1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: src/usr.sbin/ppp/ppp.8.m4,v 1.301.2.1 2002/09/01 02:12:31 brian Exp $ 29.\" $DragonFly: src/usr.sbin/ppp/ppp.8.m4,v 1.12 2008/05/02 02:05:08 swildner Exp $ 30.\" 31.Dd August 6, 2009 32.Dt PPP 8 33.Os 34.Sh NAME 35.Nm ppp 36.Nd Point to Point Protocol (a.k.a. user-ppp) 37.Sh SYNOPSIS 38.Nm 39.Op Fl Va mode 40.Op Fl nat 41.Op Fl quiet 42.Op Fl unit Ns Ar N 43.Op Ar system ... 44.Sh DESCRIPTION 45This is a user process 46.Em PPP 47software package. 48Normally, 49.Em PPP 50is implemented as a part of the kernel (e.g., as managed by 51.Xr pppd 8 ) 52and it's thus somewhat hard to debug and/or modify its behaviour. 53However, in this implementation 54.Em PPP 55is done as a user process with the help of the 56tunnel device driver (tun). 57.Pp 58The 59.Fl nat 60flag does the equivalent of a 61.Dq nat enable yes , 62enabling 63.Nm Ns No 's 64network address translation features. 65This allows 66.Nm 67to act as a NAT or masquerading engine for all machines on an internal 68LAN. 69ifdef({LOCALNAT},{},{Refer to 70.Xr libalias 3 71for details on the technical side of the NAT engine. 72})dnl 73Refer to the 74.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 75section of this manual page for details on how to configure NAT in 76.Nm . 77.Pp 78The 79.Fl quiet 80flag tells 81.Nm 82to be silent at startup rather than displaying the mode and interface 83to standard output. 84.Pp 85The 86.Fl unit 87flag tells 88.Nm 89to only attempt to open 90.Pa /dev/tun Ns Ar N . 91Normally, 92.Nm 93will start with a value of 0 for 94.Ar N , 95and keep trying to open a tunnel device by incrementing the value of 96.Ar N 97by one each time until it succeeds. 98If it fails three times in a row 99because the device file is missing, it gives up. 100.Pp 101The following 102.Va mode Ns No s 103are understood by 104.Nm : 105.Bl -tag -width XXX -offset XXX 106.It Fl auto 107.Nm 108opens the tun interface, configures it then goes into the background. 109The link isn't brought up until outgoing data is detected on the tun 110interface at which point 111.Nm 112attempts to bring up the link. 113Packets received (including the first one) while 114.Nm 115is trying to bring the link up will remain queued for a default of 1162 minutes. 117See the 118.Dq set choked 119command below. 120.Pp 121In 122.Fl auto 123mode, at least one 124.Dq system 125must be given on the command line (see below) and a 126.Dq set ifaddr 127must be done in the system profile that specifies a peer IP address to 128use when configuring the interface. 129Something like 130.Dq 10.0.0.1/0 131is usually appropriate. 132See the 133.Dq pmdemand 134system in 135.Pa /usr/share/examples/ppp/ppp.conf.sample 136for an example. 137.It Fl background 138Here, 139.Nm 140attempts to establish a connection with the peer immediately. 141If it succeeds, 142.Nm 143goes into the background and the parent process returns an exit code 144of 0. 145If it fails, 146.Nm 147exits with a non-zero result. 148.It Fl foreground 149In foreground mode, 150.Nm 151attempts to establish a connection with the peer immediately, but never 152becomes a daemon. 153The link is created in background mode. 154This is useful if you wish to control 155.Nm Ns No 's 156invocation from another process. 157.It Fl direct 158This is used for receiving incoming connections. 159.Nm 160ignores the 161.Dq set device 162line and uses descriptor 0 as the link. 163.Pp 164If callback is configured, 165.Nm 166will use the 167.Dq set device 168information when dialing back. 169.It Fl dedicated 170This option is designed for machines connected with a dedicated 171wire. 172.Nm 173will always keep the device open and will never use any configured 174chat scripts. 175.It Fl ddial 176This mode is equivalent to 177.Fl auto 178mode except that 179.Nm 180will bring the link back up any time it's dropped for any reason. 181.It Fl interactive 182This is a no-op, and gives the same behaviour as if none of the above 183modes have been specified. 184.Nm 185loads any sections specified on the command line then provides an 186interactive prompt. 187.El 188.Pp 189One or more configuration entries or systems 190(as specified in 191.Pa /etc/ppp/ppp.conf ) 192may also be specified on the command line. 193.Nm 194will read the 195.Dq default 196system from 197.Pa /etc/ppp/ppp.conf 198at startup, followed by each of the systems specified on the command line. 199.Sh Major Features 200.Bl -diag 201.It Provides an interactive user interface. 202Using its command mode, the user can 203easily enter commands to establish the connection with the remote end, check 204the status of connection and close the connection. 205All functions can also be optionally password protected for security. 206.It Supports both manual and automatic dialing. 207Interactive mode has a 208.Dq term 209command which enables you to talk to the device directly. 210When you are connected to the remote peer and it starts to talk 211.Em PPP , 212.Nm 213detects it and switches to packet mode automatically. 214Once you have 215determined the proper sequence for connecting with the remote host, you 216can write a chat script to {define} the necessary dialing and login 217procedure for later convenience. 218.It Supports on-demand dialup capability. 219By using 220.Fl auto 221mode, 222.Nm 223will act as a daemon and wait for a packet to be sent over the 224.Em PPP 225link. 226When this happens, the daemon automatically dials and establishes the 227connection. 228In almost the same manner 229.Fl ddial 230mode (direct-dial mode) also automatically dials and establishes the 231connection. 232However, it differs in that it will dial the remote site 233any time it detects the link is down, even if there are no packets to be 234sent. 235This mode is useful for full-time connections where we worry less 236about line charges and more about being connected full time. 237A third 238.Fl dedicated 239mode is also available. 240This mode is targeted at a dedicated link between two machines. 241.Nm 242will never voluntarily quit from dedicated mode - you must send it the 243.Dq quit all 244command via its diagnostic socket. 245A 246.Dv SIGHUP 247will force an LCP renegotiation, and a 248.Dv SIGTERM 249will force it to exit. 250.It Supports client callback. 251.Nm 252can use either the standard LCP callback protocol or the Microsoft 253CallBack Control Protocol 254.Pa ( ftp://ftp.microsoft.com/developr/rfc/cbcp.txt ) . 255.It Supports NAT or packet aliasing. 256Packet aliasing (a.k.a. IP masquerading) allows computers on a 257private, unregistered network to access the Internet. 258The 259.Em PPP 260host acts as a masquerading gateway. 261IP addresses as well as TCP and 262UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 263returning packets. 264.It Supports background PPP connections. 265In background mode, if 266.Nm 267successfully establishes the connection, it will become a daemon. 268Otherwise, it will exit with an error. 269This allows the setup of 270scripts that wish to execute certain commands only if the connection 271is successfully established. 272.It Supports server-side PPP connections. 273In direct mode, 274.Nm 275acts as server which accepts incoming 276.Em PPP 277connections on stdin/stdout. 278.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication." 279With PAP or CHAP, it is possible to skip the Unix style 280.Xr login 1 281procedure, and use the 282.Em PPP 283protocol for authentication instead. 284If the peer requests Microsoft CHAP authentication and 285.Nm 286is compiled with DES support, an appropriate MD4/DES response will be 287made. 288.It Supports RADIUS (rfc 2138 & 2548) authentication. 289An extension to PAP and CHAP, 290.Em \&R Ns No emote 291.Em \&A Ns No ccess 292.Em \&D Ns No ial 293.Em \&I Ns No n 294.Em \&U Ns No ser 295.Em \&S Ns No ervice 296allows authentication information to be stored in a central or 297distributed database along with various per-user framed connection 298characteristics. 299ifdef({LOCALRAD},{},{If 300.Xr libradius 3 301is available at compile time, 302.Nm 303will use it to make 304.Em RADIUS 305requests when configured to do so. 306})dnl 307.It Supports Proxy Arp. 308.Nm 309can be configured to make one or more proxy arp entries on behalf of 310the peer. 311This allows routing from the peer to the LAN without 312configuring each machine on that LAN. 313.It Supports packet filtering. 314User can {define} four kinds of filters: the 315.Em in 316filter for incoming packets, the 317.Em out 318filter for outgoing packets, the 319.Em dial 320filter to {define} a dialing trigger packet and the 321.Em alive 322filter for keeping a connection alive with the trigger packet. 323.It Tunnel driver supports bpf. 324The user can use 325.Xr tcpdump 1 326to check the packet flow over the 327.Em PPP 328link. 329.It Supports PPP over TCP and PPP over UDP. 330If a device name is specified as 331.Em host Ns No : Ns Em port Ns 332.Xo 333.Op / Ns tcp|udp , 334.Xc 335.Nm 336will open a TCP or UDP connection for transporting data rather than using a 337conventional serial device. 338UDP connections force 339.Nm 340into synchronous mode. 341.It Supports PPP over ISDN. 342If 343.Nm 344is given a raw B-channel i4b device to open as a link, it's able to talk 345to the 346.Xr isdnd 8 347daemon to establish an ISDN connection. 348.It Supports PPP over Ethernet (rfc 2516). 349If 350.Nm 351is given a device specification of the format 352.No PPPoE: Ns Ar iface Ns Xo 353.Op \&: Ns Ar provider Ns 354.Xc 355and if 356.Xr netgraph 4 357is available, 358.Nm 359will attempt talk 360.Em PPP 361over Ethernet to 362.Ar provider 363using the 364.Ar iface 365network interface. 366.Pp 367On systems that do not support 368.Xr netgraph 4 , 369an external program such as 370.Xr pppoe 8 371may be used. 372.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 373.Nm 374supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 375Normally, a modem has built-in compression (e.g., v42.bis) and the system 376may receive higher data rates from it as a result of such compression. 377While this is generally a good thing in most other situations, this 378higher speed data imposes a penalty on the system by increasing the 379number of serial interrupts the system has to process in talking to the 380modem and also increases latency. 381Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 382.Em all 383network traffic flowing through the link, thus reducing overheads to a 384minimum. 385.It Supports Microsoft's IPCP extensions (rfc 1877). 386Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 387with clients using the Microsoft 388.Em PPP 389stack (i.e., Win95, WinNT) 390.It Supports Multi-link PPP (rfc 1990) 391It is possible to configure 392.Nm 393to open more than one physical connection to the peer, combining the 394bandwidth of all links for better throughput. 395.It Supports MPPE (draft-ietf-pppext-mppe) 396MPPE is Microsoft Point to Point Encryption scheme. 397It is possible to configure 398.Nm 399to participate in Microsoft's Windows VPN. 400For now, 401.Nm 402can only get encryption keys from CHAP 81 authentication. 403.Nm 404must be compiled with DES for MPPE to operate. 405.It Supports IPV6CP (rfc 2023). 406An IPv6 connection can be made in addition to or instead of the normal 407IPv4 connection. 408.El 409.Sh PERMISSIONS 410.Nm 411is installed as user 412.Dv root 413and group 414.Dv network , 415with permissions 416.Dv 04554 . 417By default, 418.Nm 419will not run if the invoking user id is not zero. 420This may be overridden by using the 421.Dq allow users 422command in 423.Pa /etc/ppp/ppp.conf . 424When running as a normal user, 425.Nm 426switches to user id 0 in order to alter the system routing table, set up 427system lock files and read the ppp configuration files. 428All external commands (executed via the "shell" or "!bg" commands) are executed 429as the user id that invoked 430.Nm . 431Refer to the 432.Sq ID0 433logging facility if you're interested in what exactly is done as user id 434zero. 435.Sh GETTING STARTED 436When you first run 437.Nm 438you may need to deal with some initial configuration details. 439.Bl -bullet 440.It 441Your kernel must {include} a tunnel device (the GENERIC kernel includes 442one by default). 443If it doesn't, or if you require more than one tun 444interface, you'll need to rebuild your kernel with the following line in 445your kernel configuration file: 446.Pp 447.Dl pseudo-device tun N 448.Pp 449where 450.Ar N 451is the maximum number of 452.Em PPP 453connections you wish to support. 454.It 455Make sure that your system has a group named 456.Dq network 457in the 458.Pa /etc/group 459file and that the group contains the names of all users expected to use 460.Nm . 461Refer to the 462.Xr group 5 463manual page for details. 464Each of these users must also be given access using the 465.Dq allow users 466command in 467.Pa /etc/ppp/ppp.conf . 468.It 469Create a log file. 470.Nm 471uses 472.Xr syslog 3 473to log information. 474A common log file name is 475.Pa /var/log/ppp.log . 476To make output go to this file, put the following lines in the 477.Pa /etc/syslog.conf 478file: 479.Bd -literal -offset indent 480!ppp 481*.*<TAB>/var/log/ppp.log 482.Ed 483.Pp 484It is possible to have more than one 485.Em PPP 486log file by creating a link to the 487.Nm 488executable: 489.Pp 490.Dl # cd /usr/sbin 491.Dl # ln ppp ppp0 492.Pp 493and using 494.Bd -literal -offset indent 495!ppp0 496*.*<TAB>/var/log/ppp0.log 497.Ed 498.Pp 499in 500.Pa /etc/syslog.conf . 501Don't forget to send a 502.Dv HUP 503signal to 504.Xr syslogd 8 505after altering 506.Pa /etc/syslog.conf . 507.It 508Although not strictly relevant to 509.Nm Ns No 's 510operation, you should configure your resolver so that it works correctly. 511This can be done by configuring a local DNS 512(using 513.Xr named 8 ) 514or by adding the correct 515.Sq nameserver 516lines to the file 517.Pa /etc/resolv.conf . 518Refer to the 519.Xr resolv.conf 5 520manual page for details. 521.Pp 522Alternatively, if the peer supports it, 523.Nm 524can be configured to ask the peer for the nameserver address(es) and to 525update 526.Pa /etc/resolv.conf 527automatically. 528Refer to the 529.Dq enable dns 530and 531.Dq resolv 532commands below for details. 533.El 534.Sh MANUAL DIALING 535In the following examples, we assume that your machine name is 536.Dv awfulhak . 537when you invoke 538.Nm 539(see 540.Sx PERMISSIONS 541above) with no arguments, you are presented with a prompt: 542.Bd -literal -offset indent 543ppp ON awfulhak> 544.Ed 545.Pp 546The 547.Sq ON 548part of your prompt should always be in upper case. 549If it is in lower case, it means that you must supply a password using the 550.Dq passwd 551command. 552This only ever happens if you connect to a running version of 553.Nm 554and have not authenticated yourself using the correct password. 555.Pp 556You can start by specifying the device name and speed: 557.Bd -literal -offset indent 558ppp ON awfulhak> set device /dev/cuaa0 559ppp ON awfulhak> set speed 38400 560.Ed 561.Pp 562Normally, hardware flow control (CTS/RTS) is used. 563However, under 564certain circumstances (as may happen when you are connected directly 565to certain PPP-capable terminal servers), this may result in 566.Nm 567hanging as soon as it tries to write data to your communications link 568as it is waiting for the CTS (clear to send) signal - which will never 569come. 570Thus, if you have a direct line and can't seem to make a 571connection, try turning CTS/RTS off with 572.Dq set ctsrts off . 573If you need to do this, check the 574.Dq set accmap 575description below too - you'll probably need to 576.Dq set accmap 000a0000 . 577.Pp 578Usually, parity is set to 579.Dq none , 580and this is 581.Nm Ns No 's 582default. 583Parity is a rather archaic error checking mechanism that is no 584longer used because modern modems do their own error checking, and most 585link-layer protocols (that's what 586.Nm 587is) use much more reliable checking mechanisms. 588Parity has a relatively 589huge overhead (a 12.5% increase in traffic) and as a result, it is always 590disabled 591(set to 592.Dq none ) 593when 594.Dv PPP 595is opened. 596However, some ISPs (Internet Service Providers) may use 597specific parity settings at connection time (before 598.Dv PPP 599is opened). 600Notably, Compuserve insist on even parity when logging in: 601.Bd -literal -offset indent 602ppp ON awfulhak> set parity even 603.Ed 604.Pp 605You can now see what your current device settings look like: 606.Bd -literal -offset indent 607ppp ON awfulhak> show physical 608Name: deflink 609 State: closed 610 Device: N/A 611 Link Type: interactive 612 Connect Count: 0 613 Queued Packets: 0 614 Phone Number: N/A 615 616Defaults: 617 Device List: /dev/cuaa0 618 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 619 620Connect time: 0 secs 6210 octets in, 0 octets out 622Overall 0 bytes/sec 623ppp ON awfulhak> 624.Ed 625.Pp 626The term command can now be used to talk directly to the device: 627.Bd -literal -offset indent 628ppp ON awfulhak> term 629at 630OK 631atdt123456 632CONNECT 633login: myispusername 634Password: myisppassword 635Protocol: ppp 636.Ed 637.Pp 638When the peer starts to talk in 639.Em PPP , 640.Nm 641detects this automatically and returns to command mode. 642.Bd -literal -offset indent 643ppp ON awfulhak> # No link has been established 644Ppp ON awfulhak> # We've connected & finished LCP 645PPp ON awfulhak> # We've authenticated 646PPP ON awfulhak> # We've agreed IP numbers 647.Ed 648.Pp 649If it does not, it's probable that the peer is waiting for your end to 650start negotiating. 651To force 652.Nm 653to start sending 654.Em PPP 655configuration packets to the peer, use the 656.Dq ~p 657command to drop out of terminal mode and enter packet mode. 658.Pp 659If you never even receive a login prompt, it is quite likely that the 660peer wants to use PAP or CHAP authentication instead of using Unix-style 661login/password authentication. 662To set things up properly, drop back to 663the prompt and set your authentication name and key, then reconnect: 664.Bd -literal -offset indent 665~. 666ppp ON awfulhak> set authname myispusername 667ppp ON awfulhak> set authkey myisppassword 668ppp ON awfulhak> term 669at 670OK 671atdt123456 672CONNECT 673.Ed 674.Pp 675You may need to tell ppp to initiate negotiations with the peer here too: 676.Bd -literal -offset indent 677~p 678ppp ON awfulhak> # No link has been established 679Ppp ON awfulhak> # We've connected & finished LCP 680PPp ON awfulhak> # We've authenticated 681PPP ON awfulhak> # We've agreed IP numbers 682.Ed 683.Pp 684You are now connected! 685Note that 686.Sq PPP 687in the prompt has changed to capital letters to indicate that you have 688a peer connection. 689If only some of the three Ps go uppercase, wait until 690either everything is uppercase or lowercase. 691If they revert to lowercase, it means that 692.Nm 693couldn't successfully negotiate with the peer. 694A good first step for troubleshooting at this point would be to 695.Bd -literal -offset indent 696ppp ON awfulhak> set log local phase lcp ipcp 697.Ed 698.Pp 699and try again. 700Refer to the 701.Dq set log 702command description below for further details. 703If things fail at this point, 704it is quite important that you turn logging on and try again. 705It is also 706important that you note any prompt changes and report them to anyone trying 707to help you. 708.Pp 709When the link is established, the show command can be used to see how 710things are going: 711.Bd -literal -offset indent 712PPP ON awfulhak> show physical 713* Modem related information is shown here * 714PPP ON awfulhak> show ccp 715* CCP (compression) related information is shown here * 716PPP ON awfulhak> show lcp 717* LCP (line control) related information is shown here * 718PPP ON awfulhak> show ipcp 719* IPCP (IP) related information is shown here * 720PPP ON awfulhak> show ipv6cp 721* IPV6CP (IPv6) related information is shown here * 722PPP ON awfulhak> show link 723* Link (high level) related information is shown here * 724PPP ON awfulhak> show bundle 725* Logical (high level) connection related information is shown here * 726.Ed 727.Pp 728At this point, your machine has a host route to the peer. 729This means 730that you can only make a connection with the host on the other side 731of the link. 732If you want to add a default route entry (telling your 733machine to send all packets without another routing entry to the other 734side of the 735.Em PPP 736link), enter the following command: 737.Bd -literal -offset indent 738PPP ON awfulhak> add default HISADDR 739.Ed 740.Pp 741The string 742.Sq HISADDR 743represents the IP address of the connected peer. 744If the 745.Dq add 746command fails due to an existing route, you can overwrite the existing 747route using 748.Bd -literal -offset indent 749PPP ON awfulhak> add! default HISADDR 750.Ed 751.Pp 752This command can also be executed before actually making the connection. 753If a new IP address is negotiated at connection time, 754.Nm 755will update your default route accordingly. 756.Pp 757You can now use your network applications (ping, telnet, ftp etc.) 758in other windows or terminals on your machine. 759If you wish to reuse the current terminal, you can put 760.Nm 761into the background using your standard shell suspend and background 762commands (usually 763.Dq ^Z 764followed by 765.Dq bg ) . 766.Pp 767Refer to the 768.Sx PPP COMMAND LIST 769section for details on all available commands. 770.Sh AUTOMATIC DIALING 771To use automatic dialing, you must prepare some Dial and Login chat scripts. 772See the example definitions in 773.Pa /usr/share/examples/ppp/ppp.conf.sample 774(the format of 775.Pa /etc/ppp/ppp.conf 776is pretty simple). 777Each line contains one comment, inclusion, label or command: 778.Bl -bullet 779.It 780A line starting with a 781.Pq Dq # 782character is treated as a comment line. 783Leading whitespace are ignored when identifying comment lines. 784.It 785An inclusion is a line beginning with the word 786.Sq {!include} . 787It must have one argument - the file to {include}. 788You may wish to 789.Dq {!include} ~/.ppp.conf 790for compatibility with older versions of 791.Nm . 792.It 793A label name starts in the first column and is followed by 794a colon 795.Pq Dq \&: . 796.It 797A command line must contain a space or tab in the first column. 798.El 799.Pp 800The 801.Pa /etc/ppp/ppp.conf 802file should consist of at least a 803.Dq default 804section. 805This section is always executed. 806It should also contain 807one or more sections, named according to their purpose, for example, 808.Dq MyISP 809would represent your ISP, and 810.Dq ppp-in 811would represent an incoming 812.Nm 813configuration. 814You can now specify the destination label name when you invoke 815.Nm . 816Commands associated with the 817.Dq default 818label are executed, followed by those associated with the destination 819label provided. 820When 821.Nm 822is started with no arguments, the 823.Dq default 824section is still executed. 825The load command can be used to manually load a section from the 826.Pa /etc/ppp/ppp.conf 827file: 828.Bd -literal -offset indent 829ppp ON awfulhak> load MyISP 830.Ed 831.Pp 832Note, no action is taken by 833.Nm 834after a section is loaded, whether it's the result of passing a label on 835the command line or using the 836.Dq load 837command. 838Only the commands specified for that label in the configuration 839file are executed. 840However, when invoking 841.Nm 842with the 843.Fl background , 844.Fl ddial , 845or 846.Fl dedicated 847switches, the link mode tells 848.Nm 849to establish a connection. 850Refer to the 851.Dq set mode 852command below for further details. 853.Pp 854Once the connection is made, the 855.Sq ppp 856portion of the prompt will change to 857.Sq PPP : 858.Bd -literal -offset indent 859# ppp MyISP 860\&... 861ppp ON awfulhak> dial 862Ppp ON awfulhak> 863PPp ON awfulhak> 864PPP ON awfulhak> 865.Ed 866.Pp 867The Ppp prompt indicates that 868.Nm 869has entered the authentication phase. 870The PPp prompt indicates that 871.Nm 872has entered the network phase. 873The PPP prompt indicates that 874.Nm 875has successfully negotiated a network layer protocol and is in 876a usable state. 877.Pp 878If the 879.Pa /etc/ppp/ppp.linkup 880file is available, its contents are executed 881when the 882.Em PPP 883connection is established. 884See the provided 885.Dq pmdemand 886example in 887.Pa /usr/share/examples/ppp/ppp.conf.sample 888which runs a script in the background after the connection is established 889(refer to the 890.Dq shell 891and 892.Dq bg 893commands below for a description of possible substitution strings). 894Similarly, when a connection is closed, the contents of the 895.Pa /etc/ppp/ppp.linkdown 896file are executed. 897Both of these files have the same format as 898.Pa /etc/ppp/ppp.conf . 899.Pp 900In previous versions of 901.Nm , 902it was necessary to re-add routes such as the default route in the 903.Pa ppp.linkup 904file. 905.Nm 906supports 907.Sq sticky routes , 908where all routes that contain the 909.Dv HISADDR , 910.Dv MYADDR , 911.Dv HISADDR6 912or 913.Dv MYADDR6 914literals will automatically be updated when the values of these variables 915change. 916.Sh BACKGROUND DIALING 917If you want to establish a connection using 918.Nm 919non-interactively (such as from a 920.Xr crontab 5 921entry or an 922.Xr at 1 923job) you should use the 924.Fl background 925option. 926When 927.Fl background 928is specified, 929.Nm 930attempts to establish the connection immediately. 931If multiple phone 932numbers are specified, each phone number will be tried once. 933If the attempt fails, 934.Nm 935exits immediately with a non-zero exit code. 936If it succeeds, then 937.Nm 938becomes a daemon, and returns an exit status of zero to its caller. 939The daemon exits automatically if the connection is dropped by the 940remote system, or it receives a 941.Dv TERM 942signal. 943.Sh DIAL ON DEMAND 944Demand dialing is enabled with the 945.Fl auto 946or 947.Fl ddial 948options. 949You must also specify the destination label in 950.Pa /etc/ppp/ppp.conf 951to use. 952It must contain the 953.Dq set ifaddr 954command to {define} the remote peers IP address. 955(refer to 956.Pa /usr/share/examples/ppp/ppp.conf.sample ) 957.Bd -literal -offset indent 958# ppp -auto pmdemand 959.Ed 960.Pp 961When 962.Fl auto 963or 964.Fl ddial 965is specified, 966.Nm 967runs as a daemon but you can still configure or examine its 968configuration by using the 969.Dq set server 970command in 971.Pa /etc/ppp/ppp.conf , 972(for example, 973.Dq Li "set server +3000 mypasswd" ) 974and connecting to the diagnostic port as follows: 975.Bd -literal -offset indent 976# pppctl 3000 (assuming tun0) 977Password: 978PPP ON awfulhak> show who 979tcp (127.0.0.1:1028) * 980.Ed 981.Pp 982The 983.Dq show who 984command lists users that are currently connected to 985.Nm 986itself. 987If the diagnostic socket is closed or changed to a different 988socket, all connections are immediately dropped. 989.Pp 990In 991.Fl auto 992mode, when an outgoing packet is detected, 993.Nm 994will perform the dialing action (chat script) and try to connect 995with the peer. 996In 997.Fl ddial 998mode, the dialing action is performed any time the line is found 999to be down. 1000If the connect fails, the default behaviour is to wait 30 seconds 1001and then attempt to connect when another outgoing packet is detected. 1002This behaviour can be changed using the 1003.Dq set redial 1004command: 1005.Pp 1006.No set redial Ar secs Ns Xo 1007.Oo + Ns Ar inc Ns 1008.Op - Ns Ar max Ns 1009.Oc Ns Op . Ns Ar next 1010.Op Ar attempts 1011.Xc 1012.Pp 1013.Bl -tag -width attempts -compact 1014.It Ar secs 1015is the number of seconds to wait before attempting 1016to connect again. 1017If the argument is the literal string 1018.Sq Li random , 1019the delay period is a random value between 1 and 30 seconds inclusive. 1020.It Ar inc 1021is the number of seconds that 1022.Ar secs 1023should be incremented each time a new dial attempt is made. 1024The timeout reverts to 1025.Ar secs 1026only after a successful connection is established. 1027The default value for 1028.Ar inc 1029is zero. 1030.It Ar max 1031is the maximum number of times 1032.Nm 1033should increment 1034.Ar secs . 1035The default value for 1036.Ar max 1037is 10. 1038.It Ar next 1039is the number of seconds to wait before attempting 1040to dial the next number in a list of numbers (see the 1041.Dq set phone 1042command). 1043The default is 3 seconds. 1044Again, if the argument is the literal string 1045.Sq Li random , 1046the delay period is a random value between 1 and 30 seconds. 1047.It Ar attempts 1048is the maximum number of times to try to connect for each outgoing packet 1049that triggers a dial. 1050The previous value is unchanged if this parameter is omitted. 1051If a value of zero is specified for 1052.Ar attempts , 1053.Nm 1054will keep trying until a connection is made. 1055.El 1056.Pp 1057So, for example: 1058.Bd -literal -offset indent 1059set redial 10.3 4 1060.Ed 1061.Pp 1062will attempt to connect 4 times for each outgoing packet that causes 1063a dial attempt with a 3 second delay between each number and a 10 second 1064delay after all numbers have been tried. 1065If multiple phone numbers 1066are specified, the total number of attempts is still 4 (it does not 1067attempt each number 4 times). 1068.Pp 1069Alternatively, 1070.Bd -literal -offset indent 1071set redial 10+10-5.3 20 1072.Ed 1073.Pp 1074tells 1075.Nm 1076to attempt to connect 20 times. 1077After the first attempt, 1078.Nm 1079pauses for 10 seconds. 1080After the next attempt it pauses for 20 seconds 1081and so on until after the sixth attempt it pauses for 1 minute. 1082The next 14 pauses will also have a duration of one minute. 1083If 1084.Nm 1085connects, disconnects and fails to connect again, the timeout starts again 1086at 10 seconds. 1087.Pp 1088Modifying the dial delay is very useful when running 1089.Nm 1090in 1091.Fl auto 1092mode on both ends of the link. 1093If each end has the same timeout, 1094both ends wind up calling each other at the same time if the link 1095drops and both ends have packets queued. 1096At some locations, the serial link may not be reliable, and carrier 1097may be lost at inappropriate times. 1098It is possible to have 1099.Nm 1100redial should carrier be unexpectedly lost during a session. 1101.Bd -literal -offset indent 1102set reconnect timeout ntries 1103.Ed 1104.Pp 1105This command tells 1106.Nm 1107to re-establish the connection 1108.Ar ntries 1109times on loss of carrier with a pause of 1110.Ar timeout 1111seconds before each try. 1112For example, 1113.Bd -literal -offset indent 1114set reconnect 3 5 1115.Ed 1116.Pp 1117tells 1118.Nm 1119that on an unexpected loss of carrier, it should wait 1120.Ar 3 1121seconds before attempting to reconnect. 1122This may happen up to 1123.Ar 5 1124times before 1125.Nm 1126gives up. 1127The default value of ntries is zero (no reconnect). 1128Care should be taken with this option. 1129If the local timeout is slightly 1130longer than the remote timeout, the reconnect feature will always be 1131triggered (up to the given number of times) after the remote side 1132times out and hangs up. 1133NOTE: In this context, losing too many LQRs constitutes a loss of 1134carrier and will trigger a reconnect. 1135If the 1136.Fl background 1137flag is specified, all phone numbers are dialed at most once until 1138a connection is made. 1139The next number redial period specified with the 1140.Dq set redial 1141command is honoured, as is the reconnect tries value. 1142If your redial 1143value is less than the number of phone numbers specified, not all 1144the specified numbers will be tried. 1145To terminate the program, type 1146.Bd -literal -offset indent 1147PPP ON awfulhak> close 1148ppp ON awfulhak> quit all 1149.Ed 1150.Pp 1151A simple 1152.Dq quit 1153command will terminate the 1154.Xr pppctl 8 1155or 1156.Xr telnet 1 1157connection but not the 1158.Nm 1159program itself. 1160You must use 1161.Dq quit all 1162to terminate 1163.Nm 1164as well. 1165.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1166To handle an incoming 1167.Em PPP 1168connection request, follow these steps: 1169.Bl -enum 1170.It 1171Make sure the modem and (optionally) 1172.Pa /etc/rc.d/serial 1173is configured correctly. 1174.Bl -bullet -compact 1175.It 1176Use Hardware Handshake (CTS/RTS) for flow control. 1177.It 1178Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1179.El 1180.Pp 1181.It 1182Edit 1183.Pa /etc/ttys 1184to enable a 1185.Xr getty 8 1186on the port where the modem is attached. 1187For example: 1188.Pp 1189.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1190.Pp 1191Don't forget to send a 1192.Dv HUP 1193signal to the 1194.Xr init 8 1195process to start the 1196.Xr getty 8 : 1197.Pp 1198.Dl # kill -HUP 1 1199.Pp 1200It is usually also necessary to train your modem to the same DTR speed 1201as the getty: 1202.Bd -literal -offset indent 1203# ppp 1204ppp ON awfulhak> set device /dev/cuaa1 1205ppp ON awfulhak> set speed 38400 1206ppp ON awfulhak> term 1207deflink: Entering terminal mode on /dev/cuaa1 1208Type `~?' for help 1209at 1210OK 1211at 1212OK 1213atz 1214OK 1215at 1216OK 1217~. 1218ppp ON awfulhak> quit 1219.Ed 1220.It 1221Create a 1222.Pa /usr/local/bin/ppplogin 1223file with the following contents: 1224.Bd -literal -offset indent 1225#! /bin/sh 1226exec /usr/sbin/ppp -direct incoming 1227.Ed 1228.Pp 1229Direct mode 1230.Pq Fl direct 1231lets 1232.Nm 1233work with stdin and stdout. 1234You can also use 1235.Xr pppctl 8 1236to connect to a configured diagnostic port, in the same manner as with 1237client-side 1238.Nm . 1239.Pp 1240Here, the 1241.Ar incoming 1242section must be set up in 1243.Pa /etc/ppp/ppp.conf . 1244.Pp 1245Make sure that the 1246.Ar incoming 1247section contains the 1248.Dq allow users 1249command as appropriate. 1250.It 1251Prepare an account for the incoming user. 1252.Bd -literal 1253ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1254.Ed 1255.Pp 1256Refer to the manual entries for 1257.Xr adduser 8 1258and 1259.Xr vipw 8 1260for details. 1261.It 1262Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1263can be enabled using the 1264.Dq accept dns 1265and 1266.Dq set nbns 1267commands. 1268Refer to their descriptions below. 1269.El 1270.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1271This method differs in that we use 1272.Nm 1273to authenticate the connection rather than 1274.Xr login 1 : 1275.Bl -enum 1276.It 1277Configure your default section in 1278.Pa /etc/gettytab 1279with automatic ppp recognition by specifying the 1280.Dq pp 1281capability: 1282.Bd -literal 1283default:\\ 1284 :pp=/usr/local/bin/ppplogin:\\ 1285 ..... 1286.Ed 1287.It 1288Configure your serial device(s), enable a 1289.Xr getty 8 1290and create 1291.Pa /usr/local/bin/ppplogin 1292as in the first three steps for method 1 above. 1293.It 1294Add either 1295.Dq enable chap 1296or 1297.Dq enable pap 1298(or both) 1299to 1300.Pa /etc/ppp/ppp.conf 1301under the 1302.Sq incoming 1303label (or whatever label 1304.Pa ppplogin 1305uses). 1306.It 1307Create an entry in 1308.Pa /etc/ppp/ppp.secret 1309for each incoming user: 1310.Bd -literal 1311Pfred<TAB>xxxx 1312Pgeorge<TAB>yyyy 1313.Ed 1314.El 1315.Pp 1316Now, as soon as 1317.Xr getty 8 1318detects a ppp connection (by recognising the HDLC frame headers), it runs 1319.Dq /usr/local/bin/ppplogin . 1320.Pp 1321It is 1322.Em VITAL 1323that either PAP or CHAP are enabled as above. 1324If they are not, you are 1325allowing anybody to establish a ppp session with your machine 1326.Em without 1327a password, opening yourself up to all sorts of potential attacks. 1328.Sh AUTHENTICATING INCOMING CONNECTIONS 1329Normally, the receiver of a connection requires that the peer 1330authenticates itself. 1331This may be done using 1332.Xr login 1 , 1333but alternatively, you can use PAP or CHAP. 1334CHAP is the more secure of the two, but some clients may not support it. 1335Once you decide which you wish to use, add the command 1336.Sq enable chap 1337or 1338.Sq enable pap 1339to the relevant section of 1340.Pa ppp.conf . 1341.Pp 1342You must then configure the 1343.Pa /etc/ppp/ppp.secret 1344file. 1345This file contains one line per possible client, each line 1346containing up to five fields: 1347.Pp 1348.Ar name Ar key Oo 1349.Ar hisaddr Op Ar label Op Ar callback-number 1350.Oc 1351.Pp 1352The 1353.Ar name 1354and 1355.Ar key 1356specify the client username and password. 1357If 1358.Ar key 1359is 1360.Dq \&* 1361and PAP is being used, 1362.Nm 1363will look up the password database 1364.Pq Xr passwd 5 1365when authenticating. 1366If the client does not offer a suitable response based on any 1367.Ar name Ns No / Ns Ar key 1368combination in 1369.Pa ppp.secret , 1370authentication fails. 1371.Pp 1372If authentication is successful, 1373.Ar hisaddr 1374(if specified) 1375is used when negotiating IP numbers. 1376See the 1377.Dq set ifaddr 1378command for details. 1379.Pp 1380If authentication is successful and 1381.Ar label 1382is specified, the current system label is changed to match the given 1383.Ar label . 1384This will change the subsequent parsing of the 1385.Pa ppp.linkup 1386and 1387.Pa ppp.linkdown 1388files. 1389.Pp 1390If authentication is successful and 1391.Ar callback-number 1392is specified and 1393.Dq set callback 1394has been used in 1395.Pa ppp.conf , 1396the client will be called back on the given number. 1397If CBCP is being used, 1398.Ar callback-number 1399may also contain a list of numbers or a 1400.Dq \&* , 1401as if passed to the 1402.Dq set cbcp 1403command. 1404The value will be used in 1405.Nm Ns No 's 1406subsequent CBCP phase. 1407.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1408Instead of running 1409.Nm 1410over a serial link, it is possible to 1411use a TCP connection instead by specifying the host, port and protocol as the 1412device: 1413.Pp 1414.Dl set device ui-gate:6669/tcp 1415.Pp 1416Instead of opening a serial device, 1417.Nm 1418will open a TCP connection to the given machine on the given 1419socket. 1420It should be noted however that 1421.Nm 1422doesn't use the telnet protocol and will be unable to negotiate 1423with a telnet server. 1424You should set up a port for receiving this 1425.Em PPP 1426connection on the receiving machine (ui-gate). 1427This is done by first updating 1428.Pa /etc/services 1429to name the service: 1430.Pp 1431.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1432.Pp 1433and updating 1434.Pa /etc/inetd.conf 1435to tell 1436.Xr inetd 8 1437how to deal with incoming connections on that port: 1438.Pp 1439.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1440.Pp 1441Don't forget to send a 1442.Dv HUP 1443signal to 1444.Xr inetd 8 1445after you've updated 1446.Pa /etc/inetd.conf . 1447Here, we use a label named 1448.Dq ppp-in . 1449The entry in 1450.Pa /etc/ppp/ppp.conf 1451on ui-gate (the receiver) should contain the following: 1452.Bd -literal -offset indent 1453ppp-in: 1454 set timeout 0 1455 set ifaddr 10.0.4.1 10.0.4.2 1456.Ed 1457.Pp 1458and the entry in 1459.Pa /etc/ppp/ppp.linkup 1460should contain: 1461.Bd -literal -offset indent 1462ppp-in: 1463 add 10.0.1.0/24 HISADDR 1464.Ed 1465.Pp 1466It is necessary to put the 1467.Dq add 1468command in 1469.Pa ppp.linkup 1470to ensure that the route is only added after 1471.Nm 1472has negotiated and assigned addresses to its interface. 1473.Pp 1474You may also want to enable PAP or CHAP for security. 1475To enable PAP, add the following line: 1476.Bd -literal -offset indent 1477 enable PAP 1478.Ed 1479.Pp 1480You'll also need to create the following entry in 1481.Pa /etc/ppp/ppp.secret : 1482.Bd -literal -offset indent 1483MyAuthName MyAuthPasswd 1484.Ed 1485.Pp 1486If 1487.Ar MyAuthPasswd 1488is a 1489.Dq * , 1490the password is looked up in the 1491.Xr passwd 5 1492database. 1493.Pp 1494The entry in 1495.Pa /etc/ppp/ppp.conf 1496on awfulhak (the initiator) should contain the following: 1497.Bd -literal -offset indent 1498ui-gate: 1499 set escape 0xff 1500 set device ui-gate:ppp-in/tcp 1501 set dial 1502 set timeout 30 1503 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1504 set ifaddr 10.0.4.2 10.0.4.1 1505.Ed 1506.Pp 1507with the route setup in 1508.Pa /etc/ppp/ppp.linkup : 1509.Bd -literal -offset indent 1510ui-gate: 1511 add 10.0.2.0/24 HISADDR 1512.Ed 1513.Pp 1514Again, if you're enabling PAP, you'll also need this in the 1515.Pa /etc/ppp/ppp.conf 1516profile: 1517.Bd -literal -offset indent 1518 set authname MyAuthName 1519 set authkey MyAuthKey 1520.Ed 1521.Pp 1522We're assigning the address of 10.0.4.1 to ui-gate, and the address 152310.0.4.2 to awfulhak. 1524To open the connection, just type 1525.Pp 1526.Dl awfulhak # ppp -background ui-gate 1527.Pp 1528The result will be an additional "route" on awfulhak to the 152910.0.2.0/24 network via the TCP connection, and an additional 1530"route" on ui-gate to the 10.0.1.0/24 network. 1531The networks are effectively bridged - the underlying TCP 1532connection may be across a public network (such as the 1533Internet), and the 1534.Em PPP 1535traffic is conceptually encapsulated 1536(although not packet by packet) inside the TCP stream between 1537the two gateways. 1538.Pp 1539The major disadvantage of this mechanism is that there are two 1540"guaranteed delivery" mechanisms in place - the underlying TCP 1541stream and whatever protocol is used over the 1542.Em PPP 1543link - probably TCP again. 1544If packets are lost, both levels will 1545get in each others way trying to negotiate sending of the missing 1546packet. 1547.Pp 1548To avoid this overhead, it is also possible to do all this using 1549UDP instead of TCP as the transport by simply changing the protocol 1550from "tcp" to "udp". 1551When using UDP as a transport, 1552.Nm 1553will operate in synchronous mode. 1554This is another gain as the incoming 1555data does not have to be rearranged into packets. 1556.Pp 1557Care should be taken when adding a default route through a tunneled 1558setup like this. 1559It is quite common for the default route 1560(added in 1561.Pa /etc/ppp/ppp.linkup ) 1562to end up routing the link's TCP connection through the tunnel, 1563effectively garrotting the connection. 1564To avoid this, make sure you add a static route for the benefit of 1565the link: 1566.Bd -literal -offset indent 1567ui-gate: 1568 set escape 0xff 1569 set device ui-gate:ppp-in/tcp 1570 add ui-gate x.x.x.x 1571 ..... 1572.Ed 1573.Pp 1574where 1575.Dq x.x.x.x 1576is the IP number that your route to 1577.Dq ui-gate 1578would normally use. 1579.Pp 1580When routing your connection across a public network such as the Internet, 1581it is preferable to encrypt the data. 1582This can be done with the help of the MPPE protocol, although currently this 1583means that you will not be able to also compress the traffic as MPPE is 1584implemented as a compression layer (thank Microsoft for this). 1585To enable MPPE encryption, add the following lines to 1586.Pa /etc/ppp/ppp.conf 1587on the server: 1588.Bd -literal -offset indent 1589 enable MSCHAPv2 1590 disable deflate pred1 1591 deny deflate pred1 1592.Ed 1593.Pp 1594ensuring that you've put the requisite entry in 1595.Pa /etc/ppp/ppp.secret 1596(MSCHAPv2 is challenge based, so 1597.Xr passwd 5 1598cannot be used) 1599.Pp 1600MSCHAPv2 and MPPE are accepted by default, so the client end should work 1601without any additional changes (although ensure you have 1602.Dq set authname 1603and 1604.Dq set authkey 1605in your profile). 1606.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1607The 1608.Fl nat 1609command line option enables network address translation (a.k.a. packet 1610aliasing). 1611This allows the 1612.Nm 1613host to act as a masquerading gateway for other computers over 1614a local area network. 1615Outgoing IP packets are NAT'd so that they appear to come from the 1616.Nm 1617host, and incoming packets are de-NAT'd so that they are routed 1618to the correct machine on the local area network. 1619NAT allows computers on private, unregistered subnets to have Internet 1620access, although they are invisible from the outside world. 1621In general, correct 1622.Nm 1623operation should first be verified with network address translation disabled. 1624Then, the 1625.Fl nat 1626option should be switched on, and network applications (web browser, 1627.Xr telnet 1 , 1628.Xr ftp 1 , 1629.Xr ping 8 , 1630.Xr traceroute 8 ) 1631should be checked on the 1632.Nm 1633host. 1634Finally, the same or similar applications should be checked on other 1635computers in the LAN. 1636If network applications work correctly on the 1637.Nm 1638host, but not on other machines in the LAN, then the masquerading 1639software is working properly, but the host is either not forwarding 1640or possibly receiving IP packets. 1641Check that IP forwarding is enabled in 1642.Pa /etc/rc.conf 1643and that other machines have designated the 1644.Nm 1645host as the gateway for the LAN. 1646.Sh PACKET FILTERING 1647This implementation supports packet filtering. 1648There are four kinds of 1649filters: the 1650.Em in 1651filter, the 1652.Em out 1653filter, the 1654.Em dial 1655filter and the 1656.Em alive 1657filter. 1658Here are the basics: 1659.Bl -bullet 1660.It 1661A filter definition has the following syntax: 1662.Pp 1663set filter 1664.Ar name 1665.Ar rule-no 1666.Ar action 1667.Op !\& 1668.Oo 1669.Op host 1670.Ar src_addr Ns Op / Ns Ar width 1671.Op Ar dst_addr Ns Op / Ns Ar width 1672.Oc 1673.Ar [ proto Op src Ar cmp port 1674.Op dst Ar cmp port 1675.Op estab 1676.Op syn 1677.Op finrst 1678.Op timeout Ar secs ] 1679.Bl -enum 1680.It 1681.Ar Name 1682should be one of 1683.Sq in , 1684.Sq out , 1685.Sq dial 1686or 1687.Sq alive . 1688.It 1689.Ar Rule-no 1690is a numeric value between 1691.Sq 0 1692and 1693.Sq 39 1694specifying the rule number. 1695Rules are specified in numeric order according to 1696.Ar rule-no , 1697but only if rule 1698.Sq 0 1699is defined. 1700.It 1701.Ar Action 1702may be specified as 1703.Sq permit 1704or 1705.Sq deny , 1706in which case, if a given packet matches the rule, the associated action 1707is taken immediately. 1708.Ar Action 1709can also be specified as 1710.Sq clear 1711to clear the action associated with that particular rule, or as a new 1712rule number greater than the current rule. 1713In this case, if a given 1714packet matches the current rule, the packet will next be matched against 1715the new rule number (rather than the next rule number). 1716.Pp 1717The 1718.Ar action 1719may optionally be followed with an exclamation mark 1720.Pq Dq !\& , 1721telling 1722.Nm 1723to reverse the sense of the following match. 1724.It 1725.Op Ar src_addr Ns Op / Ns Ar width 1726and 1727.Op Ar dst_addr Ns Op / Ns Ar width 1728are the source and destination IP number specifications. 1729If 1730.Op / Ns Ar width 1731is specified, it gives the number of relevant netmask bits, 1732allowing the specification of an address range. 1733.Pp 1734Either 1735.Ar src_addr 1736or 1737.Ar dst_addr 1738may be given the values 1739.Dv MYADDR , 1740.Dv HISADDR , 1741.Dv MYADDR6 1742or 1743.Dv HISADDR6 1744(refer to the description of the 1745.Dq bg 1746command for a description of these values). 1747When these values are used, 1748the filters will be updated any time the values change. 1749This is similar to the behaviour of the 1750.Dq add 1751command below. 1752.It 1753.Ar Proto 1754may be any protocol from 1755.Xr protocols 5 . 1756.It 1757.Ar Cmp 1758is one of 1759.Sq \< , 1760.Sq \&eq 1761or 1762.Sq \> , 1763meaning less-than, equal and greater-than respectively. 1764.Ar Port 1765can be specified as a numeric port or by service name from 1766.Pa /etc/services . 1767.It 1768The 1769.Sq estab , 1770.Sq syn , 1771and 1772.Sq finrst 1773flags are only allowed when 1774.Ar proto 1775is set to 1776.Sq tcp , 1777and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1778.It 1779The timeout value adjusts the current idle timeout to at least 1780.Ar secs 1781seconds. 1782If a timeout is given in the alive filter as well as in the in/out 1783filter, the in/out value is used. 1784If no timeout is given, the default timeout (set using 1785.Ic set timeout 1786and defaulting to 180 seconds) is used. 1787.El 1788.Pp 1789.It 1790Each filter can hold up to 40 rules, starting from rule 0. 1791The entire rule set is not effective until rule 0 is defined, 1792i.e., the default is to allow everything through. 1793.It 1794If no rule in a defined set of rules matches a packet, that packet will 1795be discarded (blocked). 1796If there are no rules in a given filter, the packet will be permitted. 1797.It 1798It's possible to filter based on the payload of UDP frames where those 1799frames contain a 1800.Em PROTO_IP 1801.Em PPP 1802frame header. 1803See the 1804.Ar filter-decapsulation 1805option below for further details. 1806.It 1807Use 1808.Dq set filter Ar name No -1 1809to flush all rules. 1810.El 1811.Pp 1812See 1813.Pa /usr/share/examples/ppp/ppp.conf.sample . 1814.Sh SETTING THE IDLE TIMER 1815To check/set the idle timer, use the 1816.Dq show bundle 1817and 1818.Dq set timeout 1819commands: 1820.Bd -literal -offset indent 1821ppp ON awfulhak> set timeout 600 1822.Ed 1823.Pp 1824The timeout period is measured in seconds, the default value for which 1825is 180 seconds 1826(or 3 min). 1827To disable the idle timer function, use the command 1828.Bd -literal -offset indent 1829ppp ON awfulhak> set timeout 0 1830.Ed 1831.Pp 1832In 1833.Fl ddial 1834and 1835.Fl dedicated 1836modes, the idle timeout is ignored. 1837In 1838.Fl auto 1839mode, when the idle timeout causes the 1840.Em PPP 1841session to be 1842closed, the 1843.Nm 1844program itself remains running. 1845Another trigger packet will cause it to attempt to re-establish the link. 1846.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1847.Nm 1848supports both Predictor type 1 and deflate compression. 1849By default, 1850.Nm 1851will attempt to use (or be willing to accept) both compression protocols 1852when the peer agrees 1853(or requests them). 1854The deflate protocol is preferred by 1855.Nm . 1856Refer to the 1857.Dq disable 1858and 1859.Dq deny 1860commands if you wish to disable this functionality. 1861.Pp 1862It is possible to use a different compression algorithm in each direction 1863by using only one of 1864.Dq disable deflate 1865and 1866.Dq deny deflate 1867(assuming that the peer supports both algorithms). 1868.Pp 1869By default, when negotiating DEFLATE, 1870.Nm 1871will use a window size of 15. 1872Refer to the 1873.Dq set deflate 1874command if you wish to change this behaviour. 1875.Pp 1876A special algorithm called DEFLATE24 is also available, and is disabled 1877and denied by default. 1878This is exactly the same as DEFLATE except that 1879it uses CCP ID 24 to negotiate. 1880This allows 1881.Nm 1882to successfully negotiate DEFLATE with 1883.Nm pppd 1884version 2.3.*. 1885.Sh CONTROLLING IP ADDRESS 1886For IPv4, 1887.Nm 1888uses IPCP to negotiate IP addresses. 1889Each side of the connection 1890specifies the IP address that it's willing to use, and if the requested 1891IP address is acceptable then 1892.Nm 1893returns an ACK to the requester. 1894Otherwise, 1895.Nm 1896returns NAK to suggest that the peer use a different IP address. 1897When 1898both sides of the connection agree to accept the received request (and 1899send an ACK), IPCP is set to the open state and a network level connection 1900is established. 1901To control this IPCP behaviour, this implementation has the 1902.Dq set ifaddr 1903command for defining the local and remote IP address: 1904.Bd -ragged -offset indent 1905.No set ifaddr Oo Ar src_addr Ns 1906.Op / Ns Ar \&nn 1907.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1908.Oo Ar netmask 1909.Op Ar trigger_addr 1910.Oc 1911.Oc 1912.Oc 1913.Ed 1914.Pp 1915where, 1916.Sq src_addr 1917is the IP address that the local side is willing to use, 1918.Sq dst_addr 1919is the IP address which the remote side should use and 1920.Sq netmask 1921is the netmask that should be used. 1922.Sq Src_addr 1923defaults to the current 1924.Xr hostname 1 , 1925.Sq dst_addr 1926defaults to 0.0.0.0, and 1927.Sq netmask 1928defaults to whatever mask is appropriate for 1929.Sq src_addr . 1930It is only possible to make 1931.Sq netmask 1932smaller than the default. 1933The usual value is 255.255.255.255, as 1934most kernels ignore the netmask of a POINTOPOINT interface. 1935.Pp 1936Some incorrect 1937.Em PPP 1938implementations require that the peer negotiates a specific IP 1939address instead of 1940.Sq src_addr . 1941If this is the case, 1942.Sq trigger_addr 1943may be used to specify this IP number. 1944This will not affect the 1945routing table unless the other side agrees with this proposed number. 1946.Bd -literal -offset indent 1947set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1948.Ed 1949.Pp 1950The above specification means: 1951.Pp 1952.Bl -bullet -compact 1953.It 1954I will first suggest that my IP address should be 0.0.0.0, but I 1955will only accept an address of 192.244.177.38. 1956.It 1957I strongly insist that the peer uses 192.244.177.2 as his own 1958address and won't permit the use of any IP address but 192.244.177.2. 1959When the peer requests another IP address, I will always suggest that 1960it uses 192.244.177.2. 1961.It 1962The routing table entry will have a netmask of 0xffffffff. 1963.El 1964.Pp 1965This is all fine when each side has a pre-determined IP address, however 1966it is often the case that one side is acting as a server which controls 1967all IP addresses and the other side should go along with it. 1968In order to allow more flexible behaviour, the 1969.Dq set ifaddr 1970command allows the user to specify IP addresses more loosely: 1971.Pp 1972.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1973.Pp 1974A number followed by a slash 1975.Pq Dq / 1976represents the number of bits significant in the IP address. 1977The above example means: 1978.Pp 1979.Bl -bullet -compact 1980.It 1981I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1982also accept any IP address between 192.244.177.0 and 192.244.177.255. 1983.It 1984I'd like to make him use 192.244.177.2 as his own address, but I'll also 1985permit him to use any IP address between 192.244.176.0 and 1986192.244.191.255. 1987.It 1988As you may have already noticed, 192.244.177.2 is equivalent to saying 1989192.244.177.2/32. 1990.It 1991As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 1992preferred IP address and will obey the remote peers selection. 1993When using zero, no routing table entries will be made until a connection 1994is established. 1995.It 1996192.244.177.2/0 means that I'll accept/permit any IP address but I'll 1997suggest that 192.244.177.2 be used first. 1998.El 1999.Pp 2000When negotiating IPv6 addresses, no control is given to the user. 2001IPV6CP negotiation is fully automatic. 2002.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 2003The following steps should be taken when connecting to your ISP: 2004.Bl -enum 2005.It 2006Describe your providers phone number(s) in the dial script using the 2007.Dq set phone 2008command. 2009This command allows you to set multiple phone numbers for 2010dialing and redialing separated by either a pipe 2011.Pq Dq \&| 2012or a colon 2013.Pq Dq \&: : 2014.Bd -ragged -offset indent 2015.No set phone Ar telno Ns Xo 2016.Oo \&| Ns Ar backupnumber 2017.Oc Ns ... Ns Oo : Ns Ar nextnumber 2018.Oc Ns ... 2019.Xc 2020.Ed 2021.Pp 2022Numbers after the first in a pipe-separated list are only used if the 2023previous number was used in a failed dial or login script. 2024Numbers 2025separated by a colon are used sequentially, irrespective of what happened 2026as a result of using the previous number. 2027For example: 2028.Bd -literal -offset indent 2029set phone "1234567|2345678:3456789|4567890" 2030.Ed 2031.Pp 2032Here, the 1234567 number is attempted. 2033If the dial or login script fails, 2034the 2345678 number is used next time, but *only* if the dial or login script 2035fails. 2036On the dial after this, the 3456789 number is used. 2037The 4567890 2038number is only used if the dial or login script using the 3456789 fails. 2039If the login script of the 2345678 number fails, the next number is still the 20403456789 number. 2041As many pipes and colons can be used as are necessary 2042(although a given site would usually prefer to use either the pipe or the 2043colon, but not both). 2044The next number redial timeout is used between all numbers. 2045When the end of the list is reached, the normal redial period is 2046used before starting at the beginning again. 2047The selected phone number is substituted for the \\\\T string in the 2048.Dq set dial 2049command (see below). 2050.It 2051Set up your redial requirements using 2052.Dq set redial . 2053For example, if you have a bad telephone line or your provider is 2054usually engaged (not so common these days), you may want to specify 2055the following: 2056.Bd -literal -offset indent 2057set redial 10 4 2058.Ed 2059.Pp 2060This says that up to 4 phone calls should be attempted with a pause of 10 2061seconds before dialing the first number again. 2062.It 2063Describe your login procedure using the 2064.Dq set dial 2065and 2066.Dq set login 2067commands. 2068The 2069.Dq set dial 2070command is used to talk to your modem and establish a link with your 2071ISP, for example: 2072.Bd -literal -offset indent 2073set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2074 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2075.Ed 2076.Pp 2077This modem "chat" string means: 2078.Bl -bullet 2079.It 2080Abort if the string "BUSY" or "NO CARRIER" are received. 2081.It 2082Set the timeout to 4 seconds. 2083.It 2084Expect nothing. 2085.It 2086Send ATZ. 2087.It 2088Expect OK. 2089If that's not received within the 4 second timeout, send ATZ 2090and expect OK. 2091.It 2092Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2093above. 2094.It 2095Set the timeout to 60. 2096.It 2097Wait for the CONNECT string. 2098.El 2099.Pp 2100Once the connection is established, the login script is executed. 2101This script is written in the same style as the dial script, but care should 2102be taken to avoid having your password logged: 2103.Bd -literal -offset indent 2104set authkey MySecret 2105set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2106 word: \\\\P ocol: PPP HELLO" 2107.Ed 2108.Pp 2109This login "chat" string means: 2110.Bl -bullet 2111.It 2112Set the timeout to 15 seconds. 2113.It 2114Expect "login:". 2115If it's not received, send a carriage return and expect 2116"login:" again. 2117.It 2118Send "awfulhak" 2119.It 2120Expect "word:" (the tail end of a "Password:" prompt). 2121.It 2122Send whatever our current 2123.Ar authkey 2124value is set to. 2125.It 2126Expect "ocol:" (the tail end of a "Protocol:" prompt). 2127.It 2128Send "PPP". 2129.It 2130Expect "HELLO". 2131.El 2132.Pp 2133The 2134.Dq set authkey 2135command is logged specially. 2136When 2137.Ar command 2138or 2139.Ar chat 2140logging is enabled, the actual password is not logged; 2141.Sq ******** 2142is logged instead. 2143.Pp 2144Login scripts vary greatly between ISPs. 2145If you're setting one up for the first time, 2146.Em ENABLE CHAT LOGGING 2147so that you can see if your script is behaving as you expect. 2148.It 2149Use 2150.Dq set device 2151and 2152.Dq set speed 2153to specify your serial line and speed, for example: 2154.Bd -literal -offset indent 2155set device /dev/cuaa0 2156set speed 115200 2157.Ed 2158.Pp 2159Cuaa0 is the first serial port on 2160.Dx . 2161If you're running 2162.Nm 2163on 2164.Ox , 2165cua00 is the first. 2166A speed of 115200 should be specified 2167if you have a modem capable of bit rates of 28800 or more. 2168In general, the serial speed should be about four times the modem speed. 2169.It 2170Use the 2171.Dq set ifaddr 2172command to {define} the IP address. 2173.Bl -bullet 2174.It 2175If you know what IP address your provider uses, then use it as the remote 2176address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2177.It 2178If your provider has assigned a particular IP address to you, then use 2179it as your address (src_addr). 2180.It 2181If your provider assigns your address dynamically, choose a suitably 2182unobtrusive and unspecific IP number as your address. 218310.0.0.1/0 would be appropriate. 2184The bit after the / specifies how many bits of the 2185address you consider to be important, so if you wanted to insist on 2186something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2187.It 2188If you find that your ISP accepts the first IP number that you suggest, 2189specify third and forth arguments of 2190.Dq 0.0.0.0 . 2191This will force your ISP to assign a number. 2192(The third argument will 2193be ignored as it is less restrictive than the default mask for your 2194.Sq src_addr ) . 2195.El 2196.Pp 2197An example for a connection where you don't know your IP number or your 2198ISPs IP number would be: 2199.Bd -literal -offset indent 2200set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2201.Ed 2202.Pp 2203.It 2204In most cases, your ISP will also be your default router. 2205If this is the case, add the line 2206.Bd -literal -offset indent 2207add default HISADDR 2208.Ed 2209.Pp 2210to 2211.Pa /etc/ppp/ppp.conf 2212(or to 2213.Pa /etc/ppp/ppp.linkup 2214for setups that don't use 2215.Fl auto 2216mode). 2217.Pp 2218This tells 2219.Nm 2220to add a default route to whatever the peer address is 2221(10.0.0.2 in this example). 2222This route is 2223.Sq sticky , 2224meaning that should the value of 2225.Dv HISADDR 2226change, the route will be updated accordingly. 2227.It 2228If your provider requests that you use PAP/CHAP authentication methods, add 2229the next lines to your 2230.Pa /etc/ppp/ppp.conf 2231file: 2232.Bd -literal -offset indent 2233set authname MyName 2234set authkey MyPassword 2235.Ed 2236.Pp 2237Both are accepted by default, so 2238.Nm 2239will provide whatever your ISP requires. 2240.Pp 2241It should be noted that a login script is rarely (if ever) required 2242when PAP or CHAP are in use. 2243.It 2244Ask your ISP to authenticate your nameserver address(es) with the line 2245.Bd -literal -offset indent 2246enable dns 2247.Ed 2248.Pp 2249Do 2250.Em NOT 2251do this if you are running a local DNS unless you also either use 2252.Dq resolv readonly 2253or have 2254.Dq resolv restore 2255in 2256.Pa /etc/ppp/ppp.linkdown , 2257as 2258.Nm 2259will simply circumvent its use by entering some nameserver lines in 2260.Pa /etc/resolv.conf . 2261.El 2262.Pp 2263Please refer to 2264.Pa /usr/share/examples/ppp/ppp.conf.sample 2265and 2266.Pa /usr/share/examples/ppp/ppp.linkup.sample 2267for some real examples. 2268The pmdemand label should be appropriate for most ISPs. 2269.Sh LOGGING FACILITY 2270.Nm 2271is able to generate the following log info either via 2272.Xr syslog 3 2273or directly to the screen: 2274.Pp 2275.Bl -tag -width XXXXXXXXX -offset XXX -compact 2276.It Li All 2277Enable all logging facilities. 2278This generates a lot of log. 2279The most common use of 'all' is as a basis, where you remove some facilities 2280after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2281.It Li Async 2282Dump async level packet in hex. 2283.It Li CBCP 2284Generate CBCP (CallBack Control Protocol) logs. 2285.It Li CCP 2286Generate a CCP packet trace. 2287.It Li Chat 2288Generate 2289.Sq dial , 2290.Sq login , 2291.Sq logout 2292and 2293.Sq hangup 2294chat script trace logs. 2295.It Li Command 2296Log commands executed either from the command line or any of the configuration 2297files. 2298.It Li Connect 2299Log Chat lines containing the string "CONNECT". 2300.It Li Debug 2301Log debug information. 2302.It Li DNS 2303Log DNS QUERY packets. 2304.It Li Filter 2305Log packets permitted by the dial filter and denied by any filter. 2306.It Li HDLC 2307Dump HDLC packet in hex. 2308.It Li ID0 2309Log all function calls specifically made as user id 0. 2310.It Li IPCP 2311Generate an IPCP packet trace. 2312.It Li LCP 2313Generate an LCP packet trace. 2314.It Li LQM 2315Generate LQR reports. 2316.It Li Phase 2317Phase transition log output. 2318.It Li Physical 2319Dump physical level packet in hex. 2320.It Li Sync 2321Dump sync level packet in hex. 2322.It Li TCP/IP 2323Dump all TCP/IP packets. 2324.It Li Timer 2325Log timer manipulation. 2326.It Li TUN 2327Include the tun device on each log line. 2328.It Li Warning 2329Output to the terminal device. 2330If there is currently no terminal, 2331output is sent to the log file using syslogs 2332.Dv LOG_WARNING . 2333.It Li Error 2334Output to both the terminal device 2335and the log file using syslogs 2336.Dv LOG_ERROR . 2337.It Li Alert 2338Output to the log file using 2339.Dv LOG_ALERT . 2340.El 2341.Pp 2342The 2343.Dq set log 2344command allows you to set the logging output level. 2345Multiple levels can be specified on a single command line. 2346The default is equivalent to 2347.Dq set log Phase . 2348.Pp 2349It is also possible to log directly to the screen. 2350The syntax is the same except that the word 2351.Dq local 2352should immediately follow 2353.Dq set log . 2354The default is 2355.Dq set log local 2356(i.e., only the un-maskable warning, error and alert output). 2357.Pp 2358If The first argument to 2359.Dq set log Op local 2360begins with a 2361.Sq + 2362or a 2363.Sq - 2364character, the current log levels are 2365not cleared, for example: 2366.Bd -literal -offset indent 2367PPP ON awfulhak> set log phase 2368PPP ON awfulhak> show log 2369Log: Phase Warning Error Alert 2370Local: Warning Error Alert 2371PPP ON awfulhak> set log +tcp/ip -warning 2372PPP ON awfulhak> set log local +command 2373PPP ON awfulhak> show log 2374Log: Phase TCP/IP Warning Error Alert 2375Local: Command Warning Error Alert 2376.Ed 2377.Pp 2378Log messages of level Warning, Error and Alert are not controllable 2379using 2380.Dq set log Op local . 2381.Pp 2382The 2383.Ar Warning 2384level is special in that it will not be logged if it can be displayed 2385locally. 2386.Sh SIGNAL HANDLING 2387.Nm 2388deals with the following signals: 2389.Bl -tag -width "USR2" 2390.It INT 2391Receipt of this signal causes the termination of the current connection 2392(if any). 2393This will cause 2394.Nm 2395to exit unless it is in 2396.Fl auto 2397or 2398.Fl ddial 2399mode. 2400.It HUP, TERM & QUIT 2401These signals tell 2402.Nm 2403to exit. 2404.It USR1 2405This signal, tells 2406.Nm 2407to re-open any existing server socket, dropping all existing diagnostic 2408connections. 2409Sockets that couldn't previously be opened will be retried. 2410.It USR2 2411This signal, tells 2412.Nm 2413to close any existing server socket, dropping all existing diagnostic 2414connections. 2415.Dv SIGUSR1 2416can still be used to re-open the socket. 2417.El 2418.Sh MULTI-LINK PPP 2419If you wish to use more than one physical link to connect to a 2420.Em PPP 2421peer, that peer must also understand the 2422.Em MULTI-LINK PPP 2423protocol. 2424Refer to RFC 1990 for specification details. 2425.Pp 2426The peer is identified using a combination of his 2427.Dq endpoint discriminator 2428and his 2429.Dq authentication id . 2430Either or both of these may be specified. 2431It is recommended that 2432at least one is specified, otherwise there is no way of ensuring that 2433all links are actually connected to the same peer program, and some 2434confusing lock-ups may result. 2435Locally, these identification variables are specified using the 2436.Dq set enddisc 2437and 2438.Dq set authname 2439commands. 2440The 2441.Sq authname 2442(and 2443.Sq authkey ) 2444must be agreed in advance with the peer. 2445.Pp 2446Multi-link capabilities are enabled using the 2447.Dq set mrru 2448command (set maximum reconstructed receive unit). 2449Once multi-link is enabled, 2450.Nm 2451will attempt to negotiate a multi-link connection with the peer. 2452.Pp 2453By default, only one 2454.Sq link 2455is available 2456(called 2457.Sq deflink ) . 2458To create more links, the 2459.Dq clone 2460command is used. 2461This command will clone existing links, where all 2462characteristics are the same except: 2463.Bl -enum 2464.It 2465The new link has its own name as specified on the 2466.Dq clone 2467command line. 2468.It 2469The new link is an 2470.Sq interactive 2471link. 2472Its mode may subsequently be changed using the 2473.Dq set mode 2474command. 2475.It 2476The new link is in a 2477.Sq closed 2478state. 2479.El 2480.Pp 2481A summary of all available links can be seen using the 2482.Dq show links 2483command. 2484.Pp 2485Once a new link has been created, command usage varies. 2486All link specific commands must be prefixed with the 2487.Dq link Ar name 2488command, specifying on which link the command is to be applied. 2489When only a single link is available, 2490.Nm 2491is smart enough not to require the 2492.Dq link Ar name 2493prefix. 2494.Pp 2495Some commands can still be used without specifying a link - resulting 2496in an operation at the 2497.Sq bundle 2498level. 2499For example, once two or more links are available, the command 2500.Dq show ccp 2501will show CCP configuration and statistics at the multi-link level, and 2502.Dq link deflink show ccp 2503will show the same information at the 2504.Dq deflink 2505link level. 2506.Pp 2507Armed with this information, the following configuration might be used: 2508.Bd -literal -offset indent 2509mp: 2510 set timeout 0 2511 set log phase chat 2512 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2513 set phone "123456789" 2514 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2515 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2516 set login 2517 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2518 set authname ppp 2519 set authkey ppppassword 2520 2521 set mrru 1500 2522 clone 1,2,3 # Create 3 new links - duplicates of the default 2523 link deflink remove # Delete the default link (called ``deflink'') 2524.Ed 2525.Pp 2526Note how all cloning is done at the end of the configuration. 2527Usually, the link will be configured first, then cloned. 2528If you wish all links 2529to be up all the time, you can add the following line to the end of your 2530configuration. 2531.Bd -literal -offset indent 2532 link 1,2,3 set mode ddial 2533.Ed 2534.Pp 2535If you want the links to dial on demand, this command could be used: 2536.Bd -literal -offset indent 2537 link * set mode auto 2538.Ed 2539.Pp 2540Links may be tied to specific names by removing the 2541.Dq set device 2542line above, and specifying the following after the 2543.Dq clone 2544command: 2545.Bd -literal -offset indent 2546 link 1 set device /dev/cuaa0 2547 link 2 set device /dev/cuaa1 2548 link 3 set device /dev/cuaa2 2549.Ed 2550.Pp 2551Use the 2552.Dq help 2553command to see which commands require context (using the 2554.Dq link 2555command), which have optional 2556context and which should not have any context. 2557.Pp 2558When 2559.Nm 2560has negotiated 2561.Em MULTI-LINK 2562mode with the peer, it creates a local domain socket in the 2563.Pa /var/run 2564directory. 2565This socket is used to pass link information (including 2566the actual link file descriptor) between different 2567.Nm 2568invocations. 2569This facilitates 2570.Nm Ns No 's 2571ability to be run from a 2572.Xr getty 8 2573or directly from 2574.Pa /etc/gettydefs 2575(using the 2576.Sq pp= 2577capability), without needing to have initial control of the serial 2578line. 2579Once 2580.Nm 2581negotiates multi-link mode, it will pass its open link to any 2582already running process. 2583If there is no already running process, 2584.Nm 2585will act as the master, creating the socket and listening for new 2586connections. 2587.Sh PPP COMMAND LIST 2588This section lists the available commands and their effect. 2589They are usable either from an interactive 2590.Nm 2591session, from a configuration file or from a 2592.Xr pppctl 8 2593or 2594.Xr telnet 1 2595session. 2596.Bl -tag -width 2n 2597.It accept|deny|enable|disable Ar option.... 2598These directives tell 2599.Nm 2600how to negotiate the initial connection with the peer. 2601Each 2602.Dq option 2603has a default of either accept or deny and enable or disable. 2604.Dq Accept 2605means that the option will be ACK'd if the peer asks for it. 2606.Dq Deny 2607means that the option will be NAK'd if the peer asks for it. 2608.Dq Enable 2609means that the option will be requested by us. 2610.Dq Disable 2611means that the option will not be requested by us. 2612.Pp 2613.Dq Option 2614may be one of the following: 2615.Bl -tag -width 2n 2616.It acfcomp 2617Default: Enabled and Accepted. 2618ACFComp stands for Address and Control Field Compression. 2619Non LCP packets will usually have an address 2620field of 0xff (the All-Stations address) and a control field of 26210x03 (the Unnumbered Information command). 2622If this option is 2623negotiated, these two bytes are simply not sent, thus minimising 2624traffic. 2625.Pp 2626See 2627.Pa rfc1662 2628for details. 2629.It chap Ns Op \&05 2630Default: Disabled and Accepted. 2631CHAP stands for Challenge Handshake Authentication Protocol. 2632Only one of CHAP and PAP (below) may be negotiated. 2633With CHAP, the authenticator sends a "challenge" message to its peer. 2634The peer uses a one-way hash function to encrypt the 2635challenge and sends the result back. 2636The authenticator does the same, and compares the results. 2637The advantage of this mechanism is that no 2638passwords are sent across the connection. 2639A challenge is made when the connection is first made. 2640Subsequent challenges may occur. 2641If you want to have your peer authenticate itself, you must 2642.Dq enable chap . 2643in 2644.Pa /etc/ppp/ppp.conf , 2645and have an entry in 2646.Pa /etc/ppp/ppp.secret 2647for the peer. 2648.Pp 2649When using CHAP as the client, you need only specify 2650.Dq AuthName 2651and 2652.Dq AuthKey 2653in 2654.Pa /etc/ppp/ppp.conf . 2655CHAP is accepted by default. 2656Some 2657.Em PPP 2658implementations use "MS-CHAP" rather than MD5 when encrypting the 2659challenge. 2660MS-CHAP is a combination of MD4 and DES. 2661If 2662.Nm 2663was built on a machine with DES libraries available, it will respond 2664to MS-CHAP authentication requests, but will never request them. 2665.It deflate 2666Default: Enabled and Accepted. 2667This option decides if deflate 2668compression will be used by the Compression Control Protocol (CCP). 2669This is the same algorithm as used by the 2670.Xr gzip 1 2671program. 2672Note: There is a problem negotiating 2673.Ar deflate 2674capabilities with 2675.Xr pppd 8 2676- a 2677.Em PPP 2678implementation available under many operating systems. 2679.Nm pppd 2680(version 2.3.1) incorrectly attempts to negotiate 2681.Ar deflate 2682compression using type 2683.Em 24 2684as the CCP configuration type rather than type 2685.Em 26 2686as specified in 2687.Pa rfc1979 . 2688Type 2689.Ar 24 2690is actually specified as 2691.Dq PPP Magna-link Variable Resource Compression 2692in 2693.Pa rfc1975 ! 2694.Nm 2695is capable of negotiating with 2696.Nm pppd , 2697but only if 2698.Dq deflate24 2699is 2700.Ar enable Ns No d 2701and 2702.Ar accept Ns No ed . 2703.It deflate24 2704Default: Disabled and Denied. 2705This is a variance of the 2706.Ar deflate 2707option, allowing negotiation with the 2708.Xr pppd 8 2709program. 2710Refer to the 2711.Ar deflate 2712section above for details. 2713It is disabled by default as it violates 2714.Pa rfc1975 . 2715.It dns 2716Default: Disabled and Denied. 2717This option allows DNS negotiation. 2718.Pp 2719If 2720.Dq enable Ns No d, 2721.Nm 2722will request that the peer confirms the entries in 2723.Pa /etc/resolv.conf . 2724If the peer NAKs our request (suggesting new IP numbers), 2725.Pa /etc/resolv.conf 2726is updated and another request is sent to confirm the new entries. 2727.Pp 2728If 2729.Dq accept Ns No ed, 2730.Nm 2731will answer any DNS queries requested by the peer rather than rejecting 2732them. 2733The answer is taken from 2734.Pa /etc/resolv.conf 2735unless the 2736.Dq set dns 2737command is used as an override. 2738.It enddisc 2739Default: Enabled and Accepted. 2740This option allows control over whether we 2741negotiate an endpoint discriminator. 2742We only send our discriminator if 2743.Dq set enddisc 2744is used and 2745.Ar enddisc 2746is enabled. 2747We reject the peers discriminator if 2748.Ar enddisc 2749is denied. 2750.It LANMan|chap80lm 2751Default: Disabled and Accepted. 2752The use of this authentication protocol 2753is discouraged as it partially violates the authentication protocol by 2754implementing two different mechanisms (LANMan & NT) under the guise of 2755a single CHAP type (0x80). 2756.Dq LANMan 2757uses a simple DES encryption mechanism and is the least secure of the 2758CHAP alternatives (although is still more secure than PAP). 2759.Pp 2760Refer to the 2761.Dq MSChap 2762description below for more details. 2763.It lqr 2764Default: Disabled and Accepted. 2765This option decides if Link Quality Requests will be sent or accepted. 2766LQR is a protocol that allows 2767.Nm 2768to determine that the link is down without relying on the modems 2769carrier detect. 2770When LQR is enabled, 2771.Nm 2772sends the 2773.Em QUALPROTO 2774option (see 2775.Dq set lqrperiod 2776below) as part of the LCP request. 2777If the peer agrees, both sides will 2778exchange LQR packets at the agreed frequency, allowing detailed link 2779quality monitoring by enabling LQM logging. 2780If the peer doesn't agree, 2781.Nm 2782will send ECHO LQR requests instead. 2783These packets pass no information of interest, but they 2784.Em MUST 2785be replied to by the peer. 2786.Pp 2787Whether using LQR or ECHO LQR, 2788.Nm 2789will abruptly drop the connection if 5 unacknowledged packets have been 2790sent rather than sending a 6th. 2791A message is logged at the 2792.Em PHASE 2793level, and any appropriate 2794.Dq reconnect 2795values are honoured as if the peer were responsible for dropping the 2796connection. 2797.It mppe 2798Default: Enabled and Accepted. 2799This is Microsoft Point to Point Encryption scheme. 2800MPPE key size can be 280140-, 56- and 128-bits. 2802Refer to 2803.Dq set mppe 2804command. 2805.It MSChapV2|chap81 2806Default: Disabled and Accepted. 2807It is very similar to standard CHAP (type 0x05) 2808except that it issues challenges of a fixed 16 bytes in length and uses a 2809combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2810standard MD5 mechanism. 2811.It MSChap|chap80nt 2812Default: Disabled and Accepted. 2813The use of this authentication protocol 2814is discouraged as it partially violates the authentication protocol by 2815implementing two different mechanisms (LANMan & NT) under the guise of 2816a single CHAP type (0x80). 2817It is very similar to standard CHAP (type 0x05) 2818except that it issues challenges of a fixed 8 bytes in length and uses a 2819combination of MD4 and DES to encrypt the challenge rather than using the 2820standard MD5 mechanism. 2821CHAP type 0x80 for LANMan is also supported - see 2822.Dq enable LANMan 2823for details. 2824.Pp 2825Because both 2826.Dq LANMan 2827and 2828.Dq NT 2829use CHAP type 0x80, when acting as authenticator with both 2830.Dq enable Ns No d , 2831.Nm 2832will rechallenge the peer up to three times if it responds using the wrong 2833one of the two protocols. 2834This gives the peer a chance to attempt using both protocols. 2835.Pp 2836Conversely, when 2837.Nm 2838acts as the authenticatee with both protocols 2839.Dq accept Ns No ed , 2840the protocols are used alternately in response to challenges. 2841.Pp 2842Note: If only LANMan is enabled, 2843.Xr pppd 8 2844(version 2.3.5) misbehaves when acting as authenticatee. 2845It provides both 2846the NT and the LANMan answers, but also suggests that only the NT answer 2847should be used. 2848.It pap 2849Default: Disabled and Accepted. 2850PAP stands for Password Authentication Protocol. 2851Only one of PAP and CHAP (above) may be negotiated. 2852With PAP, the ID and Password are sent repeatedly to the peer until 2853authentication is acknowledged or the connection is terminated. 2854This is a rather poor security mechanism. 2855It is only performed when the connection is first established. 2856If you want to have your peer authenticate itself, you must 2857.Dq enable pap . 2858in 2859.Pa /etc/ppp/ppp.conf , 2860and have an entry in 2861.Pa /etc/ppp/ppp.secret 2862for the peer (although see the 2863.Dq passwdauth 2864and 2865.Dq set radius 2866options below). 2867.Pp 2868When using PAP as the client, you need only specify 2869.Dq AuthName 2870and 2871.Dq AuthKey 2872in 2873.Pa /etc/ppp/ppp.conf . 2874PAP is accepted by default. 2875.It pred1 2876Default: Enabled and Accepted. 2877This option decides if Predictor 1 2878compression will be used by the Compression Control Protocol (CCP). 2879.It protocomp 2880Default: Enabled and Accepted. 2881This option is used to negotiate 2882PFC (Protocol Field Compression), a mechanism where the protocol 2883field number is reduced to one octet rather than two. 2884.It shortseq 2885Default: Enabled and Accepted. 2886This option determines if 2887.Nm 2888will request and accept requests for short 2889(12 bit) 2890sequence numbers when negotiating multi-link mode. 2891This is only applicable if our MRRU is set (thus enabling multi-link). 2892.It vjcomp 2893Default: Enabled and Accepted. 2894This option determines if Van Jacobson header compression will be used. 2895.El 2896.Pp 2897The following options are not actually negotiated with the peer. 2898Therefore, accepting or denying them makes no sense. 2899.Bl -tag -width 2n 2900.It filter-decapsulation 2901Default: Disabled. 2902When this option is enabled, 2903.Nm 2904will examine UDP frames to see if they actually contain a 2905.Em PPP 2906frame as their payload. 2907If this is the case, all filters will operate on the payload rather 2908than the actual packet. 2909.Pp 2910This is useful if you want to send PPPoUDP traffic over a 2911.Em PPP 2912link, but want that link to do smart things with the real data rather than 2913the UDP wrapper. 2914.Pp 2915The UDP frame payload must not be compressed in any way, otherwise 2916.Nm 2917will not be able to interpret it. 2918It's therefore recommended that you 2919.Ic disable vj pred1 deflate 2920and 2921.Ic deny vj pred1 deflate 2922in the configuration for the 2923.Nm 2924invocation with the udp link. 2925.It idcheck 2926Default: Enabled. 2927When 2928.Nm 2929exchanges low-level LCP, CCP and IPCP configuration traffic, the 2930.Em Identifier 2931field of any replies is expected to be the same as that of the request. 2932By default, 2933.Nm 2934drops any reply packets that do not contain the expected identifier 2935field, reporting the fact at the respective log level. 2936If 2937.Ar idcheck 2938is disabled, 2939.Nm 2940will ignore the identifier field. 2941.It iface-alias 2942Default: Enabled if 2943.Fl nat 2944is specified. 2945This option simply tells 2946.Nm 2947to add new interface addresses to the interface rather than replacing them. 2948The option can only be enabled if network address translation is enabled 2949.Pq Dq nat enable yes . 2950.Pp 2951With this option enabled, 2952.Nm 2953will pass traffic for old interface addresses through the NAT 2954ifdef({LOCALNAT},{engine,},{engine 2955(see 2956.Xr libalias 3 ) ,}) 2957resulting in the ability (in 2958.Fl auto 2959mode) to properly connect the process that caused the PPP link to 2960come up in the first place. 2961.Pp 2962Disabling NAT with 2963.Dq nat enable no 2964will also disable 2965.Sq iface-alias . 2966.It ipcp 2967Default: Enabled. 2968This option allows 2969.Nm 2970to attempt to negotiate IP control protocol capabilities and if 2971successful to exchange IP datagrams with the peer. 2972.It ipv6cp 2973Default: Enabled. 2974This option allows 2975.Nm 2976to attempt to negotiate IPv6 control protocol capabilities and if 2977successful to exchange IPv6 datagrams with the peer. 2978.It keep-session 2979Default: Disabled. 2980When 2981.Nm 2982runs as a Multi-link server, a different 2983.Nm 2984instance initially receives each connection. 2985After determining that 2986the link belongs to an already existing bundle (controlled by another 2987.Nm 2988invocation), 2989.Nm 2990will transfer the link to that process. 2991.Pp 2992If the link is a tty device or if this option is enabled, 2993.Nm 2994will not exit, but will change its process name to 2995.Dq session owner 2996and wait for the controlling 2997.Nm 2998to finish with the link and deliver a signal back to the idle process. 2999This prevents the confusion that results from 3000.Nm Ns No 's 3001parent considering the link resource available again. 3002.Pp 3003For tty devices that have entries in 3004.Pa /etc/ttys , 3005this is necessary to prevent another 3006.Xr getty 8 3007from being started, and for program links such as 3008.Xr sshd 8 , 3009it prevents 3010.Xr sshd 8 3011from exiting due to the death of its child. 3012As 3013.Nm 3014cannot determine its parents requirements (except for the tty case), this 3015option must be enabled manually depending on the circumstances. 3016.It loopback 3017Default: Enabled. 3018When 3019.Ar loopback 3020is enabled, 3021.Nm 3022will automatically loop back packets being sent 3023out with a destination address equal to that of the 3024.Em PPP 3025interface. 3026If disabled, 3027.Nm 3028will send the packet, probably resulting in an ICMP redirect from 3029the other end. 3030It is convenient to have this option enabled when 3031the interface is also the default route as it avoids the necessity 3032of a loopback route. 3033.It passwdauth 3034Default: Disabled. 3035Enabling this option will tell the PAP authentication 3036code to use the password database (see 3037.Xr passwd 5 ) 3038to authenticate the caller if they cannot be found in the 3039.Pa /etc/ppp/ppp.secret 3040file. 3041.Pa /etc/ppp/ppp.secret 3042is always checked first. 3043If you wish to use passwords from 3044.Xr passwd 5 , 3045but also to specify an IP number or label for a given client, use 3046.Dq \&* 3047as the client password in 3048.Pa /etc/ppp/ppp.secret . 3049.It proxy 3050Default: Disabled. 3051Enabling this option will tell 3052.Nm 3053to proxy ARP for the peer. 3054This means that 3055.Nm 3056will make an entry in the ARP table using 3057.Dv HISADDR 3058and the 3059.Dv MAC 3060address of the local network in which 3061.Dv HISADDR 3062appears. 3063This allows other machines connected to the LAN to talk to 3064the peer as if the peer itself was connected to the LAN. 3065The proxy entry cannot be made unless 3066.Dv HISADDR 3067is an address from a LAN. 3068.It proxyall 3069Default: Disabled. 3070Enabling this will tell 3071.Nm 3072to add proxy arp entries for every IP address in all class C or 3073smaller subnets routed via the tun interface. 3074.Pp 3075Proxy arp entries are only made for sticky routes that are added 3076using the 3077.Dq add 3078command. 3079No proxy arp entries are made for the interface address itself 3080(as created by the 3081.Dq set ifaddr 3082command). 3083.It sroutes 3084Default: Enabled. 3085When the 3086.Dq add 3087command is used with the 3088.Dv HISADDR , 3089.Dv MYADDR , 3090.Dv HISADDR6 3091or 3092.Dv MYADDR6 3093values, entries are stored in the 3094.Sq sticky route 3095list. 3096Each time these variables change, this list is re-applied to the routing table. 3097.Pp 3098Disabling this option will prevent the re-application of sticky routes, 3099although the 3100.Sq stick route 3101list will still be maintained. 3102.It Op tcp Ns Xo 3103.No mssfixup 3104.Xc 3105Default: Enabled. 3106This option tells 3107.Nm 3108to adjust TCP SYN packets so that the maximum receive segment 3109size is not greater than the amount allowed by the interface MTU. 3110.It throughput 3111Default: Enabled. 3112This option tells 3113.Nm 3114to gather throughput statistics. 3115Input and output is sampled over 3116a rolling 5 second window, and current, best and total figures are retained. 3117This data is output when the relevant 3118.Em PPP 3119layer shuts down, and is also available using the 3120.Dq show 3121command. 3122Throughput statistics are available at the 3123.Dq IPCP 3124and 3125.Dq physical 3126levels. 3127.It utmp 3128Default: Enabled. 3129Normally, when a user is authenticated using PAP or CHAP, and when 3130.Nm 3131is running in 3132.Fl direct 3133mode, an entry is made in the utmp and wtmp files for that user. 3134Disabling this option will tell 3135.Nm 3136not to make any utmp or wtmp entries. 3137This is usually only necessary if 3138you require the user to both login and authenticate themselves. 3139.El 3140.Pp 3141.It add Ns Xo 3142.Op !\& 3143.Ar dest Ns Op / Ns Ar nn 3144.Op Ar mask 3145.Op Ar gateway 3146.Xc 3147.Ar Dest 3148is the destination IP address. 3149The netmask is specified either as a number of bits with 3150.Ar /nn 3151or as an IP number using 3152.Ar mask . 3153.Ar 0 0 3154or simply 3155.Ar 0 3156with no mask refers to the default route. 3157It is also possible to use the literal name 3158.Sq default 3159instead of 3160.Ar 0 . 3161.Ar Gateway 3162is the next hop gateway to get to the given 3163.Ar dest 3164machine/network. 3165Refer to the 3166.Xr route 8 3167command for further details. 3168.Pp 3169It is possible to use the symbolic names 3170.Sq MYADDR , 3171.Sq HISADDR , 3172.Sq MYADDR6 3173or 3174.Sq HISADDR6 3175as the destination, and 3176.Sq HISADDR 3177or 3178.Sq HISADDR6 3179as the 3180.Ar gateway . 3181.Sq MYADDR 3182is replaced with the interface IP address, 3183.Sq HISADDR 3184is replaced with the interface IP destination (peer) address, 3185.Sq MYADDR6 3186is replaced with the interface IPv6 address, and 3187.Sq HISADDR6 3188is replaced with the interface IPv6 destination address, 3189.Pp 3190If the 3191.Ar add!\& 3192command is used 3193(note the trailing 3194.Dq !\& ) , 3195then if the route already exists, it will be updated as with the 3196.Sq route change 3197command (see 3198.Xr route 8 3199for further details). 3200.Pp 3201Routes that contain the 3202.Dq HISADDR , 3203.Dq MYADDR , 3204.Dq HISADDR6 , 3205.Dq MYADDR6 , 3206.Dq DNS0 , 3207or 3208.Dq DNS1 3209constants are considered 3210.Sq sticky . 3211They are stored in a list (use 3212.Dq show ncp 3213to see the list), and each time the value of one of these variables 3214changes, the appropriate routing table entries are updated. 3215This facility may be disabled using 3216.Dq disable sroutes . 3217.It allow Ar command Op Ar args 3218This command controls access to 3219.Nm 3220and its configuration files. 3221It is possible to allow user-level access, 3222depending on the configuration file label and on the mode that 3223.Nm 3224is being run in. 3225For example, you may wish to configure 3226.Nm 3227so that only user 3228.Sq fred 3229may access label 3230.Sq fredlabel 3231in 3232.Fl background 3233mode. 3234.Pp 3235User id 0 is immune to these commands. 3236.Bl -tag -width 2n 3237.It allow user Ns Xo 3238.Op s 3239.Ar logname Ns No ... 3240.Xc 3241By default, only user id 0 is allowed access to 3242.Nm . 3243If this command is used, all of the listed users are allowed access to 3244the section in which the 3245.Dq allow users 3246command is found. 3247The 3248.Sq default 3249section is always checked first (even though it is only ever automatically 3250loaded at startup). 3251.Dq allow users 3252commands are cumulative in a given section, but users allowed in any given 3253section override users allowed in the default section, so it's possible to 3254allow users access to everything except a given label by specifying default 3255users in the 3256.Sq default 3257section, and then specifying a new user list for that label. 3258.Pp 3259If user 3260.Sq * 3261is specified, access is allowed to all users. 3262.It allow mode Ns Xo 3263.Op s 3264.Ar mode Ns No ... 3265.Xc 3266By default, access using any 3267.Nm 3268mode is possible. 3269If this command is used, it restricts the access 3270.Ar modes 3271allowed to load the label under which this command is specified. 3272Again, as with the 3273.Dq allow users 3274command, each 3275.Dq allow modes 3276command overrides any previous settings, and the 3277.Sq default 3278section is always checked first. 3279.Pp 3280Possible modes are: 3281.Sq interactive , 3282.Sq auto , 3283.Sq direct , 3284.Sq dedicated , 3285.Sq ddial , 3286.Sq background 3287and 3288.Sq * . 3289.Pp 3290When running in multi-link mode, a section can be loaded if it allows 3291.Em any 3292of the currently existing line modes. 3293.El 3294.Pp 3295.It nat Ar command Op Ar args 3296This command allows the control of the network address translation (also 3297known as masquerading or IP aliasing) facilities that are built into 3298.Nm . 3299NAT is done on the external interface only, and is unlikely to make sense 3300if used with the 3301.Fl direct 3302flag. 3303.Pp 3304If nat is enabled on your system (it may be omitted at compile time), 3305the following commands are possible: 3306.Bl -tag -width 2n 3307.It nat enable yes|no 3308This command either switches network address translation on or turns it off. 3309The 3310.Fl nat 3311command line flag is synonymous with 3312.Dq nat enable yes . 3313.It nat addr Op Ar addr_local addr_alias 3314This command allows data for 3315.Ar addr_alias 3316to be redirected to 3317.Ar addr_local . 3318It is useful if you own a small number of real IP numbers that 3319you wish to map to specific machines behind your gateway. 3320.It nat deny_incoming yes|no 3321If set to yes, this command will refuse all incoming packets where an 3322aliasing link doesn't already exist. 3323ifdef({LOCALNAT},{},{Refer to the 3324.Sx CONCEPTUAL BACKGROUND 3325section of 3326.Xr libalias 3 3327for a description of what an 3328.Dq aliasing link 3329is. 3330})dnl 3331.Pp 3332It should be noted under what circumstances an aliasing link is 3333ifdef({LOCALNAT},{created.},{created by 3334.Xr libalias 3 .}) 3335It may be necessary to further protect your network from outside 3336connections using the 3337.Dq set filter 3338or 3339.Dq nat target 3340commands. 3341.It nat help|? 3342This command gives a summary of available nat commands. 3343.It nat log yes|no 3344This option causes various NAT statistics and information to 3345be logged to the file 3346.Pa /var/log/alias.log . 3347.It nat port Ar proto Ar targetIP Ns Xo 3348.No : Ns Ar targetPort Ns 3349.Oo 3350.No - Ns Ar targetPort 3351.Oc Ar aliasPort Ns 3352.Oo 3353.No - Ns Ar aliasPort 3354.Oc Oo Ar remoteIP : Ns 3355.Ar remotePort Ns 3356.Oo 3357.No - Ns Ar remotePort 3358.Oc Ns 3359.Oc 3360.Xc 3361This command causes incoming 3362.Ar proto 3363connections to 3364.Ar aliasPort 3365to be redirected to 3366.Ar targetPort 3367on 3368.Ar targetIP . 3369.Ar proto 3370is either 3371.Dq tcp 3372or 3373.Dq udp . 3374.Pp 3375A range of port numbers may be specified as shown above. 3376The ranges must be of the same size. 3377.Pp 3378If 3379.Ar remoteIP 3380is specified, only data coming from that IP number is redirected. 3381.Ar remotePort 3382must either be 3383.Dq 0 3384(indicating any source port) 3385or a range of ports the same size as the other ranges. 3386.Pp 3387This option is useful if you wish to run things like Internet phone on 3388machines behind your gateway, but is limited in that connections to only 3389one interior machine per source machine and target port are possible. 3390.It nat proto Ar proto localIP Oo 3391.Ar publicIP Op Ar remoteIP 3392.Oc 3393This command tells 3394.Nm 3395to redirect packets of protocol type 3396.Ar proto 3397(see 3398.Xr protocols 5 ) 3399to the internal address 3400.Ar localIP . 3401.Pp 3402If 3403.Ar publicIP 3404is specified, only packets destined for that address are matched, 3405otherwise the default alias address is used. 3406.Pp 3407If 3408.Ar remoteIP 3409is specified, only packets matching that source address are matched, 3410.Pp 3411This command is useful for redirecting tunnel endpoints to an internal machine, 3412for example: 3413.Pp 3414.Dl nat proto ipencap 10.0.0.1 3415.It "nat proxy cmd" Ar arg Ns No ... 3416This command tells 3417.Nm 3418to proxy certain connections, redirecting them to a given server. 3419ifdef({LOCALNAT},{},{Refer to the description of 3420.Fn PacketAliasProxyRule 3421in 3422.Xr libalias 3 3423for details of the available commands. 3424})dnl 3425.It nat punch_fw Op Ar base count 3426This command tells 3427.Nm 3428to punch holes in the firewall for FTP or IRC DCC connections. 3429This is done dynamically by installing temporary firewall rules which 3430allow a particular connection (and only that connection) to go through 3431the firewall. 3432The rules are removed once the corresponding connection terminates. 3433.Pp 3434A maximum of 3435.Ar count 3436rules starting from rule number 3437.Ar base 3438will be used for punching firewall holes. 3439The range will be cleared when the 3440.Dq nat punch_fw 3441command is run. 3442.Pp 3443If no arguments are given, firewall punching is disabled. 3444.It nat same_ports yes|no 3445When enabled, this command will tell the network address translation engine to 3446attempt to avoid changing the port number on outgoing packets. 3447This is useful 3448if you want to support protocols such as RPC and LPD which require 3449connections to come from a well known port. 3450.It nat target Op Ar address 3451Set the given target address or clear it if no address is given. 3452The target address is used 3453ifdef({LOCALNAT},{},{by libalias })dnl 3454to specify how to NAT incoming packets by default. 3455If a target address is not set or if 3456.Dq default 3457is given, packets are not altered and are allowed to route to the internal 3458network. 3459.Pp 3460The target address may be set to 3461.Dq MYADDR , 3462in which case 3463ifdef({LOCALNAT},{all packets will be redirected}, 3464{libalias will redirect all packets}) 3465to the interface address. 3466.It nat use_sockets yes|no 3467When enabled, this option tells the network address translation engine to 3468create a socket so that it can guarantee a correct incoming ftp data or 3469IRC connection. 3470.It nat unregistered_only yes|no 3471Only alter outgoing packets with an unregistered source address. 3472According to RFC 1918, unregistered source addresses 3473are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3474.El 3475.Pp 3476These commands are also discussed in the file 3477.Pa README.nat 3478which comes with the source distribution. 3479.Pp 3480.It Op !\& Ns Xo 3481.No bg Ar command 3482.Xc 3483The given 3484.Ar command 3485is executed in the background with the following words replaced: 3486.Bl -tag -width COMPILATIONDATE 3487.It Li AUTHNAME 3488This is replaced with the local 3489.Ar authname 3490value. 3491See the 3492.Dq set authname 3493command below. 3494.It Li COMPILATIONDATE 3495This is replaced with the date on which 3496.Nm 3497was compiled. 3498.It Li DNS0 & DNS1 3499These are replaced with the primary and secondary nameserver IP numbers. 3500If nameservers are negotiated by IPCP, the values of these macros will change. 3501.It Li ENDDISC 3502This is replaced with the local endpoint discriminator value. 3503See the 3504.Dq set enddisc 3505command below. 3506.It Li HISADDR 3507This is replaced with the peers IP number. 3508.It Li HISADDR6 3509This is replaced with the peers IPv6 number. 3510.It Li INTERFACE 3511This is replaced with the name of the interface that's in use. 3512.It Li IPOCTETSIN 3513This is replaced with the number of IP bytes received since the connection 3514was established. 3515.It Li IPOCTETSOUT 3516This is replaced with the number of IP bytes sent since the connection 3517was established. 3518.It Li IPPACKETSIN 3519This is replaced with the number of IP packets received since the connection 3520was established. 3521.It Li IPPACKETSOUT 3522This is replaced with the number of IP packets sent since the connection 3523was established. 3524.It Li IPV6OCTETSIN 3525This is replaced with the number of IPv6 bytes received since the connection 3526was established. 3527.It Li IPV6OCTETSOUT 3528This is replaced with the number of IPv6 bytes sent since the connection 3529was established. 3530.It Li IPV6PACKETSIN 3531This is replaced with the number of IPv6 packets received since the connection 3532was established. 3533.It Li IPV6PACKETSOUT 3534This is replaced with the number of IPv6 packets sent since the connection 3535was established. 3536.It Li LABEL 3537This is replaced with the last label name used. 3538A label may be specified on the 3539.Nm 3540command line, via the 3541.Dq load 3542or 3543.Dq dial 3544commands and in the 3545.Pa ppp.secret 3546file. 3547.It Li MYADDR 3548This is replaced with the IP number assigned to the local interface. 3549.It Li MYADDR6 3550This is replaced with the IPv6 number assigned to the local interface. 3551.It Li OCTETSIN 3552This is replaced with the number of bytes received since the connection 3553was established. 3554.It Li OCTETSOUT 3555This is replaced with the number of bytes sent since the connection 3556was established. 3557.It Li PACKETSIN 3558This is replaced with the number of packets received since the connection 3559was established. 3560.It Li PACKETSOUT 3561This is replaced with the number of packets sent since the connection 3562was established. 3563.It Li PEER_ENDDISC 3564This is replaced with the value of the peers endpoint discriminator. 3565.It Li PROCESSID 3566This is replaced with the current process id. 3567.It Li SOCKNAME 3568This is replaced with the name of the diagnostic socket. 3569.It Li UPTIME 3570This is replaced with the bundle uptime in HH:MM:SS format. 3571.It Li USER 3572This is replaced with the username that has been authenticated with PAP or 3573CHAP. 3574Normally, this variable is assigned only in -direct mode. 3575This value is available irrespective of whether utmp logging is enabled. 3576.It Li VERSION 3577This is replaced with the current version number of 3578.Nm . 3579.El 3580.Pp 3581These substitutions are also done by the 3582.Dq set proctitle , 3583.Dq ident 3584and 3585.Dq log 3586commands. 3587.Pp 3588If you wish to pause 3589.Nm 3590while the command executes, use the 3591.Dq shell 3592command instead. 3593.It clear physical|ipcp|ipv6 Op current|overall|peak... 3594Clear the specified throughput values at either the 3595.Dq physical , 3596.Dq ipcp 3597or 3598.Dq ipv6cp 3599level. 3600If 3601.Dq physical 3602is specified, context must be given (see the 3603.Dq link 3604command below). 3605If no second argument is given, all values are cleared. 3606.It clone Ar name Ns Xo 3607.Op \&, Ns Ar name Ns 3608.No ... 3609.Xc 3610Clone the specified link, creating one or more new links according to the 3611.Ar name 3612argument(s). 3613This command must be used from the 3614.Dq link 3615command below unless you've only got a single link (in which case that 3616link becomes the default). 3617Links may be removed using the 3618.Dq remove 3619command below. 3620.Pp 3621The default link name is 3622.Dq deflink . 3623.It close Op lcp|ccp Ns Op !\& 3624If no arguments are given, the relevant protocol layers will be brought 3625down and the link will be closed. 3626If 3627.Dq lcp 3628is specified, the LCP layer is brought down, but 3629.Nm 3630will not bring the link offline. 3631It is subsequently possible to use 3632.Dq term 3633(see below) 3634to talk to the peer machine if, for example, something like 3635.Dq slirp 3636is being used. 3637If 3638.Dq ccp 3639is specified, only the relevant compression layer is closed. 3640If the 3641.Dq !\& 3642is used, the compression layer will remain in the closed state, otherwise 3643it will re-enter the STOPPED state, waiting for the peer to initiate 3644further CCP negotiation. 3645In any event, this command does not disconnect the user from 3646.Nm 3647or exit 3648.Nm . 3649See the 3650.Dq quit 3651command below. 3652.It delete Ns Xo 3653.Op !\& 3654.Ar dest 3655.Xc 3656This command deletes the route with the given 3657.Ar dest 3658IP address. 3659If 3660.Ar dest 3661is specified as 3662.Sq ALL , 3663all non-direct entries in the routing table for the current interface, 3664and all 3665.Sq sticky route 3666entries are deleted. 3667If 3668.Ar dest 3669is specified as 3670.Sq default , 3671the default route is deleted. 3672.Pp 3673If the 3674.Ar delete!\& 3675command is used 3676(note the trailing 3677.Dq !\& ) , 3678.Nm 3679will not complain if the route does not already exist. 3680.It dial|call Op Ar label Ns Xo 3681.No ... 3682.Xc 3683This command is the equivalent of 3684.Dq load label 3685followed by 3686.Dq open , 3687and is provided for backwards compatibility. 3688.It down Op Ar lcp|ccp 3689Bring the relevant layer down ungracefully, as if the underlying layer 3690had become unavailable. 3691It's not considered polite to use this command on 3692a Finite State Machine that's in the OPEN state. 3693If no arguments are 3694supplied, the entire link is closed (or if no context is given, all links 3695are terminated). 3696If 3697.Sq lcp 3698is specified, the 3699.Em LCP 3700layer is terminated but the device is not brought offline and the link 3701is not closed. 3702If 3703.Sq ccp 3704is specified, only the relevant compression layer(s) are terminated. 3705.It help|? Op Ar command 3706Show a list of available commands. 3707If 3708.Ar command 3709is specified, show the usage string for that command. 3710.It ident Op Ar text Ns No ... 3711Identify the link to the peer using 3712.Ar text . 3713If 3714.Ar text 3715is empty, link identification is disabled. 3716It is possible to use any of the words described for the 3717.Ic bg 3718command above. 3719Refer to the 3720.Ic sendident 3721command for details of when 3722.Nm 3723identifies itself to the peer. 3724.It iface Ar command Op args 3725This command is used to control the interface used by 3726.Nm . 3727.Ar Command 3728may be one of the following: 3729.Bl -tag -width 2n 3730.It iface add Ns Xo 3731.Op !\& 3732.Ar addr Ns Op / Ns Ar bits 3733.Op Ar peer 3734.Xc 3735.It iface add Ns Xo 3736.Op !\& 3737.Ar addr 3738.Ar mask 3739.Ar peer 3740.Xc 3741Add the given 3742.Ar addr mask peer 3743combination to the interface. 3744Instead of specifying 3745.Ar mask , 3746.Ar /bits 3747can be used 3748(with no space between it and 3749.Ar addr ) . 3750If the given address already exists, the command fails unless the 3751.Dq !\& 3752is used - in which case the previous interface address entry is overwritten 3753with the new one, allowing a change of netmask or peer address. 3754.Pp 3755If only 3756.Ar addr 3757is specified, 3758.Ar bits 3759defaults to 3760.Dq 32 3761and 3762.Ar peer 3763defaults to 3764.Dq 255.255.255.255 . 3765This address (the broadcast address) is the only duplicate peer address that 3766.Nm 3767allows. 3768.It iface clear Op INET | INET6 3769If this command is used while 3770.Nm 3771is in the OPENED state or while in 3772.Fl auto 3773mode, all addresses except for the NCP negotiated address are deleted 3774from the interface. 3775If 3776.Nm 3777is not in the OPENED state and is not in 3778.Fl auto 3779mode, all interface addresses are deleted. 3780.Pp 3781If the INET or INET6 arguments are used, only addresses for that address 3782family are cleared. 3783.Pp 3784.It iface delete Ns Xo 3785.Op !\& Ns 3786.No |rm Ns Op !\& 3787.Ar addr 3788.Xc 3789This command deletes the given 3790.Ar addr 3791from the interface. 3792If the 3793.Dq !\& 3794is used, no error is given if the address isn't currently assigned to 3795the interface (and no deletion takes place). 3796.It iface show 3797Shows the current state and current addresses for the interface. 3798It is much the same as running 3799.Dq ifconfig INTERFACE . 3800.It iface help Op Ar sub-command 3801This command, when invoked without 3802.Ar sub-command , 3803will show a list of possible 3804.Dq iface 3805sub-commands and a brief synopsis for each. 3806When invoked with 3807.Ar sub-command , 3808only the synopsis for the given sub-command is shown. 3809.El 3810.It Op data Ns Xo 3811.No link 3812.Ar name Ns Op , Ns Ar name Ns 3813.No ... Ar command Op Ar args 3814.Xc 3815This command may prefix any other command if the user wishes to 3816specify which link the command should affect. 3817This is only applicable after multiple links have been created in Multi-link 3818mode using the 3819.Dq clone 3820command. 3821.Pp 3822.Ar Name 3823specifies the name of an existing link. 3824If 3825.Ar name 3826is a comma separated list, 3827.Ar command 3828is executed on each link. 3829If 3830.Ar name 3831is 3832.Dq * , 3833.Ar command 3834is executed on all links. 3835.It load Op Ar label Ns Xo 3836.No ... 3837.Xc 3838Load the given 3839.Ar label Ns No (s) 3840from the 3841.Pa ppp.conf 3842file. 3843If 3844.Ar label 3845is not given, the 3846.Ar default 3847label is used. 3848.Pp 3849Unless the 3850.Ar label 3851section uses the 3852.Dq set mode , 3853.Dq open 3854or 3855.Dq dial 3856commands, 3857.Nm 3858will not attempt to make an immediate connection. 3859.It log Ar word Ns No ... 3860Send the given word(s) to the log file with the prefix 3861.Dq LOG: . 3862Word substitutions are done as explained under the 3863.Dq !bg 3864command above. 3865.It open Op lcp|ccp|ipcp 3866This is the opposite of the 3867.Dq close 3868command. 3869All closed links are immediately brought up apart from second and subsequent 3870.Ar demand-dial 3871links - these will come up based on the 3872.Dq set autoload 3873command that has been used. 3874.Pp 3875If the 3876.Dq lcp 3877argument is used while the LCP layer is already open, LCP will be 3878renegotiated. 3879This allows various LCP options to be changed, after which 3880.Dq open lcp 3881can be used to put them into effect. 3882After renegotiating LCP, 3883any agreed authentication will also take place. 3884.Pp 3885If the 3886.Dq ccp 3887argument is used, the relevant compression layer is opened. 3888Again, if it is already open, it will be renegotiated. 3889.Pp 3890If the 3891.Dq ipcp 3892argument is used, the link will be brought up as normal, but if 3893IPCP is already open, it will be renegotiated and the network 3894interface will be reconfigured. 3895.Pp 3896It is probably not good practice to re-open the PPP state machines 3897like this as it's possible that the peer will not behave correctly. 3898It 3899.Em is 3900however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3901.It passwd Ar pass 3902Specify the password required for access to the full 3903.Nm 3904command set. 3905This password is required when connecting to the diagnostic port (see the 3906.Dq set server 3907command). 3908.Ar Pass 3909is specified on the 3910.Dq set server 3911command line. 3912The value of 3913.Ar pass 3914is not logged when 3915.Ar command 3916logging is active, instead, the literal string 3917.Sq ******** 3918is logged. 3919.It quit|bye Op all 3920If 3921.Dq quit 3922is executed from the controlling connection or from a command file, 3923ppp will exit after closing all connections. 3924Otherwise, if the user 3925is connected to a diagnostic socket, the connection is simply dropped. 3926.Pp 3927If the 3928.Ar all 3929argument is given, 3930.Nm 3931will exit despite the source of the command after closing all existing 3932connections. 3933.It remove|rm 3934This command removes the given link. 3935It is only really useful in multi-link mode. 3936A link must be in the 3937.Dv CLOSED 3938state before it is removed. 3939.It rename|mv Ar name 3940This command renames the given link to 3941.Ar name . 3942It will fail if 3943.Ar name 3944is already used by another link. 3945.Pp 3946The default link name is 3947.Sq deflink . 3948Renaming it to 3949.Sq modem , 3950.Sq cuaa0 3951or 3952.Sq USR 3953may make the log file more readable. 3954.It resolv Ar command 3955This command controls 3956.Nm Ns No 's 3957manipulation of the 3958.Xr resolv.conf 5 3959file. 3960When 3961.Nm 3962starts up, it loads the contents of this file into memory and retains this 3963image for future use. 3964.Ar command 3965is one of the following: 3966.Bl -tag -width readonly 3967.It Em readonly 3968Treat 3969.Pa /etc/resolv.conf 3970as read only. 3971If 3972.Dq dns 3973is enabled, 3974.Nm 3975will still attempt to negotiate nameservers with the peer, making the results 3976available via the 3977.Dv DNS0 3978and 3979.Dv DNS1 3980macros. 3981This is the opposite of the 3982.Dq resolv writable 3983command. 3984.It Em reload 3985Reload 3986.Pa /etc/resolv.conf 3987into memory. 3988This may be necessary if for example a DHCP client overwrote 3989.Pa /etc/resolv.conf . 3990.It Em restore 3991Replace 3992.Pa /etc/resolv.conf 3993with the version originally read at startup or with the last 3994.Dq resolv reload 3995command. 3996This is sometimes a useful command to put in the 3997.Pa /etc/ppp/ppp.linkdown 3998file. 3999.It Em rewrite 4000Rewrite the 4001.Pa /etc/resolv.conf 4002file. 4003This command will work even if the 4004.Dq resolv readonly 4005command has been used. 4006It may be useful as a command in the 4007.Pa /etc/ppp/ppp.linkup 4008file if you wish to defer updating 4009.Pa /etc/resolv.conf 4010until after other commands have finished. 4011.It Em writable 4012Allow 4013.Nm 4014to update 4015.Pa /etc/resolv.conf 4016if 4017.Dq dns 4018is enabled and 4019.Nm 4020successfully negotiates a DNS. 4021This is the opposite of the 4022.Dq resolv readonly 4023command. 4024.El 4025.It save 4026This option is not (yet) implemented. 4027.It sendident 4028This command tells 4029.Nm 4030to identify itself to the peer. 4031The link must be in LCP state or higher. 4032If no identity has been set (via the 4033.Ic ident 4034command), 4035.Ic sendident 4036will fail. 4037.Pp 4038When an identity has been set, 4039.Nm 4040will automatically identify itself when it sends or receives a configure 4041reject, when negotiation fails or when LCP reaches the opened state. 4042.Pp 4043Received identification packets are logged to the LCP log (see 4044.Ic set log 4045for details) and are never responded to. 4046.It set Ns Xo 4047.Op up 4048.Ar var value 4049.Xc 4050This option allows the setting of any of the following variables: 4051.Bl -tag -width 2n 4052.It set accmap Ar hex-value 4053ACCMap stands for Asynchronous Control Character Map. 4054This is always 4055negotiated with the peer, and defaults to a value of 00000000 in hex. 4056This protocol is required to defeat hardware that depends on passing 4057certain characters from end to end (such as XON/XOFF etc). 4058.Pp 4059For the XON/XOFF scenario, use 4060.Dq set accmap 000a0000 . 4061.It set Op auth Ns Xo 4062.No key Ar value 4063.Xc 4064This sets the authentication key (or password) used in client mode 4065PAP or CHAP negotiation to the given value. 4066It also specifies the 4067password to be used in the dial or login scripts in place of the 4068.Sq \eP 4069sequence, preventing the actual password from being logged. 4070If 4071.Ar command 4072or 4073.Ar chat 4074logging is in effect, 4075.Ar value 4076is logged as 4077.Sq ******** 4078for security reasons. 4079.Pp 4080If the first character of 4081.Ar value 4082is an exclamation mark 4083.Pq Dq !\& , 4084.Nm 4085treats the remainder of the string as a program that must be executed 4086to determine the 4087.Dq authname 4088and 4089.Dq authkey 4090values. 4091.Pp 4092If the 4093.Dq !\& 4094is doubled up 4095(to 4096.Dq !! ) , 4097it is treated as a single literal 4098.Dq !\& , 4099otherwise, ignoring the 4100.Dq !\& , 4101.Ar value 4102is parsed as a program to execute in the same was as the 4103.Dq !bg 4104command above, substituting special names in the same manner. 4105Once executed, 4106.Nm 4107will feed the program three lines of input, each terminated by a newline 4108character: 4109.Bl -bullet 4110.It 4111The host name as sent in the CHAP challenge. 4112.It 4113The challenge string as sent in the CHAP challenge. 4114.It 4115The locally defined 4116.Dq authname . 4117.El 4118.Pp 4119Two lines of output are expected: 4120.Bl -bullet 4121.It 4122The 4123.Dq authname 4124to be sent with the CHAP response. 4125.It 4126The 4127.Dq authkey , 4128which is encrypted with the challenge and request id, the answer being sent 4129in the CHAP response packet. 4130.El 4131.Pp 4132When configuring 4133.Nm 4134in this manner, it's expected that the host challenge is a series of ASCII 4135digits or characters. 4136An encryption device or Secure ID card is usually 4137required to calculate the secret appropriate for the given challenge. 4138.It set authname Ar id 4139This sets the authentication id used in client mode PAP or CHAP negotiation. 4140.Pp 4141If used in 4142.Fl direct 4143mode with CHAP enabled, 4144.Ar id 4145is used in the initial authentication challenge and should normally be set to 4146the local machine name. 4147.It set autoload Xo 4148.Ar min-percent max-percent period 4149.Xc 4150These settings apply only in multi-link mode and default to zero, zero and 4151five respectively. 4152When more than one 4153.Ar demand-dial 4154(also known as 4155.Fl auto ) 4156mode link is available, only the first link is made active when 4157.Nm 4158first reads data from the tun device. 4159The next 4160.Ar demand-dial 4161link will be opened only when the current bundle throughput is at least 4162.Ar max-percent 4163percent of the total bundle bandwidth for 4164.Ar period 4165seconds. 4166When the current bundle throughput decreases to 4167.Ar min-percent 4168percent or less of the total bundle bandwidth for 4169.Ar period 4170seconds, a 4171.Ar demand-dial 4172link will be brought down as long as it's not the last active link. 4173.Pp 4174Bundle throughput is measured as the maximum of inbound and outbound 4175traffic. 4176.Pp 4177The default values cause 4178.Ar demand-dial 4179links to simply come up one at a time. 4180.Pp 4181Certain devices cannot determine their physical bandwidth, so it 4182is sometimes necessary to use the 4183.Dq set bandwidth 4184command (described below) to make 4185.Dq set autoload 4186work correctly. 4187.It set bandwidth Ar value 4188This command sets the connection bandwidth in bits per second. 4189.Ar value 4190must be greater than zero. 4191It is currently only used by the 4192.Dq set autoload 4193command above. 4194.It set callback Ar option Ns No ... 4195If no arguments are given, callback is disabled, otherwise, 4196.Nm 4197will request (or in 4198.Fl direct 4199mode, will accept) one of the given 4200.Ar option Ns No s . 4201In client mode, if an 4202.Ar option 4203is NAK'd 4204.Nm 4205will request a different 4206.Ar option , 4207until no options remain at which point 4208.Nm 4209will terminate negotiations (unless 4210.Dq none 4211is one of the specified 4212.Ar option ) . 4213In server mode, 4214.Nm 4215will accept any of the given protocols - but the client 4216.Em must 4217request one of them. 4218If you wish callback to be optional, you must {include} 4219.Ar none 4220as an option. 4221.Pp 4222The 4223.Ar option Ns No s 4224are as follows (in this order of preference): 4225.Bl -tag -width Ds 4226.It auth 4227The callee is expected to decide the callback number based on 4228authentication. 4229If 4230.Nm 4231is the callee, the number should be specified as the fifth field of 4232the peers entry in 4233.Pa /etc/ppp/ppp.secret . 4234.It cbcp 4235Microsoft's callback control protocol is used. 4236See 4237.Dq set cbcp 4238below. 4239.Pp 4240If you wish to negotiate 4241.Ar cbcp 4242in client mode but also wish to allow the server to request no callback at 4243CBCP negotiation time, you must specify both 4244.Ar cbcp 4245and 4246.Ar none 4247as callback options. 4248.It E.164 *| Ns Xo 4249.Ar number Ns Op , Ns Ar number Ns 4250.No ... 4251.Xc 4252The caller specifies the 4253.Ar number . 4254If 4255.Nm 4256is the callee, 4257.Ar number 4258should be either a comma separated list of allowable numbers or a 4259.Dq \&* , 4260meaning any number is permitted. 4261If 4262.Nm 4263is the caller, only a single number should be specified. 4264.Pp 4265Note, this option is very unsafe when used with a 4266.Dq \&* 4267as a malicious caller can tell 4268.Nm 4269to call any (possibly international) number without first authenticating 4270themselves. 4271.It none 4272If the peer does not wish to do callback at all, 4273.Nm 4274will accept the fact and continue without callback rather than terminating 4275the connection. 4276This is required (in addition to one or more other callback 4277options) if you wish callback to be optional. 4278.El 4279.Pp 4280.It set cbcp Oo 4281.No *| Ns Ar number Ns Oo 4282.No , Ns Ar number Ns ...\& Oc 4283.Op Ar delay Op Ar retry 4284.Oc 4285If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4286is disabled - ie, configuring CBCP in the 4287.Dq set callback 4288command will result in 4289.Nm 4290requesting no callback in the CBCP phase. 4291Otherwise, 4292.Nm 4293attempts to use the given phone 4294.Ar number Ns No (s). 4295.Pp 4296In server mode 4297.Pq Fl direct , 4298.Nm 4299will insist that the client uses one of these numbers, unless 4300.Dq \&* 4301is used in which case the client is expected to specify the number. 4302.Pp 4303In client mode, 4304.Nm 4305will attempt to use one of the given numbers (whichever it finds to 4306be agreeable with the peer), or if 4307.Dq \&* 4308is specified, 4309.Nm 4310will expect the peer to specify the number. 4311.It set cd Oo 4312.No off| Ns Ar seconds Ns Op !\& 4313.Oc 4314Normally, 4315.Nm 4316checks for the existence of carrier depending on the type of device 4317that has been opened: 4318.Bl -tag -width XXX -offset XXX 4319.It Terminal Devices 4320Carrier is checked one second after the login script is complete. 4321If it's not set, 4322.Nm 4323assumes that this is because the device doesn't support carrier (which 4324is true for most 4325.Dq laplink 4326NULL-modem cables), logs the fact and stops checking 4327for carrier. 4328.Pp 4329As ptys don't support the 4330.Dv TIOCMGET 4331ioctl, the tty device will switch all 4332carrier detection off when it detects that the device is a pty. 4333.It ISDN (i4b) Devices 4334Carrier is checked once per second for 6 seconds. 4335If it's not set after 4336the sixth second, the connection attempt is considered to have failed and 4337the device is closed. 4338Carrier is always required for i4b devices. 4339.It PPPoE (netgraph) Devices 4340Carrier is checked once per second for 5 seconds. 4341If it's not set after 4342the fifth second, the connection attempt is considered to have failed and 4343the device is closed. 4344Carrier is always required for PPPoE devices. 4345.El 4346.Pp 4347All other device types don't support carrier. 4348Setting a carrier value will 4349result in a warning when the device is opened. 4350.Pp 4351Some modems take more than one second after connecting to assert the carrier 4352signal. 4353If this delay isn't increased, this will result in 4354.Nm Ns No 's 4355inability to detect when the link is dropped, as 4356.Nm 4357assumes that the device isn't asserting carrier. 4358.Pp 4359The 4360.Dq set cd 4361command overrides the default carrier behaviour. 4362.Ar seconds 4363specifies the maximum number of seconds that 4364.Nm 4365should wait after the dial script has finished before deciding if 4366carrier is available or not. 4367.Pp 4368If 4369.Dq off 4370is specified, 4371.Nm 4372will not check for carrier on the device, otherwise 4373.Nm 4374will not proceed to the login script until either carrier is detected 4375or until 4376.Ar seconds 4377has elapsed, at which point 4378.Nm 4379assumes that the device will not set carrier. 4380.Pp 4381If no arguments are given, carrier settings will go back to their default 4382values. 4383.Pp 4384If 4385.Ar seconds 4386is followed immediately by an exclamation mark 4387.Pq Dq !\& , 4388.Nm 4389will 4390.Em require 4391carrier. 4392If carrier is not detected after 4393.Ar seconds 4394seconds, the link will be disconnected. 4395.It set choked Op Ar timeout 4396This sets the number of seconds that 4397.Nm 4398will keep a choked output queue before dropping all pending output packets. 4399If 4400.Ar timeout 4401is less than or equal to zero or if 4402.Ar timeout 4403isn't specified, it is set to the default value of 4404.Em 120 seconds . 4405.Pp 4406A choked output queue occurs when 4407.Nm 4408has read a certain number of packets from the local network for transmission, 4409but cannot send the data due to link failure (the peer is busy etc.). 4410.Nm 4411will not read packets indefinitely. 4412Instead, it reads up to 4413.Em 30 4414packets (or 4415.Em 30 No + 4416.Em nlinks No * 4417.Em 2 4418packets in multi-link mode), then stops reading the network interface 4419until either 4420.Ar timeout 4421seconds have passed or at least one packet has been sent. 4422.Pp 4423If 4424.Ar timeout 4425seconds pass, all pending output packets are dropped. 4426.It set ctsrts|crtscts on|off 4427This sets hardware flow control. 4428Hardware flow control is 4429.Ar on 4430by default. 4431.It set deflate Ar out-winsize Op Ar in-winsize 4432This sets the DEFLATE algorithms default outgoing and incoming window 4433sizes. 4434Both 4435.Ar out-winsize 4436and 4437.Ar in-winsize 4438must be values between 4439.Em 8 4440and 4441.Em 15 . 4442If 4443.Ar in-winsize 4444is specified, 4445.Nm 4446will insist that this window size is used and will not accept any other 4447values from the peer. 4448.It set dns Op Ar primary Op Ar secondary 4449This command specifies DNS overrides for the 4450.Dq accept dns 4451command. 4452Refer to the 4453.Dq accept 4454command description above for details. 4455This command does not affect the IP numbers requested using 4456.Dq enable dns . 4457.It set device|line Xo 4458.Ar value Ns No ... 4459.Xc 4460This sets the device(s) to which 4461.Nm 4462will talk to the given 4463.Dq value . 4464.Pp 4465All ISDN and serial device names are expected to begin with 4466.Pa /dev/ . 4467ISDN devices are usually called 4468.Pa i4brbchX 4469and serial devices are usually called 4470.Pa cuaXX . 4471.Pp 4472If 4473.Dq value 4474does not begin with 4475.Pa /dev/ , 4476it must either begin with an exclamation mark 4477.Pq Dq !\& , 4478be of the format 4479.No PPPoE: Ns Ar iface Ns Xo 4480.Op \&: Ns Ar provider Ns 4481.Xc 4482(on 4483.Xr netgraph 4 4484enabled systems), or be of the format 4485.Sm off 4486.Ar host : port Op /tcp|udp . 4487.Sm on 4488.Pp 4489If it begins with an exclamation mark, the rest of the device name is 4490treated as a program name, and that program is executed when the device 4491is opened. 4492Standard input, output and error are fed back to 4493.Nm 4494and are read and written as if they were a regular device. 4495.Pp 4496If a 4497.No PPPoE: Ns Ar iface Ns Xo 4498.Op \&: Ns Ar provider Ns 4499.Xc 4500specification is given, 4501.Nm 4502will attempt to create a 4503.Em PPP 4504over Ethernet connection using the given 4505.Ar iface 4506interface by using 4507.Xr netgraph 4 . 4508If 4509.Xr netgraph 4 4510is not available, 4511.Nm 4512will attempt to load it using 4513.Xr kldload 2 . 4514If this fails, an external program must be used such as the 4515.Xr pppoe 8 4516program available under 4517.Ox . 4518The given 4519.Ar provider 4520is passed as the service name in the PPPoE Discovery Initiation (PADI) 4521packet. 4522If no provider is given, an empty value will be used. 4523.Pp 4524When a PPPoE connection is established, 4525.Nm 4526will place the name of the Access Concentrator in the environment variable 4527.Ev ACNAME . 4528.Pp 4529Refer to 4530.Xr netgraph 4 4531and 4532.Xr ng_pppoe 4 4533for further details. 4534.Pp 4535If a 4536.Ar host Ns No : Ns Ar port Ns Oo 4537.No /tcp|udp 4538.Oc 4539specification is given, 4540.Nm 4541will attempt to connect to the given 4542.Ar host 4543on the given 4544.Ar port . 4545If a 4546.Dq /tcp 4547or 4548.Dq /udp 4549suffix is not provided, the default is 4550.Dq /tcp . 4551Refer to the section on 4552.Em PPP OVER TCP and UDP 4553above for further details. 4554.Pp 4555If multiple 4556.Dq values 4557are specified, 4558.Nm 4559will attempt to open each one in turn until it succeeds or runs out of 4560devices. 4561.It set dial Ar chat-script 4562This specifies the chat script that will be used to dial the other 4563side. 4564See also the 4565.Dq set login 4566command below. 4567Refer to 4568.Xr chat 8 4569and to the example configuration files for details of the chat script 4570format. 4571It is possible to specify some special 4572.Sq values 4573in your chat script as follows: 4574.Bl -tag -width 2n 4575.It Li \ec 4576When used as the last character in a 4577.Sq send 4578string, this indicates that a newline should not be appended. 4579.It Li \ed 4580When the chat script encounters this sequence, it delays two seconds. 4581.It Li \ep 4582When the chat script encounters this sequence, it delays for one quarter of 4583a second. 4584.It Li \en 4585This is replaced with a newline character. 4586.It Li \er 4587This is replaced with a carriage return character. 4588.It Li \es 4589This is replaced with a space character. 4590.It Li \et 4591This is replaced with a tab character. 4592.It Li \eT 4593This is replaced by the current phone number (see 4594.Dq set phone 4595below). 4596.It Li \eP 4597This is replaced by the current 4598.Ar authkey 4599value (see 4600.Dq set authkey 4601above). 4602.It Li \eU 4603This is replaced by the current 4604.Ar authname 4605value (see 4606.Dq set authname 4607above). 4608.El 4609.Pp 4610Note that two parsers will examine these escape sequences, so in order to 4611have the 4612.Sq chat parser 4613see the escape character, it is necessary to escape it from the 4614.Sq command parser . 4615This means that in practice you should use two escapes, for example: 4616.Bd -literal -offset indent 4617set dial "... ATDT\\\\T CONNECT" 4618.Ed 4619.Pp 4620It is also possible to execute external commands from the chat script. 4621To do this, the first character of the expect or send string is an 4622exclamation mark 4623.Pq Dq !\& . 4624If a literal exclamation mark is required, double it up to 4625.Dq !!\& 4626and it will be treated as a single literal 4627.Dq !\& . 4628When the command is executed, standard input and standard output are 4629directed to the open device (see the 4630.Dq set device 4631command), and standard error is read by 4632.Nm 4633and substituted as the expect or send string. 4634If 4635.Nm 4636is running in interactive mode, file descriptor 3 is attached to 4637.Pa /dev/tty . 4638.Pp 4639For example (wrapped for readability): 4640.Bd -literal -offset indent 4641set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4642word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4643\\"!/bin/echo in\\" HELLO" 4644.Ed 4645.Pp 4646would result in the following chat sequence (output using the 4647.Sq set log local chat 4648command before dialing): 4649.Bd -literal -offset indent 4650Dial attempt 1 of 1 4651dial OK! 4652Chat: Expecting: 4653Chat: Sending: 4654Chat: Expecting: login:--login: 4655Chat: Wait for (5): login: 4656Chat: Sending: ppp 4657Chat: Expecting: word: 4658Chat: Wait for (5): word: 4659Chat: Sending: ppp 4660Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4661Chat: Exec: sh -c "echo -n label: >&2" 4662Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4663Chat: Exec: /bin/echo in 4664Chat: Sending: 4665Chat: Expecting: HELLO 4666Chat: Wait for (5): HELLO 4667login OK! 4668.Ed 4669.Pp 4670Note (again) the use of the escape character, allowing many levels of 4671nesting. 4672Here, there are four parsers at work. 4673The first parses the original line, reading it as three arguments. 4674The second parses the third argument, reading it as 11 arguments. 4675At this point, it is 4676important that the 4677.Dq \&- 4678signs are escaped, otherwise this parser will see them as constituting 4679an expect-send-expect sequence. 4680When the 4681.Dq !\& 4682character is seen, the execution parser reads the first command as three 4683arguments, and then 4684.Xr sh 1 4685itself expands the argument after the 4686.Fl c . 4687As we wish to send the output back to the modem, in the first example 4688we redirect our output to file descriptor 2 (stderr) so that 4689.Nm 4690itself sends and logs it, and in the second example, we just output to stdout, 4691which is attached directly to the modem. 4692.Pp 4693This, of course means that it is possible to execute an entirely external 4694.Dq chat 4695command rather than using the internal one. 4696See 4697.Xr chat 8 4698for a good alternative. 4699.Pp 4700The external command that is executed is subjected to the same special 4701word expansions as the 4702.Dq !bg 4703command. 4704.It set enddisc Op label|IP|MAC|magic|psn value 4705This command sets our local endpoint discriminator. 4706If set prior to LCP negotiation, and if no 4707.Dq disable enddisc 4708command has been used, 4709.Nm 4710will send the information to the peer using the LCP endpoint discriminator 4711option. 4712The following discriminators may be set: 4713.Bl -tag -width indent 4714.It Li label 4715The current label is used. 4716.It Li IP 4717Our local IP number is used. 4718As LCP is negotiated prior to IPCP, it is 4719possible that the IPCP layer will subsequently change this value. 4720If 4721it does, the endpoint discriminator stays at the old value unless manually 4722reset. 4723.It Li MAC 4724This is similar to the 4725.Ar IP 4726option above, except that the MAC address associated with the local IP 4727number is used. 4728If the local IP number is not resident on any Ethernet 4729interface, the command will fail. 4730.Pp 4731As the local IP number defaults to whatever the machine host name is, 4732.Dq set enddisc mac 4733is usually done prior to any 4734.Dq set ifaddr 4735commands. 4736.It Li magic 4737A 20 digit random number is used. 4738Care should be taken when using magic numbers as restarting 4739.Nm 4740or creating a link using a different 4741.Nm 4742invocation will also use a different magic number and will therefore not 4743be recognised by the peer as belonging to the same bundle. 4744This makes it unsuitable for 4745.Fl direct 4746connections. 4747.It Li psn Ar value 4748The given 4749.Ar value 4750is used. 4751.Ar Value 4752should be set to an absolute public switched network number with the 4753country code first. 4754.El 4755.Pp 4756If no arguments are given, the endpoint discriminator is reset. 4757.It set escape Ar value... 4758This option is similar to the 4759.Dq set accmap 4760option above. 4761It allows the user to specify a set of characters that will be 4762.Sq escaped 4763as they travel across the link. 4764.It set filter dial|alive|in|out Ar rule-no Xo 4765.No permit|deny|clear| Ns Ar rule-no 4766.Op !\& 4767.Oo Op host 4768.Ar src_addr Ns Op / Ns Ar width 4769.Op Ar dst_addr Ns Op / Ns Ar width 4770.Oc [ Ns Ar proto 4771.Op src lt|eq|gt Ar port 4772.Op dst lt|eq|gt Ar port 4773.Op estab 4774.Op syn 4775.Op finrst 4776.Op timeout Ar secs ] 4777.Xc 4778.Nm 4779supports four filter sets. 4780The 4781.Em alive 4782filter specifies packets that keep the connection alive - resetting the 4783idle timer. 4784The 4785.Em dial 4786filter specifies packets that cause 4787.Nm 4788to dial when in 4789.Fl auto 4790mode. 4791The 4792.Em in 4793filter specifies packets that are allowed to travel 4794into the machine and the 4795.Em out 4796filter specifies packets that are allowed out of the machine. 4797.Pp 4798Filtering is done prior to any IP alterations that might be done by the 4799NAT engine on outgoing packets and after any IP alterations that might 4800be done by the NAT engine on incoming packets. 4801By default all empty filter sets allow all packets to pass. 4802Rules are processed in order according to 4803.Ar rule-no 4804(unless skipped by specifying a rule number as the 4805.Ar action ) . 4806Up to 40 rules may be given for each set. 4807If a packet doesn't match 4808any of the rules in a given set, it is discarded. 4809In the case of 4810.Em in 4811and 4812.Em out 4813filters, this means that the packet is dropped. 4814In the case of 4815.Em alive 4816filters it means that the packet will not reset the idle timer (even if 4817the 4818.Ar in Ns No / Ns Ar out 4819filter has a 4820.Dq timeout 4821value) and in the case of 4822.Em dial 4823filters it means that the packet will not trigger a dial. 4824A packet failing to trigger a dial will be dropped rather than queued. 4825Refer to the 4826section on 4827.Sx PACKET FILTERING 4828above for further details. 4829.It set hangup Ar chat-script 4830This specifies the chat script that will be used to reset the device 4831before it is closed. 4832It should not normally be necessary, but can 4833be used for devices that fail to reset themselves properly on close. 4834.It set help|? Op Ar command 4835This command gives a summary of available set commands, or if 4836.Ar command 4837is specified, the command usage is shown. 4838.It set ifaddr Oo Ar myaddr Ns 4839.Op / Ns Ar \&nn 4840.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4841.Oo Ar netmask 4842.Op Ar triggeraddr 4843.Oc Oc 4844.Oc 4845This command specifies the IP addresses that will be used during 4846IPCP negotiation. 4847Addresses are specified using the format 4848.Pp 4849.Dl a.b.c.d/nn 4850.Pp 4851Where 4852.Dq a.b.c.d 4853is the preferred IP, but 4854.Ar nn 4855specifies how many bits of the address we will insist on. 4856If 4857.No / Ns Ar nn 4858is omitted, it defaults to 4859.Dq /32 4860unless the IP address is 0.0.0.0 in which case it defaults to 4861.Dq /0 . 4862.Pp 4863If you wish to assign a dynamic IP number to the peer, 4864.Ar hisaddr 4865may also be specified as a range of IP numbers in the format 4866.Bd -ragged -offset indent 4867.Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo 4868.Oc Ns Oo , Ns Ar \&IP Ns 4869.Op \&- Ns Ar \&IP Ns 4870.Oc Ns ... 4871.Xc 4872.Ed 4873.Pp 4874for example: 4875.Pp 4876.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4877.Pp 4878will only negotiate 4879.Dq 10.0.0.1 4880as the local IP number, but may assign any of the given 10 IP 4881numbers to the peer. 4882If the peer requests one of these numbers, 4883and that number is not already in use, 4884.Nm 4885will grant the peers request. 4886This is useful if the peer wants 4887to re-establish a link using the same IP number as was previously 4888allocated (thus maintaining any existing tcp or udp connections). 4889.Pp 4890If the peer requests an IP number that's either outside 4891of this range or is already in use, 4892.Nm 4893will suggest a random unused IP number from the range. 4894.Pp 4895If 4896.Ar triggeraddr 4897is specified, it is used in place of 4898.Ar myaddr 4899in the initial IPCP negotiation. 4900However, only an address in the 4901.Ar myaddr 4902range will be accepted. 4903This is useful when negotiating with some 4904.Dv PPP 4905implementations that will not assign an IP number unless their peer 4906requests 4907.Dq 0.0.0.0 . 4908.Pp 4909It should be noted that in 4910.Fl auto 4911mode, 4912.Nm 4913will configure the interface immediately upon reading the 4914.Dq set ifaddr 4915line in the config file. 4916In any other mode, these values are just 4917used for IPCP negotiations, and the interface isn't configured 4918until the IPCP layer is up. 4919.Pp 4920Note that the 4921.Ar HISADDR 4922argument may be overridden by the third field in the 4923.Pa ppp.secret 4924file once the client has authenticated itself 4925(if PAP or CHAP are 4926.Dq enabled ) . 4927Refer to the 4928.Sx AUTHENTICATING INCOMING CONNECTIONS 4929section for details. 4930.Pp 4931In all cases, if the interface is already configured, 4932.Nm 4933will try to maintain the interface IP numbers so that any existing 4934bound sockets will remain valid. 4935.It set ifqueue Ar packets 4936Set the maximum number of packets that 4937.Nm 4938will read from the tunnel interface while data cannot be sent to any of 4939the available links. 4940This queue limit is necessary to flow control outgoing data as the tunnel 4941interface is likely to be far faster than the combined links available to 4942.Nm . 4943.Pp 4944If 4945.Ar packets 4946is set to a value less than the number of links, 4947.Nm 4948will read up to that value regardless. 4949This prevents any possible latency problems. 4950.Pp 4951The default value for 4952.Ar packets 4953is 4954.Dq 30 . 4955.It set ccpretry|ccpretries Oo Ar timeout 4956.Op Ar reqtries Op Ar trmtries 4957.Oc 4958.It set chapretry|chapretries Oo Ar timeout 4959.Op Ar reqtries 4960.Oc 4961.It set ipcpretry|ipcpretries Oo Ar timeout 4962.Op Ar reqtries Op Ar trmtries 4963.Oc 4964.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 4965.Op Ar reqtries Op Ar trmtries 4966.Oc 4967.It set lcpretry|lcpretries Oo Ar timeout 4968.Op Ar reqtries Op Ar trmtries 4969.Oc 4970.It set papretry|papretries Oo Ar timeout 4971.Op Ar reqtries 4972.Oc 4973These commands set the number of seconds that 4974.Nm 4975will wait before resending Finite State Machine (FSM) Request packets. 4976The default 4977.Ar timeout 4978for all FSMs is 3 seconds (which should suffice in most cases). 4979.Pp 4980If 4981.Ar reqtries 4982is specified, it tells 4983.Nm 4984how many configuration request attempts it should make while receiving 4985no reply from the peer before giving up. 4986The default is 5 attempts for 4987CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4988.Pp 4989If 4990.Ar trmtries 4991is specified, it tells 4992.Nm 4993how many terminate requests should be sent before giving up waiting for the 4994peers response. 4995The default is 3 attempts. 4996Authentication protocols are 4997not terminated and it is therefore invalid to specify 4998.Ar trmtries 4999for PAP or CHAP. 5000.Pp 5001In order to avoid negotiations with the peer that will never converge, 5002.Nm 5003will only send at most 3 times the configured number of 5004.Ar reqtries 5005in any given negotiation session before giving up and closing that layer. 5006.It set log Xo 5007.Op local 5008.Op +|- Ns 5009.Ar value Ns No ... 5010.Xc 5011This command allows the adjustment of the current log level. 5012Refer to the Logging Facility section for further details. 5013.It set login Ar chat-script 5014This 5015.Ar chat-script 5016complements the dial-script. 5017If both are specified, the login 5018script will be executed after the dial script. 5019Escape sequences available in the dial script are also available here. 5020.It set logout Ar chat-script 5021This specifies the chat script that will be used to logout 5022before the hangup script is called. 5023It should not normally be necessary. 5024.It set lqrperiod Ar frequency 5025This command sets the 5026.Ar frequency 5027in seconds at which 5028.Em LQR 5029or 5030.Em ECHO LQR 5031packets are sent. 5032The default is 30 seconds. 5033You must also use the 5034.Dq enable lqr 5035command if you wish to send LQR requests to the peer. 5036.It set mode Ar interactive|auto|ddial|background 5037This command allows you to change the 5038.Sq mode 5039of the specified link. 5040This is normally only useful in multi-link mode, 5041but may also be used in uni-link mode. 5042.Pp 5043It is not possible to change a link that is 5044.Sq direct 5045or 5046.Sq dedicated . 5047.Pp 5048Note: If you issue the command 5049.Dq set mode auto , 5050and have network address translation enabled, it may be useful to 5051.Dq enable iface-alias 5052afterwards. 5053This will allow 5054.Nm 5055to do the necessary address translations to enable the process that 5056triggers the connection to connect once the link is up despite the 5057peer assigning us a new (dynamic) IP address. 5058.It set mppe Op 40|56|128|* Op stateless|stateful|* 5059This option selects the encryption parameters used when negotiation 5060MPPE. 5061MPPE can be disabled entirely with the 5062.Dq disable mppe 5063command. 5064If no arguments are given, 5065.Nm 5066will attempt to negotiate a stateful link with a 128 bit key, but 5067will agree to whatever the peer requests (including no encryption 5068at all). 5069.Pp 5070If any arguments are given, 5071.Nm 5072will 5073.Em insist 5074on using MPPE and will close the link if it's rejected by the peer (Note; 5075this behaviour can be overridden by a configured RADIUS server). 5076.Pp 5077The first argument specifies the number of bits that 5078.Nm 5079should insist on during negotiations and the second specifies whether 5080.Nm 5081should insist on stateful or stateless mode. 5082In stateless mode, the 5083encryption dictionary is re-initialised with every packet according to 5084an encryption key that is changed with every packet. 5085In stateful mode, 5086the encryption dictionary is re-initialised every 256 packets or after 5087the loss of any data and the key is changed every 256 packets. 5088Stateless mode is less efficient but is better for unreliable transport 5089layers. 5090.It set mrru Op Ar value 5091Setting this option enables Multi-link PPP negotiations, also known as 5092Multi-link Protocol or MP. 5093There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5094If no argument is given, multi-link mode is disabled. 5095.It set mru Xo 5096.Op max Ns Op imum 5097.Op Ar value 5098.Xc 5099The default MRU (Maximum Receive Unit) is 1500. 5100If it is increased, the other side *may* increase its MTU. 5101In theory there is no point in decreasing the MRU to below the default as the 5102.Em PPP 5103protocol says implementations *must* be able to accept packets of at 5104least 1500 octets. 5105.Pp 5106If the 5107.Dq maximum 5108keyword is used, 5109.Nm 5110will refuse to negotiate a higher value. 5111The maximum MRU can be set to 2048 at most. 5112Setting a maximum of less than 1500 violates the 5113.Em PPP 5114rfc, but may sometimes be necessary. 5115For example, 5116.Em PPPoE 5117imposes a maximum of 1492 due to hardware limitations. 5118.Pp 5119If no argument is given, 1500 is assumed. 5120A value must be given when 5121.Dq maximum 5122is specified. 5123.It set mtu Xo 5124.Op max Ns Op imum 5125.Op Ar value 5126.Xc 5127The default MTU is 1500. 5128At negotiation time, 5129.Nm 5130will accept whatever MRU the peer requests (assuming it's 5131not less than 296 bytes or greater than the assigned maximum). 5132If the MTU is set, 5133.Nm 5134will not accept MRU values less than 5135.Ar value . 5136When negotiations are complete, the MTU is used when writing to the 5137interface, even if the peer requested a higher value MRU. 5138This can be useful for 5139limiting your packet size (giving better bandwidth sharing at the expense 5140of more header data). 5141.Pp 5142If the 5143.Dq maximum 5144keyword is used, 5145.Nm 5146will refuse to negotiate a higher value. 5147The maximum MTU can be set to 2048 at most. 5148.Pp 5149If no 5150.Ar value 5151is given, 1500, or whatever the peer asks for is used. 5152A value must be given when 5153.Dq maximum 5154is specified. 5155.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5156This option allows the setting of the Microsoft NetBIOS name server 5157values to be returned at the peers request. 5158If no values are given, 5159.Nm 5160will reject any such requests. 5161.It set openmode active|passive Op Ar delay 5162By default, 5163.Ar openmode 5164is always 5165.Ar active 5166with a one second 5167.Ar delay . 5168That is, 5169.Nm 5170will always initiate LCP/IPCP/CCP negotiation one second after the line 5171comes up. 5172If you want to wait for the peer to initiate negotiations, you 5173can use the value 5174.Ar passive . 5175If you want to initiate negotiations immediately or after more than one 5176second, the appropriate 5177.Ar delay 5178may be specified here in seconds. 5179.It set parity odd|even|none|mark 5180This allows the line parity to be set. 5181The default value is 5182.Ar none . 5183.It set phone Ar telno Ns Xo 5184.Oo \&| Ns Ar backupnumber 5185.Oc Ns ... Ns Oo : Ns Ar nextnumber 5186.Oc Ns ... 5187.Xc 5188This allows the specification of the phone number to be used in 5189place of the \\\\T string in the dial and login chat scripts. 5190Multiple phone numbers may be given separated either by a pipe 5191.Pq Dq \&| 5192or a colon 5193.Pq Dq \&: . 5194.Pp 5195Numbers after the pipe are only dialed if the dial or login 5196script for the previous number failed. 5197.Pp 5198Numbers after the colon are tried sequentially, irrespective of 5199the reason the line was dropped. 5200.Pp 5201If multiple numbers are given, 5202.Nm 5203will dial them according to these rules until a connection is made, retrying 5204the maximum number of times specified by 5205.Dq set redial 5206below. 5207In 5208.Fl background 5209mode, each number is attempted at most once. 5210.It set Op proc Ns Xo 5211.No title Op Ar value 5212.Xc 5213The current process title as displayed by 5214.Xr ps 1 5215is changed according to 5216.Ar value . 5217If 5218.Ar value 5219is not specified, the original process title is restored. 5220All the 5221word replacements done by the shell commands (see the 5222.Dq bg 5223command above) are done here too. 5224.Pp 5225Note, if USER is required in the process title, the 5226.Dq set proctitle 5227command must appear in 5228.Pa ppp.linkup , 5229as it is not known when the commands in 5230.Pa ppp.conf 5231are executed. 5232.It set radius Op Ar config-file 5233This command enables RADIUS support (if it's compiled in). 5234.Ar config-file 5235refers to the radius client configuration file as described in 5236.Xr radius.conf 5 . 5237If PAP, CHAP, MSCHAP or MSCHAPv2 are 5238.Dq enable Ns No d , 5239.Nm 5240behaves as a 5241.Em \&N Ns No etwork 5242.Em \&A Ns No ccess 5243.Em \&S Ns No erver 5244and uses the configured RADIUS server to authenticate rather than 5245authenticating from the 5246.Pa ppp.secret 5247file or from the passwd database. 5248.Pp 5249If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5250.Dq set radius 5251will do nothing. 5252.Pp 5253.Nm 5254uses the following attributes from the RADIUS reply: 5255.Bl -tag -width XXX -offset XXX 5256.It RAD_FRAMED_IP_ADDRESS 5257The peer IP address is set to the given value. 5258.It RAD_FRAMED_IP_NETMASK 5259The tun interface netmask is set to the given value. 5260.It RAD_FRAMED_MTU 5261If the given MTU is less than the peers MRU as agreed during LCP 5262negotiation, *and* it is less that any configured MTU (see the 5263.Dq set mru 5264command), the tun interface MTU is set to the given value. 5265.It RAD_FRAMED_COMPRESSION 5266If the received compression type is 5267.Dq 1 , 5268.Nm 5269will request VJ compression during IPCP negotiations despite any 5270.Dq disable vj 5271configuration command. 5272.It RAD_FILTER_ID 5273If this attribute is supplied, 5274.Nm 5275will attempt to use it as an additional label to load from the 5276.Pa ppp.linkup 5277and 5278.Pa ppp.linkdown 5279files. 5280The load will be attempted before (and in addition to) the normal 5281label search. 5282If the label doesn't exist, no action is taken and 5283.Nm 5284proceeds to the normal load using the current label. 5285.It RAD_FRAMED_ROUTE 5286The received string is expected to be in the format 5287.Ar dest Ns Op / Ns Ar bits 5288.Ar gw 5289.Op Ar metrics . 5290Any specified metrics are ignored. 5291.Dv MYADDR 5292and 5293.Dv HISADDR 5294are understood as valid values for 5295.Ar dest 5296and 5297.Ar gw , 5298.Dq default 5299can be used for 5300.Ar dest 5301to specify the default route, and 5302.Dq 0.0.0.0 5303is understood to be the same as 5304.Dq default 5305for 5306.Ar dest 5307and 5308.Dv HISADDR 5309for 5310.Ar gw . 5311.Pp 5312For example, a returned value of 5313.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5314would result in a routing table entry to the 1.2.3.0/24 network via 5315.Dv HISADDR 5316and a returned value of 5317.Dq 0.0.0.0 0.0.0.0 5318or 5319.Dq default HISADDR 5320would result in a default route to 5321.Dv HISADDR . 5322.Pp 5323All RADIUS routes are applied after any sticky routes are applied, making 5324RADIUS routes override configured routes. 5325This also applies for RADIUS routes that don't {include} the 5326.Dv MYADDR 5327or 5328.Dv HISADDR 5329keywords. 5330.Pp 5331.It RAD_SESSION_TIMEOUT 5332If supplied, the client connection is closed after the given number of 5333seconds. 5334.It RAD_REPLY_MESSAGE 5335If supplied, this message is passed back to the peer as the authentication 5336SUCCESS text. 5337.It RAD_MICROSOFT_MS_CHAP_ERROR 5338If this 5339.Dv RAD_VENDOR_MICROSOFT 5340vendor specific attribute is supplied, it is passed back to the peer as the 5341authentication FAILURE text. 5342.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5343If this 5344.Dv RAD_VENDOR_MICROSOFT 5345vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5346being used, it is passed back to the peer as the authentication SUCCESS text. 5347.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5348If this 5349.Dv RAD_VENDOR_MICROSOFT 5350vendor specific attribute is supplied and has a value of 2 (Required), 5351.Nm 5352will insist that MPPE encryption is used (even if no 5353.Dq set mppe 5354configuration command has been given with arguments). 5355If it is supplied with a value of 1 (Allowed), encryption is made optional 5356(despite any 5357.Dq set mppe 5358configuration commands with arguments). 5359.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5360If this 5361.Dv RAD_VENDOR_MICROSOFT 5362vendor specific attribute is supplied, bits 1 and 2 are examined. 5363If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5364options are set, overriding any given first argument to the 5365.Dq set mppe 5366command. 5367Note, it is not currently possible for the RADIUS server to specify 56 bit 5368encryption. 5369.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5370If this 5371.Dv RAD_VENDOR_MICROSOFT 5372vendor specific attribute is supplied, it's value is used as the master 5373key for decryption of incoming data. When clients are authenticated using 5374MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5375to function. 5376.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5377If this 5378.Dv RAD_VENDOR_MICROSOFT 5379vendor specific attribute is supplied, it's value is used as the master 5380key for encryption of outgoing data. When clients are authenticated using 5381MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5382to function. 5383.El 5384.Pp 5385Values received from the RADIUS server may be viewed using 5386.Dq show bundle . 5387.It set reconnect Ar timeout ntries 5388Should the line drop unexpectedly (due to loss of CD or LQR 5389failure), a connection will be re-established after the given 5390.Ar timeout . 5391The line will be re-connected at most 5392.Ar ntries 5393times. 5394.Ar Ntries 5395defaults to zero. 5396A value of 5397.Ar random 5398for 5399.Ar timeout 5400will result in a variable pause, somewhere between 1 and 30 seconds. 5401.It set recvpipe Op Ar value 5402This sets the routing table RECVPIPE value. 5403The optimum value is just over twice the MTU value. 5404If 5405.Ar value 5406is unspecified or zero, the default kernel controlled value is used. 5407.It set redial Ar secs Ns Xo 5408.Oo + Ns Ar inc Ns 5409.Op - Ns Ar max Ns 5410.Oc Ns Op . Ns Ar next 5411.Op Ar attempts 5412.Xc 5413.Nm 5414can be instructed to attempt to redial 5415.Ar attempts 5416times. 5417If more than one phone number is specified (see 5418.Dq set phone 5419above), a pause of 5420.Ar next 5421is taken before dialing each number. 5422A pause of 5423.Ar secs 5424is taken before starting at the first number again. 5425A literal value of 5426.Dq Li random 5427may be used here in place of 5428.Ar secs 5429and 5430.Ar next , 5431causing a random delay of between 1 and 30 seconds. 5432.Pp 5433If 5434.Ar inc 5435is specified, its value is added onto 5436.Ar secs 5437each time 5438.Nm 5439tries a new number. 5440.Ar secs 5441will only be incremented at most 5442.Ar max 5443times. 5444.Ar max 5445defaults to 10. 5446.Pp 5447Note, the 5448.Ar secs 5449delay will be effective, even after 5450.Ar attempts 5451has been exceeded, so an immediate manual dial may appear to have 5452done nothing. 5453If an immediate dial is required, a 5454.Dq !\& 5455should immediately follow the 5456.Dq open 5457keyword. 5458See the 5459.Dq open 5460description above for further details. 5461.It set sendpipe Op Ar value 5462This sets the routing table SENDPIPE value. 5463The optimum value is just over twice the MTU value. 5464If 5465.Ar value 5466is unspecified or zero, the default kernel controlled value is used. 5467.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5468.Ar LocalName Ns No |none|open|closed 5469.Op password Op Ar mask 5470.Xc 5471This command tells 5472.Nm 5473to listen on the given socket or 5474.Sq diagnostic port 5475for incoming command connections. 5476.Pp 5477The word 5478.Dq none 5479instructs 5480.Nm 5481to close any existing socket and clear the socket configuration. 5482The word 5483.Dq open 5484instructs 5485.Nm 5486to attempt to re-open the port. 5487The word 5488.Dq closed 5489instructs 5490.Nm 5491to close the open port. 5492.Pp 5493If you wish to specify a local domain socket, 5494.Ar LocalName 5495must be specified as an absolute file name, otherwise it is assumed 5496to be the name or number of a TCP port. 5497You may specify the octal umask to be used with a local domain socket. 5498Refer to 5499.Xr umask 2 5500for umask details. 5501Refer to 5502.Xr services 5 5503for details of how to translate TCP port names. 5504.Pp 5505You must also specify the password that must be entered by the client 5506(using the 5507.Dq passwd 5508variable above) when connecting to this socket. 5509If the password is 5510specified as an empty string, no password is required for connecting clients. 5511.Pp 5512When specifying a local domain socket, the first 5513.Dq %d 5514sequence found in the socket name will be replaced with the current 5515interface unit number. 5516This is useful when you wish to use the same 5517profile for more than one connection. 5518.Pp 5519In a similar manner TCP sockets may be prefixed with the 5520.Dq + 5521character, in which case the current interface unit number is added to 5522the port number. 5523.Pp 5524When using 5525.Nm 5526with a server socket, the 5527.Xr pppctl 8 5528command is the preferred mechanism of communications. 5529Currently, 5530.Xr telnet 1 5531can also be used, but link encryption may be implemented in the future, so 5532.Xr telnet 1 5533should be avoided. 5534.Pp 5535Note; 5536.Dv SIGUSR1 5537and 5538.Dv SIGUSR2 5539interact with the diagnostic socket. 5540.It set speed Ar value 5541This sets the speed of the serial device. 5542If speed is specified as 5543.Dq sync , 5544.Nm 5545treats the device as a synchronous device. 5546.Pp 5547Certain device types will know whether they should be specified as 5548synchronous or asynchronous. 5549These devices will override incorrect 5550settings and log a warning to this effect. 5551.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5552If this option is set, 5553.Nm 5554will time out after the given FSM (Finite State Machine) has been in 5555the stopped state for the given number of 5556.Dq seconds . 5557This option may be useful if the peer sends a terminate request, 5558but never actually closes the connection despite our sending a terminate 5559acknowledgement. 5560This is also useful if you wish to 5561.Dq set openmode passive 5562and time out if the peer doesn't send a Configure Request within the 5563given time. 5564Use 5565.Dq set log +lcp +ccp 5566to make 5567.Nm 5568log the appropriate state transitions. 5569.Pp 5570The default value is zero, where 5571.Nm 5572doesn't time out in the stopped state. 5573.Pp 5574This value should not be set to less than the openmode delay (see 5575.Dq set openmode 5576above). 5577.It set timeout Ar idleseconds Op Ar mintimeout 5578This command allows the setting of the idle timer. 5579Refer to the section titled 5580.Sx SETTING THE IDLE TIMER 5581for further details. 5582.Pp 5583If 5584.Ar mintimeout 5585is specified, 5586.Nm 5587will never idle out before the link has been up for at least that number 5588of seconds. 5589.It set urgent Xo 5590.Op tcp|udp|none 5591.Oo Op +|- Ns 5592.Ar port 5593.Oc No ... 5594.Xc 5595This command controls the ports that 5596.Nm 5597prioritizes when transmitting data. 5598The default priority TCP ports 5599are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5600543 (klogin) and 544 (kshell). 5601There are no priority UDP ports by default. 5602See 5603.Xr services 5 5604for details. 5605.Pp 5606If neither 5607.Dq tcp 5608or 5609.Dq udp 5610are specified, 5611.Dq tcp 5612is assumed. 5613.Pp 5614If no 5615.Ar port Ns No s 5616are given, the priority port lists are cleared (although if 5617.Dq tcp 5618or 5619.Dq udp 5620is specified, only that list is cleared). 5621If the first 5622.Ar port 5623argument is prefixed with a plus 5624.Pq Dq \&+ 5625or a minus 5626.Pq Dq \&- , 5627the current list is adjusted, otherwise the list is reassigned. 5628.Ar port Ns No s 5629prefixed with a plus or not prefixed at all are added to the list and 5630.Ar port Ns No s 5631prefixed with a minus are removed from the list. 5632.Pp 5633If 5634.Dq none 5635is specified, all priority port lists are disabled and even 5636.Dv IPTOS_LOWDELAY 5637packets are not prioritised. 5638.It set vj slotcomp on|off 5639This command tells 5640.Nm 5641whether it should attempt to negotiate VJ slot compression. 5642By default, slot compression is turned 5643.Ar on . 5644.It set vj slots Ar nslots 5645This command sets the initial number of slots that 5646.Nm 5647will try to negotiate with the peer when VJ compression is enabled (see the 5648.Sq enable 5649command above). 5650It defaults to a value of 16. 5651.Ar Nslots 5652must be between 5653.Ar 4 5654and 5655.Ar 16 5656inclusive. 5657.El 5658.Pp 5659.It shell|! Op Ar command 5660If 5661.Ar command 5662is not specified a shell is invoked according to the 5663.Dv SHELL 5664environment variable. 5665Otherwise, the given 5666.Ar command 5667is executed. 5668Word replacement is done in the same way as for the 5669.Dq !bg 5670command as described above. 5671.Pp 5672Use of the ! character 5673requires a following space as with any of the other commands. 5674You should note that this command is executed in the foreground; 5675.Nm 5676will not continue running until this process has exited. 5677Use the 5678.Dv bg 5679command if you wish processing to happen in the background. 5680.It show Ar var 5681This command allows the user to examine the following: 5682.Bl -tag -width 2n 5683.It show bundle 5684Show the current bundle settings. 5685.It show ccp 5686Show the current CCP compression statistics. 5687.It show compress 5688Show the current VJ compression statistics. 5689.It show escape 5690Show the current escape characters. 5691.It show filter Op Ar name 5692List the current rules for the given filter. 5693If 5694.Ar name 5695is not specified, all filters are shown. 5696.It show hdlc 5697Show the current HDLC statistics. 5698.It show help|? 5699Give a summary of available show commands. 5700.It show iface 5701Show the current interface information 5702(the same as 5703.Dq iface show ) . 5704.It show ipcp 5705Show the current IPCP statistics. 5706.It show layers 5707Show the protocol layers currently in use. 5708.It show lcp 5709Show the current LCP statistics. 5710.It show Op data Ns Xo 5711.No link 5712.Xc 5713Show high level link information. 5714.It show links 5715Show a list of available logical links. 5716.It show log 5717Show the current log values. 5718.It show mem 5719Show current memory statistics. 5720.It show ncp 5721Show the current NCP statistics. 5722.It show physical 5723Show low level link information. 5724.It show mp 5725Show Multi-link information. 5726.It show proto 5727Show current protocol totals. 5728.It show route 5729Show the current routing tables. 5730.It show stopped 5731Show the current stopped timeouts. 5732.It show timer 5733Show the active alarm timers. 5734.It show version 5735Show the current version number of 5736.Nm . 5737.El 5738.Pp 5739.It term 5740Go into terminal mode. 5741Characters typed at the keyboard are sent to the device. 5742Characters read from the device are displayed on the screen. 5743When a remote 5744.Em PPP 5745peer is detected, 5746.Nm 5747automatically enables Packet Mode and goes back into command mode. 5748.El 5749.Sh MORE DETAILS 5750.Bl -bullet 5751.It 5752Read the example configuration files. 5753They are a good source of information. 5754.It 5755Use 5756.Dq help , 5757.Dq nat \&? , 5758.Dq enable \&? , 5759.Dq set ?\& 5760and 5761.Dq show ?\& 5762to get online information about what's available. 5763.It 5764The following URLs contain useful information: 5765.Bl -bullet -compact 5766.It 5767.Pa http://www.dragonflybsd.org/docs/handbook/handbook-userppp/ 5768.El 5769.El 5770.Sh FILES 5771.Nm 5772refers to four files: 5773.Pa ppp.conf , 5774.Pa ppp.linkup , 5775.Pa ppp.linkdown 5776and 5777.Pa ppp.secret . 5778These files are placed in the 5779.Pa /etc/ppp 5780directory. 5781.Bl -tag -width 2n 5782.It Pa /etc/ppp/ppp.conf 5783System default configuration file. 5784.It Pa /etc/ppp/ppp.secret 5785An authorisation file for each system. 5786.It Pa /etc/ppp/ppp.linkup 5787A file to check when 5788.Nm 5789establishes a network level connection. 5790.It Pa /etc/ppp/ppp.linkdown 5791A file to check when 5792.Nm 5793closes a network level connection. 5794.It Pa /var/log/ppp.log 5795Logging and debugging information file. 5796Note, this name is specified in 5797.Pa /etc/syslog.conf . 5798See 5799.Xr syslog.conf 5 5800for further details. 5801.It Pa /var/spool/lock/LCK..* 5802tty port locking file. 5803Refer to 5804.Xr uucplock 3 5805for further details. 5806.It Pa /var/run/tunN.pid 5807The process id (pid) of the 5808.Nm 5809program connected to the tunN device, where 5810.Sq N 5811is the number of the device. 5812.It Pa /var/run/ttyXX.if 5813The tun interface used by this port. 5814Again, this file is only created in 5815.Fl background , 5816.Fl auto 5817and 5818.Fl ddial 5819modes. 5820.It Pa /etc/services 5821Get port number if port number is using service name. 5822.It Pa /var/run/ppp-authname-class-value 5823In multi-link mode, local domain sockets are created using the peer 5824authentication name 5825.Pq Sq authname , 5826the peer endpoint discriminator class 5827.Pq Sq class 5828and the peer endpoint discriminator value 5829.Pq Sq value . 5830As the endpoint discriminator value may be a binary value, it is turned 5831to HEX to determine the actual file name. 5832.Pp 5833This socket is used to pass links between different instances of 5834.Nm . 5835.El 5836.Sh SEE ALSO 5837.Xr at 1 , 5838.Xr ftp 1 , 5839.Xr gzip 1 , 5840.Xr hostname 1 , 5841.Xr login 1 , 5842.Xr tcpdump 1 , 5843.Xr telnet 1 , 5844.Xr kldload 2 , 5845ifdef({LOCALNAT},{},{.Xr libalias 3 , 5846})dnl 5847ifdef({LOCALRAD},{},{.Xr libradius 3 , 5848})dnl 5849.Xr syslog 3 , 5850.Xr uucplock 3 , 5851.Xr netgraph 4 , 5852.Xr ng_pppoe 4 , 5853.Xr crontab 5 , 5854.Xr group 5 , 5855.Xr passwd 5 , 5856.Xr protocols 5 , 5857.Xr radius.conf 5 , 5858.Xr resolv.conf 5 , 5859.Xr syslog.conf 5 , 5860.Xr adduser 8 , 5861.Xr chat 8 , 5862.Xr getty 8 , 5863.Xr inetd 8 , 5864.Xr init 8 , 5865.Xr isdnd 8 , 5866.Xr named 8 , 5867.Xr ping 8 , 5868.Xr pppctl 8 , 5869.Xr pppd 8 , 5870.Xr pppoe 8 , 5871.Xr route 8 , 5872.Xr sshd 8 , 5873.Xr syslogd 8 , 5874.Xr traceroute 8 , 5875.Xr vipw 8 5876.Sh HISTORY 5877This program was originally written by 5878.An Toshiharu OHNO Aq tony-o@iij.ad.jp , 5879and was submitted to 5880.Fx 2.0.5 5881by 5882.An Atsushi Murai Aq amurai@spec.co.jp . 5883.Pp 5884It was substantially modified during 1997 by 5885.An Brian Somers Aq brian@Awfulhak.org , 5886and was ported to 5887.Ox 5888in November that year 5889(just after the 2.2 release). 5890.Pp 5891Most of the code was rewritten by 5892.An Brian Somers 5893in early 1998 when multi-link ppp support was added. 5894