolv.conf 3997until after other commands have finished. 3998.It Em writable 3999Allow 4000.Nm 4001to update 4002.Pa /etc/resolv.conf 4003if 4004.Dq dns 4005is enabled and 4006.Nm 4007successfully negotiates a DNS. 4008This is the opposite of the 4009.Dq resolv readonly 4010command. 4011.El 4012.It save 4013This option is not (yet) implemented. 4014.It sendident 4015This command tells 4016.Nm 4017to identify itself to the peer. 4018The link must be in LCP state or higher. 4019If no identity has been set (via the 4020.Ic ident 4021command), 4022.Ic sendident 4023will fail. 4024.Pp 4025When an identity has been set, 4026.Nm 4027will automatically identify itself when it sends or receives a configure 4028reject, when negotiation fails or when LCP reaches the opened state. 4029.Pp 4030Received identification packets are logged to the LCP log (see 4031.Ic set log 4032for details) and are never responded to. 4033.It set Ns Xo 4034.Op up 4035.Ar var value 4036.Xc 4037This option allows the setting of any of the following variables: 4038.Bl -tag -width 2n 4039.It set accmap Ar hex-value 4040ACCMap stands for Asynchronous Control Character Map. 4041This is always 4042negotiated with the peer, and defaults to a value of 00000000 in hex. 4043This protocol is required to defeat hardware that depends on passing 4044certain characters from end to end (such as XON/XOFF etc). 4045.Pp 4046For the XON/XOFF scenario, use 4047.Dq set accmap 000a0000 . 4048.It Ic set Oo Ic auth Oc Ns Xo 4049.Ic key Ar value 4050.Xc 4051This sets the authentication key (or password) used in client mode 4052PAP or CHAP negotiation to the given value. 4053It also specifies the 4054password to be used in the dial or login scripts in place of the 4055.Sq \eP 4056sequence, preventing the actual password from being logged. 4057If 4058.Ar command 4059or 4060.Ar chat 4061logging is in effect, 4062.Ar value 4063is logged as 4064.Sq ******** 4065for security reasons. 4066.Pp 4067If the first character of 4068.Ar value 4069is an exclamation mark 4070.Pq Dq !\& , 4071.Nm 4072treats the remainder of the string as a program that must be executed 4073to determine the 4074.Dq authname 4075and 4076.Dq authkey 4077values. 4078.Pp 4079If the 4080.Dq !\& 4081is doubled up 4082(to 4083.Dq !! ) , 4084it is treated as a single literal 4085.Dq !\& , 4086otherwise, ignoring the 4087.Dq !\& , 4088.Ar value 4089is parsed as a program to execute in the same was as the 4090.Dq !bg 4091command above, substituting special names in the same manner. 4092Once executed, 4093.Nm 4094will feed the program three lines of input, each terminated by a newline 4095character: 4096.Bl -bullet 4097.It 4098The host name as sent in the CHAP challenge. 4099.It 4100The challenge string as sent in the CHAP challenge. 4101.It 4102The locally defined 4103.Dq authname . 4104.El 4105.Pp 4106Two lines of output are expected: 4107.Bl -bullet 4108.It 4109The 4110.Dq authname 4111to be sent with the CHAP response. 4112.It 4113The 4114.Dq authkey , 4115which is encrypted with the challenge and request id, the answer being sent 4116in the CHAP response packet. 4117.El 4118.Pp 4119When configuring 4120.Nm 4121in this manner, it's expected that the host challenge is a series of ASCII 4122digits or characters. 4123An encryption device or Secure ID card is usually 4124required to calculate the secret appropriate for the given challenge. 4125.It set authname Ar id 4126This sets the authentication id used in client mode PAP or CHAP negotiation. 4127.Pp 4128If used in 4129.Fl direct 4130mode with CHAP enabled, 4131.Ar id 4132is used in the initial authentication challenge and should normally be set to 4133the local machine name. 4134.It set autoload Xo 4135.Ar min-percent max-percent period 4136.Xc 4137These settings apply only in multi-link mode and default to zero, zero and 4138five respectively. 4139When more than one 4140.Ar demand-dial 4141(also known as 4142.Fl auto ) 4143mode link is available, only the first link is made active when 4144.Nm 4145first reads data from the tun device. 4146The next 4147.Ar demand-dial 4148link will be opened only when the current bundle throughput is at least 4149.Ar max-percent 4150percent of the total bundle bandwidth for 4151.Ar period 4152seconds. 4153When the current bundle throughput decreases to 4154.Ar min-percent 4155percent or less of the total bundle bandwidth for 4156.Ar period 4157seconds, a 4158.Ar demand-dial 4159link will be brought down as long as it's not the last active link. 4160.Pp 4161Bundle throughput is measured as the maximum of inbound and outbound 4162traffic. 4163.Pp 4164The default values cause 4165.Ar demand-dial 4166links to simply come up one at a time. 4167.Pp 4168Certain devices cannot determine their physical bandwidth, so it 4169is sometimes necessary to use the 4170.Dq set bandwidth 4171command (described below) to make 4172.Dq set autoload 4173work correctly. 4174.It set bandwidth Ar value 4175This command sets the connection bandwidth in bits per second. 4176.Ar value 4177must be greater than zero. 4178It is currently only used by the 4179.Dq set autoload 4180command above. 4181.It set callback Ar option Ns No ... 4182If no arguments are given, callback is disabled, otherwise, 4183.Nm 4184will request (or in 4185.Fl direct 4186mode, will accept) one of the given 4187.Ar option Ns No s . 4188In client mode, if an 4189.Ar option 4190is NAK'd 4191.Nm 4192will request a different 4193.Ar option , 4194until no options remain at which point 4195.Nm 4196will terminate negotiations (unless 4197.Dq none 4198is one of the specified 4199.Ar option ) . 4200In server mode, 4201.Nm 4202will accept any of the given protocols - but the client 4203.Em must 4204request one of them. 4205If you wish callback to be optional, you must {include} 4206.Ar none 4207as an option. 4208.Pp 4209The 4210.Ar option Ns No s 4211are as follows (in this order of preference): 4212.Bl -tag -width Ds 4213.It auth 4214The callee is expected to decide the callback number based on 4215authentication. 4216If 4217.Nm 4218is the callee, the number should be specified as the fifth field of 4219the peers entry in 4220.Pa /etc/ppp/ppp.secret . 4221.It cbcp 4222Microsoft's callback control protocol is used. 4223See 4224.Dq set cbcp 4225below. 4226.Pp 4227If you wish to negotiate 4228.Ar cbcp 4229in client mode but also wish to allow the server to request no callback at 4230CBCP negotiation time, you must specify both 4231.Ar cbcp 4232and 4233.Ar none 4234as callback options. 4235.It E.164 *| Ns Xo 4236.Ar number Ns Op , Ns Ar number Ns 4237.No ... 4238.Xc 4239The caller specifies the 4240.Ar number . 4241If 4242.Nm 4243is the callee, 4244.Ar number 4245should be either a comma separated list of allowable numbers or a 4246.Dq \&* , 4247meaning any number is permitted. 4248If 4249.Nm 4250is the caller, only a single number should be specified. 4251.Pp 4252Note, this option is very unsafe when used with a 4253.Dq \&* 4254as a malicious caller can tell 4255.Nm 4256to call any (possibly international) number without first authenticating 4257themselves. 4258.It none 4259If the peer does not wish to do callback at all, 4260.Nm 4261will accept the fact and continue without callback rather than terminating 4262the connection. 4263This is required (in addition to one or more other callback 4264options) if you wish callback to be optional. 4265.El 4266.It set cbcp Oo 4267.No *| Ns Ar number Ns Oo 4268.No , Ns Ar number Ns ...\& Oc 4269.Op Ar delay Op Ar retry 4270.Oc 4271If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4272is disabled - ie, configuring CBCP in the 4273.Dq set callback 4274command will result in 4275.Nm 4276requesting no callback in the CBCP phase. 4277Otherwise, 4278.Nm 4279attempts to use the given phone 4280.Ar number Ns No (s). 4281.Pp 4282In server mode 4283.Pq Fl direct , 4284.Nm 4285will insist that the client uses one of these numbers, unless 4286.Dq \&* 4287is used in which case the client is expected to specify the number. 4288.Pp 4289In client mode, 4290.Nm 4291will attempt to use one of the given numbers (whichever it finds to 4292be agreeable with the peer), or if 4293.Dq \&* 4294is specified, 4295.Nm 4296will expect the peer to specify the number. 4297.It set cd Oo 4298.No off| Ns Ar seconds Ns Op !\& 4299.Oc 4300Normally, 4301.Nm 4302checks for the existence of carrier depending on the type of device 4303that has been opened: 4304.Bl -tag -width XXX -offset XXX 4305.It Terminal Devices 4306Carrier is checked one second after the login script is complete. 4307If it's not set, 4308.Nm 4309assumes that this is because the device doesn't support carrier (which 4310is true for most 4311.Dq laplink 4312NULL-modem cables), logs the fact and stops checking 4313for carrier. 4314.Pp 4315As ptys don't support the 4316.Dv TIOCMGET 4317ioctl, the tty device will switch all 4318carrier detection off when it detects that the device is a pty. 4319.It PPPoE (netgraph) Devices 4320Carrier is checked once per second for 5 seconds. 4321If it's not set after 4322the fifth second, the connection attempt is considered to have failed and 4323the device is closed. 4324Carrier is always required for PPPoE devices. 4325.El 4326.Pp 4327All other device types don't support carrier. 4328Setting a carrier value will 4329result in a warning when the device is opened. 4330.Pp 4331Some modems take more than one second after connecting to assert the carrier 4332signal. 4333If this delay isn't increased, this will result in 4334.Nm Ns No 's 4335inability to detect when the link is dropped, as 4336.Nm 4337assumes that the device isn't asserting carrier. 4338.Pp 4339The 4340.Dq set cd 4341command overrides the default carrier behaviour. 4342.Ar seconds 4343specifies the maximum number of seconds that 4344.Nm 4345should wait after the dial script has finished before deciding if 4346carrier is available or not. 4347.Pp 4348If 4349.Dq off 4350is specified, 4351.Nm 4352will not check for carrier on the device, otherwise 4353.Nm 4354will not proceed to the login script until either carrier is detected 4355or until 4356.Ar seconds 4357has elapsed, at which point 4358.Nm 4359assumes that the device will not set carrier. 4360.Pp 4361If no arguments are given, carrier settings will go back to their default 4362values. 4363.Pp 4364If 4365.Ar seconds 4366is followed immediately by an exclamation mark 4367.Pq Dq !\& , 4368.Nm 4369will 4370.Em require 4371carrier. 4372If carrier is not detected after 4373.Ar seconds 4374seconds, the link will be disconnected. 4375.It set choked Op Ar timeout 4376This sets the number of seconds that 4377.Nm 4378will keep a choked output queue before dropping all pending output packets. 4379If 4380.Ar timeout 4381is less than or equal to zero or if 4382.Ar timeout 4383isn't specified, it is set to the default value of 4384.Em 120 seconds . 4385.Pp 4386A choked output queue occurs when 4387.Nm 4388has read a certain number of packets from the local network for transmission, 4389but cannot send the data due to link failure (the peer is busy etc.). 4390.Nm 4391will not read packets indefinitely. 4392Instead, it reads up to 4393.Em 30 4394packets (or 4395.Em 30 No + 4396.Em nlinks No * 4397.Em 2 4398packets in multi-link mode), then stops reading the network interface 4399until either 4400.Ar timeout 4401seconds have passed or at least one packet has been sent. 4402.Pp 4403If 4404.Ar timeout 4405seconds pass, all pending output packets are dropped. 4406.It set ctsrts|crtscts on|off 4407This sets hardware flow control. 4408Hardware flow control is 4409.Ar on 4410by default. 4411.It set deflate Ar out-winsize Op Ar in-winsize 4412This sets the DEFLATE algorithms default outgoing and incoming window 4413sizes. 4414Both 4415.Ar out-winsize 4416and 4417.Ar in-winsize 4418must be values between 4419.Em 8 4420and 4421.Em 15 . 4422If 4423.Ar in-winsize 4424is specified, 4425.Nm 4426will insist that this window size is used and will not accept any other 4427values from the peer. 4428.It set dns Op Ar primary Op Ar secondary 4429This command specifies DNS overrides for the 4430.Dq accept dns 4431command. 4432Refer to the 4433.Dq accept 4434command description above for details. 4435This command does not affect the IP numbers requested using 4436.Dq enable dns . 4437.It set device|line Xo 4438.Ar value Ns No ... 4439.Xc 4440This sets the device(s) to which 4441.Nm 4442will talk to the given 4443.Dq value . 4444.Pp 4445All serial device names are expected to begin with 4446.Pa /dev/ 4447and are usually called 4448.Pa cuaXX . 4449.Pp 4450If 4451.Dq value 4452does not begin with 4453.Pa /dev/ , 4454it must either begin with an exclamation mark 4455.Pq Dq !\& , 4456be of the format 4457.No PPPoE: Ns Ar iface Ns Xo 4458.Op \&: Ns Ar provider Ns 4459.Xc 4460(on 4461.Xr netgraph 4 4462enabled systems), or be of the format 4463.Sm off 4464.Ar host : port Op /tcp|udp . 4465.Sm on 4466.Pp 4467If it begins with an exclamation mark, the rest of the device name is 4468treated as a program name, and that program is executed when the device 4469is opened. 4470Standard input, output and error are fed back to 4471.Nm 4472and are read and written as if they were a regular device. 4473.Pp 4474If a 4475.No PPPoE: Ns Ar iface Ns Xo 4476.Op \&: Ns Ar provider Ns 4477.Xc 4478specification is given, 4479.Nm 4480will attempt to create a 4481.Em PPP 4482over Ethernet connection using the given 4483.Ar iface 4484interface by using 4485.Xr netgraph 4 . 4486If 4487.Xr netgraph 4 4488is not available, 4489.Nm 4490will attempt to load it using 4491.Xr kldload 2 . 4492If this fails, an external program must be used such as the 4493.Xr pppoe 8 4494program available under 4495.Ox . 4496The given 4497.Ar provider 4498is passed as the service name in the PPPoE Discovery Initiation (PADI) 4499packet. 4500If no provider is given, an empty value will be used. 4501.Pp 4502When a PPPoE connection is established, 4503.Nm 4504will place the name of the Access Concentrator in the environment variable 4505.Ev ACNAME . 4506.Pp 4507Refer to 4508.Xr netgraph 4 4509and 4510.Xr ng_pppoe 4 4511for further details. 4512.Pp 4513If a 4514.Ar host Ns No : Ns Ar port Ns Oo 4515.No /tcp|udp 4516.Oc 4517specification is given, 4518.Nm 4519will attempt to connect to the given 4520.Ar host 4521on the given 4522.Ar port . 4523If a 4524.Dq /tcp 4525or 4526.Dq /udp 4527suffix is not provided, the default is 4528.Dq /tcp . 4529Refer to the section on 4530.Em PPP OVER TCP and UDP 4531above for further details. 4532.Pp 4533If multiple 4534.Dq values 4535are specified, 4536.Nm 4537will attempt to open each one in turn until it succeeds or runs out of 4538devices. 4539.It set dial Ar chat-script 4540This specifies the chat script that will be used to dial the other 4541side. 4542See also the 4543.Dq set login 4544command below. 4545Refer to 4546.Xr chat 8 4547and to the example configuration files for details of the chat script 4548format. 4549It is possible to specify some special 4550.Sq values 4551in your chat script as follows: 4552.Bl -tag -width 2n 4553.It Li \ec 4554When used as the last character in a 4555.Sq send 4556string, this indicates that a newline should not be appended. 4557.It Li \ed 4558When the chat script encounters this sequence, it delays two seconds. 4559.It Li \ep 4560When the chat script encounters this sequence, it delays for one quarter of 4561a second. 4562.It Li \en 4563This is replaced with a newline character. 4564.It Li \er 4565This is replaced with a carriage return character. 4566.It Li \es 4567This is replaced with a space character. 4568.It Li \et 4569This is replaced with a tab character. 4570.It Li \eT 4571This is replaced by the current phone number (see 4572.Dq set phone 4573below). 4574.It Li \eP 4575This is replaced by the current 4576.Ar authkey 4577value (see 4578.Dq set authkey 4579above). 4580.It Li \eU 4581This is replaced by the current 4582.Ar authname 4583value (see 4584.Dq set authname 4585above). 4586.El 4587.Pp 4588Note that two parsers will examine these escape sequences, so in order to 4589have the 4590.Sq chat parser 4591see the escape character, it is necessary to escape it from the 4592.Sq command parser . 4593This means that in practice you should use two escapes, for example: 4594.Bd -literal -offset indent 4595set dial "... ATDT\\\\T CONNECT" 4596.Ed 4597.Pp 4598It is also possible to execute external commands from the chat script. 4599To do this, the first character of the expect or send string is an 4600exclamation mark 4601.Pq Dq !\& . 4602If a literal exclamation mark is required, double it up to 4603.Dq !!\& 4604and it will be treated as a single literal 4605.Dq !\& . 4606When the command is executed, standard input and standard output are 4607directed to the open device (see the 4608.Dq set device 4609command), and standard error is read by 4610.Nm 4611and substituted as the expect or send string. 4612If 4613.Nm 4614is running in interactive mode, file descriptor 3 is attached to 4615.Pa /dev/tty . 4616.Pp 4617For example (wrapped for readability): 4618.Bd -literal -offset indent 4619set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4620word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4621\\"!/bin/echo in\\" HELLO" 4622.Ed 4623.Pp 4624would result in the following chat sequence (output using the 4625.Sq set log local chat 4626command before dialing): 4627.Bd -literal -offset indent 4628Dial attempt 1 of 1 4629dial OK! 4630Chat: Expecting: 4631Chat: Sending: 4632Chat: Expecting: login:--login: 4633Chat: Wait for (5): login: 4634Chat: Sending: ppp 4635Chat: Expecting: word: 4636Chat: Wait for (5): word: 4637Chat: Sending: ppp 4638Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4639Chat: Exec: sh -c "echo -n label: >&2" 4640Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4641Chat: Exec: /bin/echo in 4642Chat: Sending: 4643Chat: Expecting: HELLO 4644Chat: Wait for (5): HELLO 4645login OK! 4646.Ed 4647.Pp 4648Note (again) the use of the escape character, allowing many levels of 4649nesting. 4650Here, there are four parsers at work. 4651The first parses the original line, reading it as three arguments. 4652The second parses the third argument, reading it as 11 arguments. 4653At this point, it is 4654important that the 4655.Dq \&- 4656signs are escaped, otherwise this parser will see them as constituting 4657an expect-send-expect sequence. 4658When the 4659.Dq !\& 4660character is seen, the execution parser reads the first command as three 4661arguments, and then 4662.Xr sh 1 4663itself expands the argument after the 4664.Fl c . 4665As we wish to send the output back to the modem, in the first example 4666we redirect our output to file descriptor 2 (stderr) so that 4667.Nm 4668itself sends and logs it, and in the second example, we just output to stdout, 4669which is attached directly to the modem. 4670.Pp 4671This, of course means that it is possible to execute an entirely external 4672.Dq chat 4673command rather than using the internal one. 4674See 4675.Xr chat 8 4676for a good alternative. 4677.Pp 4678The external command that is executed is subjected to the same special 4679word expansions as the 4680.Dq !bg 4681command. 4682.It set enddisc Op label|IP|MAC|magic|psn value 4683This command sets our local endpoint discriminator. 4684If set prior to LCP negotiation, and if no 4685.Dq disable enddisc 4686command has been used, 4687.Nm 4688will send the information to the peer using the LCP endpoint discriminator 4689option. 4690The following discriminators may be set: 4691.Bl -tag -width indent 4692.It Li label 4693The current label is used. 4694.It Li IP 4695Our local IP number is used. 4696As LCP is negotiated prior to IPCP, it is 4697possible that the IPCP layer will subsequently change this value. 4698If 4699it does, the endpoint discriminator stays at the old value unless manually 4700reset. 4701.It Li MAC 4702This is similar to the 4703.Ar IP 4704option above, except that the MAC address associated with the local IP 4705number is used. 4706If the local IP number is not resident on any Ethernet 4707interface, the command will fail. 4708.Pp 4709As the local IP number defaults to whatever the machine host name is, 4710.Dq set enddisc mac 4711is usually done prior to any 4712.Dq set ifaddr 4713commands. 4714.It Li magic 4715A 20 digit random number is used. 4716Care should be taken when using magic numbers as restarting 4717.Nm 4718or creating a link using a different 4719.Nm 4720invocation will also use a different magic number and will therefore not 4721be recognised by the peer as belonging to the same bundle. 4722This makes it unsuitable for 4723.Fl direct 4724connections. 4725.It Li psn Ar value 4726The given 4727.Ar value 4728is used. 4729.Ar Value 4730should be set to an absolute public switched network number with the 4731country code first. 4732.El 4733.Pp 4734If no arguments are given, the endpoint discriminator is reset. 4735.It set escape Ar value... 4736This option is similar to the 4737.Dq set accmap 4738option above. 4739It allows the user to specify a set of characters that will be 4740.Sq escaped 4741as they travel across the link. 4742.It set filter dial|alive|in|out Ar rule-no Xo 4743.No permit|deny|clear| Ns Ar rule-no 4744.Op !\& 4745.Oo Op host 4746.Ar src_addr Ns Op / Ns Ar width 4747.Op Ar dst_addr Ns Op / Ns Ar width 4748.Oc [ Ns Ar proto 4749.Op src lt|eq|gt Ar port 4750.Op dst lt|eq|gt Ar port 4751.Op estab 4752.Op syn 4753.Op finrst 4754.Op timeout Ar secs ] 4755.Xc 4756.Nm 4757supports four filter sets. 4758The 4759.Em alive 4760filter specifies packets that keep the connection alive - resetting the 4761idle timer. 4762The 4763.Em dial 4764filter specifies packets that cause 4765.Nm 4766to dial when in 4767.Fl auto 4768mode. 4769The 4770.Em in 4771filter specifies packets that are allowed to travel 4772into the machine and the 4773.Em out 4774filter specifies packets that are allowed out of the machine. 4775.Pp 4776Filtering is done prior to any IP alterations that might be done by the 4777NAT engine on outgoing packets and after any IP alterations that might 4778be done by the NAT engine on incoming packets. 4779By default all empty filter sets allow all packets to pass. 4780Rules are processed in order according to 4781.Ar rule-no 4782(unless skipped by specifying a rule number as the 4783.Ar action ) . 4784Up to 40 rules may be given for each set. 4785If a packet doesn't match 4786any of the rules in a given set, it is discarded. 4787In the case of 4788.Em in 4789and 4790.Em out 4791filters, this means that the packet is dropped. 4792In the case of 4793.Em alive 4794filters it means that the packet will not reset the idle timer (even if 4795the 4796.Ar in Ns No / Ns Ar out 4797filter has a 4798.Dq timeout 4799value) and in the case of 4800.Em dial 4801filters it means that the packet will not trigger a dial. 4802A packet failing to trigger a dial will be dropped rather than queued. 4803Refer to the 4804section on 4805.Sx PACKET FILTERING 4806above for further details. 4807.It set hangup Ar chat-script 4808This specifies the chat script that will be used to reset the device 4809before it is closed. 4810It should not normally be necessary, but can 4811be used for devices that fail to reset themselves properly on close. 4812.It set help|? Op Ar command 4813This command gives a summary of available set commands, or if 4814.Ar command 4815is specified, the command usage is shown. 4816.It set ifaddr Oo Ar myaddr Ns 4817.Op / Ns Ar \&nn 4818.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4819.Oo Ar netmask 4820.Op Ar triggeraddr 4821.Oc Oc 4822.Oc 4823This command specifies the IP addresses that will be used during 4824IPCP negotiation. 4825Addresses are specified using the format 4826.Pp 4827.Dl a.b.c.d/nn 4828.Pp 4829Where 4830.Dq a.b.c.d 4831is the preferred IP, but 4832.Ar nn 4833specifies how many bits of the address we will insist on. 4834If 4835.No / Ns Ar nn 4836is omitted, it defaults to 4837.Dq /32 4838unless the IP address is 0.0.0.0 in which case it defaults to 4839.Dq /0 . 4840.Pp 4841If you wish to assign a dynamic IP number to the peer, 4842.Ar hisaddr 4843may also be specified as a range of IP numbers in the format 4844.Bd -ragged -offset indent 4845.Sm off 4846.Ar \&IP Oo \&- Ar \&IP Oc Oo , 4847.Ar \&IP Oo \&- Ar \&IP Oc Oc ... 4848.Sm on 4849.Ed 4850.Pp 4851for example: 4852.Pp 4853.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4854.Pp 4855will only negotiate 4856.Dq 10.0.0.1 4857as the local IP number, but may assign any of the given 10 IP 4858numbers to the peer. 4859If the peer requests one of these numbers, 4860and that number is not already in use, 4861.Nm 4862will grant the peers request. 4863This is useful if the peer wants 4864to re-establish a link using the same IP number as was previously 4865allocated (thus maintaining any existing tcp or udp connections). 4866.Pp 4867If the peer requests an IP number that's either outside 4868of this range or is already in use, 4869.Nm 4870will suggest a random unused IP number from the range. 4871.Pp 4872If 4873.Ar triggeraddr 4874is specified, it is used in place of 4875.Ar myaddr 4876in the initial IPCP negotiation. 4877However, only an address in the 4878.Ar myaddr 4879range will be accepted. 4880This is useful when negotiating with some 4881.Dv PPP 4882implementations that will not assign an IP number unless their peer 4883requests 4884.Dq 0.0.0.0 . 4885.Pp 4886It should be noted that in 4887.Fl auto 4888mode, 4889.Nm 4890will configure the interface immediately upon reading the 4891.Dq set ifaddr 4892line in the config file. 4893In any other mode, these values are just 4894used for IPCP negotiations, and the interface isn't configured 4895until the IPCP layer is up. 4896.Pp 4897Note that the 4898.Ar HISADDR 4899argument may be overridden by the third field in the 4900.Pa ppp.secret 4901file once the client has authenticated itself 4902(if PAP or CHAP are 4903.Dq enabled ) . 4904Refer to the 4905.Sx AUTHENTICATING INCOMING CONNECTIONS 4906section for details. 4907.Pp 4908In all cases, if the interface is already configured, 4909.Nm 4910will try to maintain the interface IP numbers so that any existing 4911bound sockets will remain valid. 4912.It set ifqueue Ar packets 4913Set the maximum number of packets that 4914.Nm 4915will read from the tunnel interface while data cannot be sent to any of 4916the available links. 4917This queue limit is necessary to flow control outgoing data as the tunnel 4918interface is likely to be far faster than the combined links available to 4919.Nm . 4920.Pp 4921If 4922.Ar packets 4923is set to a value less than the number of links, 4924.Nm 4925will read up to that value regardless. 4926This prevents any possible latency problems. 4927.Pp 4928The default value for 4929.Ar packets 4930is 4931.Dq 30 . 4932.It set ccpretry|ccpretries Oo Ar timeout 4933.Op Ar reqtries Op Ar trmtries 4934.Oc 4935.It set chapretry|chapretries Oo Ar timeout 4936.Op Ar reqtries 4937.Oc 4938.It set ipcpretry|ipcpretries Oo Ar timeout 4939.Op Ar reqtries Op Ar trmtries 4940.Oc 4941.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 4942.Op Ar reqtries Op Ar trmtries 4943.Oc 4944.It set lcpretry|lcpretries Oo Ar timeout 4945.Op Ar reqtries Op Ar trmtries 4946.Oc 4947.It set papretry|papretries Oo Ar timeout 4948.Op Ar reqtries 4949.Oc 4950These commands set the number of seconds that 4951.Nm 4952will wait before resending Finite State Machine (FSM) Request packets. 4953The default 4954.Ar timeout 4955for all FSMs is 3 seconds (which should suffice in most cases). 4956.Pp 4957If 4958.Ar reqtries 4959is specified, it tells 4960.Nm 4961how many configuration request attempts it should make while receiving 4962no reply from the peer before giving up. 4963The default is 5 attempts for 4964CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4965.Pp 4966If 4967.Ar trmtries 4968is specified, it tells 4969.Nm 4970how many terminate requests should be sent before giving up waiting for the 4971peers response. 4972The default is 3 attempts. 4973Authentication protocols are 4974not terminated and it is therefore invalid to specify 4975.Ar trmtries 4976for PAP or CHAP. 4977.Pp 4978In order to avoid negotiations with the peer that will never converge, 4979.Nm 4980will only send at most 3 times the configured number of 4981.Ar reqtries 4982in any given negotiation session before giving up and closing that layer. 4983.It set log Xo 4984.Op local 4985.Op +|- Ns 4986.Ar value Ns No ... 4987.Xc 4988This command allows the adjustment of the current log level. 4989Refer to the Logging Facility section for further details. 4990.It set login Ar chat-script 4991This 4992.Ar chat-script 4993complements the dial-script. 4994If both are specified, the login 4995script will be executed after the dial script. 4996Escape sequences available in the dial script are also available here. 4997.It set logout Ar chat-script 4998This specifies the chat script that will be used to logout 4999before the hangup script is called. 5000It should not normally be necessary. 5001.It set lqrperiod Ar frequency 5002This command sets the 5003.Ar frequency 5004in seconds at which 5005.Em LQR 5006or 5007.Em ECHO LQR 5008packets are sent. 5009The default is 30 seconds. 5010You must also use the 5011.Dq enable lqr 5012command if you wish to send LQR requests to the peer. 5013.It set mode Ar interactive|auto|ddial|background 5014This command allows you to change the 5015.Sq mode 5016of the specified link. 5017This is normally only useful in multi-link mode, 5018but may also be used in uni-link mode. 5019.Pp 5020It is not possible to change a link that is 5021.Sq direct 5022or 5023.Sq dedicated . 5024.Pp 5025Note: If you issue the command 5026.Dq set mode auto , 5027and have network address translation enabled, it may be useful to 5028.Dq enable iface-alias 5029afterwards. 5030This will allow 5031.Nm 5032to do the necessary address translations to enable the process that 5033triggers the connection to connect once the link is up despite the 5034peer assigning us a new (dynamic) IP address. 5035.It set mppe Op 40|56|128|* Op stateless|stateful|* 5036This option selects the encryption parameters used when negotiation 5037MPPE. 5038MPPE can be disabled entirely with the 5039.Dq disable mppe 5040command. 5041If no arguments are given, 5042.Nm 5043will attempt to negotiate a stateful link with a 128 bit key, but 5044will agree to whatever the peer requests (including no encryption 5045at all). 5046.Pp 5047If any arguments are given, 5048.Nm 5049will 5050.Em insist 5051on using MPPE and will close the link if it's rejected by the peer (Note; 5052this behaviour can be overridden by a configured RADIUS server). 5053.Pp 5054The first argument specifies the number of bits that 5055.Nm 5056should insist on during negotiations and the second specifies whether 5057.Nm 5058should insist on stateful or stateless mode. 5059In stateless mode, the 5060encryption dictionary is re-initialised with every packet according to 5061an encryption key that is changed with every packet. 5062In stateful mode, 5063the encryption dictionary is re-initialised every 256 packets or after 5064the loss of any data and the key is changed every 256 packets. 5065Stateless mode is less efficient but is better for unreliable transport 5066layers. 5067.It set mrru Op Ar value 5068Setting this option enables Multi-link PPP negotiations, also known as 5069Multi-link Protocol or MP. 5070There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5071If no argument is given, multi-link mode is disabled. 5072.It set mru Xo 5073.Op max Ns Op imum 5074.Op Ar value 5075.Xc 5076The default MRU (Maximum Receive Unit) is 1500. 5077If it is increased, the other side *may* increase its MTU. 5078In theory there is no point in decreasing the MRU to below the default as the 5079.Em PPP 5080protocol says implementations *must* be able to accept packets of at 5081least 1500 octets. 5082.Pp 5083If the 5084.Dq maximum 5085keyword is used, 5086.Nm 5087will refuse to negotiate a higher value. 5088The maximum MRU can be set to 2048 at most. 5089Setting a maximum of less than 1500 violates the 5090.Em PPP 5091rfc, but may sometimes be necessary. 5092For example, 5093.Em PPPoE 5094imposes a maximum of 1492 due to hardware limitations. 5095.Pp 5096If no argument is given, 1500 is assumed. 5097A value must be given when 5098.Dq maximum 5099is specified. 5100.It set mtu Xo 5101.Op max Ns Op imum 5102.Op Ar value 5103.Xc 5104The default MTU is 1500. 5105At negotiation time, 5106.Nm 5107will accept whatever MRU the peer requests (assuming it's 5108not less than 296 bytes or greater than the assigned maximum). 5109If the MTU is set, 5110.Nm 5111will not accept MRU values less than 5112.Ar value . 5113When negotiations are complete, the MTU is used when writing to the 5114interface, even if the peer requested a higher value MRU. 5115This can be useful for 5116limiting your packet size (giving better bandwidth sharing at the expense 5117of more header data). 5118.Pp 5119If the 5120.Dq maximum 5121keyword is used, 5122.Nm 5123will refuse to negotiate a higher value. 5124The maximum MTU can be set to 2048 at most. 5125.Pp 5126If no 5127.Ar value 5128is given, 1500, or whatever the peer asks for is used. 5129A value must be given when 5130.Dq maximum 5131is specified. 5132.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5133This option allows the setting of the Microsoft NetBIOS name server 5134values to be returned at the peers request. 5135If no values are given, 5136.Nm 5137will reject any such requests. 5138.It set openmode active|passive Op Ar delay 5139By default, 5140.Ar openmode 5141is always 5142.Ar active 5143with a one second 5144.Ar delay . 5145That is, 5146.Nm 5147will always initiate LCP/IPCP/CCP negotiation one second after the line 5148comes up. 5149If you want to wait for the peer to initiate negotiations, you 5150can use the value 5151.Ar passive . 5152If you want to initiate negotiations immediately or after more than one 5153second, the appropriate 5154.Ar delay 5155may be specified here in seconds. 5156.It set parity odd|even|none|mark 5157This allows the line parity to be set. 5158The default value is 5159.Ar none . 5160.It set phone Ar telno Ns Xo 5161.Oo \&| Ns Ar backupnumber 5162.Oc Ns ... Ns Oo : Ns Ar nextnumber 5163.Oc Ns ... 5164.Xc 5165This allows the specification of the phone number to be used in 5166place of the \\\\T string in the dial and login chat scripts. 5167Multiple phone numbers may be given separated either by a pipe 5168.Pq Dq \&| 5169or a colon 5170.Pq Dq \&: . 5171.Pp 5172Numbers after the pipe are only dialed if the dial or login 5173script for the previous number failed. 5174.Pp 5175Numbers after the colon are tried sequentially, irrespective of 5176the reason the line was dropped. 5177.Pp 5178If multiple numbers are given, 5179.Nm 5180will dial them according to these rules until a connection is made, retrying 5181the maximum number of times specified by 5182.Dq set redial 5183below. 5184In 5185.Fl background 5186mode, each number is attempted at most once. 5187.It Ic set Oo Ic proc Oc Ns Xo 5188.Ic title Op Ar value 5189.Xc 5190The current process title as displayed by 5191.Xr ps 1 5192is changed according to 5193.Ar value . 5194If 5195.Ar value 5196is not specified, the original process title is restored. 5197All the 5198word replacements done by the shell commands (see the 5199.Dq bg 5200command above) are done here too. 5201.Pp 5202Note, if USER is required in the process title, the 5203.Dq set proctitle 5204command must appear in 5205.Pa ppp.linkup , 5206as it is not known when the commands in 5207.Pa ppp.conf 5208are executed. 5209.It set radius Op Ar config-file 5210This command enables RADIUS support (if it's compiled in). 5211.Ar config-file 5212refers to the radius client configuration file as described in 5213.Xr radius.conf 5 . 5214If PAP, CHAP, MSCHAP or MSCHAPv2 are 5215.Dq enable Ns No d , 5216.Nm 5217behaves as a 5218.Em \&N Ns No etwork 5219.Em \&A Ns No ccess 5220.Em \&S Ns No erver 5221and uses the configured RADIUS server to authenticate rather than 5222authenticating from the 5223.Pa ppp.secret 5224file or from the passwd database. 5225.Pp 5226If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5227.Dq set radius 5228will do nothing. 5229.Pp 5230.Nm 5231uses the following attributes from the RADIUS reply: 5232.Bl -tag -width XXX -offset XXX 5233.It RAD_FRAMED_IP_ADDRESS 5234The peer IP address is set to the given value. 5235.It RAD_FRAMED_IP_NETMASK 5236The tun interface netmask is set to the given value. 5237.It RAD_FRAMED_MTU 5238If the given MTU is less than the peers MRU as agreed during LCP 5239negotiation, *and* it is less that any configured MTU (see the 5240.Dq set mru 5241command), the tun interface MTU is set to the given value. 5242.It RAD_FRAMED_COMPRESSION 5243If the received compression type is 5244.Dq 1 , 5245.Nm 5246will request VJ compression during IPCP negotiations despite any 5247.Dq disable vj 5248configuration command. 5249.It RAD_FILTER_ID 5250If this attribute is supplied, 5251.Nm 5252will attempt to use it as an additional label to load from the 5253.Pa ppp.linkup 5254and 5255.Pa ppp.linkdown 5256files. 5257The load will be attempted before (and in addition to) the normal 5258label search. 5259If the label doesn't exist, no action is taken and 5260.Nm 5261proceeds to the normal load using the current label. 5262.It RAD_FRAMED_ROUTE 5263The received string is expected to be in the format 5264.Ar dest Ns Op / Ns Ar bits 5265.Ar gw 5266.Op Ar metrics . 5267Any specified metrics are ignored. 5268.Dv MYADDR 5269and 5270.Dv HISADDR 5271are understood as valid values for 5272.Ar dest 5273and 5274.Ar gw , 5275.Dq default 5276can be used for 5277.Ar dest 5278to specify the default route, and 5279.Dq 0.0.0.0 5280is understood to be the same as 5281.Dq default 5282for 5283.Ar dest 5284and 5285.Dv HISADDR 5286for 5287.Ar gw . 5288.Pp 5289For example, a returned value of 5290.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5291would result in a routing table entry to the 1.2.3.0/24 network via 5292.Dv HISADDR 5293and a returned value of 5294.Dq 0.0.0.0 0.0.0.0 5295or 5296.Dq default HISADDR 5297would result in a default route to 5298.Dv HISADDR . 5299.Pp 5300All RADIUS routes are applied after any sticky routes are applied, making 5301RADIUS routes override configured routes. 5302This also applies for RADIUS routes that don't {include} the 5303.Dv MYADDR 5304or 5305.Dv HISADDR 5306keywords. 5307.It RAD_SESSION_TIMEOUT 5308If supplied, the client connection is closed after the given number of 5309seconds. 5310.It RAD_REPLY_MESSAGE 5311If supplied, this message is passed back to the peer as the authentication 5312SUCCESS text. 5313.It RAD_MICROSOFT_MS_CHAP_ERROR 5314If this 5315.Dv RAD_VENDOR_MICROSOFT 5316vendor specific attribute is supplied, it is passed back to the peer as the 5317authentication FAILURE text. 5318.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5319If this 5320.Dv RAD_VENDOR_MICROSOFT 5321vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5322being used, it is passed back to the peer as the authentication SUCCESS text. 5323.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5324If this 5325.Dv RAD_VENDOR_MICROSOFT 5326vendor specific attribute is supplied and has a value of 2 (Required), 5327.Nm 5328will insist that MPPE encryption is used (even if no 5329.Dq set mppe 5330configuration command has been given with arguments). 5331If it is supplied with a value of 1 (Allowed), encryption is made optional 5332(despite any 5333.Dq set mppe 5334configuration commands with arguments). 5335.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5336If this 5337.Dv RAD_VENDOR_MICROSOFT 5338vendor specific attribute is supplied, bits 1 and 2 are examined. 5339If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5340options are set, overriding any given first argument to the 5341.Dq set mppe 5342command. 5343Note, it is not currently possible for the RADIUS server to specify 56 bit 5344encryption. 5345.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5346If this 5347.Dv RAD_VENDOR_MICROSOFT 5348vendor specific attribute is supplied, it's value is used as the master 5349key for decryption of incoming data. When clients are authenticated using 5350MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5351to function. 5352.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5353If this 5354.Dv RAD_VENDOR_MICROSOFT 5355vendor specific attribute is supplied, it's value is used as the master 5356key for encryption of outgoing data. When clients are authenticated using 5357MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5358to function. 5359.El 5360.Pp 5361Values received from the RADIUS server may be viewed using 5362.Dq show bundle . 5363.It set reconnect Ar timeout ntries 5364Should the line drop unexpectedly (due to loss of CD or LQR 5365failure), a connection will be re-established after the given 5366.Ar timeout . 5367The line will be re-connected at most 5368.Ar ntries 5369times. 5370.Ar Ntries 5371defaults to zero. 5372A value of 5373.Ar random 5374for 5375.Ar timeout 5376will result in a variable pause, somewhere between 1 and 30 seconds. 5377.It set recvpipe Op Ar value 5378This sets the routing table RECVPIPE value. 5379The optimum value is just over twice the MTU value. 5380If 5381.Ar value 5382is unspecified or zero, the default kernel controlled value is used. 5383.It set redial Ar secs Ns Xo 5384.Oo + Ns Ar inc Ns 5385.Op - Ns Ar max Ns 5386.Oc Ns Op . Ns Ar next 5387.Op Ar attempts 5388.Xc 5389.Nm 5390can be instructed to attempt to redial 5391.Ar attempts 5392times. 5393If more than one phone number is specified (see 5394.Dq set phone 5395above), a pause of 5396.Ar next 5397is taken before dialing each number. 5398A pause of 5399.Ar secs 5400is taken before starting at the first number again. 5401A literal value of 5402.Dq Li random 5403may be used here in place of 5404.Ar secs 5405and 5406.Ar next , 5407causing a random delay of between 1 and 30 seconds. 5408.Pp 5409If 5410.Ar inc 5411is specified, its value is added onto 5412.Ar secs 5413each time 5414.Nm 5415tries a new number. 5416.Ar secs 5417will only be incremented at most 5418.Ar max 5419times. 5420.Ar max 5421defaults to 10. 5422.Pp 5423Note, the 5424.Ar secs 5425delay will be effective, even after 5426.Ar attempts 5427has been exceeded, so an immediate manual dial may appear to have 5428done nothing. 5429If an immediate dial is required, a 5430.Dq !\& 5431should immediately follow the 5432.Dq open 5433keyword. 5434See the 5435.Dq open 5436description above for further details. 5437.It set sendpipe Op Ar value 5438This sets the routing table SENDPIPE value. 5439The optimum value is just over twice the MTU value. 5440If 5441.Ar value 5442is unspecified or zero, the default kernel controlled value is used. 5443.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5444.Ar LocalName Ns No |none|open|closed 5445.Op password Op Ar mask 5446.Xc 5447This command tells 5448.Nm 5449to listen on the given socket or 5450.Sq diagnostic port 5451for incoming command connections. 5452.Pp 5453The word 5454.Dq none 5455instructs 5456.Nm 5457to close any existing socket and clear the socket configuration. 5458The word 5459.Dq open 5460instructs 5461.Nm 5462to attempt to re-open the port. 5463The word 5464.Dq closed 5465instructs 5466.Nm 5467to close the open port. 5468.Pp 5469If you wish to specify a local domain socket, 5470.Ar LocalName 5471must be specified as an absolute file name, otherwise it is assumed 5472to be the name or number of a TCP port. 5473You may specify the octal umask to be used with a local domain socket. 5474Refer to 5475.Xr umask 2 5476for umask details. 5477Refer to 5478.Xr services 5 5479for details of how to translate TCP port names. 5480.Pp 5481You must also specify the password that must be entered by the client 5482(using the 5483.Dq passwd 5484variable above) when connecting to this socket. 5485If the password is 5486specified as an empty string, no password is required for connecting clients. 5487.Pp 5488When specifying a local domain socket, the first 5489.Dq %d 5490sequence found in the socket name will be replaced with the current 5491interface unit number. 5492This is useful when you wish to use the same 5493profile for more than one connection. 5494.Pp 5495In a similar manner TCP sockets may be prefixed with the 5496.Dq + 5497character, in which case the current interface unit number is added to 5498the port number. 5499.Pp 5500When using 5501.Nm 5502with a server socket, the 5503.Xr pppctl 8 5504command is the preferred mechanism of communications. 5505Currently, 5506.Xr telnet 1 5507can also be used, but link encryption may be implemented in the future, so 5508.Xr telnet 1 5509should be avoided. 5510.Pp 5511Note; 5512.Dv SIGUSR1 5513and 5514.Dv SIGUSR2 5515interact with the diagnostic socket. 5516.It set speed Ar value 5517This sets the speed of the serial device. 5518If speed is specified as 5519.Dq sync , 5520.Nm 5521treats the device as a synchronous device. 5522.Pp 5523Certain device types will know whether they should be specified as 5524synchronous or asynchronous. 5525These devices will override incorrect 5526settings and log a warning to this effect. 5527.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5528If this option is set, 5529.Nm 5530will time out after the given FSM (Finite State Machine) has been in 5531the stopped state for the given number of 5532.Dq seconds . 5533This option may be useful if the peer sends a terminate request, 5534but never actually closes the connection despite our sending a terminate 5535acknowledgement. 5536This is also useful if you wish to 5537.Dq set openmode passive 5538and time out if the peer doesn't send a Configure Request within the 5539given time. 5540Use 5541.Dq set log +lcp +ccp 5542to make 5543.Nm 5544log the appropriate state transitions. 5545.Pp 5546The default value is zero, where 5547.Nm 5548doesn't time out in the stopped state. 5549.Pp 5550This value should not be set to less than the openmode delay (see 5551.Dq set openmode 5552above). 5553.It set timeout Ar idleseconds Op Ar mintimeout 5554This command allows the setting of the idle timer. 5555Refer to the section titled 5556.Sx SETTING THE IDLE TIMER 5557for further details. 5558.Pp 5559If 5560.Ar mintimeout 5561is specified, 5562.Nm 5563will never idle out before the link has been up for at least that number 5564of seconds. 5565.It set urgent Xo 5566.Op tcp|udp|none 5567.Oo Op +|- Ns 5568.Ar port 5569.Oc No ... 5570.Xc 5571This command controls the ports that 5572.Nm 5573prioritizes when transmitting data. 5574The default priority TCP ports 5575are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5576543 (klogin) and 544 (kshell). 5577There are no priority UDP ports by default. 5578See 5579.Xr services 5 5580for details. 5581.Pp 5582If neither 5583.Dq tcp 5584or 5585.Dq udp 5586are specified, 5587.Dq tcp 5588is assumed. 5589.Pp 5590If no 5591.Ar port Ns No s 5592are given, the priority port lists are cleared (although if 5593.Dq tcp 5594or 5595.Dq udp 5596is specified, only that list is cleared). 5597If the first 5598.Ar port 5599argument is prefixed with a plus 5600.Pq Dq \&+ 5601or a minus 5602.Pq Dq \&- , 5603the current list is adjusted, otherwise the list is reassigned. 5604.Ar port Ns No s 5605prefixed with a plus or not prefixed at all are added to the list and 5606.Ar port Ns No s 5607prefixed with a minus are removed from the list. 5608.Pp 5609If 5610.Dq none 5611is specified, all priority port lists are disabled and even 5612.Dv IPTOS_LOWDELAY 5613packets are not prioritised. 5614.It set vj slotcomp on|off 5615This command tells 5616.Nm 5617whether it should attempt to negotiate VJ slot compression. 5618By default, slot compression is turned 5619.Ar on . 5620.It set vj slots Ar nslots 5621This command sets the initial number of slots that 5622.Nm 5623will try to negotiate with the peer when VJ compression is enabled (see the 5624.Sq enable 5625command above). 5626It defaults to a value of 16. 5627.Ar Nslots 5628must be between 5629.Ar 4 5630and 5631.Ar 16 5632inclusive. 5633.El 5634.It shell|! Op Ar command 5635If 5636.Ar command 5637is not specified a shell is invoked according to the 5638.Dv SHELL 5639environment variable. 5640Otherwise, the given 5641.Ar command 5642is executed. 5643Word replacement is done in the same way as for the 5644.Dq !bg 5645command as described above. 5646.Pp 5647Use of the ! character 5648requires a following space as with any of the other commands. 5649You should note that this command is executed in the foreground; 5650.Nm 5651will not continue running until this process has exited. 5652Use the 5653.Dv bg 5654command if you wish processing to happen in the background. 5655.It show Ar var 5656This command allows the user to examine the following: 5657.Bl -tag -width 2n 5658.It show bundle 5659Show the current bundle settings. 5660.It show ccp 5661Show the current CCP compression statistics. 5662.It show compress 5663Show the current VJ compression statistics. 5664.It show escape 5665Show the current escape characters. 5666.It show filter Op Ar name 5667List the current rules for the given filter. 5668If 5669.Ar name 5670is not specified, all filters are shown. 5671.It show hdlc 5672Show the current HDLC statistics. 5673.It show help|? 5674Give a summary of available show commands. 5675.It show iface 5676Show the current interface information 5677(the same as 5678.Dq iface show ) . 5679.It show ipcp 5680Show the current IPCP statistics. 5681.It show layers 5682Show the protocol layers currently in use. 5683.It show lcp 5684Show the current LCP statistics. 5685.It Ic show Oo Ic data Oc Ns Xo 5686.Ic link 5687.Xc 5688Show high level link information. 5689.It show links 5690Show a list of available logical links. 5691.It show log 5692Show the current log values. 5693.It show mem 5694Show current memory statistics. 5695.It show ncp 5696Show the current NCP statistics. 5697.It show physical 5698Show low level link information. 5699.It show mp 5700Show Multi-link information. 5701.It show proto 5702Show current protocol totals. 5703.It show route 5704Show the current routing tables. 5705.It show stopped 5706Show the current stopped timeouts. 5707.It show timer 5708Show the active alarm timers. 5709.It show version 5710Show the current version number of 5711.Nm . 5712.El 5713.It term 5714Go into terminal mode. 5715Characters typed at the keyboard are sent to the device. 5716Characters read from the device are displayed on the screen. 5717When a remote 5718.Em PPP 5719peer is detected, 5720.Nm 5721automatically enables Packet Mode and goes back into command mode. 5722.El 5723.Sh MORE DETAILS 5724.Bl -bullet 5725.It 5726Read the example configuration files. 5727They are a good source of information. 5728.It 5729Use 5730.Dq help , 5731.Dq nat \&? , 5732.Dq enable \&? , 5733.Dq set ?\& 5734and 5735.Dq show ?\& 5736to get online information about what's available. 5737.It 5738The following URLs contain useful information: 5739.Bl -bullet -compact 5740.It 5741.Pa http://www.dragonflybsd.org/docs/handbook/handbook-userppp/ 5742.El 5743.El 5744.Sh FILES 5745.Nm 5746refers to four files: 5747.Pa ppp.conf , 5748.Pa ppp.linkup , 5749.Pa ppp.linkdown 5750and 5751.Pa ppp.secret . 5752These files are placed in the 5753.Pa /etc/ppp 5754directory. 5755.Bl -tag -width 2n 5756.It Pa /etc/ppp/ppp.conf 5757System default configuration file. 5758.It Pa /etc/ppp/ppp.secret 5759An authorisation file for each system. 5760.It Pa /etc/ppp/ppp.linkup 5761A file to check when 5762.Nm 5763establishes a network level connection. 5764.It Pa /etc/ppp/ppp.linkdown 5765A file to check when 5766.Nm 5767closes a network level connection. 5768.It Pa /var/log/ppp.log 5769Logging and debugging information file. 5770Note, this name is specified in 5771.Pa /etc/syslog.conf . 5772See 5773.Xr syslog.conf 5 5774for further details. 5775.It Pa /var/spool/lock/LCK..* 5776tty port locking file. 5777Refer to 5778.Xr uucplock 3 5779for further details. 5780.It Pa /var/run/tunN.pid 5781The process id (pid) of the 5782.Nm 5783program connected to the tunN device, where 5784.Sq N 5785is the number of the device. 5786.It Pa /var/run/ttyXX.if 5787The tun interface used by this port. 5788Again, this file is only created in 5789.Fl background , 5790.Fl auto 5791and 5792.Fl ddial 5793modes. 5794.It Pa /etc/services 5795Get port number if port number is using service name. 5796.It Pa /var/run/ppp-authname-class-value 5797In multi-link mode, local domain sockets are created using the peer 5798authentication name 5799.Pq Sq authname , 5800the peer endpoint discriminator class 5801.Pq Sq class 5802and the peer endpoint discriminator value 5803.Pq Sq value . 5804As the endpoint discriminator value may be a binary value, it is turned 5805to HEX to determine the actual file name. 5806.Pp 5807This socket is used to pass links between different instances of 5808.Nm . 5809.El 5810.Sh SEE ALSO 5811.Xr at 1 , 5812.Xr ftp 1 , 5813.Xr gzip 1 , 5814.Xr hostname 1 , 5815.Xr login 1 , 5816.Xr tcpdump 1 , 5817.Xr telnet 1 , 5818.Xr kldload 2 , 5819ifdef({LOCALNAT},{},{.Xr libalias 3 , 5820})dnl 5821ifdef({LOCALRAD},{},{.Xr libradius 3 , 5822})dnl 5823.Xr syslog 3 , 5824.Xr uucplock 3 , 5825.Xr netgraph 4 , 5826.Xr ng_pppoe 4 , 5827.Xr crontab 5 , 5828.Xr group 5 , 5829.Xr passwd 5 , 5830.Xr protocols 5 , 5831.Xr radius.conf 5 , 5832.Xr resolv.conf 5 , 5833.Xr syslog.conf 5 , 5834.Xr adduser 8 , 5835.Xr chat 8 , 5836.Xr getty 8 , 5837.Xr inetd 8 , 5838.Xr init 8 , 5839.Xr named 8 , 5840.Xr ping 8 , 5841.Xr pppctl 8 , 5842.Xr pppd 8 , 5843.Xr pppoe 8 , 5844.Xr route 8 , 5845.Xr sshd 8 , 5846.Xr syslogd 8 , 5847.Xr traceroute 8 , 5848.Xr vipw 8 5849.Sh HISTORY 5850This program was originally written by 5851.An Toshiharu OHNO Aq Mt tony-o@iij.ad.jp , 5852and was submitted to 5853.Fx 2.0.5 5854by 5855.An Atsushi Murai Aq Mt amurai@spec.co.jp . 5856.Pp 5857It was substantially modified during 1997 by 5858.An Brian Somers Aq Mt brian@Awfulhak.org , 5859and was ported to 5860.Ox 5861in November that year 5862(just after the 2.2 release). 5863.Pp 5864Most of the code was rewritten by 5865.An Brian Somers 5866in early 1998 when multi-link ppp support was added. 5867