1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: src/usr.sbin/ppp/ppp.8.m4,v 1.301.2.1 2002/09/01 02:12:31 brian Exp $ 29.\" 30.Dd August 6, 2009 31.Dt PPP 8 32.Os 33.Sh NAME 34.Nm ppp 35.Nd Point to Point Protocol (a.k.a. user-ppp) 36.Sh SYNOPSIS 37.Nm 38.Op Fl Va mode 39.Op Fl nat 40.Op Fl quiet 41.Op Fl unit Ns Ar N 42.Op Ar system ... 43.Sh DESCRIPTION 44This is a user process 45.Em PPP 46software package. 47Normally, 48.Em PPP 49is implemented as a part of the kernel (e.g., as managed by 50.Xr pppd 8 ) 51and it's thus somewhat hard to debug and/or modify its behaviour. 52However, in this implementation 53.Em PPP 54is done as a user process with the help of the 55tunnel device driver (tun). 56.Pp 57The 58.Fl nat 59flag does the equivalent of a 60.Dq nat enable yes , 61enabling 62.Nm Ns No 's 63network address translation features. 64This allows 65.Nm 66to act as a NAT or masquerading engine for all machines on an internal 67LAN. 68ifdef({LOCALNAT},{},{Refer to 69.Xr libalias 3 70for details on the technical side of the NAT engine. 71})dnl 72Refer to the 73.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 74section of this manual page for details on how to configure NAT in 75.Nm . 76.Pp 77The 78.Fl quiet 79flag tells 80.Nm 81to be silent at startup rather than displaying the mode and interface 82to standard output. 83.Pp 84The 85.Fl unit 86flag tells 87.Nm 88to only attempt to open 89.Pa /dev/tun Ns Ar N . 90Normally, 91.Nm 92will start with a value of 0 for 93.Ar N , 94and keep trying to open a tunnel device by incrementing the value of 95.Ar N 96by one each time until it succeeds. 97If it fails three times in a row 98because the device file is missing, it gives up. 99.Pp 100The following 101.Va mode Ns No s 102are understood by 103.Nm : 104.Bl -tag -width XXX -offset XXX 105.It Fl auto 106.Nm 107opens the tun interface, configures it then goes into the background. 108The link isn't brought up until outgoing data is detected on the tun 109interface at which point 110.Nm 111attempts to bring up the link. 112Packets received (including the first one) while 113.Nm 114is trying to bring the link up will remain queued for a default of 1152 minutes. 116See the 117.Dq set choked 118command below. 119.Pp 120In 121.Fl auto 122mode, at least one 123.Dq system 124must be given on the command line (see below) and a 125.Dq set ifaddr 126must be done in the system profile that specifies a peer IP address to 127use when configuring the interface. 128Something like 129.Dq 10.0.0.1/0 130is usually appropriate. 131See the 132.Dq pmdemand 133system in 134.Pa /usr/share/examples/ppp/ppp.conf.sample 135for an example. 136.It Fl background 137Here, 138.Nm 139attempts to establish a connection with the peer immediately. 140If it succeeds, 141.Nm 142goes into the background and the parent process returns an exit code 143of 0. 144If it fails, 145.Nm 146exits with a non-zero result. 147.It Fl foreground 148In foreground mode, 149.Nm 150attempts to establish a connection with the peer immediately, but never 151becomes a daemon. 152The link is created in background mode. 153This is useful if you wish to control 154.Nm Ns No 's 155invocation from another process. 156.It Fl direct 157This is used for receiving incoming connections. 158.Nm 159ignores the 160.Dq set device 161line and uses descriptor 0 as the link. 162.Pp 163If callback is configured, 164.Nm 165will use the 166.Dq set device 167information when dialing back. 168.It Fl dedicated 169This option is designed for machines connected with a dedicated 170wire. 171.Nm 172will always keep the device open and will never use any configured 173chat scripts. 174.It Fl ddial 175This mode is equivalent to 176.Fl auto 177mode except that 178.Nm 179will bring the link back up any time it's dropped for any reason. 180.It Fl interactive 181This is a no-op, and gives the same behaviour as if none of the above 182modes have been specified. 183.Nm 184loads any sections specified on the command line then provides an 185interactive prompt. 186.El 187.Pp 188One or more configuration entries or systems 189(as specified in 190.Pa /etc/ppp/ppp.conf ) 191may also be specified on the command line. 192.Nm 193will read the 194.Dq default 195system from 196.Pa /etc/ppp/ppp.conf 197at startup, followed by each of the systems specified on the command line. 198.Sh Major Features 199.Bl -diag 200.It Provides an interactive user interface. 201Using its command mode, the user can 202easily enter commands to establish the connection with the remote end, check 203the status of connection and close the connection. 204All functions can also be optionally password protected for security. 205.It Supports both manual and automatic dialing. 206Interactive mode has a 207.Dq term 208command which enables you to talk to the device directly. 209When you are connected to the remote peer and it starts to talk 210.Em PPP , 211.Nm 212detects it and switches to packet mode automatically. 213Once you have 214determined the proper sequence for connecting with the remote host, you 215can write a chat script to {define} the necessary dialing and login 216procedure for later convenience. 217.It Supports on-demand dialup capability. 218By using 219.Fl auto 220mode, 221.Nm 222will act as a daemon and wait for a packet to be sent over the 223.Em PPP 224link. 225When this happens, the daemon automatically dials and establishes the 226connection. 227In almost the same manner 228.Fl ddial 229mode (direct-dial mode) also automatically dials and establishes the 230connection. 231However, it differs in that it will dial the remote site 232any time it detects the link is down, even if there are no packets to be 233sent. 234This mode is useful for full-time connections where we worry less 235about line charges and more about being connected full time. 236A third 237.Fl dedicated 238mode is also available. 239This mode is targeted at a dedicated link between two machines. 240.Nm 241will never voluntarily quit from dedicated mode - you must send it the 242.Dq quit all 243command via its diagnostic socket. 244A 245.Dv SIGHUP 246will force an LCP renegotiation, and a 247.Dv SIGTERM 248will force it to exit. 249.It Supports client callback. 250.Nm 251can use either the standard LCP callback protocol or the Microsoft 252CallBack Control Protocol 253.Pa ( ftp://ftp.microsoft.com/developr/rfc/cbcp.txt ) . 254.It Supports NAT or packet aliasing. 255Packet aliasing (a.k.a. IP masquerading) allows computers on a 256private, unregistered network to access the Internet. 257The 258.Em PPP 259host acts as a masquerading gateway. 260IP addresses as well as TCP and 261UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 262returning packets. 263.It Supports background PPP connections. 264In background mode, if 265.Nm 266successfully establishes the connection, it will become a daemon. 267Otherwise, it will exit with an error. 268This allows the setup of 269scripts that wish to execute certain commands only if the connection 270is successfully established. 271.It Supports server-side PPP connections. 272In direct mode, 273.Nm 274acts as server which accepts incoming 275.Em PPP 276connections on stdin/stdout. 277.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication." 278With PAP or CHAP, it is possible to skip the Unix style 279.Xr login 1 280procedure, and use the 281.Em PPP 282protocol for authentication instead. 283If the peer requests Microsoft CHAP authentication and 284.Nm 285is compiled with DES support, an appropriate MD4/DES response will be 286made. 287.It Supports RADIUS (rfc 2138 & 2548) authentication. 288An extension to PAP and CHAP, 289.Em \&R Ns No emote 290.Em \&A Ns No ccess 291.Em \&D Ns No ial 292.Em \&I Ns No n 293.Em \&U Ns No ser 294.Em \&S Ns No ervice 295allows authentication information to be stored in a central or 296distributed database along with various per-user framed connection 297characteristics. 298ifdef({LOCALRAD},{},{If 299.Xr libradius 3 300is available at compile time, 301.Nm 302will use it to make 303.Em RADIUS 304requests when configured to do so. 305})dnl 306.It Supports Proxy Arp. 307.Nm 308can be configured to make one or more proxy arp entries on behalf of 309the peer. 310This allows routing from the peer to the LAN without 311configuring each machine on that LAN. 312.It Supports packet filtering. 313User can {define} four kinds of filters: the 314.Em in 315filter for incoming packets, the 316.Em out 317filter for outgoing packets, the 318.Em dial 319filter to {define} a dialing trigger packet and the 320.Em alive 321filter for keeping a connection alive with the trigger packet. 322.It Tunnel driver supports bpf. 323The user can use 324.Xr tcpdump 1 325to check the packet flow over the 326.Em PPP 327link. 328.It Supports PPP over TCP and PPP over UDP. 329If a device name is specified as 330.Em host Ns No : Ns Em port Ns 331.Xo 332.Op / Ns tcp|udp , 333.Xc 334.Nm 335will open a TCP or UDP connection for transporting data rather than using a 336conventional serial device. 337UDP connections force 338.Nm 339into synchronous mode. 340.It Supports PPP over Ethernet (rfc 2516). 341If 342.Nm 343is given a device specification of the format 344.No PPPoE: Ns Ar iface Ns Xo 345.Op \&: Ns Ar provider Ns 346.Xc 347and if 348.Xr netgraph 4 349is available, 350.Nm 351will attempt talk 352.Em PPP 353over Ethernet to 354.Ar provider 355using the 356.Ar iface 357network interface. 358.Pp 359On systems that do not support 360.Xr netgraph 4 , 361an external program such as 362.Xr pppoe 8 363may be used. 364.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 365.Nm 366supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 367Normally, a modem has built-in compression (e.g., v42.bis) and the system 368may receive higher data rates from it as a result of such compression. 369While this is generally a good thing in most other situations, this 370higher speed data imposes a penalty on the system by increasing the 371number of serial interrupts the system has to process in talking to the 372modem and also increases latency. 373Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 374.Em all 375network traffic flowing through the link, thus reducing overheads to a 376minimum. 377.It Supports Microsoft's IPCP extensions (rfc 1877). 378Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 379with clients using the Microsoft 380.Em PPP 381stack (i.e., Win95, WinNT) 382.It Supports Multi-link PPP (rfc 1990) 383It is possible to configure 384.Nm 385to open more than one physical connection to the peer, combining the 386bandwidth of all links for better throughput. 387.It Supports MPPE (draft-ietf-pppext-mppe) 388MPPE is Microsoft Point to Point Encryption scheme. 389It is possible to configure 390.Nm 391to participate in Microsoft's Windows VPN. 392For now, 393.Nm 394can only get encryption keys from CHAP 81 authentication. 395.Nm 396must be compiled with DES for MPPE to operate. 397.It Supports IPV6CP (rfc 2023). 398An IPv6 connection can be made in addition to or instead of the normal 399IPv4 connection. 400.El 401.Sh PERMISSIONS 402.Nm 403is installed as user 404.Dv root 405and group 406.Dv network , 407with permissions 408.Dv 04554 . 409By default, 410.Nm 411will not run if the invoking user id is not zero. 412This may be overridden by using the 413.Dq allow users 414command in 415.Pa /etc/ppp/ppp.conf . 416When running as a normal user, 417.Nm 418switches to user id 0 in order to alter the system routing table, set up 419system lock files and read the ppp configuration files. 420All external commands (executed via the "shell" or "!bg" commands) are executed 421as the user id that invoked 422.Nm . 423Refer to the 424.Sq ID0 425logging facility if you're interested in what exactly is done as user id 426zero. 427.Sh GETTING STARTED 428When you first run 429.Nm 430you may need to deal with some initial configuration details. 431.Bl -bullet 432.It 433Your kernel must {include} a tunnel device (the GENERIC kernel includes 434one by default). 435If it doesn't, or if you require more than one tun 436interface, you'll need to rebuild your kernel with the following line in 437your kernel configuration file: 438.Pp 439.Dl pseudo-device tun N 440.Pp 441where 442.Ar N 443is the maximum number of 444.Em PPP 445connections you wish to support. 446.It 447Make sure that your system has a group named 448.Dq network 449in the 450.Pa /etc/group 451file and that the group contains the names of all users expected to use 452.Nm . 453Refer to the 454.Xr group 5 455manual page for details. 456Each of these users must also be given access using the 457.Dq allow users 458command in 459.Pa /etc/ppp/ppp.conf . 460.It 461Create a log file. 462.Nm 463uses 464.Xr syslog 3 465to log information. 466A common log file name is 467.Pa /var/log/ppp.log . 468To make output go to this file, put the following lines in the 469.Pa /etc/syslog.conf 470file: 471.Bd -literal -offset indent 472!ppp 473*.*<TAB>/var/log/ppp.log 474.Ed 475.Pp 476It is possible to have more than one 477.Em PPP 478log file by creating a link to the 479.Nm 480executable: 481.Pp 482.Dl # cd /usr/sbin 483.Dl # ln ppp ppp0 484.Pp 485and using 486.Bd -literal -offset indent 487!ppp0 488*.*<TAB>/var/log/ppp0.log 489.Ed 490.Pp 491in 492.Pa /etc/syslog.conf . 493Don't forget to send a 494.Dv HUP 495signal to 496.Xr syslogd 8 497after altering 498.Pa /etc/syslog.conf . 499.It 500Although not strictly relevant to 501.Nm Ns No 's 502operation, you should configure your resolver so that it works correctly. 503This can be done by configuring a local DNS 504(using 505.Xr named 8 ) 506or by adding the correct 507.Sq nameserver 508lines to the file 509.Pa /etc/resolv.conf . 510Refer to the 511.Xr resolv.conf 5 512manual page for details. 513.Pp 514Alternatively, if the peer supports it, 515.Nm 516can be configured to ask the peer for the nameserver address(es) and to 517update 518.Pa /etc/resolv.conf 519automatically. 520Refer to the 521.Dq enable dns 522and 523.Dq resolv 524commands below for details. 525.El 526.Sh MANUAL DIALING 527In the following examples, we assume that your machine name is 528.Dv awfulhak . 529when you invoke 530.Nm 531(see 532.Sx PERMISSIONS 533above) with no arguments, you are presented with a prompt: 534.Bd -literal -offset indent 535ppp ON awfulhak> 536.Ed 537.Pp 538The 539.Sq ON 540part of your prompt should always be in upper case. 541If it is in lower case, it means that you must supply a password using the 542.Dq passwd 543command. 544This only ever happens if you connect to a running version of 545.Nm 546and have not authenticated yourself using the correct password. 547.Pp 548You can start by specifying the device name and speed: 549.Bd -literal -offset indent 550ppp ON awfulhak> set device /dev/cuaa0 551ppp ON awfulhak> set speed 38400 552.Ed 553.Pp 554Normally, hardware flow control (CTS/RTS) is used. 555However, under 556certain circumstances (as may happen when you are connected directly 557to certain PPP-capable terminal servers), this may result in 558.Nm 559hanging as soon as it tries to write data to your communications link 560as it is waiting for the CTS (clear to send) signal - which will never 561come. 562Thus, if you have a direct line and can't seem to make a 563connection, try turning CTS/RTS off with 564.Dq set ctsrts off . 565If you need to do this, check the 566.Dq set accmap 567description below too - you'll probably need to 568.Dq set accmap 000a0000 . 569.Pp 570Usually, parity is set to 571.Dq none , 572and this is 573.Nm Ns No 's 574default. 575Parity is a rather archaic error checking mechanism that is no 576longer used because modern modems do their own error checking, and most 577link-layer protocols (that's what 578.Nm 579is) use much more reliable checking mechanisms. 580Parity has a relatively 581huge overhead (a 12.5% increase in traffic) and as a result, it is always 582disabled 583(set to 584.Dq none ) 585when 586.Dv PPP 587is opened. 588However, some ISPs (Internet Service Providers) may use 589specific parity settings at connection time (before 590.Dv PPP 591is opened). 592Notably, Compuserve insist on even parity when logging in: 593.Bd -literal -offset indent 594ppp ON awfulhak> set parity even 595.Ed 596.Pp 597You can now see what your current device settings look like: 598.Bd -literal -offset indent 599ppp ON awfulhak> show physical 600Name: deflink 601 State: closed 602 Device: N/A 603 Link Type: interactive 604 Connect Count: 0 605 Queued Packets: 0 606 Phone Number: N/A 607 608Defaults: 609 Device List: /dev/cuaa0 610 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 611 612Connect time: 0 secs 6130 octets in, 0 octets out 614Overall 0 bytes/sec 615ppp ON awfulhak> 616.Ed 617.Pp 618The term command can now be used to talk directly to the device: 619.Bd -literal -offset indent 620ppp ON awfulhak> term 621at 622OK 623atdt123456 624CONNECT 625login: myispusername 626Password: myisppassword 627Protocol: ppp 628.Ed 629.Pp 630When the peer starts to talk in 631.Em PPP , 632.Nm 633detects this automatically and returns to command mode. 634.Bd -literal -offset indent 635ppp ON awfulhak> # No link has been established 636Ppp ON awfulhak> # We've connected & finished LCP 637PPp ON awfulhak> # We've authenticated 638PPP ON awfulhak> # We've agreed IP numbers 639.Ed 640.Pp 641If it does not, it's probable that the peer is waiting for your end to 642start negotiating. 643To force 644.Nm 645to start sending 646.Em PPP 647configuration packets to the peer, use the 648.Dq ~p 649command to drop out of terminal mode and enter packet mode. 650.Pp 651If you never even receive a login prompt, it is quite likely that the 652peer wants to use PAP or CHAP authentication instead of using Unix-style 653login/password authentication. 654To set things up properly, drop back to 655the prompt and set your authentication name and key, then reconnect: 656.Bd -literal -offset indent 657~. 658ppp ON awfulhak> set authname myispusername 659ppp ON awfulhak> set authkey myisppassword 660ppp ON awfulhak> term 661at 662OK 663atdt123456 664CONNECT 665.Ed 666.Pp 667You may need to tell ppp to initiate negotiations with the peer here too: 668.Bd -literal -offset indent 669~p 670ppp ON awfulhak> # No link has been established 671Ppp ON awfulhak> # We've connected & finished LCP 672PPp ON awfulhak> # We've authenticated 673PPP ON awfulhak> # We've agreed IP numbers 674.Ed 675.Pp 676You are now connected! 677Note that 678.Sq PPP 679in the prompt has changed to capital letters to indicate that you have 680a peer connection. 681If only some of the three Ps go uppercase, wait until 682either everything is uppercase or lowercase. 683If they revert to lowercase, it means that 684.Nm 685couldn't successfully negotiate with the peer. 686A good first step for troubleshooting at this point would be to 687.Bd -literal -offset indent 688ppp ON awfulhak> set log local phase lcp ipcp 689.Ed 690.Pp 691and try again. 692Refer to the 693.Dq set log 694command description below for further details. 695If things fail at this point, 696it is quite important that you turn logging on and try again. 697It is also 698important that you note any prompt changes and report them to anyone trying 699to help you. 700.Pp 701When the link is established, the show command can be used to see how 702things are going: 703.Bd -literal -offset indent 704PPP ON awfulhak> show physical 705* Modem related information is shown here * 706PPP ON awfulhak> show ccp 707* CCP (compression) related information is shown here * 708PPP ON awfulhak> show lcp 709* LCP (line control) related information is shown here * 710PPP ON awfulhak> show ipcp 711* IPCP (IP) related information is shown here * 712PPP ON awfulhak> show ipv6cp 713* IPV6CP (IPv6) related information is shown here * 714PPP ON awfulhak> show link 715* Link (high level) related information is shown here * 716PPP ON awfulhak> show bundle 717* Logical (high level) connection related information is shown here * 718.Ed 719.Pp 720At this point, your machine has a host route to the peer. 721This means 722that you can only make a connection with the host on the other side 723of the link. 724If you want to add a default route entry (telling your 725machine to send all packets without another routing entry to the other 726side of the 727.Em PPP 728link), enter the following command: 729.Bd -literal -offset indent 730PPP ON awfulhak> add default HISADDR 731.Ed 732.Pp 733The string 734.Sq HISADDR 735represents the IP address of the connected peer. 736If the 737.Dq add 738command fails due to an existing route, you can overwrite the existing 739route using 740.Bd -literal -offset indent 741PPP ON awfulhak> add! default HISADDR 742.Ed 743.Pp 744This command can also be executed before actually making the connection. 745If a new IP address is negotiated at connection time, 746.Nm 747will update your default route accordingly. 748.Pp 749You can now use your network applications (ping, telnet, ftp etc.) 750in other windows or terminals on your machine. 751If you wish to reuse the current terminal, you can put 752.Nm 753into the background using your standard shell suspend and background 754commands (usually 755.Dq ^Z 756followed by 757.Dq bg ) . 758.Pp 759Refer to the 760.Sx PPP COMMAND LIST 761section for details on all available commands. 762.Sh AUTOMATIC DIALING 763To use automatic dialing, you must prepare some Dial and Login chat scripts. 764See the example definitions in 765.Pa /usr/share/examples/ppp/ppp.conf.sample 766(the format of 767.Pa /etc/ppp/ppp.conf 768is pretty simple). 769Each line contains one comment, inclusion, label or command: 770.Bl -bullet 771.It 772A line starting with a 773.Pq Dq # 774character is treated as a comment line. 775Leading whitespace are ignored when identifying comment lines. 776.It 777An inclusion is a line beginning with the word 778.Sq {!include} . 779It must have one argument - the file to {include}. 780You may wish to 781.Dq {!include} ~/.ppp.conf 782for compatibility with older versions of 783.Nm . 784.It 785A label name starts in the first column and is followed by 786a colon 787.Pq Dq \&: . 788.It 789A command line must contain a space or tab in the first column. 790.El 791.Pp 792The 793.Pa /etc/ppp/ppp.conf 794file should consist of at least a 795.Dq default 796section. 797This section is always executed. 798It should also contain 799one or more sections, named according to their purpose, for example, 800.Dq MyISP 801would represent your ISP, and 802.Dq ppp-in 803would represent an incoming 804.Nm 805configuration. 806You can now specify the destination label name when you invoke 807.Nm . 808Commands associated with the 809.Dq default 810label are executed, followed by those associated with the destination 811label provided. 812When 813.Nm 814is started with no arguments, the 815.Dq default 816section is still executed. 817The load command can be used to manually load a section from the 818.Pa /etc/ppp/ppp.conf 819file: 820.Bd -literal -offset indent 821ppp ON awfulhak> load MyISP 822.Ed 823.Pp 824Note, no action is taken by 825.Nm 826after a section is loaded, whether it's the result of passing a label on 827the command line or using the 828.Dq load 829command. 830Only the commands specified for that label in the configuration 831file are executed. 832However, when invoking 833.Nm 834with the 835.Fl background , 836.Fl ddial , 837or 838.Fl dedicated 839switches, the link mode tells 840.Nm 841to establish a connection. 842Refer to the 843.Dq set mode 844command below for further details. 845.Pp 846Once the connection is made, the 847.Sq ppp 848portion of the prompt will change to 849.Sq PPP : 850.Bd -literal -offset indent 851# ppp MyISP 852\&... 853ppp ON awfulhak> dial 854Ppp ON awfulhak> 855PPp ON awfulhak> 856PPP ON awfulhak> 857.Ed 858.Pp 859The Ppp prompt indicates that 860.Nm 861has entered the authentication phase. 862The PPp prompt indicates that 863.Nm 864has entered the network phase. 865The PPP prompt indicates that 866.Nm 867has successfully negotiated a network layer protocol and is in 868a usable state. 869.Pp 870If the 871.Pa /etc/ppp/ppp.linkup 872file is available, its contents are executed 873when the 874.Em PPP 875connection is established. 876See the provided 877.Dq pmdemand 878example in 879.Pa /usr/share/examples/ppp/ppp.conf.sample 880which runs a script in the background after the connection is established 881(refer to the 882.Dq shell 883and 884.Dq bg 885commands below for a description of possible substitution strings). 886Similarly, when a connection is closed, the contents of the 887.Pa /etc/ppp/ppp.linkdown 888file are executed. 889Both of these files have the same format as 890.Pa /etc/ppp/ppp.conf . 891.Pp 892In previous versions of 893.Nm , 894it was necessary to re-add routes such as the default route in the 895.Pa ppp.linkup 896file. 897.Nm 898supports 899.Sq sticky routes , 900where all routes that contain the 901.Dv HISADDR , 902.Dv MYADDR , 903.Dv HISADDR6 904or 905.Dv MYADDR6 906literals will automatically be updated when the values of these variables 907change. 908.Sh BACKGROUND DIALING 909If you want to establish a connection using 910.Nm 911non-interactively (such as from a 912.Xr crontab 5 913entry or an 914.Xr at 1 915job) you should use the 916.Fl background 917option. 918When 919.Fl background 920is specified, 921.Nm 922attempts to establish the connection immediately. 923If multiple phone 924numbers are specified, each phone number will be tried once. 925If the attempt fails, 926.Nm 927exits immediately with a non-zero exit code. 928If it succeeds, then 929.Nm 930becomes a daemon, and returns an exit status of zero to its caller. 931The daemon exits automatically if the connection is dropped by the 932remote system, or it receives a 933.Dv TERM 934signal. 935.Sh DIAL ON DEMAND 936Demand dialing is enabled with the 937.Fl auto 938or 939.Fl ddial 940options. 941You must also specify the destination label in 942.Pa /etc/ppp/ppp.conf 943to use. 944It must contain the 945.Dq set ifaddr 946command to {define} the remote peers IP address. 947(refer to 948.Pa /usr/share/examples/ppp/ppp.conf.sample ) 949.Bd -literal -offset indent 950# ppp -auto pmdemand 951.Ed 952.Pp 953When 954.Fl auto 955or 956.Fl ddial 957is specified, 958.Nm 959runs as a daemon but you can still configure or examine its 960configuration by using the 961.Dq set server 962command in 963.Pa /etc/ppp/ppp.conf , 964(for example, 965.Dq Li "set server +3000 mypasswd" ) 966and connecting to the diagnostic port as follows: 967.Bd -literal -offset indent 968# pppctl 3000 (assuming tun0) 969Password: 970PPP ON awfulhak> show who 971tcp (127.0.0.1:1028) * 972.Ed 973.Pp 974The 975.Dq show who 976command lists users that are currently connected to 977.Nm 978itself. 979If the diagnostic socket is closed or changed to a different 980socket, all connections are immediately dropped. 981.Pp 982In 983.Fl auto 984mode, when an outgoing packet is detected, 985.Nm 986will perform the dialing action (chat script) and try to connect 987with the peer. 988In 989.Fl ddial 990mode, the dialing action is performed any time the line is found 991to be down. 992If the connect fails, the default behaviour is to wait 30 seconds 993and then attempt to connect when another outgoing packet is detected. 994This behaviour can be changed using the 995.Dq set redial 996command: 997.Pp 998.No set redial Ar secs Ns Xo 999.Oo + Ns Ar inc Ns 1000.Op - Ns Ar max Ns 1001.Oc Ns Op . Ns Ar next 1002.Op Ar attempts 1003.Xc 1004.Pp 1005.Bl -tag -width attempts -compact 1006.It Ar secs 1007is the number of seconds to wait before attempting 1008to connect again. 1009If the argument is the literal string 1010.Sq Li random , 1011the delay period is a random value between 1 and 30 seconds inclusive. 1012.It Ar inc 1013is the number of seconds that 1014.Ar secs 1015should be incremented each time a new dial attempt is made. 1016The timeout reverts to 1017.Ar secs 1018only after a successful connection is established. 1019The default value for 1020.Ar inc 1021is zero. 1022.It Ar max 1023is the maximum number of times 1024.Nm 1025should increment 1026.Ar secs . 1027The default value for 1028.Ar max 1029is 10. 1030.It Ar next 1031is the number of seconds to wait before attempting 1032to dial the next number in a list of numbers (see the 1033.Dq set phone 1034command). 1035The default is 3 seconds. 1036Again, if the argument is the literal string 1037.Sq Li random , 1038the delay period is a random value between 1 and 30 seconds. 1039.It Ar attempts 1040is the maximum number of times to try to connect for each outgoing packet 1041that triggers a dial. 1042The previous value is unchanged if this parameter is omitted. 1043If a value of zero is specified for 1044.Ar attempts , 1045.Nm 1046will keep trying until a connection is made. 1047.El 1048.Pp 1049So, for example: 1050.Bd -literal -offset indent 1051set redial 10.3 4 1052.Ed 1053.Pp 1054will attempt to connect 4 times for each outgoing packet that causes 1055a dial attempt with a 3 second delay between each number and a 10 second 1056delay after all numbers have been tried. 1057If multiple phone numbers 1058are specified, the total number of attempts is still 4 (it does not 1059attempt each number 4 times). 1060.Pp 1061Alternatively, 1062.Bd -literal -offset indent 1063set redial 10+10-5.3 20 1064.Ed 1065.Pp 1066tells 1067.Nm 1068to attempt to connect 20 times. 1069After the first attempt, 1070.Nm 1071pauses for 10 seconds. 1072After the next attempt it pauses for 20 seconds 1073and so on until after the sixth attempt it pauses for 1 minute. 1074The next 14 pauses will also have a duration of one minute. 1075If 1076.Nm 1077connects, disconnects and fails to connect again, the timeout starts again 1078at 10 seconds. 1079.Pp 1080Modifying the dial delay is very useful when running 1081.Nm 1082in 1083.Fl auto 1084mode on both ends of the link. 1085If each end has the same timeout, 1086both ends wind up calling each other at the same time if the link 1087drops and both ends have packets queued. 1088At some locations, the serial link may not be reliable, and carrier 1089may be lost at inappropriate times. 1090It is possible to have 1091.Nm 1092redial should carrier be unexpectedly lost during a session. 1093.Bd -literal -offset indent 1094set reconnect timeout ntries 1095.Ed 1096.Pp 1097This command tells 1098.Nm 1099to re-establish the connection 1100.Ar ntries 1101times on loss of carrier with a pause of 1102.Ar timeout 1103seconds before each try. 1104For example, 1105.Bd -literal -offset indent 1106set reconnect 3 5 1107.Ed 1108.Pp 1109tells 1110.Nm 1111that on an unexpected loss of carrier, it should wait 1112.Ar 3 1113seconds before attempting to reconnect. 1114This may happen up to 1115.Ar 5 1116times before 1117.Nm 1118gives up. 1119The default value of ntries is zero (no reconnect). 1120Care should be taken with this option. 1121If the local timeout is slightly 1122longer than the remote timeout, the reconnect feature will always be 1123triggered (up to the given number of times) after the remote side 1124times out and hangs up. 1125NOTE: In this context, losing too many LQRs constitutes a loss of 1126carrier and will trigger a reconnect. 1127If the 1128.Fl background 1129flag is specified, all phone numbers are dialed at most once until 1130a connection is made. 1131The next number redial period specified with the 1132.Dq set redial 1133command is honoured, as is the reconnect tries value. 1134If your redial 1135value is less than the number of phone numbers specified, not all 1136the specified numbers will be tried. 1137To terminate the program, type 1138.Bd -literal -offset indent 1139PPP ON awfulhak> close 1140ppp ON awfulhak> quit all 1141.Ed 1142.Pp 1143A simple 1144.Dq quit 1145command will terminate the 1146.Xr pppctl 8 1147or 1148.Xr telnet 1 1149connection but not the 1150.Nm 1151program itself. 1152You must use 1153.Dq quit all 1154to terminate 1155.Nm 1156as well. 1157.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1158To handle an incoming 1159.Em PPP 1160connection request, follow these steps: 1161.Bl -enum 1162.It 1163Make sure the modem and (optionally) 1164.Pa /etc/rc.d/serial 1165is configured correctly. 1166.Bl -bullet -compact 1167.It 1168Use Hardware Handshake (CTS/RTS) for flow control. 1169.It 1170Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1171.El 1172.Pp 1173.It 1174Edit 1175.Pa /etc/ttys 1176to enable a 1177.Xr getty 8 1178on the port where the modem is attached. 1179For example: 1180.Pp 1181.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1182.Pp 1183Don't forget to send a 1184.Dv HUP 1185signal to the 1186.Xr init 8 1187process to start the 1188.Xr getty 8 : 1189.Pp 1190.Dl # kill -HUP 1 1191.Pp 1192It is usually also necessary to train your modem to the same DTR speed 1193as the getty: 1194.Bd -literal -offset indent 1195# ppp 1196ppp ON awfulhak> set device /dev/cuaa1 1197ppp ON awfulhak> set speed 38400 1198ppp ON awfulhak> term 1199deflink: Entering terminal mode on /dev/cuaa1 1200Type `~?' for help 1201at 1202OK 1203at 1204OK 1205atz 1206OK 1207at 1208OK 1209~. 1210ppp ON awfulhak> quit 1211.Ed 1212.It 1213Create a 1214.Pa /usr/local/bin/ppplogin 1215file with the following contents: 1216.Bd -literal -offset indent 1217#! /bin/sh 1218exec /usr/sbin/ppp -direct incoming 1219.Ed 1220.Pp 1221Direct mode 1222.Pq Fl direct 1223lets 1224.Nm 1225work with stdin and stdout. 1226You can also use 1227.Xr pppctl 8 1228to connect to a configured diagnostic port, in the same manner as with 1229client-side 1230.Nm . 1231.Pp 1232Here, the 1233.Ar incoming 1234section must be set up in 1235.Pa /etc/ppp/ppp.conf . 1236.Pp 1237Make sure that the 1238.Ar incoming 1239section contains the 1240.Dq allow users 1241command as appropriate. 1242.It 1243Prepare an account for the incoming user. 1244.Bd -literal 1245ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1246.Ed 1247.Pp 1248Refer to the manual entries for 1249.Xr adduser 8 1250and 1251.Xr vipw 8 1252for details. 1253.It 1254Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1255can be enabled using the 1256.Dq accept dns 1257and 1258.Dq set nbns 1259commands. 1260Refer to their descriptions below. 1261.El 1262.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1263This method differs in that we use 1264.Nm 1265to authenticate the connection rather than 1266.Xr login 1 : 1267.Bl -enum 1268.It 1269Configure your default section in 1270.Pa /etc/gettytab 1271with automatic ppp recognition by specifying the 1272.Dq pp 1273capability: 1274.Bd -literal 1275default:\\ 1276 :pp=/usr/local/bin/ppplogin:\\ 1277 ..... 1278.Ed 1279.It 1280Configure your serial device(s), enable a 1281.Xr getty 8 1282and create 1283.Pa /usr/local/bin/ppplogin 1284as in the first three steps for method 1 above. 1285.It 1286Add either 1287.Dq enable chap 1288or 1289.Dq enable pap 1290(or both) 1291to 1292.Pa /etc/ppp/ppp.conf 1293under the 1294.Sq incoming 1295label (or whatever label 1296.Pa ppplogin 1297uses). 1298.It 1299Create an entry in 1300.Pa /etc/ppp/ppp.secret 1301for each incoming user: 1302.Bd -literal 1303Pfred<TAB>xxxx 1304Pgeorge<TAB>yyyy 1305.Ed 1306.El 1307.Pp 1308Now, as soon as 1309.Xr getty 8 1310detects a ppp connection (by recognising the HDLC frame headers), it runs 1311.Dq /usr/local/bin/ppplogin . 1312.Pp 1313It is 1314.Em VITAL 1315that either PAP or CHAP are enabled as above. 1316If they are not, you are 1317allowing anybody to establish a ppp session with your machine 1318.Em without 1319a password, opening yourself up to all sorts of potential attacks. 1320.Sh AUTHENTICATING INCOMING CONNECTIONS 1321Normally, the receiver of a connection requires that the peer 1322authenticates itself. 1323This may be done using 1324.Xr login 1 , 1325but alternatively, you can use PAP or CHAP. 1326CHAP is the more secure of the two, but some clients may not support it. 1327Once you decide which you wish to use, add the command 1328.Sq enable chap 1329or 1330.Sq enable pap 1331to the relevant section of 1332.Pa ppp.conf . 1333.Pp 1334You must then configure the 1335.Pa /etc/ppp/ppp.secret 1336file. 1337This file contains one line per possible client, each line 1338containing up to five fields: 1339.Pp 1340.Ar name Ar key Oo 1341.Ar hisaddr Op Ar label Op Ar callback-number 1342.Oc 1343.Pp 1344The 1345.Ar name 1346and 1347.Ar key 1348specify the client username and password. 1349If 1350.Ar key 1351is 1352.Dq \&* 1353and PAP is being used, 1354.Nm 1355will look up the password database 1356.Pq Xr passwd 5 1357when authenticating. 1358If the client does not offer a suitable response based on any 1359.Ar name Ns No / Ns Ar key 1360combination in 1361.Pa ppp.secret , 1362authentication fails. 1363.Pp 1364If authentication is successful, 1365.Ar hisaddr 1366(if specified) 1367is used when negotiating IP numbers. 1368See the 1369.Dq set ifaddr 1370command for details. 1371.Pp 1372If authentication is successful and 1373.Ar label 1374is specified, the current system label is changed to match the given 1375.Ar label . 1376This will change the subsequent parsing of the 1377.Pa ppp.linkup 1378and 1379.Pa ppp.linkdown 1380files. 1381.Pp 1382If authentication is successful and 1383.Ar callback-number 1384is specified and 1385.Dq set callback 1386has been used in 1387.Pa ppp.conf , 1388the client will be called back on the given number. 1389If CBCP is being used, 1390.Ar callback-number 1391may also contain a list of numbers or a 1392.Dq \&* , 1393as if passed to the 1394.Dq set cbcp 1395command. 1396The value will be used in 1397.Nm Ns No 's 1398subsequent CBCP phase. 1399.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1400Instead of running 1401.Nm 1402over a serial link, it is possible to 1403use a TCP connection instead by specifying the host, port and protocol as the 1404device: 1405.Pp 1406.Dl set device ui-gate:6669/tcp 1407.Pp 1408Instead of opening a serial device, 1409.Nm 1410will open a TCP connection to the given machine on the given 1411socket. 1412It should be noted however that 1413.Nm 1414doesn't use the telnet protocol and will be unable to negotiate 1415with a telnet server. 1416You should set up a port for receiving this 1417.Em PPP 1418connection on the receiving machine (ui-gate). 1419This is done by first updating 1420.Pa /etc/services 1421to name the service: 1422.Pp 1423.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1424.Pp 1425and updating 1426.Pa /etc/inetd.conf 1427to tell 1428.Xr inetd 8 1429how to deal with incoming connections on that port: 1430.Pp 1431.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1432.Pp 1433Don't forget to send a 1434.Dv HUP 1435signal to 1436.Xr inetd 8 1437after you've updated 1438.Pa /etc/inetd.conf . 1439Here, we use a label named 1440.Dq ppp-in . 1441The entry in 1442.Pa /etc/ppp/ppp.conf 1443on ui-gate (the receiver) should contain the following: 1444.Bd -literal -offset indent 1445ppp-in: 1446 set timeout 0 1447 set ifaddr 10.0.4.1 10.0.4.2 1448.Ed 1449.Pp 1450and the entry in 1451.Pa /etc/ppp/ppp.linkup 1452should contain: 1453.Bd -literal -offset indent 1454ppp-in: 1455 add 10.0.1.0/24 HISADDR 1456.Ed 1457.Pp 1458It is necessary to put the 1459.Dq add 1460command in 1461.Pa ppp.linkup 1462to ensure that the route is only added after 1463.Nm 1464has negotiated and assigned addresses to its interface. 1465.Pp 1466You may also want to enable PAP or CHAP for security. 1467To enable PAP, add the following line: 1468.Bd -literal -offset indent 1469 enable PAP 1470.Ed 1471.Pp 1472You'll also need to create the following entry in 1473.Pa /etc/ppp/ppp.secret : 1474.Bd -literal -offset indent 1475MyAuthName MyAuthPasswd 1476.Ed 1477.Pp 1478If 1479.Ar MyAuthPasswd 1480is a 1481.Dq * , 1482the password is looked up in the 1483.Xr passwd 5 1484database. 1485.Pp 1486The entry in 1487.Pa /etc/ppp/ppp.conf 1488on awfulhak (the initiator) should contain the following: 1489.Bd -literal -offset indent 1490ui-gate: 1491 set escape 0xff 1492 set device ui-gate:ppp-in/tcp 1493 set dial 1494 set timeout 30 1495 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1496 set ifaddr 10.0.4.2 10.0.4.1 1497.Ed 1498.Pp 1499with the route setup in 1500.Pa /etc/ppp/ppp.linkup : 1501.Bd -literal -offset indent 1502ui-gate: 1503 add 10.0.2.0/24 HISADDR 1504.Ed 1505.Pp 1506Again, if you're enabling PAP, you'll also need this in the 1507.Pa /etc/ppp/ppp.conf 1508profile: 1509.Bd -literal -offset indent 1510 set authname MyAuthName 1511 set authkey MyAuthKey 1512.Ed 1513.Pp 1514We're assigning the address of 10.0.4.1 to ui-gate, and the address 151510.0.4.2 to awfulhak. 1516To open the connection, just type 1517.Pp 1518.Dl awfulhak # ppp -background ui-gate 1519.Pp 1520The result will be an additional "route" on awfulhak to the 152110.0.2.0/24 network via the TCP connection, and an additional 1522"route" on ui-gate to the 10.0.1.0/24 network. 1523The networks are effectively bridged - the underlying TCP 1524connection may be across a public network (such as the 1525Internet), and the 1526.Em PPP 1527traffic is conceptually encapsulated 1528(although not packet by packet) inside the TCP stream between 1529the two gateways. 1530.Pp 1531The major disadvantage of this mechanism is that there are two 1532"guaranteed delivery" mechanisms in place - the underlying TCP 1533stream and whatever protocol is used over the 1534.Em PPP 1535link - probably TCP again. 1536If packets are lost, both levels will 1537get in each others way trying to negotiate sending of the missing 1538packet. 1539.Pp 1540To avoid this overhead, it is also possible to do all this using 1541UDP instead of TCP as the transport by simply changing the protocol 1542from "tcp" to "udp". 1543When using UDP as a transport, 1544.Nm 1545will operate in synchronous mode. 1546This is another gain as the incoming 1547data does not have to be rearranged into packets. 1548.Pp 1549Care should be taken when adding a default route through a tunneled 1550setup like this. 1551It is quite common for the default route 1552(added in 1553.Pa /etc/ppp/ppp.linkup ) 1554to end up routing the link's TCP connection through the tunnel, 1555effectively garrotting the connection. 1556To avoid this, make sure you add a static route for the benefit of 1557the link: 1558.Bd -literal -offset indent 1559ui-gate: 1560 set escape 0xff 1561 set device ui-gate:ppp-in/tcp 1562 add ui-gate x.x.x.x 1563 ..... 1564.Ed 1565.Pp 1566where 1567.Dq x.x.x.x 1568is the IP number that your route to 1569.Dq ui-gate 1570would normally use. 1571.Pp 1572When routing your connection across a public network such as the Internet, 1573it is preferable to encrypt the data. 1574This can be done with the help of the MPPE protocol, although currently this 1575means that you will not be able to also compress the traffic as MPPE is 1576implemented as a compression layer (thank Microsoft for this). 1577To enable MPPE encryption, add the following lines to 1578.Pa /etc/ppp/ppp.conf 1579on the server: 1580.Bd -literal -offset indent 1581 enable MSCHAPv2 1582 disable deflate pred1 1583 deny deflate pred1 1584.Ed 1585.Pp 1586ensuring that you've put the requisite entry in 1587.Pa /etc/ppp/ppp.secret 1588(MSCHAPv2 is challenge based, so 1589.Xr passwd 5 1590cannot be used) 1591.Pp 1592MSCHAPv2 and MPPE are accepted by default, so the client end should work 1593without any additional changes (although ensure you have 1594.Dq set authname 1595and 1596.Dq set authkey 1597in your profile). 1598.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1599The 1600.Fl nat 1601command line option enables network address translation (a.k.a. packet 1602aliasing). 1603This allows the 1604.Nm 1605host to act as a masquerading gateway for other computers over 1606a local area network. 1607Outgoing IP packets are NAT'd so that they appear to come from the 1608.Nm 1609host, and incoming packets are de-NAT'd so that they are routed 1610to the correct machine on the local area network. 1611NAT allows computers on private, unregistered subnets to have Internet 1612access, although they are invisible from the outside world. 1613In general, correct 1614.Nm 1615operation should first be verified with network address translation disabled. 1616Then, the 1617.Fl nat 1618option should be switched on, and network applications (web browser, 1619.Xr telnet 1 , 1620.Xr ftp 1 , 1621.Xr ping 8 , 1622.Xr traceroute 8 ) 1623should be checked on the 1624.Nm 1625host. 1626Finally, the same or similar applications should be checked on other 1627computers in the LAN. 1628If network applications work correctly on the 1629.Nm 1630host, but not on other machines in the LAN, then the masquerading 1631software is working properly, but the host is either not forwarding 1632or possibly receiving IP packets. 1633Check that IP forwarding is enabled in 1634.Pa /etc/rc.conf 1635and that other machines have designated the 1636.Nm 1637host as the gateway for the LAN. 1638.Sh PACKET FILTERING 1639This implementation supports packet filtering. 1640There are four kinds of 1641filters: the 1642.Em in 1643filter, the 1644.Em out 1645filter, the 1646.Em dial 1647filter and the 1648.Em alive 1649filter. 1650Here are the basics: 1651.Bl -bullet 1652.It 1653A filter definition has the following syntax: 1654.Pp 1655set filter 1656.Ar name 1657.Ar rule-no 1658.Ar action 1659.Op !\& 1660.Oo 1661.Op host 1662.Ar src_addr Ns Op / Ns Ar width 1663.Op Ar dst_addr Ns Op / Ns Ar width 1664.Oc 1665.Ar [ proto Op src Ar cmp port 1666.Op dst Ar cmp port 1667.Op estab 1668.Op syn 1669.Op finrst 1670.Op timeout Ar secs ] 1671.Bl -enum 1672.It 1673.Ar Name 1674should be one of 1675.Sq in , 1676.Sq out , 1677.Sq dial 1678or 1679.Sq alive . 1680.It 1681.Ar Rule-no 1682is a numeric value between 1683.Sq 0 1684and 1685.Sq 39 1686specifying the rule number. 1687Rules are specified in numeric order according to 1688.Ar rule-no , 1689but only if rule 1690.Sq 0 1691is defined. 1692.It 1693.Ar Action 1694may be specified as 1695.Sq permit 1696or 1697.Sq deny , 1698in which case, if a given packet matches the rule, the associated action 1699is taken immediately. 1700.Ar Action 1701can also be specified as 1702.Sq clear 1703to clear the action associated with that particular rule, or as a new 1704rule number greater than the current rule. 1705In this case, if a given 1706packet matches the current rule, the packet will next be matched against 1707the new rule number (rather than the next rule number). 1708.Pp 1709The 1710.Ar action 1711may optionally be followed with an exclamation mark 1712.Pq Dq !\& , 1713telling 1714.Nm 1715to reverse the sense of the following match. 1716.It 1717.Op Ar src_addr Ns Op / Ns Ar width 1718and 1719.Op Ar dst_addr Ns Op / Ns Ar width 1720are the source and destination IP number specifications. 1721If 1722.Op / Ns Ar width 1723is specified, it gives the number of relevant netmask bits, 1724allowing the specification of an address range. 1725.Pp 1726Either 1727.Ar src_addr 1728or 1729.Ar dst_addr 1730may be given the values 1731.Dv MYADDR , 1732.Dv HISADDR , 1733.Dv MYADDR6 1734or 1735.Dv HISADDR6 1736(refer to the description of the 1737.Dq bg 1738command for a description of these values). 1739When these values are used, 1740the filters will be updated any time the values change. 1741This is similar to the behaviour of the 1742.Dq add 1743command below. 1744.It 1745.Ar Proto 1746may be any protocol from 1747.Xr protocols 5 . 1748.It 1749.Ar Cmp 1750is one of 1751.Sq \< , 1752.Sq \&eq 1753or 1754.Sq \> , 1755meaning less-than, equal and greater-than respectively. 1756.Ar Port 1757can be specified as a numeric port or by service name from 1758.Pa /etc/services . 1759.It 1760The 1761.Sq estab , 1762.Sq syn , 1763and 1764.Sq finrst 1765flags are only allowed when 1766.Ar proto 1767is set to 1768.Sq tcp , 1769and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1770.It 1771The timeout value adjusts the current idle timeout to at least 1772.Ar secs 1773seconds. 1774If a timeout is given in the alive filter as well as in the in/out 1775filter, the in/out value is used. 1776If no timeout is given, the default timeout (set using 1777.Ic set timeout 1778and defaulting to 180 seconds) is used. 1779.El 1780.Pp 1781.It 1782Each filter can hold up to 40 rules, starting from rule 0. 1783The entire rule set is not effective until rule 0 is defined, 1784i.e., the default is to allow everything through. 1785.It 1786If no rule in a defined set of rules matches a packet, that packet will 1787be discarded (blocked). 1788If there are no rules in a given filter, the packet will be permitted. 1789.It 1790It's possible to filter based on the payload of UDP frames where those 1791frames contain a 1792.Em PROTO_IP 1793.Em PPP 1794frame header. 1795See the 1796.Ar filter-decapsulation 1797option below for further details. 1798.It 1799Use 1800.Dq set filter Ar name No -1 1801to flush all rules. 1802.El 1803.Pp 1804See 1805.Pa /usr/share/examples/ppp/ppp.conf.sample . 1806.Sh SETTING THE IDLE TIMER 1807To check/set the idle timer, use the 1808.Dq show bundle 1809and 1810.Dq set timeout 1811commands: 1812.Bd -literal -offset indent 1813ppp ON awfulhak> set timeout 600 1814.Ed 1815.Pp 1816The timeout period is measured in seconds, the default value for which 1817is 180 seconds 1818(or 3 min). 1819To disable the idle timer function, use the command 1820.Bd -literal -offset indent 1821ppp ON awfulhak> set timeout 0 1822.Ed 1823.Pp 1824In 1825.Fl ddial 1826and 1827.Fl dedicated 1828modes, the idle timeout is ignored. 1829In 1830.Fl auto 1831mode, when the idle timeout causes the 1832.Em PPP 1833session to be 1834closed, the 1835.Nm 1836program itself remains running. 1837Another trigger packet will cause it to attempt to re-establish the link. 1838.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1839.Nm 1840supports both Predictor type 1 and deflate compression. 1841By default, 1842.Nm 1843will attempt to use (or be willing to accept) both compression protocols 1844when the peer agrees 1845(or requests them). 1846The deflate protocol is preferred by 1847.Nm . 1848Refer to the 1849.Dq disable 1850and 1851.Dq deny 1852commands if you wish to disable this functionality. 1853.Pp 1854It is possible to use a different compression algorithm in each direction 1855by using only one of 1856.Dq disable deflate 1857and 1858.Dq deny deflate 1859(assuming that the peer supports both algorithms). 1860.Pp 1861By default, when negotiating DEFLATE, 1862.Nm 1863will use a window size of 15. 1864Refer to the 1865.Dq set deflate 1866command if you wish to change this behaviour. 1867.Pp 1868A special algorithm called DEFLATE24 is also available, and is disabled 1869and denied by default. 1870This is exactly the same as DEFLATE except that 1871it uses CCP ID 24 to negotiate. 1872This allows 1873.Nm 1874to successfully negotiate DEFLATE with 1875.Nm pppd 1876version 2.3.*. 1877.Sh CONTROLLING IP ADDRESS 1878For IPv4, 1879.Nm 1880uses IPCP to negotiate IP addresses. 1881Each side of the connection 1882specifies the IP address that it's willing to use, and if the requested 1883IP address is acceptable then 1884.Nm 1885returns an ACK to the requester. 1886Otherwise, 1887.Nm 1888returns NAK to suggest that the peer use a different IP address. 1889When 1890both sides of the connection agree to accept the received request (and 1891send an ACK), IPCP is set to the open state and a network level connection 1892is established. 1893To control this IPCP behaviour, this implementation has the 1894.Dq set ifaddr 1895command for defining the local and remote IP address: 1896.Bd -ragged -offset indent 1897.No set ifaddr Oo Ar src_addr Ns 1898.Op / Ns Ar \&nn 1899.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1900.Oo Ar netmask 1901.Op Ar trigger_addr 1902.Oc 1903.Oc 1904.Oc 1905.Ed 1906.Pp 1907where, 1908.Sq src_addr 1909is the IP address that the local side is willing to use, 1910.Sq dst_addr 1911is the IP address which the remote side should use and 1912.Sq netmask 1913is the netmask that should be used. 1914.Sq Src_addr 1915defaults to the current 1916.Xr hostname 1 , 1917.Sq dst_addr 1918defaults to 0.0.0.0, and 1919.Sq netmask 1920defaults to whatever mask is appropriate for 1921.Sq src_addr . 1922It is only possible to make 1923.Sq netmask 1924smaller than the default. 1925The usual value is 255.255.255.255, as 1926most kernels ignore the netmask of a POINTOPOINT interface. 1927.Pp 1928Some incorrect 1929.Em PPP 1930implementations require that the peer negotiates a specific IP 1931address instead of 1932.Sq src_addr . 1933If this is the case, 1934.Sq trigger_addr 1935may be used to specify this IP number. 1936This will not affect the 1937routing table unless the other side agrees with this proposed number. 1938.Bd -literal -offset indent 1939set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1940.Ed 1941.Pp 1942The above specification means: 1943.Pp 1944.Bl -bullet -compact 1945.It 1946I will first suggest that my IP address should be 0.0.0.0, but I 1947will only accept an address of 192.244.177.38. 1948.It 1949I strongly insist that the peer uses 192.244.177.2 as his own 1950address and won't permit the use of any IP address but 192.244.177.2. 1951When the peer requests another IP address, I will always suggest that 1952it uses 192.244.177.2. 1953.It 1954The routing table entry will have a netmask of 0xffffffff. 1955.El 1956.Pp 1957This is all fine when each side has a pre-determined IP address, however 1958it is often the case that one side is acting as a server which controls 1959all IP addresses and the other side should go along with it. 1960In order to allow more flexible behaviour, the 1961.Dq set ifaddr 1962command allows the user to specify IP addresses more loosely: 1963.Pp 1964.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1965.Pp 1966A number followed by a slash 1967.Pq Dq / 1968represents the number of bits significant in the IP address. 1969The above example means: 1970.Pp 1971.Bl -bullet -compact 1972.It 1973I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1974also accept any IP address between 192.244.177.0 and 192.244.177.255. 1975.It 1976I'd like to make him use 192.244.177.2 as his own address, but I'll also 1977permit him to use any IP address between 192.244.176.0 and 1978192.244.191.255. 1979.It 1980As you may have already noticed, 192.244.177.2 is equivalent to saying 1981192.244.177.2/32. 1982.It 1983As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 1984preferred IP address and will obey the remote peers selection. 1985When using zero, no routing table entries will be made until a connection 1986is established. 1987.It 1988192.244.177.2/0 means that I'll accept/permit any IP address but I'll 1989suggest that 192.244.177.2 be used first. 1990.El 1991.Pp 1992When negotiating IPv6 addresses, no control is given to the user. 1993IPV6CP negotiation is fully automatic. 1994.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 1995The following steps should be taken when connecting to your ISP: 1996.Bl -enum 1997.It 1998Describe your providers phone number(s) in the dial script using the 1999.Dq set phone 2000command. 2001This command allows you to set multiple phone numbers for 2002dialing and redialing separated by either a pipe 2003.Pq Dq \&| 2004or a colon 2005.Pq Dq \&: : 2006.Bd -ragged -offset indent 2007.No set phone Ar telno Ns Xo 2008.Oo \&| Ns Ar backupnumber 2009.Oc Ns ... Ns Oo : Ns Ar nextnumber 2010.Oc Ns ... 2011.Xc 2012.Ed 2013.Pp 2014Numbers after the first in a pipe-separated list are only used if the 2015previous number was used in a failed dial or login script. 2016Numbers 2017separated by a colon are used sequentially, irrespective of what happened 2018as a result of using the previous number. 2019For example: 2020.Bd -literal -offset indent 2021set phone "1234567|2345678:3456789|4567890" 2022.Ed 2023.Pp 2024Here, the 1234567 number is attempted. 2025If the dial or login script fails, 2026the 2345678 number is used next time, but *only* if the dial or login script 2027fails. 2028On the dial after this, the 3456789 number is used. 2029The 4567890 2030number is only used if the dial or login script using the 3456789 fails. 2031If the login script of the 2345678 number fails, the next number is still the 20323456789 number. 2033As many pipes and colons can be used as are necessary 2034(although a given site would usually prefer to use either the pipe or the 2035colon, but not both). 2036The next number redial timeout is used between all numbers. 2037When the end of the list is reached, the normal redial period is 2038used before starting at the beginning again. 2039The selected phone number is substituted for the \\\\T string in the 2040.Dq set dial 2041command (see below). 2042.It 2043Set up your redial requirements using 2044.Dq set redial . 2045For example, if you have a bad telephone line or your provider is 2046usually engaged (not so common these days), you may want to specify 2047the following: 2048.Bd -literal -offset indent 2049set redial 10 4 2050.Ed 2051.Pp 2052This says that up to 4 phone calls should be attempted with a pause of 10 2053seconds before dialing the first number again. 2054.It 2055Describe your login procedure using the 2056.Dq set dial 2057and 2058.Dq set login 2059commands. 2060The 2061.Dq set dial 2062command is used to talk to your modem and establish a link with your 2063ISP, for example: 2064.Bd -literal -offset indent 2065set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2066 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2067.Ed 2068.Pp 2069This modem "chat" string means: 2070.Bl -bullet 2071.It 2072Abort if the string "BUSY" or "NO CARRIER" are received. 2073.It 2074Set the timeout to 4 seconds. 2075.It 2076Expect nothing. 2077.It 2078Send ATZ. 2079.It 2080Expect OK. 2081If that's not received within the 4 second timeout, send ATZ 2082and expect OK. 2083.It 2084Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2085above. 2086.It 2087Set the timeout to 60. 2088.It 2089Wait for the CONNECT string. 2090.El 2091.Pp 2092Once the connection is established, the login script is executed. 2093This script is written in the same style as the dial script, but care should 2094be taken to avoid having your password logged: 2095.Bd -literal -offset indent 2096set authkey MySecret 2097set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2098 word: \\\\P ocol: PPP HELLO" 2099.Ed 2100.Pp 2101This login "chat" string means: 2102.Bl -bullet 2103.It 2104Set the timeout to 15 seconds. 2105.It 2106Expect "login:". 2107If it's not received, send a carriage return and expect 2108"login:" again. 2109.It 2110Send "awfulhak" 2111.It 2112Expect "word:" (the tail end of a "Password:" prompt). 2113.It 2114Send whatever our current 2115.Ar authkey 2116value is set to. 2117.It 2118Expect "ocol:" (the tail end of a "Protocol:" prompt). 2119.It 2120Send "PPP". 2121.It 2122Expect "HELLO". 2123.El 2124.Pp 2125The 2126.Dq set authkey 2127command is logged specially. 2128When 2129.Ar command 2130or 2131.Ar chat 2132logging is enabled, the actual password is not logged; 2133.Sq ******** 2134is logged instead. 2135.Pp 2136Login scripts vary greatly between ISPs. 2137If you're setting one up for the first time, 2138.Em ENABLE CHAT LOGGING 2139so that you can see if your script is behaving as you expect. 2140.It 2141Use 2142.Dq set device 2143and 2144.Dq set speed 2145to specify your serial line and speed, for example: 2146.Bd -literal -offset indent 2147set device /dev/cuaa0 2148set speed 115200 2149.Ed 2150.Pp 2151Cuaa0 is the first serial port on 2152.Dx . 2153If you're running 2154.Nm 2155on 2156.Ox , 2157cua00 is the first. 2158A speed of 115200 should be specified 2159if you have a modem capable of bit rates of 28800 or more. 2160In general, the serial speed should be about four times the modem speed. 2161.It 2162Use the 2163.Dq set ifaddr 2164command to {define} the IP address. 2165.Bl -bullet 2166.It 2167If you know what IP address your provider uses, then use it as the remote 2168address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2169.It 2170If your provider has assigned a particular IP address to you, then use 2171it as your address (src_addr). 2172.It 2173If your provider assigns your address dynamically, choose a suitably 2174unobtrusive and unspecific IP number as your address. 217510.0.0.1/0 would be appropriate. 2176The bit after the / specifies how many bits of the 2177address you consider to be important, so if you wanted to insist on 2178something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2179.It 2180If you find that your ISP accepts the first IP number that you suggest, 2181specify third and forth arguments of 2182.Dq 0.0.0.0 . 2183This will force your ISP to assign a number. 2184(The third argument will 2185be ignored as it is less restrictive than the default mask for your 2186.Sq src_addr ) . 2187.El 2188.Pp 2189An example for a connection where you don't know your IP number or your 2190ISPs IP number would be: 2191.Bd -literal -offset indent 2192set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2193.Ed 2194.Pp 2195.It 2196In most cases, your ISP will also be your default router. 2197If this is the case, add the line 2198.Bd -literal -offset indent 2199add default HISADDR 2200.Ed 2201.Pp 2202to 2203.Pa /etc/ppp/ppp.conf 2204(or to 2205.Pa /etc/ppp/ppp.linkup 2206for setups that don't use 2207.Fl auto 2208mode). 2209.Pp 2210This tells 2211.Nm 2212to add a default route to whatever the peer address is 2213(10.0.0.2 in this example). 2214This route is 2215.Sq sticky , 2216meaning that should the value of 2217.Dv HISADDR 2218change, the route will be updated accordingly. 2219.It 2220If your provider requests that you use PAP/CHAP authentication methods, add 2221the next lines to your 2222.Pa /etc/ppp/ppp.conf 2223file: 2224.Bd -literal -offset indent 2225set authname MyName 2226set authkey MyPassword 2227.Ed 2228.Pp 2229Both are accepted by default, so 2230.Nm 2231will provide whatever your ISP requires. 2232.Pp 2233It should be noted that a login script is rarely (if ever) required 2234when PAP or CHAP are in use. 2235.It 2236Ask your ISP to authenticate your nameserver address(es) with the line 2237.Bd -literal -offset indent 2238enable dns 2239.Ed 2240.Pp 2241Do 2242.Em NOT 2243do this if you are running a local DNS unless you also either use 2244.Dq resolv readonly 2245or have 2246.Dq resolv restore 2247in 2248.Pa /etc/ppp/ppp.linkdown , 2249as 2250.Nm 2251will simply circumvent its use by entering some nameserver lines in 2252.Pa /etc/resolv.conf . 2253.El 2254.Pp 2255Please refer to 2256.Pa /usr/share/examples/ppp/ppp.conf.sample 2257and 2258.Pa /usr/share/examples/ppp/ppp.linkup.sample 2259for some real examples. 2260The pmdemand label should be appropriate for most ISPs. 2261.Sh LOGGING FACILITY 2262.Nm 2263is able to generate the following log info either via 2264.Xr syslog 3 2265or directly to the screen: 2266.Pp 2267.Bl -tag -width XXXXXXXXX -offset XXX -compact 2268.It Li All 2269Enable all logging facilities. 2270This generates a lot of log. 2271The most common use of 'all' is as a basis, where you remove some facilities 2272after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2273.It Li Async 2274Dump async level packet in hex. 2275.It Li CBCP 2276Generate CBCP (CallBack Control Protocol) logs. 2277.It Li CCP 2278Generate a CCP packet trace. 2279.It Li Chat 2280Generate 2281.Sq dial , 2282.Sq login , 2283.Sq logout 2284and 2285.Sq hangup 2286chat script trace logs. 2287.It Li Command 2288Log commands executed either from the command line or any of the configuration 2289files. 2290.It Li Connect 2291Log Chat lines containing the string "CONNECT". 2292.It Li Debug 2293Log debug information. 2294.It Li DNS 2295Log DNS QUERY packets. 2296.It Li Filter 2297Log packets permitted by the dial filter and denied by any filter. 2298.It Li HDLC 2299Dump HDLC packet in hex. 2300.It Li ID0 2301Log all function calls specifically made as user id 0. 2302.It Li IPCP 2303Generate an IPCP packet trace. 2304.It Li LCP 2305Generate an LCP packet trace. 2306.It Li LQM 2307Generate LQR reports. 2308.It Li Phase 2309Phase transition log output. 2310.It Li Physical 2311Dump physical level packet in hex. 2312.It Li Sync 2313Dump sync level packet in hex. 2314.It Li TCP/IP 2315Dump all TCP/IP packets. 2316.It Li Timer 2317Log timer manipulation. 2318.It Li TUN 2319Include the tun device on each log line. 2320.It Li Warning 2321Output to the terminal device. 2322If there is currently no terminal, 2323output is sent to the log file using syslogs 2324.Dv LOG_WARNING . 2325.It Li Error 2326Output to both the terminal device 2327and the log file using syslogs 2328.Dv LOG_ERROR . 2329.It Li Alert 2330Output to the log file using 2331.Dv LOG_ALERT . 2332.El 2333.Pp 2334The 2335.Dq set log 2336command allows you to set the logging output level. 2337Multiple levels can be specified on a single command line. 2338The default is equivalent to 2339.Dq set log Phase . 2340.Pp 2341It is also possible to log directly to the screen. 2342The syntax is the same except that the word 2343.Dq local 2344should immediately follow 2345.Dq set log . 2346The default is 2347.Dq set log local 2348(i.e., only the un-maskable warning, error and alert output). 2349.Pp 2350If The first argument to 2351.Dq set log Op local 2352begins with a 2353.Sq + 2354or a 2355.Sq - 2356character, the current log levels are 2357not cleared, for example: 2358.Bd -literal -offset indent 2359PPP ON awfulhak> set log phase 2360PPP ON awfulhak> show log 2361Log: Phase Warning Error Alert 2362Local: Warning Error Alert 2363PPP ON awfulhak> set log +tcp/ip -warning 2364PPP ON awfulhak> set log local +command 2365PPP ON awfulhak> show log 2366Log: Phase TCP/IP Warning Error Alert 2367Local: Command Warning Error Alert 2368.Ed 2369.Pp 2370Log messages of level Warning, Error and Alert are not controllable 2371using 2372.Dq set log Op local . 2373.Pp 2374The 2375.Ar Warning 2376level is special in that it will not be logged if it can be displayed 2377locally. 2378.Sh SIGNAL HANDLING 2379.Nm 2380deals with the following signals: 2381.Bl -tag -width "USR2" 2382.It INT 2383Receipt of this signal causes the termination of the current connection 2384(if any). 2385This will cause 2386.Nm 2387to exit unless it is in 2388.Fl auto 2389or 2390.Fl ddial 2391mode. 2392.It HUP, TERM & QUIT 2393These signals tell 2394.Nm 2395to exit. 2396.It USR1 2397This signal, tells 2398.Nm 2399to re-open any existing server socket, dropping all existing diagnostic 2400connections. 2401Sockets that couldn't previously be opened will be retried. 2402.It USR2 2403This signal, tells 2404.Nm 2405to close any existing server socket, dropping all existing diagnostic 2406connections. 2407.Dv SIGUSR1 2408can still be used to re-open the socket. 2409.El 2410.Sh MULTI-LINK PPP 2411If you wish to use more than one physical link to connect to a 2412.Em PPP 2413peer, that peer must also understand the 2414.Em MULTI-LINK PPP 2415protocol. 2416Refer to RFC 1990 for specification details. 2417.Pp 2418The peer is identified using a combination of his 2419.Dq endpoint discriminator 2420and his 2421.Dq authentication id . 2422Either or both of these may be specified. 2423It is recommended that 2424at least one is specified, otherwise there is no way of ensuring that 2425all links are actually connected to the same peer program, and some 2426confusing lock-ups may result. 2427Locally, these identification variables are specified using the 2428.Dq set enddisc 2429and 2430.Dq set authname 2431commands. 2432The 2433.Sq authname 2434(and 2435.Sq authkey ) 2436must be agreed in advance with the peer. 2437.Pp 2438Multi-link capabilities are enabled using the 2439.Dq set mrru 2440command (set maximum reconstructed receive unit). 2441Once multi-link is enabled, 2442.Nm 2443will attempt to negotiate a multi-link connection with the peer. 2444.Pp 2445By default, only one 2446.Sq link 2447is available 2448(called 2449.Sq deflink ) . 2450To create more links, the 2451.Dq clone 2452command is used. 2453This command will clone existing links, where all 2454characteristics are the same except: 2455.Bl -enum 2456.It 2457The new link has its own name as specified on the 2458.Dq clone 2459command line. 2460.It 2461The new link is an 2462.Sq interactive 2463link. 2464Its mode may subsequently be changed using the 2465.Dq set mode 2466command. 2467.It 2468The new link is in a 2469.Sq closed 2470state. 2471.El 2472.Pp 2473A summary of all available links can be seen using the 2474.Dq show links 2475command. 2476.Pp 2477Once a new link has been created, command usage varies. 2478All link specific commands must be prefixed with the 2479.Dq link Ar name 2480command, specifying on which link the command is to be applied. 2481When only a single link is available, 2482.Nm 2483is smart enough not to require the 2484.Dq link Ar name 2485prefix. 2486.Pp 2487Some commands can still be used without specifying a link - resulting 2488in an operation at the 2489.Sq bundle 2490level. 2491For example, once two or more links are available, the command 2492.Dq show ccp 2493will show CCP configuration and statistics at the multi-link level, and 2494.Dq link deflink show ccp 2495will show the same information at the 2496.Dq deflink 2497link level. 2498.Pp 2499Armed with this information, the following configuration might be used: 2500.Bd -literal -offset indent 2501mp: 2502 set timeout 0 2503 set log phase chat 2504 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2505 set phone "123456789" 2506 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2507 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2508 set login 2509 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2510 set authname ppp 2511 set authkey ppppassword 2512 2513 set mrru 1500 2514 clone 1,2,3 # Create 3 new links - duplicates of the default 2515 link deflink remove # Delete the default link (called ``deflink'') 2516.Ed 2517.Pp 2518Note how all cloning is done at the end of the configuration. 2519Usually, the link will be configured first, then cloned. 2520If you wish all links 2521to be up all the time, you can add the following line to the end of your 2522configuration. 2523.Bd -literal -offset indent 2524 link 1,2,3 set mode ddial 2525.Ed 2526.Pp 2527If you want the links to dial on demand, this command could be used: 2528.Bd -literal -offset indent 2529 link * set mode auto 2530.Ed 2531.Pp 2532Links may be tied to specific names by removing the 2533.Dq set device 2534line above, and specifying the following after the 2535.Dq clone 2536command: 2537.Bd -literal -offset indent 2538 link 1 set device /dev/cuaa0 2539 link 2 set device /dev/cuaa1 2540 link 3 set device /dev/cuaa2 2541.Ed 2542.Pp 2543Use the 2544.Dq help 2545command to see which commands require context (using the 2546.Dq link 2547command), which have optional 2548context and which should not have any context. 2549.Pp 2550When 2551.Nm 2552has negotiated 2553.Em MULTI-LINK 2554mode with the peer, it creates a local domain socket in the 2555.Pa /var/run 2556directory. 2557This socket is used to pass link information (including 2558the actual link file descriptor) between different 2559.Nm 2560invocations. 2561This facilitates 2562.Nm Ns No 's 2563ability to be run from a 2564.Xr getty 8 2565or directly from 2566.Pa /etc/gettydefs 2567(using the 2568.Sq pp= 2569capability), without needing to have initial control of the serial 2570line. 2571Once 2572.Nm 2573negotiates multi-link mode, it will pass its open link to any 2574already running process. 2575If there is no already running process, 2576.Nm 2577will act as the master, creating the socket and listening for new 2578connections. 2579.Sh PPP COMMAND LIST 2580This section lists the available commands and their effect. 2581They are usable either from an interactive 2582.Nm 2583session, from a configuration file or from a 2584.Xr pppctl 8 2585or 2586.Xr telnet 1 2587session. 2588.Bl -tag -width 2n 2589.It accept|deny|enable|disable Ar option.... 2590These directives tell 2591.Nm 2592how to negotiate the initial connection with the peer. 2593Each 2594.Dq option 2595has a default of either accept or deny and enable or disable. 2596.Dq Accept 2597means that the option will be ACK'd if the peer asks for it. 2598.Dq Deny 2599means that the option will be NAK'd if the peer asks for it. 2600.Dq Enable 2601means that the option will be requested by us. 2602.Dq Disable 2603means that the option will not be requested by us. 2604.Pp 2605.Dq Option 2606may be one of the following: 2607.Bl -tag -width 2n 2608.It acfcomp 2609Default: Enabled and Accepted. 2610ACFComp stands for Address and Control Field Compression. 2611Non LCP packets will usually have an address 2612field of 0xff (the All-Stations address) and a control field of 26130x03 (the Unnumbered Information command). 2614If this option is 2615negotiated, these two bytes are simply not sent, thus minimising 2616traffic. 2617.Pp 2618See 2619.Pa rfc1662 2620for details. 2621.It chap Ns Op \&05 2622Default: Disabled and Accepted. 2623CHAP stands for Challenge Handshake Authentication Protocol. 2624Only one of CHAP and PAP (below) may be negotiated. 2625With CHAP, the authenticator sends a "challenge" message to its peer. 2626The peer uses a one-way hash function to encrypt the 2627challenge and sends the result back. 2628The authenticator does the same, and compares the results. 2629The advantage of this mechanism is that no 2630passwords are sent across the connection. 2631A challenge is made when the connection is first made. 2632Subsequent challenges may occur. 2633If you want to have your peer authenticate itself, you must 2634.Dq enable chap . 2635in 2636.Pa /etc/ppp/ppp.conf , 2637and have an entry in 2638.Pa /etc/ppp/ppp.secret 2639for the peer. 2640.Pp 2641When using CHAP as the client, you need only specify 2642.Dq AuthName 2643and 2644.Dq AuthKey 2645in 2646.Pa /etc/ppp/ppp.conf . 2647CHAP is accepted by default. 2648Some 2649.Em PPP 2650implementations use "MS-CHAP" rather than MD5 when encrypting the 2651challenge. 2652MS-CHAP is a combination of MD4 and DES. 2653If 2654.Nm 2655was built on a machine with DES libraries available, it will respond 2656to MS-CHAP authentication requests, but will never request them. 2657.It deflate 2658Default: Enabled and Accepted. 2659This option decides if deflate 2660compression will be used by the Compression Control Protocol (CCP). 2661This is the same algorithm as used by the 2662.Xr gzip 1 2663program. 2664Note: There is a problem negotiating 2665.Ar deflate 2666capabilities with 2667.Xr pppd 8 2668- a 2669.Em PPP 2670implementation available under many operating systems. 2671.Nm pppd 2672(version 2.3.1) incorrectly attempts to negotiate 2673.Ar deflate 2674compression using type 2675.Em 24 2676as the CCP configuration type rather than type 2677.Em 26 2678as specified in 2679.Pa rfc1979 . 2680Type 2681.Ar 24 2682is actually specified as 2683.Dq PPP Magna-link Variable Resource Compression 2684in 2685.Pa rfc1975 ! 2686.Nm 2687is capable of negotiating with 2688.Nm pppd , 2689but only if 2690.Dq deflate24 2691is 2692.Ar enable Ns No d 2693and 2694.Ar accept Ns No ed . 2695.It deflate24 2696Default: Disabled and Denied. 2697This is a variance of the 2698.Ar deflate 2699option, allowing negotiation with the 2700.Xr pppd 8 2701program. 2702Refer to the 2703.Ar deflate 2704section above for details. 2705It is disabled by default as it violates 2706.Pa rfc1975 . 2707.It dns 2708Default: Disabled and Denied. 2709This option allows DNS negotiation. 2710.Pp 2711If 2712.Dq enable Ns No d, 2713.Nm 2714will request that the peer confirms the entries in 2715.Pa /etc/resolv.conf . 2716If the peer NAKs our request (suggesting new IP numbers), 2717.Pa /etc/resolv.conf 2718is updated and another request is sent to confirm the new entries. 2719.Pp 2720If 2721.Dq accept Ns No ed, 2722.Nm 2723will answer any DNS queries requested by the peer rather than rejecting 2724them. 2725The answer is taken from 2726.Pa /etc/resolv.conf 2727unless the 2728.Dq set dns 2729command is used as an override. 2730.It enddisc 2731Default: Enabled and Accepted. 2732This option allows control over whether we 2733negotiate an endpoint discriminator. 2734We only send our discriminator if 2735.Dq set enddisc 2736is used and 2737.Ar enddisc 2738is enabled. 2739We reject the peers discriminator if 2740.Ar enddisc 2741is denied. 2742.It LANMan|chap80lm 2743Default: Disabled and Accepted. 2744The use of this authentication protocol 2745is discouraged as it partially violates the authentication protocol by 2746implementing two different mechanisms (LANMan & NT) under the guise of 2747a single CHAP type (0x80). 2748.Dq LANMan 2749uses a simple DES encryption mechanism and is the least secure of the 2750CHAP alternatives (although is still more secure than PAP). 2751.Pp 2752Refer to the 2753.Dq MSChap 2754description below for more details. 2755.It lqr 2756Default: Disabled and Accepted. 2757This option decides if Link Quality Requests will be sent or accepted. 2758LQR is a protocol that allows 2759.Nm 2760to determine that the link is down without relying on the modems 2761carrier detect. 2762When LQR is enabled, 2763.Nm 2764sends the 2765.Em QUALPROTO 2766option (see 2767.Dq set lqrperiod 2768below) as part of the LCP request. 2769If the peer agrees, both sides will 2770exchange LQR packets at the agreed frequency, allowing detailed link 2771quality monitoring by enabling LQM logging. 2772If the peer doesn't agree, 2773.Nm 2774will send ECHO LQR requests instead. 2775These packets pass no information of interest, but they 2776.Em MUST 2777be replied to by the peer. 2778.Pp 2779Whether using LQR or ECHO LQR, 2780.Nm 2781will abruptly drop the connection if 5 unacknowledged packets have been 2782sent rather than sending a 6th. 2783A message is logged at the 2784.Em PHASE 2785level, and any appropriate 2786.Dq reconnect 2787values are honoured as if the peer were responsible for dropping the 2788connection. 2789.It mppe 2790Default: Enabled and Accepted. 2791This is Microsoft Point to Point Encryption scheme. 2792MPPE key size can be 279340-, 56- and 128-bits. 2794Refer to 2795.Dq set mppe 2796command. 2797.It MSChapV2|chap81 2798Default: Disabled and Accepted. 2799It is very similar to standard CHAP (type 0x05) 2800except that it issues challenges of a fixed 16 bytes in length and uses a 2801combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2802standard MD5 mechanism. 2803.It MSChap|chap80nt 2804Default: Disabled and Accepted. 2805The use of this authentication protocol 2806is discouraged as it partially violates the authentication protocol by 2807implementing two different mechanisms (LANMan & NT) under the guise of 2808a single CHAP type (0x80). 2809It is very similar to standard CHAP (type 0x05) 2810except that it issues challenges of a fixed 8 bytes in length and uses a 2811combination of MD4 and DES to encrypt the challenge rather than using the 2812standard MD5 mechanism. 2813CHAP type 0x80 for LANMan is also supported - see 2814.Dq enable LANMan 2815for details. 2816.Pp 2817Because both 2818.Dq LANMan 2819and 2820.Dq NT 2821use CHAP type 0x80, when acting as authenticator with both 2822.Dq enable Ns No d , 2823.Nm 2824will rechallenge the peer up to three times if it responds using the wrong 2825one of the two protocols. 2826This gives the peer a chance to attempt using both protocols. 2827.Pp 2828Conversely, when 2829.Nm 2830acts as the authenticatee with both protocols 2831.Dq accept Ns No ed , 2832the protocols are used alternately in response to challenges. 2833.Pp 2834Note: If only LANMan is enabled, 2835.Xr pppd 8 2836(version 2.3.5) misbehaves when acting as authenticatee. 2837It provides both 2838the NT and the LANMan answers, but also suggests that only the NT answer 2839should be used. 2840.It pap 2841Default: Disabled and Accepted. 2842PAP stands for Password Authentication Protocol. 2843Only one of PAP and CHAP (above) may be negotiated. 2844With PAP, the ID and Password are sent repeatedly to the peer until 2845authentication is acknowledged or the connection is terminated. 2846This is a rather poor security mechanism. 2847It is only performed when the connection is first established. 2848If you want to have your peer authenticate itself, you must 2849.Dq enable pap . 2850in 2851.Pa /etc/ppp/ppp.conf , 2852and have an entry in 2853.Pa /etc/ppp/ppp.secret 2854for the peer (although see the 2855.Dq passwdauth 2856and 2857.Dq set radius 2858options below). 2859.Pp 2860When using PAP as the client, you need only specify 2861.Dq AuthName 2862and 2863.Dq AuthKey 2864in 2865.Pa /etc/ppp/ppp.conf . 2866PAP is accepted by default. 2867.It pred1 2868Default: Enabled and Accepted. 2869This option decides if Predictor 1 2870compression will be used by the Compression Control Protocol (CCP). 2871.It protocomp 2872Default: Enabled and Accepted. 2873This option is used to negotiate 2874PFC (Protocol Field Compression), a mechanism where the protocol 2875field number is reduced to one octet rather than two. 2876.It shortseq 2877Default: Enabled and Accepted. 2878This option determines if 2879.Nm 2880will request and accept requests for short 2881(12 bit) 2882sequence numbers when negotiating multi-link mode. 2883This is only applicable if our MRRU is set (thus enabling multi-link). 2884.It vjcomp 2885Default: Enabled and Accepted. 2886This option determines if Van Jacobson header compression will be used. 2887.El 2888.Pp 2889The following options are not actually negotiated with the peer. 2890Therefore, accepting or denying them makes no sense. 2891.Bl -tag -width 2n 2892.It filter-decapsulation 2893Default: Disabled. 2894When this option is enabled, 2895.Nm 2896will examine UDP frames to see if they actually contain a 2897.Em PPP 2898frame as their payload. 2899If this is the case, all filters will operate on the payload rather 2900than the actual packet. 2901.Pp 2902This is useful if you want to send PPPoUDP traffic over a 2903.Em PPP 2904link, but want that link to do smart things with the real data rather than 2905the UDP wrapper. 2906.Pp 2907The UDP frame payload must not be compressed in any way, otherwise 2908.Nm 2909will not be able to interpret it. 2910It's therefore recommended that you 2911.Ic disable vj pred1 deflate 2912and 2913.Ic deny vj pred1 deflate 2914in the configuration for the 2915.Nm 2916invocation with the udp link. 2917.It idcheck 2918Default: Enabled. 2919When 2920.Nm 2921exchanges low-level LCP, CCP and IPCP configuration traffic, the 2922.Em Identifier 2923field of any replies is expected to be the same as that of the request. 2924By default, 2925.Nm 2926drops any reply packets that do not contain the expected identifier 2927field, reporting the fact at the respective log level. 2928If 2929.Ar idcheck 2930is disabled, 2931.Nm 2932will ignore the identifier field. 2933.It iface-alias 2934Default: Enabled if 2935.Fl nat 2936is specified. 2937This option simply tells 2938.Nm 2939to add new interface addresses to the interface rather than replacing them. 2940The option can only be enabled if network address translation is enabled 2941.Pq Dq nat enable yes . 2942.Pp 2943With this option enabled, 2944.Nm 2945will pass traffic for old interface addresses through the NAT 2946ifdef({LOCALNAT},{engine,},{engine 2947(see 2948.Xr libalias 3 ) ,}) 2949resulting in the ability (in 2950.Fl auto 2951mode) to properly connect the process that caused the PPP link to 2952come up in the first place. 2953.Pp 2954Disabling NAT with 2955.Dq nat enable no 2956will also disable 2957.Sq iface-alias . 2958.It ipcp 2959Default: Enabled. 2960This option allows 2961.Nm 2962to attempt to negotiate IP control protocol capabilities and if 2963successful to exchange IP datagrams with the peer. 2964.It ipv6cp 2965Default: Enabled. 2966This option allows 2967.Nm 2968to attempt to negotiate IPv6 control protocol capabilities and if 2969successful to exchange IPv6 datagrams with the peer. 2970.It keep-session 2971Default: Disabled. 2972When 2973.Nm 2974runs as a Multi-link server, a different 2975.Nm 2976instance initially receives each connection. 2977After determining that 2978the link belongs to an already existing bundle (controlled by another 2979.Nm 2980invocation), 2981.Nm 2982will transfer the link to that process. 2983.Pp 2984If the link is a tty device or if this option is enabled, 2985.Nm 2986will not exit, but will change its process name to 2987.Dq session owner 2988and wait for the controlling 2989.Nm 2990to finish with the link and deliver a signal back to the idle process. 2991This prevents the confusion that results from 2992.Nm Ns No 's 2993parent considering the link resource available again. 2994.Pp 2995For tty devices that have entries in 2996.Pa /etc/ttys , 2997this is necessary to prevent another 2998.Xr getty 8 2999from being started, and for program links such as 3000.Xr sshd 8 , 3001it prevents 3002.Xr sshd 8 3003from exiting due to the death of its child. 3004As 3005.Nm 3006cannot determine its parents requirements (except for the tty case), this 3007option must be enabled manually depending on the circumstances. 3008.It loopback 3009Default: Enabled. 3010When 3011.Ar loopback 3012is enabled, 3013.Nm 3014will automatically loop back packets being sent 3015out with a destination address equal to that of the 3016.Em PPP 3017interface. 3018If disabled, 3019.Nm 3020will send the packet, probably resulting in an ICMP redirect from 3021the other end. 3022It is convenient to have this option enabled when 3023the interface is also the default route as it avoids the necessity 3024of a loopback route. 3025.It passwdauth 3026Default: Disabled. 3027Enabling this option will tell the PAP authentication 3028code to use the password database (see 3029.Xr passwd 5 ) 3030to authenticate the caller if they cannot be found in the 3031.Pa /etc/ppp/ppp.secret 3032file. 3033.Pa /etc/ppp/ppp.secret 3034is always checked first. 3035If you wish to use passwords from 3036.Xr passwd 5 , 3037but also to specify an IP number or label for a given client, use 3038.Dq \&* 3039as the client password in 3040.Pa /etc/ppp/ppp.secret . 3041.It proxy 3042Default: Disabled. 3043Enabling this option will tell 3044.Nm 3045to proxy ARP for the peer. 3046This means that 3047.Nm 3048will make an entry in the ARP table using 3049.Dv HISADDR 3050and the 3051.Dv MAC 3052address of the local network in which 3053.Dv HISADDR 3054appears. 3055This allows other machines connected to the LAN to talk to 3056the peer as if the peer itself was connected to the LAN. 3057The proxy entry cannot be made unless 3058.Dv HISADDR 3059is an address from a LAN. 3060.It proxyall 3061Default: Disabled. 3062Enabling this will tell 3063.Nm 3064to add proxy arp entries for every IP address in all class C or 3065smaller subnets routed via the tun interface. 3066.Pp 3067Proxy arp entries are only made for sticky routes that are added 3068using the 3069.Dq add 3070command. 3071No proxy arp entries are made for the interface address itself 3072(as created by the 3073.Dq set ifaddr 3074command). 3075.It sroutes 3076Default: Enabled. 3077When the 3078.Dq add 3079command is used with the 3080.Dv HISADDR , 3081.Dv MYADDR , 3082.Dv HISADDR6 3083or 3084.Dv MYADDR6 3085values, entries are stored in the 3086.Sq sticky route 3087list. 3088Each time these variables change, this list is re-applied to the routing table. 3089.Pp 3090Disabling this option will prevent the re-application of sticky routes, 3091although the 3092.Sq stick route 3093list will still be maintained. 3094.It Op tcp Ns Xo 3095.No mssfixup 3096.Xc 3097Default: Enabled. 3098This option tells 3099.Nm 3100to adjust TCP SYN packets so that the maximum receive segment 3101size is not greater than the amount allowed by the interface MTU. 3102.It throughput 3103Default: Enabled. 3104This option tells 3105.Nm 3106to gather throughput statistics. 3107Input and output is sampled over 3108a rolling 5 second window, and current, best and total figures are retained. 3109This data is output when the relevant 3110.Em PPP 3111layer shuts down, and is also available using the 3112.Dq show 3113command. 3114Throughput statistics are available at the 3115.Dq IPCP 3116and 3117.Dq physical 3118levels. 3119.It utmp 3120Default: Enabled. 3121Normally, when a user is authenticated using PAP or CHAP, and when 3122.Nm 3123is running in 3124.Fl direct 3125mode, an entry is made in the utmp and wtmp files for that user. 3126Disabling this option will tell 3127.Nm 3128not to make any utmp or wtmp entries. 3129This is usually only necessary if 3130you require the user to both login and authenticate themselves. 3131.El 3132.Pp 3133.It add Ns Xo 3134.Op !\& 3135.Ar dest Ns Op / Ns Ar nn 3136.Op Ar mask 3137.Op Ar gateway 3138.Xc 3139.Ar Dest 3140is the destination IP address. 3141The netmask is specified either as a number of bits with 3142.Ar /nn 3143or as an IP number using 3144.Ar mask . 3145.Ar 0 0 3146or simply 3147.Ar 0 3148with no mask refers to the default route. 3149It is also possible to use the literal name 3150.Sq default 3151instead of 3152.Ar 0 . 3153.Ar Gateway 3154is the next hop gateway to get to the given 3155.Ar dest 3156machine/network. 3157Refer to the 3158.Xr route 8 3159command for further details. 3160.Pp 3161It is possible to use the symbolic names 3162.Sq MYADDR , 3163.Sq HISADDR , 3164.Sq MYADDR6 3165or 3166.Sq HISADDR6 3167as the destination, and 3168.Sq HISADDR 3169or 3170.Sq HISADDR6 3171as the 3172.Ar gateway . 3173.Sq MYADDR 3174is replaced with the interface IP address, 3175.Sq HISADDR 3176is replaced with the interface IP destination (peer) address, 3177.Sq MYADDR6 3178is replaced with the interface IPv6 address, and 3179.Sq HISADDR6 3180is replaced with the interface IPv6 destination address, 3181.Pp 3182If the 3183.Ar add!\& 3184command is used 3185(note the trailing 3186.Dq !\& ) , 3187then if the route already exists, it will be updated as with the 3188.Sq route change 3189command (see 3190.Xr route 8 3191for further details). 3192.Pp 3193Routes that contain the 3194.Dq HISADDR , 3195.Dq MYADDR , 3196.Dq HISADDR6 , 3197.Dq MYADDR6 , 3198.Dq DNS0 , 3199or 3200.Dq DNS1 3201constants are considered 3202.Sq sticky . 3203They are stored in a list (use 3204.Dq show ncp 3205to see the list), and each time the value of one of these variables 3206changes, the appropriate routing table entries are updated. 3207This facility may be disabled using 3208.Dq disable sroutes . 3209.It allow Ar command Op Ar args 3210This command controls access to 3211.Nm 3212and its configuration files. 3213It is possible to allow user-level access, 3214depending on the configuration file label and on the mode that 3215.Nm 3216is being run in. 3217For example, you may wish to configure 3218.Nm 3219so that only user 3220.Sq fred 3221may access label 3222.Sq fredlabel 3223in 3224.Fl background 3225mode. 3226.Pp 3227User id 0 is immune to these commands. 3228.Bl -tag -width 2n 3229.It allow user Ns Xo 3230.Op s 3231.Ar logname Ns No ... 3232.Xc 3233By default, only user id 0 is allowed access to 3234.Nm . 3235If this command is used, all of the listed users are allowed access to 3236the section in which the 3237.Dq allow users 3238command is found. 3239The 3240.Sq default 3241section is always checked first (even though it is only ever automatically 3242loaded at startup). 3243.Dq allow users 3244commands are cumulative in a given section, but users allowed in any given 3245section override users allowed in the default section, so it's possible to 3246allow users access to everything except a given label by specifying default 3247users in the 3248.Sq default 3249section, and then specifying a new user list for that label. 3250.Pp 3251If user 3252.Sq * 3253is specified, access is allowed to all users. 3254.It allow mode Ns Xo 3255.Op s 3256.Ar mode Ns No ... 3257.Xc 3258By default, access using any 3259.Nm 3260mode is possible. 3261If this command is used, it restricts the access 3262.Ar modes 3263allowed to load the label under which this command is specified. 3264Again, as with the 3265.Dq allow users 3266command, each 3267.Dq allow modes 3268command overrides any previous settings, and the 3269.Sq default 3270section is always checked first. 3271.Pp 3272Possible modes are: 3273.Sq interactive , 3274.Sq auto , 3275.Sq direct , 3276.Sq dedicated , 3277.Sq ddial , 3278.Sq background 3279and 3280.Sq * . 3281.Pp 3282When running in multi-link mode, a section can be loaded if it allows 3283.Em any 3284of the currently existing line modes. 3285.El 3286.Pp 3287.It nat Ar command Op Ar args 3288This command allows the control of the network address translation (also 3289known as masquerading or IP aliasing) facilities that are built into 3290.Nm . 3291NAT is done on the external interface only, and is unlikely to make sense 3292if used with the 3293.Fl direct 3294flag. 3295.Pp 3296If nat is enabled on your system (it may be omitted at compile time), 3297the following commands are possible: 3298.Bl -tag -width 2n 3299.It nat enable yes|no 3300This command either switches network address translation on or turns it off. 3301The 3302.Fl nat 3303command line flag is synonymous with 3304.Dq nat enable yes . 3305.It nat addr Op Ar addr_local addr_alias 3306This command allows data for 3307.Ar addr_alias 3308to be redirected to 3309.Ar addr_local . 3310It is useful if you own a small number of real IP numbers that 3311you wish to map to specific machines behind your gateway. 3312.It nat deny_incoming yes|no 3313If set to yes, this command will refuse all incoming packets where an 3314aliasing link doesn't already exist. 3315ifdef({LOCALNAT},{},{Refer to the 3316.Sx CONCEPTUAL BACKGROUND 3317section of 3318.Xr libalias 3 3319for a description of what an 3320.Dq aliasing link 3321is. 3322})dnl 3323.Pp 3324It should be noted under what circumstances an aliasing link is 3325ifdef({LOCALNAT},{created.},{created by 3326.Xr libalias 3 .}) 3327It may be necessary to further protect your network from outside 3328connections using the 3329.Dq set filter 3330or 3331.Dq nat target 3332commands. 3333.It nat help|? 3334This command gives a summary of available nat commands. 3335.It nat log yes|no 3336This option causes various NAT statistics and information to 3337be logged to the file 3338.Pa /var/log/alias.log . 3339.It nat port Ar proto Ar targetIP Ns Xo 3340.No : Ns Ar targetPort Ns 3341.Oo 3342.No - Ns Ar targetPort 3343.Oc Ar aliasPort Ns 3344.Oo 3345.No - Ns Ar aliasPort 3346.Oc Oo Ar remoteIP : Ns 3347.Ar remotePort Ns 3348.Oo 3349.No - Ns Ar remotePort 3350.Oc Ns 3351.Oc 3352.Xc 3353This command causes incoming 3354.Ar proto 3355connections to 3356.Ar aliasPort 3357to be redirected to 3358.Ar targetPort 3359on 3360.Ar targetIP . 3361.Ar proto 3362is either 3363.Dq tcp 3364or 3365.Dq udp . 3366.Pp 3367A range of port numbers may be specified as shown above. 3368The ranges must be of the same size. 3369.Pp 3370If 3371.Ar remoteIP 3372is specified, only data coming from that IP number is redirected. 3373.Ar remotePort 3374must either be 3375.Dq 0 3376(indicating any source port) 3377or a range of ports the same size as the other ranges. 3378.Pp 3379This option is useful if you wish to run things like Internet phone on 3380machines behind your gateway, but is limited in that connections to only 3381one interior machine per source machine and target port are possible. 3382.It nat proto Ar proto localIP Oo 3383.Ar publicIP Op Ar remoteIP 3384.Oc 3385This command tells 3386.Nm 3387to redirect packets of protocol type 3388.Ar proto 3389(see 3390.Xr protocols 5 ) 3391to the internal address 3392.Ar localIP . 3393.Pp 3394If 3395.Ar publicIP 3396is specified, only packets destined for that address are matched, 3397otherwise the default alias address is used. 3398.Pp 3399If 3400.Ar remoteIP 3401is specified, only packets matching that source address are matched, 3402.Pp 3403This command is useful for redirecting tunnel endpoints to an internal machine, 3404for example: 3405.Pp 3406.Dl nat proto ipencap 10.0.0.1 3407.It "nat proxy cmd" Ar arg Ns No ... 3408This command tells 3409.Nm 3410to proxy certain connections, redirecting them to a given server. 3411ifdef({LOCALNAT},{},{Refer to the description of 3412.Fn PacketAliasProxyRule 3413in 3414.Xr libalias 3 3415for details of the available commands. 3416})dnl 3417.It nat punch_fw Op Ar base count 3418This command tells 3419.Nm 3420to punch holes in the firewall for FTP or IRC DCC connections. 3421This is done dynamically by installing temporary firewall rules which 3422allow a particular connection (and only that connection) to go through 3423the firewall. 3424The rules are removed once the corresponding connection terminates. 3425.Pp 3426A maximum of 3427.Ar count 3428rules starting from rule number 3429.Ar base 3430will be used for punching firewall holes. 3431The range will be cleared when the 3432.Dq nat punch_fw 3433command is run. 3434.Pp 3435If no arguments are given, firewall punching is disabled. 3436.It nat same_ports yes|no 3437When enabled, this command will tell the network address translation engine to 3438attempt to avoid changing the port number on outgoing packets. 3439This is useful 3440if you want to support protocols such as RPC and LPD which require 3441connections to come from a well known port. 3442.It nat target Op Ar address 3443Set the given target address or clear it if no address is given. 3444The target address is used 3445ifdef({LOCALNAT},{},{by libalias })dnl 3446to specify how to NAT incoming packets by default. 3447If a target address is not set or if 3448.Dq default 3449is given, packets are not altered and are allowed to route to the internal 3450network. 3451.Pp 3452The target address may be set to 3453.Dq MYADDR , 3454in which case 3455ifdef({LOCALNAT},{all packets will be redirected}, 3456{libalias will redirect all packets}) 3457to the interface address. 3458.It nat use_sockets yes|no 3459When enabled, this option tells the network address translation engine to 3460create a socket so that it can guarantee a correct incoming ftp data or 3461IRC connection. 3462.It nat unregistered_only yes|no 3463Only alter outgoing packets with an unregistered source address. 3464According to RFC 1918, unregistered source addresses 3465are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3466.El 3467.Pp 3468These commands are also discussed in the file 3469.Pa README.nat 3470which comes with the source distribution. 3471.Pp 3472.It Op !\& Ns Xo 3473.No bg Ar command 3474.Xc 3475The given 3476.Ar command 3477is executed in the background with the following words replaced: 3478.Bl -tag -width COMPILATIONDATE 3479.It Li AUTHNAME 3480This is replaced with the local 3481.Ar authname 3482value. 3483See the 3484.Dq set authname 3485command below. 3486.It Li COMPILATIONDATE 3487This is replaced with the date on which 3488.Nm 3489was compiled. 3490.It Li DNS0 & DNS1 3491These are replaced with the primary and secondary nameserver IP numbers. 3492If nameservers are negotiated by IPCP, the values of these macros will change. 3493.It Li ENDDISC 3494This is replaced with the local endpoint discriminator value. 3495See the 3496.Dq set enddisc 3497command below. 3498.It Li HISADDR 3499This is replaced with the peers IP number. 3500.It Li HISADDR6 3501This is replaced with the peers IPv6 number. 3502.It Li INTERFACE 3503This is replaced with the name of the interface that's in use. 3504.It Li IPOCTETSIN 3505This is replaced with the number of IP bytes received since the connection 3506was established. 3507.It Li IPOCTETSOUT 3508This is replaced with the number of IP bytes sent since the connection 3509was established. 3510.It Li IPPACKETSIN 3511This is replaced with the number of IP packets received since the connection 3512was established. 3513.It Li IPPACKETSOUT 3514This is replaced with the number of IP packets sent since the connection 3515was established. 3516.It Li IPV6OCTETSIN 3517This is replaced with the number of IPv6 bytes received since the connection 3518was established. 3519.It Li IPV6OCTETSOUT 3520This is replaced with the number of IPv6 bytes sent since the connection 3521was established. 3522.It Li IPV6PACKETSIN 3523This is replaced with the number of IPv6 packets received since the connection 3524was established. 3525.It Li IPV6PACKETSOUT 3526This is replaced with the number of IPv6 packets sent since the connection 3527was established. 3528.It Li LABEL 3529This is replaced with the last label name used. 3530A label may be specified on the 3531.Nm 3532command line, via the 3533.Dq load 3534or 3535.Dq dial 3536commands and in the 3537.Pa ppp.secret 3538file. 3539.It Li MYADDR 3540This is replaced with the IP number assigned to the local interface. 3541.It Li MYADDR6 3542This is replaced with the IPv6 number assigned to the local interface. 3543.It Li OCTETSIN 3544This is replaced with the number of bytes received since the connection 3545was established. 3546.It Li OCTETSOUT 3547This is replaced with the number of bytes sent since the connection 3548was established. 3549.It Li PACKETSIN 3550This is replaced with the number of packets received since the connection 3551was established. 3552.It Li PACKETSOUT 3553This is replaced with the number of packets sent since the connection 3554was established. 3555.It Li PEER_ENDDISC 3556This is replaced with the value of the peers endpoint discriminator. 3557.It Li PROCESSID 3558This is replaced with the current process id. 3559.It Li SOCKNAME 3560This is replaced with the name of the diagnostic socket. 3561.It Li UPTIME 3562This is replaced with the bundle uptime in HH:MM:SS format. 3563.It Li USER 3564This is replaced with the username that has been authenticated with PAP or 3565CHAP. 3566Normally, this variable is assigned only in -direct mode. 3567This value is available irrespective of whether utmp logging is enabled. 3568.It Li VERSION 3569This is replaced with the current version number of 3570.Nm . 3571.El 3572.Pp 3573These substitutions are also done by the 3574.Dq set proctitle , 3575.Dq ident 3576and 3577.Dq log 3578commands. 3579.Pp 3580If you wish to pause 3581.Nm 3582while the command executes, use the 3583.Dq shell 3584command instead. 3585.It clear physical|ipcp|ipv6 Op current|overall|peak... 3586Clear the specified throughput values at either the 3587.Dq physical , 3588.Dq ipcp 3589or 3590.Dq ipv6cp 3591level. 3592If 3593.Dq physical 3594is specified, context must be given (see the 3595.Dq link 3596command below). 3597If no second argument is given, all values are cleared. 3598.It clone Ar name Ns Xo 3599.Op \&, Ns Ar name Ns 3600.No ... 3601.Xc 3602Clone the specified link, creating one or more new links according to the 3603.Ar name 3604argument(s). 3605This command must be used from the 3606.Dq link 3607command below unless you've only got a single link (in which case that 3608link becomes the default). 3609Links may be removed using the 3610.Dq remove 3611command below. 3612.Pp 3613The default link name is 3614.Dq deflink . 3615.It close Op lcp|ccp Ns Op !\& 3616If no arguments are given, the relevant protocol layers will be brought 3617down and the link will be closed. 3618If 3619.Dq lcp 3620is specified, the LCP layer is brought down, but 3621.Nm 3622will not bring the link offline. 3623It is subsequently possible to use 3624.Dq term 3625(see below) 3626to talk to the peer machine if, for example, something like 3627.Dq slirp 3628is being used. 3629If 3630.Dq ccp 3631is specified, only the relevant compression layer is closed. 3632If the 3633.Dq !\& 3634is used, the compression layer will remain in the closed state, otherwise 3635it will re-enter the STOPPED state, waiting for the peer to initiate 3636further CCP negotiation. 3637In any event, this command does not disconnect the user from 3638.Nm 3639or exit 3640.Nm . 3641See the 3642.Dq quit 3643command below. 3644.It delete Ns Xo 3645.Op !\& 3646.Ar dest 3647.Xc 3648This command deletes the route with the given 3649.Ar dest 3650IP address. 3651If 3652.Ar dest 3653is specified as 3654.Sq ALL , 3655all non-direct entries in the routing table for the current interface, 3656and all 3657.Sq sticky route 3658entries are deleted. 3659If 3660.Ar dest 3661is specified as 3662.Sq default , 3663the default route is deleted. 3664.Pp 3665If the 3666.Ar delete!\& 3667command is used 3668(note the trailing 3669.Dq !\& ) , 3670.Nm 3671will not complain if the route does not already exist. 3672.It dial|call Op Ar label Ns Xo 3673.No ... 3674.Xc 3675This command is the equivalent of 3676.Dq load label 3677followed by 3678.Dq open , 3679and is provided for backwards compatibility. 3680.It down Op Ar lcp|ccp 3681Bring the relevant layer down ungracefully, as if the underlying layer 3682had become unavailable. 3683It's not considered polite to use this command on 3684a Finite State Machine that's in the OPEN state. 3685If no arguments are 3686supplied, the entire link is closed (or if no context is given, all links 3687are terminated). 3688If 3689.Sq lcp 3690is specified, the 3691.Em LCP 3692layer is terminated but the device is not brought offline and the link 3693is not closed. 3694If 3695.Sq ccp 3696is specified, only the relevant compression layer(s) are terminated. 3697.It help|? Op Ar command 3698Show a list of available commands. 3699If 3700.Ar command 3701is specified, show the usage string for that command. 3702.It ident Op Ar text Ns No ... 3703Identify the link to the peer using 3704.Ar text . 3705If 3706.Ar text 3707is empty, link identification is disabled. 3708It is possible to use any of the words described for the 3709.Ic bg 3710command above. 3711Refer to the 3712.Ic sendident 3713command for details of when 3714.Nm 3715identifies itself to the peer. 3716.It iface Ar command Op args 3717This command is used to control the interface used by 3718.Nm . 3719.Ar Command 3720may be one of the following: 3721.Bl -tag -width 2n 3722.It iface add Ns Xo 3723.Op !\& 3724.Ar addr Ns Op / Ns Ar bits 3725.Op Ar peer 3726.Xc 3727.It iface add Ns Xo 3728.Op !\& 3729.Ar addr 3730.Ar mask 3731.Ar peer 3732.Xc 3733Add the given 3734.Ar addr mask peer 3735combination to the interface. 3736Instead of specifying 3737.Ar mask , 3738.Ar /bits 3739can be used 3740(with no space between it and 3741.Ar addr ) . 3742If the given address already exists, the command fails unless the 3743.Dq !\& 3744is used - in which case the previous interface address entry is overwritten 3745with the new one, allowing a change of netmask or peer address. 3746.Pp 3747If only 3748.Ar addr 3749is specified, 3750.Ar bits 3751defaults to 3752.Dq 32 3753and 3754.Ar peer 3755defaults to 3756.Dq 255.255.255.255 . 3757This address (the broadcast address) is the only duplicate peer address that 3758.Nm 3759allows. 3760.It iface clear Op INET | INET6 3761If this command is used while 3762.Nm 3763is in the OPENED state or while in 3764.Fl auto 3765mode, all addresses except for the NCP negotiated address are deleted 3766from the interface. 3767If 3768.Nm 3769is not in the OPENED state and is not in 3770.Fl auto 3771mode, all interface addresses are deleted. 3772.Pp 3773If the INET or INET6 arguments are used, only addresses for that address 3774family are cleared. 3775.Pp 3776.It iface delete Ns Xo 3777.Op !\& Ns 3778.No |rm Ns Op !\& 3779.Ar addr 3780.Xc 3781This command deletes the given 3782.Ar addr 3783from the interface. 3784If the 3785.Dq !\& 3786is used, no error is given if the address isn't currently assigned to 3787the interface (and no deletion takes place). 3788.It iface show 3789Shows the current state and current addresses for the interface. 3790It is much the same as running 3791.Dq ifconfig INTERFACE . 3792.It iface help Op Ar sub-command 3793This command, when invoked without 3794.Ar sub-command , 3795will show a list of possible 3796.Dq iface 3797sub-commands and a brief synopsis for each. 3798When invoked with 3799.Ar sub-command , 3800only the synopsis for the given sub-command is shown. 3801.El 3802.It Op data Ns Xo 3803.No link 3804.Ar name Ns Op , Ns Ar name Ns 3805.No ... Ar command Op Ar args 3806.Xc 3807This command may prefix any other command if the user wishes to 3808specify which link the command should affect. 3809This is only applicable after multiple links have been created in Multi-link 3810mode using the 3811.Dq clone 3812command. 3813.Pp 3814.Ar Name 3815specifies the name of an existing link. 3816If 3817.Ar name 3818is a comma separated list, 3819.Ar command 3820is executed on each link. 3821If 3822.Ar name 3823is 3824.Dq * , 3825.Ar command 3826is executed on all links. 3827.It load Op Ar label Ns Xo 3828.No ... 3829.Xc 3830Load the given 3831.Ar label Ns No (s) 3832from the 3833.Pa ppp.conf 3834file. 3835If 3836.Ar label 3837is not given, the 3838.Ar default 3839label is used. 3840.Pp 3841Unless the 3842.Ar label 3843section uses the 3844.Dq set mode , 3845.Dq open 3846or 3847.Dq dial 3848commands, 3849.Nm 3850will not attempt to make an immediate connection. 3851.It log Ar word Ns No ... 3852Send the given word(s) to the log file with the prefix 3853.Dq LOG: . 3854Word substitutions are done as explained under the 3855.Dq !bg 3856command above. 3857.It open Op lcp|ccp|ipcp 3858This is the opposite of the 3859.Dq close 3860command. 3861All closed links are immediately brought up apart from second and subsequent 3862.Ar demand-dial 3863links - these will come up based on the 3864.Dq set autoload 3865command that has been used. 3866.Pp 3867If the 3868.Dq lcp 3869argument is used while the LCP layer is already open, LCP will be 3870renegotiated. 3871This allows various LCP options to be changed, after which 3872.Dq open lcp 3873can be used to put them into effect. 3874After renegotiating LCP, 3875any agreed authentication will also take place. 3876.Pp 3877If the 3878.Dq ccp 3879argument is used, the relevant compression layer is opened. 3880Again, if it is already open, it will be renegotiated. 3881.Pp 3882If the 3883.Dq ipcp 3884argument is used, the link will be brought up as normal, but if 3885IPCP is already open, it will be renegotiated and the network 3886interface will be reconfigured. 3887.Pp 3888It is probably not good practice to re-open the PPP state machines 3889like this as it's possible that the peer will not behave correctly. 3890It 3891.Em is 3892however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3893.It passwd Ar pass 3894Specify the password required for access to the full 3895.Nm 3896command set. 3897This password is required when connecting to the diagnostic port (see the 3898.Dq set server 3899command). 3900.Ar Pass 3901is specified on the 3902.Dq set server 3903command line. 3904The value of 3905.Ar pass 3906is not logged when 3907.Ar command 3908logging is active, instead, the literal string 3909.Sq ******** 3910is logged. 3911.It quit|bye Op all 3912If 3913.Dq quit 3914is executed from the controlling connection or from a command file, 3915ppp will exit after closing all connections. 3916Otherwise, if the user 3917is connected to a diagnostic socket, the connection is simply dropped. 3918.Pp 3919If the 3920.Ar all 3921argument is given, 3922.Nm 3923will exit despite the source of the command after closing all existing 3924connections. 3925.It remove|rm 3926This command removes the given link. 3927It is only really useful in multi-link mode. 3928A link must be in the 3929.Dv CLOSED 3930state before it is removed. 3931.It rename|mv Ar name 3932This command renames the given link to 3933.Ar name . 3934It will fail if 3935.Ar name 3936is already used by another link. 3937.Pp 3938The default link name is 3939.Sq deflink . 3940Renaming it to 3941.Sq modem , 3942.Sq cuaa0 3943or 3944.Sq USR 3945may make the log file more readable. 3946.It resolv Ar command 3947This command controls 3948.Nm Ns No 's 3949manipulation of the 3950.Xr resolv.conf 5 3951file. 3952When 3953.Nm 3954starts up, it loads the contents of this file into memory and retains this 3955image for future use. 3956.Ar command 3957is one of the following: 3958.Bl -tag -width readonly 3959.It Em readonly 3960Treat 3961.Pa /etc/resolv.conf 3962as read only. 3963If 3964.Dq dns 3965is enabled, 3966.Nm 3967will still attempt to negotiate nameservers with the peer, making the results 3968available via the 3969.Dv DNS0 3970and 3971.Dv DNS1 3972macros. 3973This is the opposite of the 3974.Dq resolv writable 3975command. 3976.It Em reload 3977Reload 3978.Pa /etc/resolv.conf 3979into memory. 3980This may be necessary if for example a DHCP client overwrote 3981.Pa /etc/resolv.conf . 3982.It Em restore 3983Replace 3984.Pa /etc/resolv.conf 3985with the version originally read at startup or with the last 3986.Dq resolv reload 3987command. 3988This is sometimes a useful command to put in the 3989.Pa /etc/ppp/ppp.linkdown 3990file. 3991.It Em rewrite 3992Rewrite the 3993.Pa /etc/resolv.conf 3994file. 3995This command will work even if the 3996.Dq resolv readonly 3997command has been used. 3998It may be useful as a command in the 3999.Pa /etc/ppp/ppp.linkup 4000file if you wish to defer updating 4001.Pa /etc/resolv.conf 4002until after other commands have finished. 4003.It Em writable 4004Allow 4005.Nm 4006to update 4007.Pa /etc/resolv.conf 4008if 4009.Dq dns 4010is enabled and 4011.Nm 4012successfully negotiates a DNS. 4013This is the opposite of the 4014.Dq resolv readonly 4015command. 4016.El 4017.It save 4018This option is not (yet) implemented. 4019.It sendident 4020This command tells 4021.Nm 4022to identify itself to the peer. 4023The link must be in LCP state or higher. 4024If no identity has been set (via the 4025.Ic ident 4026command), 4027.Ic sendident 4028will fail. 4029.Pp 4030When an identity has been set, 4031.Nm 4032will automatically identify itself when it sends or receives a configure 4033reject, when negotiation fails or when LCP reaches the opened state. 4034.Pp 4035Received identification packets are logged to the LCP log (see 4036.Ic set log 4037for details) and are never responded to. 4038.It set Ns Xo 4039.Op up 4040.Ar var value 4041.Xc 4042This option allows the setting of any of the following variables: 4043.Bl -tag -width 2n 4044.It set accmap Ar hex-value 4045ACCMap stands for Asynchronous Control Character Map. 4046This is always 4047negotiated with the peer, and defaults to a value of 00000000 in hex. 4048This protocol is required to defeat hardware that depends on passing 4049certain characters from end to end (such as XON/XOFF etc). 4050.Pp 4051For the XON/XOFF scenario, use 4052.Dq set accmap 000a0000 . 4053.It set Op auth Ns Xo 4054.No key Ar value 4055.Xc 4056This sets the authentication key (or password) used in client mode 4057PAP or CHAP negotiation to the given value. 4058It also specifies the 4059password to be used in the dial or login scripts in place of the 4060.Sq \eP 4061sequence, preventing the actual password from being logged. 4062If 4063.Ar command 4064or 4065.Ar chat 4066logging is in effect, 4067.Ar value 4068is logged as 4069.Sq ******** 4070for security reasons. 4071.Pp 4072If the first character of 4073.Ar value 4074is an exclamation mark 4075.Pq Dq !\& , 4076.Nm 4077treats the remainder of the string as a program that must be executed 4078to determine the 4079.Dq authname 4080and 4081.Dq authkey 4082values. 4083.Pp 4084If the 4085.Dq !\& 4086is doubled up 4087(to 4088.Dq !! ) , 4089it is treated as a single literal 4090.Dq !\& , 4091otherwise, ignoring the 4092.Dq !\& , 4093.Ar value 4094is parsed as a program to execute in the same was as the 4095.Dq !bg 4096command above, substituting special names in the same manner. 4097Once executed, 4098.Nm 4099will feed the program three lines of input, each terminated by a newline 4100character: 4101.Bl -bullet 4102.It 4103The host name as sent in the CHAP challenge. 4104.It 4105The challenge string as sent in the CHAP challenge. 4106.It 4107The locally defined 4108.Dq authname . 4109.El 4110.Pp 4111Two lines of output are expected: 4112.Bl -bullet 4113.It 4114The 4115.Dq authname 4116to be sent with the CHAP response. 4117.It 4118The 4119.Dq authkey , 4120which is encrypted with the challenge and request id, the answer being sent 4121in the CHAP response packet. 4122.El 4123.Pp 4124When configuring 4125.Nm 4126in this manner, it's expected that the host challenge is a series of ASCII 4127digits or characters. 4128An encryption device or Secure ID card is usually 4129required to calculate the secret appropriate for the given challenge. 4130.It set authname Ar id 4131This sets the authentication id used in client mode PAP or CHAP negotiation. 4132.Pp 4133If used in 4134.Fl direct 4135mode with CHAP enabled, 4136.Ar id 4137is used in the initial authentication challenge and should normally be set to 4138the local machine name. 4139.It set autoload Xo 4140.Ar min-percent max-percent period 4141.Xc 4142These settings apply only in multi-link mode and default to zero, zero and 4143five respectively. 4144When more than one 4145.Ar demand-dial 4146(also known as 4147.Fl auto ) 4148mode link is available, only the first link is made active when 4149.Nm 4150first reads data from the tun device. 4151The next 4152.Ar demand-dial 4153link will be opened only when the current bundle throughput is at least 4154.Ar max-percent 4155percent of the total bundle bandwidth for 4156.Ar period 4157seconds. 4158When the current bundle throughput decreases to 4159.Ar min-percent 4160percent or less of the total bundle bandwidth for 4161.Ar period 4162seconds, a 4163.Ar demand-dial 4164link will be brought down as long as it's not the last active link. 4165.Pp 4166Bundle throughput is measured as the maximum of inbound and outbound 4167traffic. 4168.Pp 4169The default values cause 4170.Ar demand-dial 4171links to simply come up one at a time. 4172.Pp 4173Certain devices cannot determine their physical bandwidth, so it 4174is sometimes necessary to use the 4175.Dq set bandwidth 4176command (described below) to make 4177.Dq set autoload 4178work correctly. 4179.It set bandwidth Ar value 4180This command sets the connection bandwidth in bits per second. 4181.Ar value 4182must be greater than zero. 4183It is currently only used by the 4184.Dq set autoload 4185command above. 4186.It set callback Ar option Ns No ... 4187If no arguments are given, callback is disabled, otherwise, 4188.Nm 4189will request (or in 4190.Fl direct 4191mode, will accept) one of the given 4192.Ar option Ns No s . 4193In client mode, if an 4194.Ar option 4195is NAK'd 4196.Nm 4197will request a different 4198.Ar option , 4199until no options remain at which point 4200.Nm 4201will terminate negotiations (unless 4202.Dq none 4203is one of the specified 4204.Ar option ) . 4205In server mode, 4206.Nm 4207will accept any of the given protocols - but the client 4208.Em must 4209request one of them. 4210If you wish callback to be optional, you must {include} 4211.Ar none 4212as an option. 4213.Pp 4214The 4215.Ar option Ns No s 4216are as follows (in this order of preference): 4217.Bl -tag -width Ds 4218.It auth 4219The callee is expected to decide the callback number based on 4220authentication. 4221If 4222.Nm 4223is the callee, the number should be specified as the fifth field of 4224the peers entry in 4225.Pa /etc/ppp/ppp.secret . 4226.It cbcp 4227Microsoft's callback control protocol is used. 4228See 4229.Dq set cbcp 4230below. 4231.Pp 4232If you wish to negotiate 4233.Ar cbcp 4234in client mode but also wish to allow the server to request no callback at 4235CBCP negotiation time, you must specify both 4236.Ar cbcp 4237and 4238.Ar none 4239as callback options. 4240.It E.164 *| Ns Xo 4241.Ar number Ns Op , Ns Ar number Ns 4242.No ... 4243.Xc 4244The caller specifies the 4245.Ar number . 4246If 4247.Nm 4248is the callee, 4249.Ar number 4250should be either a comma separated list of allowable numbers or a 4251.Dq \&* , 4252meaning any number is permitted. 4253If 4254.Nm 4255is the caller, only a single number should be specified. 4256.Pp 4257Note, this option is very unsafe when used with a 4258.Dq \&* 4259as a malicious caller can tell 4260.Nm 4261to call any (possibly international) number without first authenticating 4262themselves. 4263.It none 4264If the peer does not wish to do callback at all, 4265.Nm 4266will accept the fact and continue without callback rather than terminating 4267the connection. 4268This is required (in addition to one or more other callback 4269options) if you wish callback to be optional. 4270.El 4271.Pp 4272.It set cbcp Oo 4273.No *| Ns Ar number Ns Oo 4274.No , Ns Ar number Ns ...\& Oc 4275.Op Ar delay Op Ar retry 4276.Oc 4277If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4278is disabled - ie, configuring CBCP in the 4279.Dq set callback 4280command will result in 4281.Nm 4282requesting no callback in the CBCP phase. 4283Otherwise, 4284.Nm 4285attempts to use the given phone 4286.Ar number Ns No (s). 4287.Pp 4288In server mode 4289.Pq Fl direct , 4290.Nm 4291will insist that the client uses one of these numbers, unless 4292.Dq \&* 4293is used in which case the client is expected to specify the number. 4294.Pp 4295In client mode, 4296.Nm 4297will attempt to use one of the given numbers (whichever it finds to 4298be agreeable with the peer), or if 4299.Dq \&* 4300is specified, 4301.Nm 4302will expect the peer to specify the number. 4303.It set cd Oo 4304.No off| Ns Ar seconds Ns Op !\& 4305.Oc 4306Normally, 4307.Nm 4308checks for the existence of carrier depending on the type of device 4309that has been opened: 4310.Bl -tag -width XXX -offset XXX 4311.It Terminal Devices 4312Carrier is checked one second after the login script is complete. 4313If it's not set, 4314.Nm 4315assumes that this is because the device doesn't support carrier (which 4316is true for most 4317.Dq laplink 4318NULL-modem cables), logs the fact and stops checking 4319for carrier. 4320.Pp 4321As ptys don't support the 4322.Dv TIOCMGET 4323ioctl, the tty device will switch all 4324carrier detection off when it detects that the device is a pty. 4325.It PPPoE (netgraph) Devices 4326Carrier is checked once per second for 5 seconds. 4327If it's not set after 4328the fifth second, the connection attempt is considered to have failed and 4329the device is closed. 4330Carrier is always required for PPPoE devices. 4331.El 4332.Pp 4333All other device types don't support carrier. 4334Setting a carrier value will 4335result in a warning when the device is opened. 4336.Pp 4337Some modems take more than one second after connecting to assert the carrier 4338signal. 4339If this delay isn't increased, this will result in 4340.Nm Ns No 's 4341inability to detect when the link is dropped, as 4342.Nm 4343assumes that the device isn't asserting carrier. 4344.Pp 4345The 4346.Dq set cd 4347command overrides the default carrier behaviour. 4348.Ar seconds 4349specifies the maximum number of seconds that 4350.Nm 4351should wait after the dial script has finished before deciding if 4352carrier is available or not. 4353.Pp 4354If 4355.Dq off 4356is specified, 4357.Nm 4358will not check for carrier on the device, otherwise 4359.Nm 4360will not proceed to the login script until either carrier is detected 4361or until 4362.Ar seconds 4363has elapsed, at which point 4364.Nm 4365assumes that the device will not set carrier. 4366.Pp 4367If no arguments are given, carrier settings will go back to their default 4368values. 4369.Pp 4370If 4371.Ar seconds 4372is followed immediately by an exclamation mark 4373.Pq Dq !\& , 4374.Nm 4375will 4376.Em require 4377carrier. 4378If carrier is not detected after 4379.Ar seconds 4380seconds, the link will be disconnected. 4381.It set choked Op Ar timeout 4382This sets the number of seconds that 4383.Nm 4384will keep a choked output queue before dropping all pending output packets. 4385If 4386.Ar timeout 4387is less than or equal to zero or if 4388.Ar timeout 4389isn't specified, it is set to the default value of 4390.Em 120 seconds . 4391.Pp 4392A choked output queue occurs when 4393.Nm 4394has read a certain number of packets from the local network for transmission, 4395but cannot send the data due to link failure (the peer is busy etc.). 4396.Nm 4397will not read packets indefinitely. 4398Instead, it reads up to 4399.Em 30 4400packets (or 4401.Em 30 No + 4402.Em nlinks No * 4403.Em 2 4404packets in multi-link mode), then stops reading the network interface 4405until either 4406.Ar timeout 4407seconds have passed or at least one packet has been sent. 4408.Pp 4409If 4410.Ar timeout 4411seconds pass, all pending output packets are dropped. 4412.It set ctsrts|crtscts on|off 4413This sets hardware flow control. 4414Hardware flow control is 4415.Ar on 4416by default. 4417.It set deflate Ar out-winsize Op Ar in-winsize 4418This sets the DEFLATE algorithms default outgoing and incoming window 4419sizes. 4420Both 4421.Ar out-winsize 4422and 4423.Ar in-winsize 4424must be values between 4425.Em 8 4426and 4427.Em 15 . 4428If 4429.Ar in-winsize 4430is specified, 4431.Nm 4432will insist that this window size is used and will not accept any other 4433values from the peer. 4434.It set dns Op Ar primary Op Ar secondary 4435This command specifies DNS overrides for the 4436.Dq accept dns 4437command. 4438Refer to the 4439.Dq accept 4440command description above for details. 4441This command does not affect the IP numbers requested using 4442.Dq enable dns . 4443.It set device|line Xo 4444.Ar value Ns No ... 4445.Xc 4446This sets the device(s) to which 4447.Nm 4448will talk to the given 4449.Dq value . 4450.Pp 4451All serial device names are expected to begin with 4452.Pa /dev/ 4453and are usually called 4454.Pa cuaXX . 4455.Pp 4456If 4457.Dq value 4458does not begin with 4459.Pa /dev/ , 4460it must either begin with an exclamation mark 4461.Pq Dq !\& , 4462be of the format 4463.No PPPoE: Ns Ar iface Ns Xo 4464.Op \&: Ns Ar provider Ns 4465.Xc 4466(on 4467.Xr netgraph 4 4468enabled systems), or be of the format 4469.Sm off 4470.Ar host : port Op /tcp|udp . 4471.Sm on 4472.Pp 4473If it begins with an exclamation mark, the rest of the device name is 4474treated as a program name, and that program is executed when the device 4475is opened. 4476Standard input, output and error are fed back to 4477.Nm 4478and are read and written as if they were a regular device. 4479.Pp 4480If a 4481.No PPPoE: Ns Ar iface Ns Xo 4482.Op \&: Ns Ar provider Ns 4483.Xc 4484specification is given, 4485.Nm 4486will attempt to create a 4487.Em PPP 4488over Ethernet connection using the given 4489.Ar iface 4490interface by using 4491.Xr netgraph 4 . 4492If 4493.Xr netgraph 4 4494is not available, 4495.Nm 4496will attempt to load it using 4497.Xr kldload 2 . 4498If this fails, an external program must be used such as the 4499.Xr pppoe 8 4500program available under 4501.Ox . 4502The given 4503.Ar provider 4504is passed as the service name in the PPPoE Discovery Initiation (PADI) 4505packet. 4506If no provider is given, an empty value will be used. 4507.Pp 4508When a PPPoE connection is established, 4509.Nm 4510will place the name of the Access Concentrator in the environment variable 4511.Ev ACNAME . 4512.Pp 4513Refer to 4514.Xr netgraph 4 4515and 4516.Xr ng_pppoe 4 4517for further details. 4518.Pp 4519If a 4520.Ar host Ns No : Ns Ar port Ns Oo 4521.No /tcp|udp 4522.Oc 4523specification is given, 4524.Nm 4525will attempt to connect to the given 4526.Ar host 4527on the given 4528.Ar port . 4529If a 4530.Dq /tcp 4531or 4532.Dq /udp 4533suffix is not provided, the default is 4534.Dq /tcp . 4535Refer to the section on 4536.Em PPP OVER TCP and UDP 4537above for further details. 4538.Pp 4539If multiple 4540.Dq values 4541are specified, 4542.Nm 4543will attempt to open each one in turn until it succeeds or runs out of 4544devices. 4545.It set dial Ar chat-script 4546This specifies the chat script that will be used to dial the other 4547side. 4548See also the 4549.Dq set login 4550command below. 4551Refer to 4552.Xr chat 8 4553and to the example configuration files for details of the chat script 4554format. 4555It is possible to specify some special 4556.Sq values 4557in your chat script as follows: 4558.Bl -tag -width 2n 4559.It Li \ec 4560When used as the last character in a 4561.Sq send 4562string, this indicates that a newline should not be appended. 4563.It Li \ed 4564When the chat script encounters this sequence, it delays two seconds. 4565.It Li \ep 4566When the chat script encounters this sequence, it delays for one quarter of 4567a second. 4568.It Li \en 4569This is replaced with a newline character. 4570.It Li \er 4571This is replaced with a carriage return character. 4572.It Li \es 4573This is replaced with a space character. 4574.It Li \et 4575This is replaced with a tab character. 4576.It Li \eT 4577This is replaced by the current phone number (see 4578.Dq set phone 4579below). 4580.It Li \eP 4581This is replaced by the current 4582.Ar authkey 4583value (see 4584.Dq set authkey 4585above). 4586.It Li \eU 4587This is replaced by the current 4588.Ar authname 4589value (see 4590.Dq set authname 4591above). 4592.El 4593.Pp 4594Note that two parsers will examine these escape sequences, so in order to 4595have the 4596.Sq chat parser 4597see the escape character, it is necessary to escape it from the 4598.Sq command parser . 4599This means that in practice you should use two escapes, for example: 4600.Bd -literal -offset indent 4601set dial "... ATDT\\\\T CONNECT" 4602.Ed 4603.Pp 4604It is also possible to execute external commands from the chat script. 4605To do this, the first character of the expect or send string is an 4606exclamation mark 4607.Pq Dq !\& . 4608If a literal exclamation mark is required, double it up to 4609.Dq !!\& 4610and it will be treated as a single literal 4611.Dq !\& . 4612When the command is executed, standard input and standard output are 4613directed to the open device (see the 4614.Dq set device 4615command), and standard error is read by 4616.Nm 4617and substituted as the expect or send string. 4618If 4619.Nm 4620is running in interactive mode, file descriptor 3 is attached to 4621.Pa /dev/tty . 4622.Pp 4623For example (wrapped for readability): 4624.Bd -literal -offset indent 4625set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4626word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4627\\"!/bin/echo in\\" HELLO" 4628.Ed 4629.Pp 4630would result in the following chat sequence (output using the 4631.Sq set log local chat 4632command before dialing): 4633.Bd -literal -offset indent 4634Dial attempt 1 of 1 4635dial OK! 4636Chat: Expecting: 4637Chat: Sending: 4638Chat: Expecting: login:--login: 4639Chat: Wait for (5): login: 4640Chat: Sending: ppp 4641Chat: Expecting: word: 4642Chat: Wait for (5): word: 4643Chat: Sending: ppp 4644Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4645Chat: Exec: sh -c "echo -n label: >&2" 4646Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4647Chat: Exec: /bin/echo in 4648Chat: Sending: 4649Chat: Expecting: HELLO 4650Chat: Wait for (5): HELLO 4651login OK! 4652.Ed 4653.Pp 4654Note (again) the use of the escape character, allowing many levels of 4655nesting. 4656Here, there are four parsers at work. 4657The first parses the original line, reading it as three arguments. 4658The second parses the third argument, reading it as 11 arguments. 4659At this point, it is 4660important that the 4661.Dq \&- 4662signs are escaped, otherwise this parser will see them as constituting 4663an expect-send-expect sequence. 4664When the 4665.Dq !\& 4666character is seen, the execution parser reads the first command as three 4667arguments, and then 4668.Xr sh 1 4669itself expands the argument after the 4670.Fl c . 4671As we wish to send the output back to the modem, in the first example 4672we redirect our output to file descriptor 2 (stderr) so that 4673.Nm 4674itself sends and logs it, and in the second example, we just output to stdout, 4675which is attached directly to the modem. 4676.Pp 4677This, of course means that it is possible to execute an entirely external 4678.Dq chat 4679command rather than using the internal one. 4680See 4681.Xr chat 8 4682for a good alternative. 4683.Pp 4684The external command that is executed is subjected to the same special 4685word expansions as the 4686.Dq !bg 4687command. 4688.It set enddisc Op label|IP|MAC|magic|psn value 4689This command sets our local endpoint discriminator. 4690If set prior to LCP negotiation, and if no 4691.Dq disable enddisc 4692command has been used, 4693.Nm 4694will send the information to the peer using the LCP endpoint discriminator 4695option. 4696The following discriminators may be set: 4697.Bl -tag -width indent 4698.It Li label 4699The current label is used. 4700.It Li IP 4701Our local IP number is used. 4702As LCP is negotiated prior to IPCP, it is 4703possible that the IPCP layer will subsequently change this value. 4704If 4705it does, the endpoint discriminator stays at the old value unless manually 4706reset. 4707.It Li MAC 4708This is similar to the 4709.Ar IP 4710option above, except that the MAC address associated with the local IP 4711number is used. 4712If the local IP number is not resident on any Ethernet 4713interface, the command will fail. 4714.Pp 4715As the local IP number defaults to whatever the machine host name is, 4716.Dq set enddisc mac 4717is usually done prior to any 4718.Dq set ifaddr 4719commands. 4720.It Li magic 4721A 20 digit random number is used. 4722Care should be taken when using magic numbers as restarting 4723.Nm 4724or creating a link using a different 4725.Nm 4726invocation will also use a different magic number and will therefore not 4727be recognised by the peer as belonging to the same bundle. 4728This makes it unsuitable for 4729.Fl direct 4730connections. 4731.It Li psn Ar value 4732The given 4733.Ar value 4734is used. 4735.Ar Value 4736should be set to an absolute public switched network number with the 4737country code first. 4738.El 4739.Pp 4740If no arguments are given, the endpoint discriminator is reset. 4741.It set escape Ar value... 4742This option is similar to the 4743.Dq set accmap 4744option above. 4745It allows the user to specify a set of characters that will be 4746.Sq escaped 4747as they travel across the link. 4748.It set filter dial|alive|in|out Ar rule-no Xo 4749.No permit|deny|clear| Ns Ar rule-no 4750.Op !\& 4751.Oo Op host 4752.Ar src_addr Ns Op / Ns Ar width 4753.Op Ar dst_addr Ns Op / Ns Ar width 4754.Oc [ Ns Ar proto 4755.Op src lt|eq|gt Ar port 4756.Op dst lt|eq|gt Ar port 4757.Op estab 4758.Op syn 4759.Op finrst 4760.Op timeout Ar secs ] 4761.Xc 4762.Nm 4763supports four filter sets. 4764The 4765.Em alive 4766filter specifies packets that keep the connection alive - resetting the 4767idle timer. 4768The 4769.Em dial 4770filter specifies packets that cause 4771.Nm 4772to dial when in 4773.Fl auto 4774mode. 4775The 4776.Em in 4777filter specifies packets that are allowed to travel 4778into the machine and the 4779.Em out 4780filter specifies packets that are allowed out of the machine. 4781.Pp 4782Filtering is done prior to any IP alterations that might be done by the 4783NAT engine on outgoing packets and after any IP alterations that might 4784be done by the NAT engine on incoming packets. 4785By default all empty filter sets allow all packets to pass. 4786Rules are processed in order according to 4787.Ar rule-no 4788(unless skipped by specifying a rule number as the 4789.Ar action ) . 4790Up to 40 rules may be given for each set. 4791If a packet doesn't match 4792any of the rules in a given set, it is discarded. 4793In the case of 4794.Em in 4795and 4796.Em out 4797filters, this means that the packet is dropped. 4798In the case of 4799.Em alive 4800filters it means that the packet will not reset the idle timer (even if 4801the 4802.Ar in Ns No / Ns Ar out 4803filter has a 4804.Dq timeout 4805value) and in the case of 4806.Em dial 4807filters it means that the packet will not trigger a dial. 4808A packet failing to trigger a dial will be dropped rather than queued. 4809Refer to the 4810section on 4811.Sx PACKET FILTERING 4812above for further details. 4813.It set hangup Ar chat-script 4814This specifies the chat script that will be used to reset the device 4815before it is closed. 4816It should not normally be necessary, but can 4817be used for devices that fail to reset themselves properly on close. 4818.It set help|? Op Ar command 4819This command gives a summary of available set commands, or if 4820.Ar command 4821is specified, the command usage is shown. 4822.It set ifaddr Oo Ar myaddr Ns 4823.Op / Ns Ar \&nn 4824.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4825.Oo Ar netmask 4826.Op Ar triggeraddr 4827.Oc Oc 4828.Oc 4829This command specifies the IP addresses that will be used during 4830IPCP negotiation. 4831Addresses are specified using the format 4832.Pp 4833.Dl a.b.c.d/nn 4834.Pp 4835Where 4836.Dq a.b.c.d 4837is the preferred IP, but 4838.Ar nn 4839specifies how many bits of the address we will insist on. 4840If 4841.No / Ns Ar nn 4842is omitted, it defaults to 4843.Dq /32 4844unless the IP address is 0.0.0.0 in which case it defaults to 4845.Dq /0 . 4846.Pp 4847If you wish to assign a dynamic IP number to the peer, 4848.Ar hisaddr 4849may also be specified as a range of IP numbers in the format 4850.Bd -ragged -offset indent 4851.Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo 4852.Oc Ns Oo , Ns Ar \&IP Ns 4853.Op \&- Ns Ar \&IP Ns 4854.Oc Ns ... 4855.Xc 4856.Ed 4857.Pp 4858for example: 4859.Pp 4860.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4861.Pp 4862will only negotiate 4863.Dq 10.0.0.1 4864as the local IP number, but may assign any of the given 10 IP 4865numbers to the peer. 4866If the peer requests one of these numbers, 4867and that number is not already in use, 4868.Nm 4869will grant the peers request. 4870This is useful if the peer wants 4871to re-establish a link using the same IP number as was previously 4872allocated (thus maintaining any existing tcp or udp connections). 4873.Pp 4874If the peer requests an IP number that's either outside 4875of this range or is already in use, 4876.Nm 4877will suggest a random unused IP number from the range. 4878.Pp 4879If 4880.Ar triggeraddr 4881is specified, it is used in place of 4882.Ar myaddr 4883in the initial IPCP negotiation. 4884However, only an address in the 4885.Ar myaddr 4886range will be accepted. 4887This is useful when negotiating with some 4888.Dv PPP 4889implementations that will not assign an IP number unless their peer 4890requests 4891.Dq 0.0.0.0 . 4892.Pp 4893It should be noted that in 4894.Fl auto 4895mode, 4896.Nm 4897will configure the interface immediately upon reading the 4898.Dq set ifaddr 4899line in the config file. 4900In any other mode, these values are just 4901used for IPCP negotiations, and the interface isn't configured 4902until the IPCP layer is up. 4903.Pp 4904Note that the 4905.Ar HISADDR 4906argument may be overridden by the third field in the 4907.Pa ppp.secret 4908file once the client has authenticated itself 4909(if PAP or CHAP are 4910.Dq enabled ) . 4911Refer to the 4912.Sx AUTHENTICATING INCOMING CONNECTIONS 4913section for details. 4914.Pp 4915In all cases, if the interface is already configured, 4916.Nm 4917will try to maintain the interface IP numbers so that any existing 4918bound sockets will remain valid. 4919.It set ifqueue Ar packets 4920Set the maximum number of packets that 4921.Nm 4922will read from the tunnel interface while data cannot be sent to any of 4923the available links. 4924This queue limit is necessary to flow control outgoing data as the tunnel 4925interface is likely to be far faster than the combined links available to 4926.Nm . 4927.Pp 4928If 4929.Ar packets 4930is set to a value less than the number of links, 4931.Nm 4932will read up to that value regardless. 4933This prevents any possible latency problems. 4934.Pp 4935The default value for 4936.Ar packets 4937is 4938.Dq 30 . 4939.It set ccpretry|ccpretries Oo Ar timeout 4940.Op Ar reqtries Op Ar trmtries 4941.Oc 4942.It set chapretry|chapretries Oo Ar timeout 4943.Op Ar reqtries 4944.Oc 4945.It set ipcpretry|ipcpretries Oo Ar timeout 4946.Op Ar reqtries Op Ar trmtries 4947.Oc 4948.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 4949.Op Ar reqtries Op Ar trmtries 4950.Oc 4951.It set lcpretry|lcpretries Oo Ar timeout 4952.Op Ar reqtries Op Ar trmtries 4953.Oc 4954.It set papretry|papretries Oo Ar timeout 4955.Op Ar reqtries 4956.Oc 4957These commands set the number of seconds that 4958.Nm 4959will wait before resending Finite State Machine (FSM) Request packets. 4960The default 4961.Ar timeout 4962for all FSMs is 3 seconds (which should suffice in most cases). 4963.Pp 4964If 4965.Ar reqtries 4966is specified, it tells 4967.Nm 4968how many configuration request attempts it should make while receiving 4969no reply from the peer before giving up. 4970The default is 5 attempts for 4971CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4972.Pp 4973If 4974.Ar trmtries 4975is specified, it tells 4976.Nm 4977how many terminate requests should be sent before giving up waiting for the 4978peers response. 4979The default is 3 attempts. 4980Authentication protocols are 4981not terminated and it is therefore invalid to specify 4982.Ar trmtries 4983for PAP or CHAP. 4984.Pp 4985In order to avoid negotiations with the peer that will never converge, 4986.Nm 4987will only send at most 3 times the configured number of 4988.Ar reqtries 4989in any given negotiation session before giving up and closing that layer. 4990.It set log Xo 4991.Op local 4992.Op +|- Ns 4993.Ar value Ns No ... 4994.Xc 4995This command allows the adjustment of the current log level. 4996Refer to the Logging Facility section for further details. 4997.It set login Ar chat-script 4998This 4999.Ar chat-script 5000complements the dial-script. 5001If both are specified, the login 5002script will be executed after the dial script. 5003Escape sequences available in the dial script are also available here. 5004.It set logout Ar chat-script 5005This specifies the chat script that will be used to logout 5006before the hangup script is called. 5007It should not normally be necessary. 5008.It set lqrperiod Ar frequency 5009This command sets the 5010.Ar frequency 5011in seconds at which 5012.Em LQR 5013or 5014.Em ECHO LQR 5015packets are sent. 5016The default is 30 seconds. 5017You must also use the 5018.Dq enable lqr 5019command if you wish to send LQR requests to the peer. 5020.It set mode Ar interactive|auto|ddial|background 5021This command allows you to change the 5022.Sq mode 5023of the specified link. 5024This is normally only useful in multi-link mode, 5025but may also be used in uni-link mode. 5026.Pp 5027It is not possible to change a link that is 5028.Sq direct 5029or 5030.Sq dedicated . 5031.Pp 5032Note: If you issue the command 5033.Dq set mode auto , 5034and have network address translation enabled, it may be useful to 5035.Dq enable iface-alias 5036afterwards. 5037This will allow 5038.Nm 5039to do the necessary address translations to enable the process that 5040triggers the connection to connect once the link is up despite the 5041peer assigning us a new (dynamic) IP address. 5042.It set mppe Op 40|56|128|* Op stateless|stateful|* 5043This option selects the encryption parameters used when negotiation 5044MPPE. 5045MPPE can be disabled entirely with the 5046.Dq disable mppe 5047command. 5048If no arguments are given, 5049.Nm 5050will attempt to negotiate a stateful link with a 128 bit key, but 5051will agree to whatever the peer requests (including no encryption 5052at all). 5053.Pp 5054If any arguments are given, 5055.Nm 5056will 5057.Em insist 5058on using MPPE and will close the link if it's rejected by the peer (Note; 5059this behaviour can be overridden by a configured RADIUS server). 5060.Pp 5061The first argument specifies the number of bits that 5062.Nm 5063should insist on during negotiations and the second specifies whether 5064.Nm 5065should insist on stateful or stateless mode. 5066In stateless mode, the 5067encryption dictionary is re-initialised with every packet according to 5068an encryption key that is changed with every packet. 5069In stateful mode, 5070the encryption dictionary is re-initialised every 256 packets or after 5071the loss of any data and the key is changed every 256 packets. 5072Stateless mode is less efficient but is better for unreliable transport 5073layers. 5074.It set mrru Op Ar value 5075Setting this option enables Multi-link PPP negotiations, also known as 5076Multi-link Protocol or MP. 5077There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5078If no argument is given, multi-link mode is disabled. 5079.It set mru Xo 5080.Op max Ns Op imum 5081.Op Ar value 5082.Xc 5083The default MRU (Maximum Receive Unit) is 1500. 5084If it is increased, the other side *may* increase its MTU. 5085In theory there is no point in decreasing the MRU to below the default as the 5086.Em PPP 5087protocol says implementations *must* be able to accept packets of at 5088least 1500 octets. 5089.Pp 5090If the 5091.Dq maximum 5092keyword is used, 5093.Nm 5094will refuse to negotiate a higher value. 5095The maximum MRU can be set to 2048 at most. 5096Setting a maximum of less than 1500 violates the 5097.Em PPP 5098rfc, but may sometimes be necessary. 5099For example, 5100.Em PPPoE 5101imposes a maximum of 1492 due to hardware limitations. 5102.Pp 5103If no argument is given, 1500 is assumed. 5104A value must be given when 5105.Dq maximum 5106is specified. 5107.It set mtu Xo 5108.Op max Ns Op imum 5109.Op Ar value 5110.Xc 5111The default MTU is 1500. 5112At negotiation time, 5113.Nm 5114will accept whatever MRU the peer requests (assuming it's 5115not less than 296 bytes or greater than the assigned maximum). 5116If the MTU is set, 5117.Nm 5118will not accept MRU values less than 5119.Ar value . 5120When negotiations are complete, the MTU is used when writing to the 5121interface, even if the peer requested a higher value MRU. 5122This can be useful for 5123limiting your packet size (giving better bandwidth sharing at the expense 5124of more header data). 5125.Pp 5126If the 5127.Dq maximum 5128keyword is used, 5129.Nm 5130will refuse to negotiate a higher value. 5131The maximum MTU can be set to 2048 at most. 5132.Pp 5133If no 5134.Ar value 5135is given, 1500, or whatever the peer asks for is used. 5136A value must be given when 5137.Dq maximum 5138is specified. 5139.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5140This option allows the setting of the Microsoft NetBIOS name server 5141values to be returned at the peers request. 5142If no values are given, 5143.Nm 5144will reject any such requests. 5145.It set openmode active|passive Op Ar delay 5146By default, 5147.Ar openmode 5148is always 5149.Ar active 5150with a one second 5151.Ar delay . 5152That is, 5153.Nm 5154will always initiate LCP/IPCP/CCP negotiation one second after the line 5155comes up. 5156If you want to wait for the peer to initiate negotiations, you 5157can use the value 5158.Ar passive . 5159If you want to initiate negotiations immediately or after more than one 5160second, the appropriate 5161.Ar delay 5162may be specified here in seconds. 5163.It set parity odd|even|none|mark 5164This allows the line parity to be set. 5165The default value is 5166.Ar none . 5167.It set phone Ar telno Ns Xo 5168.Oo \&| Ns Ar backupnumber 5169.Oc Ns ... Ns Oo : Ns Ar nextnumber 5170.Oc Ns ... 5171.Xc 5172This allows the specification of the phone number to be used in 5173place of the \\\\T string in the dial and login chat scripts. 5174Multiple phone numbers may be given separated either by a pipe 5175.Pq Dq \&| 5176or a colon 5177.Pq Dq \&: . 5178.Pp 5179Numbers after the pipe are only dialed if the dial or login 5180script for the previous number failed. 5181.Pp 5182Numbers after the colon are tried sequentially, irrespective of 5183the reason the line was dropped. 5184.Pp 5185If multiple numbers are given, 5186.Nm 5187will dial them according to these rules until a connection is made, retrying 5188the maximum number of times specified by 5189.Dq set redial 5190below. 5191In 5192.Fl background 5193mode, each number is attempted at most once. 5194.It set Op proc Ns Xo 5195.No title Op Ar value 5196.Xc 5197The current process title as displayed by 5198.Xr ps 1 5199is changed according to 5200.Ar value . 5201If 5202.Ar value 5203is not specified, the original process title is restored. 5204All the 5205word replacements done by the shell commands (see the 5206.Dq bg 5207command above) are done here too. 5208.Pp 5209Note, if USER is required in the process title, the 5210.Dq set proctitle 5211command must appear in 5212.Pa ppp.linkup , 5213as it is not known when the commands in 5214.Pa ppp.conf 5215are executed. 5216.It set radius Op Ar config-file 5217This command enables RADIUS support (if it's compiled in). 5218.Ar config-file 5219refers to the radius client configuration file as described in 5220.Xr radius.conf 5 . 5221If PAP, CHAP, MSCHAP or MSCHAPv2 are 5222.Dq enable Ns No d , 5223.Nm 5224behaves as a 5225.Em \&N Ns No etwork 5226.Em \&A Ns No ccess 5227.Em \&S Ns No erver 5228and uses the configured RADIUS server to authenticate rather than 5229authenticating from the 5230.Pa ppp.secret 5231file or from the passwd database. 5232.Pp 5233If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5234.Dq set radius 5235will do nothing. 5236.Pp 5237.Nm 5238uses the following attributes from the RADIUS reply: 5239.Bl -tag -width XXX -offset XXX 5240.It RAD_FRAMED_IP_ADDRESS 5241The peer IP address is set to the given value. 5242.It RAD_FRAMED_IP_NETMASK 5243The tun interface netmask is set to the given value. 5244.It RAD_FRAMED_MTU 5245If the given MTU is less than the peers MRU as agreed during LCP 5246negotiation, *and* it is less that any configured MTU (see the 5247.Dq set mru 5248command), the tun interface MTU is set to the given value. 5249.It RAD_FRAMED_COMPRESSION 5250If the received compression type is 5251.Dq 1 , 5252.Nm 5253will request VJ compression during IPCP negotiations despite any 5254.Dq disable vj 5255configuration command. 5256.It RAD_FILTER_ID 5257If this attribute is supplied, 5258.Nm 5259will attempt to use it as an additional label to load from the 5260.Pa ppp.linkup 5261and 5262.Pa ppp.linkdown 5263files. 5264The load will be attempted before (and in addition to) the normal 5265label search. 5266If the label doesn't exist, no action is taken and 5267.Nm 5268proceeds to the normal load using the current label. 5269.It RAD_FRAMED_ROUTE 5270The received string is expected to be in the format 5271.Ar dest Ns Op / Ns Ar bits 5272.Ar gw 5273.Op Ar metrics . 5274Any specified metrics are ignored. 5275.Dv MYADDR 5276and 5277.Dv HISADDR 5278are understood as valid values for 5279.Ar dest 5280and 5281.Ar gw , 5282.Dq default 5283can be used for 5284.Ar dest 5285to specify the default route, and 5286.Dq 0.0.0.0 5287is understood to be the same as 5288.Dq default 5289for 5290.Ar dest 5291and 5292.Dv HISADDR 5293for 5294.Ar gw . 5295.Pp 5296For example, a returned value of 5297.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5298would result in a routing table entry to the 1.2.3.0/24 network via 5299.Dv HISADDR 5300and a returned value of 5301.Dq 0.0.0.0 0.0.0.0 5302or 5303.Dq default HISADDR 5304would result in a default route to 5305.Dv HISADDR . 5306.Pp 5307All RADIUS routes are applied after any sticky routes are applied, making 5308RADIUS routes override configured routes. 5309This also applies for RADIUS routes that don't {include} the 5310.Dv MYADDR 5311or 5312.Dv HISADDR 5313keywords. 5314.Pp 5315.It RAD_SESSION_TIMEOUT 5316If supplied, the client connection is closed after the given number of 5317seconds. 5318.It RAD_REPLY_MESSAGE 5319If supplied, this message is passed back to the peer as the authentication 5320SUCCESS text. 5321.It RAD_MICROSOFT_MS_CHAP_ERROR 5322If this 5323.Dv RAD_VENDOR_MICROSOFT 5324vendor specific attribute is supplied, it is passed back to the peer as the 5325authentication FAILURE text. 5326.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5327If this 5328.Dv RAD_VENDOR_MICROSOFT 5329vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5330being used, it is passed back to the peer as the authentication SUCCESS text. 5331.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5332If this 5333.Dv RAD_VENDOR_MICROSOFT 5334vendor specific attribute is supplied and has a value of 2 (Required), 5335.Nm 5336will insist that MPPE encryption is used (even if no 5337.Dq set mppe 5338configuration command has been given with arguments). 5339If it is supplied with a value of 1 (Allowed), encryption is made optional 5340(despite any 5341.Dq set mppe 5342configuration commands with arguments). 5343.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5344If this 5345.Dv RAD_VENDOR_MICROSOFT 5346vendor specific attribute is supplied, bits 1 and 2 are examined. 5347If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5348options are set, overriding any given first argument to the 5349.Dq set mppe 5350command. 5351Note, it is not currently possible for the RADIUS server to specify 56 bit 5352encryption. 5353.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5354If this 5355.Dv RAD_VENDOR_MICROSOFT 5356vendor specific attribute is supplied, it's value is used as the master 5357key for decryption of incoming data. When clients are authenticated using 5358MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5359to function. 5360.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5361If this 5362.Dv RAD_VENDOR_MICROSOFT 5363vendor specific attribute is supplied, it's value is used as the master 5364key for encryption of outgoing data. When clients are authenticated using 5365MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5366to function. 5367.El 5368.Pp 5369Values received from the RADIUS server may be viewed using 5370.Dq show bundle . 5371.It set reconnect Ar timeout ntries 5372Should the line drop unexpectedly (due to loss of CD or LQR 5373failure), a connection will be re-established after the given 5374.Ar timeout . 5375The line will be re-connected at most 5376.Ar ntries 5377times. 5378.Ar Ntries 5379defaults to zero. 5380A value of 5381.Ar random 5382for 5383.Ar timeout 5384will result in a variable pause, somewhere between 1 and 30 seconds. 5385.It set recvpipe Op Ar value 5386This sets the routing table RECVPIPE value. 5387The optimum value is just over twice the MTU value. 5388If 5389.Ar value 5390is unspecified or zero, the default kernel controlled value is used. 5391.It set redial Ar secs Ns Xo 5392.Oo + Ns Ar inc Ns 5393.Op - Ns Ar max Ns 5394.Oc Ns Op . Ns Ar next 5395.Op Ar attempts 5396.Xc 5397.Nm 5398can be instructed to attempt to redial 5399.Ar attempts 5400times. 5401If more than one phone number is specified (see 5402.Dq set phone 5403above), a pause of 5404.Ar next 5405is taken before dialing each number. 5406A pause of 5407.Ar secs 5408is taken before starting at the first number again. 5409A literal value of 5410.Dq Li random 5411may be used here in place of 5412.Ar secs 5413and 5414.Ar next , 5415causing a random delay of between 1 and 30 seconds. 5416.Pp 5417If 5418.Ar inc 5419is specified, its value is added onto 5420.Ar secs 5421each time 5422.Nm 5423tries a new number. 5424.Ar secs 5425will only be incremented at most 5426.Ar max 5427times. 5428.Ar max 5429defaults to 10. 5430.Pp 5431Note, the 5432.Ar secs 5433delay will be effective, even after 5434.Ar attempts 5435has been exceeded, so an immediate manual dial may appear to have 5436done nothing. 5437If an immediate dial is required, a 5438.Dq !\& 5439should immediately follow the 5440.Dq open 5441keyword. 5442See the 5443.Dq open 5444description above for further details. 5445.It set sendpipe Op Ar value 5446This sets the routing table SENDPIPE value. 5447The optimum value is just over twice the MTU value. 5448If 5449.Ar value 5450is unspecified or zero, the default kernel controlled value is used. 5451.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5452.Ar LocalName Ns No |none|open|closed 5453.Op password Op Ar mask 5454.Xc 5455This command tells 5456.Nm 5457to listen on the given socket or 5458.Sq diagnostic port 5459for incoming command connections. 5460.Pp 5461The word 5462.Dq none 5463instructs 5464.Nm 5465to close any existing socket and clear the socket configuration. 5466The word 5467.Dq open 5468instructs 5469.Nm 5470to attempt to re-open the port. 5471The word 5472.Dq closed 5473instructs 5474.Nm 5475to close the open port. 5476.Pp 5477If you wish to specify a local domain socket, 5478.Ar LocalName 5479must be specified as an absolute file name, otherwise it is assumed 5480to be the name or number of a TCP port. 5481You may specify the octal umask to be used with a local domain socket. 5482Refer to 5483.Xr umask 2 5484for umask details. 5485Refer to 5486.Xr services 5 5487for details of how to translate TCP port names. 5488.Pp 5489You must also specify the password that must be entered by the client 5490(using the 5491.Dq passwd 5492variable above) when connecting to this socket. 5493If the password is 5494specified as an empty string, no password is required for connecting clients. 5495.Pp 5496When specifying a local domain socket, the first 5497.Dq %d 5498sequence found in the socket name will be replaced with the current 5499interface unit number. 5500This is useful when you wish to use the same 5501profile for more than one connection. 5502.Pp 5503In a similar manner TCP sockets may be prefixed with the 5504.Dq + 5505character, in which case the current interface unit number is added to 5506the port number. 5507.Pp 5508When using 5509.Nm 5510with a server socket, the 5511.Xr pppctl 8 5512command is the preferred mechanism of communications. 5513Currently, 5514.Xr telnet 1 5515can also be used, but link encryption may be implemented in the future, so 5516.Xr telnet 1 5517should be avoided. 5518.Pp 5519Note; 5520.Dv SIGUSR1 5521and 5522.Dv SIGUSR2 5523interact with the diagnostic socket. 5524.It set speed Ar value 5525This sets the speed of the serial device. 5526If speed is specified as 5527.Dq sync , 5528.Nm 5529treats the device as a synchronous device. 5530.Pp 5531Certain device types will know whether they should be specified as 5532synchronous or asynchronous. 5533These devices will override incorrect 5534settings and log a warning to this effect. 5535.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5536If this option is set, 5537.Nm 5538will time out after the given FSM (Finite State Machine) has been in 5539the stopped state for the given number of 5540.Dq seconds . 5541This option may be useful if the peer sends a terminate request, 5542but never actually closes the connection despite our sending a terminate 5543acknowledgement. 5544This is also useful if you wish to 5545.Dq set openmode passive 5546and time out if the peer doesn't send a Configure Request within the 5547given time. 5548Use 5549.Dq set log +lcp +ccp 5550to make 5551.Nm 5552log the appropriate state transitions. 5553.Pp 5554The default value is zero, where 5555.Nm 5556doesn't time out in the stopped state. 5557.Pp 5558This value should not be set to less than the openmode delay (see 5559.Dq set openmode 5560above). 5561.It set timeout Ar idleseconds Op Ar mintimeout 5562This command allows the setting of the idle timer. 5563Refer to the section titled 5564.Sx SETTING THE IDLE TIMER 5565for further details. 5566.Pp 5567If 5568.Ar mintimeout 5569is specified, 5570.Nm 5571will never idle out before the link has been up for at least that number 5572of seconds. 5573.It set urgent Xo 5574.Op tcp|udp|none 5575.Oo Op +|- Ns 5576.Ar port 5577.Oc No ... 5578.Xc 5579This command controls the ports that 5580.Nm 5581prioritizes when transmitting data. 5582The default priority TCP ports 5583are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5584543 (klogin) and 544 (kshell). 5585There are no priority UDP ports by default. 5586See 5587.Xr services 5 5588for details. 5589.Pp 5590If neither 5591.Dq tcp 5592or 5593.Dq udp 5594are specified, 5595.Dq tcp 5596is assumed. 5597.Pp 5598If no 5599.Ar port Ns No s 5600are given, the priority port lists are cleared (although if 5601.Dq tcp 5602or 5603.Dq udp 5604is specified, only that list is cleared). 5605If the first 5606.Ar port 5607argument is prefixed with a plus 5608.Pq Dq \&+ 5609or a minus 5610.Pq Dq \&- , 5611the current list is adjusted, otherwise the list is reassigned. 5612.Ar port Ns No s 5613prefixed with a plus or not prefixed at all are added to the list and 5614.Ar port Ns No s 5615prefixed with a minus are removed from the list. 5616.Pp 5617If 5618.Dq none 5619is specified, all priority port lists are disabled and even 5620.Dv IPTOS_LOWDELAY 5621packets are not prioritised. 5622.It set vj slotcomp on|off 5623This command tells 5624.Nm 5625whether it should attempt to negotiate VJ slot compression. 5626By default, slot compression is turned 5627.Ar on . 5628.It set vj slots Ar nslots 5629This command sets the initial number of slots that 5630.Nm 5631will try to negotiate with the peer when VJ compression is enabled (see the 5632.Sq enable 5633command above). 5634It defaults to a value of 16. 5635.Ar Nslots 5636must be between 5637.Ar 4 5638and 5639.Ar 16 5640inclusive. 5641.El 5642.Pp 5643.It shell|! Op Ar command 5644If 5645.Ar command 5646is not specified a shell is invoked according to the 5647.Dv SHELL 5648environment variable. 5649Otherwise, the given 5650.Ar command 5651is executed. 5652Word replacement is done in the same way as for the 5653.Dq !bg 5654command as described above. 5655.Pp 5656Use of the ! character 5657requires a following space as with any of the other commands. 5658You should note that this command is executed in the foreground; 5659.Nm 5660will not continue running until this process has exited. 5661Use the 5662.Dv bg 5663command if you wish processing to happen in the background. 5664.It show Ar var 5665This command allows the user to examine the following: 5666.Bl -tag -width 2n 5667.It show bundle 5668Show the current bundle settings. 5669.It show ccp 5670Show the current CCP compression statistics. 5671.It show compress 5672Show the current VJ compression statistics. 5673.It show escape 5674Show the current escape characters. 5675.It show filter Op Ar name 5676List the current rules for the given filter. 5677If 5678.Ar name 5679is not specified, all filters are shown. 5680.It show hdlc 5681Show the current HDLC statistics. 5682.It show help|? 5683Give a summary of available show commands. 5684.It show iface 5685Show the current interface information 5686(the same as 5687.Dq iface show ) . 5688.It show ipcp 5689Show the current IPCP statistics. 5690.It show layers 5691Show the protocol layers currently in use. 5692.It show lcp 5693Show the current LCP statistics. 5694.It show Op data Ns Xo 5695.No link 5696.Xc 5697Show high level link information. 5698.It show links 5699Show a list of available logical links. 5700.It show log 5701Show the current log values. 5702.It show mem 5703Show current memory statistics. 5704.It show ncp 5705Show the current NCP statistics. 5706.It show physical 5707Show low level link information. 5708.It show mp 5709Show Multi-link information. 5710.It show proto 5711Show current protocol totals. 5712.It show route 5713Show the current routing tables. 5714.It show stopped 5715Show the current stopped timeouts. 5716.It show timer 5717Show the active alarm timers. 5718.It show version 5719Show the current version number of 5720.Nm . 5721.El 5722.Pp 5723.It term 5724Go into terminal mode. 5725Characters typed at the keyboard are sent to the device. 5726Characters read from the device are displayed on the screen. 5727When a remote 5728.Em PPP 5729peer is detected, 5730.Nm 5731automatically enables Packet Mode and goes back into command mode. 5732.El 5733.Sh MORE DETAILS 5734.Bl -bullet 5735.It 5736Read the example configuration files. 5737They are a good source of information. 5738.It 5739Use 5740.Dq help , 5741.Dq nat \&? , 5742.Dq enable \&? , 5743.Dq set ?\& 5744and 5745.Dq show ?\& 5746to get online information about what's available. 5747.It 5748The following URLs contain useful information: 5749.Bl -bullet -compact 5750.It 5751.Pa http://www.dragonflybsd.org/docs/handbook/handbook-userppp/ 5752.El 5753.El 5754.Sh FILES 5755.Nm 5756refers to four files: 5757.Pa ppp.conf , 5758.Pa ppp.linkup , 5759.Pa ppp.linkdown 5760and 5761.Pa ppp.secret . 5762These files are placed in the 5763.Pa /etc/ppp 5764directory. 5765.Bl -tag -width 2n 5766.It Pa /etc/ppp/ppp.conf 5767System default configuration file. 5768.It Pa /etc/ppp/ppp.secret 5769An authorisation file for each system. 5770.It Pa /etc/ppp/ppp.linkup 5771A file to check when 5772.Nm 5773establishes a network level connection. 5774.It Pa /etc/ppp/ppp.linkdown 5775A file to check when 5776.Nm 5777closes a network level connection. 5778.It Pa /var/log/ppp.log 5779Logging and debugging information file. 5780Note, this name is specified in 5781.Pa /etc/syslog.conf . 5782See 5783.Xr syslog.conf 5 5784for further details. 5785.It Pa /var/spool/lock/LCK..* 5786tty port locking file. 5787Refer to 5788.Xr uucplock 3 5789for further details. 5790.It Pa /var/run/tunN.pid 5791The process id (pid) of the 5792.Nm 5793program connected to the tunN device, where 5794.Sq N 5795is the number of the device. 5796.It Pa /var/run/ttyXX.if 5797The tun interface used by this port. 5798Again, this file is only created in 5799.Fl background , 5800.Fl auto 5801and 5802.Fl ddial 5803modes. 5804.It Pa /etc/services 5805Get port number if port number is using service name. 5806.It Pa /var/run/ppp-authname-class-value 5807In multi-link mode, local domain sockets are created using the peer 5808authentication name 5809.Pq Sq authname , 5810the peer endpoint discriminator class 5811.Pq Sq class 5812and the peer endpoint discriminator value 5813.Pq Sq value . 5814As the endpoint discriminator value may be a binary value, it is turned 5815to HEX to determine the actual file name. 5816.Pp 5817This socket is used to pass links between different instances of 5818.Nm . 5819.El 5820.Sh SEE ALSO 5821.Xr at 1 , 5822.Xr ftp 1 , 5823.Xr gzip 1 , 5824.Xr hostname 1 , 5825.Xr login 1 , 5826.Xr tcpdump 1 , 5827.Xr telnet 1 , 5828.Xr kldload 2 , 5829ifdef({LOCALNAT},{},{.Xr libalias 3 , 5830})dnl 5831ifdef({LOCALRAD},{},{.Xr libradius 3 , 5832})dnl 5833.Xr syslog 3 , 5834.Xr uucplock 3 , 5835.Xr netgraph 4 , 5836.Xr ng_pppoe 4 , 5837.Xr crontab 5 , 5838.Xr group 5 , 5839.Xr passwd 5 , 5840.Xr protocols 5 , 5841.Xr radius.conf 5 , 5842.Xr resolv.conf 5 , 5843.Xr syslog.conf 5 , 5844.Xr adduser 8 , 5845.Xr chat 8 , 5846.Xr getty 8 , 5847.Xr inetd 8 , 5848.Xr init 8 , 5849.Xr named 8 , 5850.Xr ping 8 , 5851.Xr pppctl 8 , 5852.Xr pppd 8 , 5853.Xr pppoe 8 , 5854.Xr route 8 , 5855.Xr sshd 8 , 5856.Xr syslogd 8 , 5857.Xr traceroute 8 , 5858.Xr vipw 8 5859.Sh HISTORY 5860This program was originally written by 5861.An Toshiharu OHNO Aq Mt tony-o@iij.ad.jp , 5862and was submitted to 5863.Fx 2.0.5 5864by 5865.An Atsushi Murai Aq Mt amurai@spec.co.jp . 5866.Pp 5867It was substantially modified during 1997 by 5868.An Brian Somers Aq Mt brian@Awfulhak.org , 5869and was ported to 5870.Ox 5871in November that year 5872(just after the 2.2 release). 5873.Pp 5874Most of the code was rewritten by 5875.An Brian Somers 5876in early 1998 when multi-link ppp support was added. 5877