Setting-up PPP and Creating an Internet Gateway

Applicable to: FreeBSD 3.x
Updated: August 25, 1999

Warning! This procedure has not been verified to work correctly with versions of FreeBSD later than 3.4. If you encounter problems, please e-mail me with suggested corrections.

This Sheet describes the procedure I used to set up dial-on-demand PPP services to act as an Internet gateway for the local network. The User-PPP program provides network address translation (NAT) services and also acts as a simple, but effective, firewall with its packet-filter functions. Before performing this procedure, you should review the FreeBSD Handbook article Using User PPP and the Pedantic PPP Primer.

  1. Check for the tunnel device:

    # ifconfig -a

    You should see:

    tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

  2. Edit /etc/host.conf:

    hosts
    bind

  3. Edit /etc/hosts:

    127.0.0.1   localhost.home   localhost
    10.0.0.1    pandora.home     pandora
    10.0.0.1    pandora.home.
    10.0.0.2    danco.home       danco

  4. Edit /etc/resolv.conf:

    domain      home
    nameserver  207.228.35.42
    nameserver  207.228.37.195

  5. Edit /etc/ppp/ppp.conf:
    # PPP Configuration
    
    default:
     set log Phase Chat LCP IPCP CCP tun command
     set device /dev/cuaa1
     set speed 115200
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
     set redial 3 10
     disable pred1
     deny pred1
     disable lqr
     deny lqr
     set authname xxxxxxxx
     set authkey xxxxxxxx
     set phone xxx-xxxx
     set timeout 600
    
    # Usage: 'ppp -alias interactive'
    interactive:
     set openmode active
     accept chap
    
    # Usage: 'ppp -auto -alias demand'
    demand:
     set openmode active
     accept chap
     set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
     add 0 0 127.2.2.2
    
    # Prevent ICMP, DNS (53), and NTP (123) from keeping the
    # connection alive:
     set filter alive 0 deny icmp
     set filter alive 1 deny udp src eq 53
     set filter alive 2 deny udp dst eq 53
     set filter alive 3 deny udp src eq 123
     set filter alive 4 deny udp dst eq 123
     set filter alive 5 permit 0 0
    
    # Prevent NTP (123) from causing a dialup:
     set filter dial 0 deny udp src eq 123
     set filter dial 1 deny udp dst eq 123
     set filter dial 2 permit 0 0
    
    # Allow ident (113), ftp (20 & 21), SMTP (25), DNS (53), 
    # HTTP (80), POP3 (110), NNTP (119), NTP (123), HTTPS (443),
    # SOCKS (1080), ICMP (ping), CVSup (5998 & 5999), 
    # and traceroute (>33433). 
    # Everything else is blocked by default:
    
     set filter in   0 permit tcp dst eq 113
     set filter out  0 permit tcp src eq 113
     set filter in   1 permit tcp src eq 20 dst gt 1023
     set filter out  1 permit tcp dst eq 20
     set filter in   2 permit tcp src eq 21 estab
     set filter out  2 permit tcp dst eq 21
     set filter in   3 permit tcp src eq 25
     set filter out  3 permit tcp dst eq 25
     set filter in   4 permit udp src eq 53
     set filter out  4 permit udp dst eq 53
     set filter in   5 permit tcp src eq 80
     set filter out  5 permit tcp dst eq 80
     set filter in   6 permit udp src eq 80
     set filter out  6 permit udp dst eq 80
     set filter in   7 permit tcp src eq 110
     set filter out  7 permit tcp dst eq 110
     set filter in   8 permit tcp src eq 119
     set filter out  8 permit tcp dst eq 119
     set filter in   9 permit udp src eq 123
     set filter out  9 permit udp dst eq 123
     set filter in  10 permit tcp src eq 443
     set filter out 10 permit tcp dst eq 443
     set filter in  11 permit udp src eq 443
     set filter out 11 permit udp dst eq 443
     set filter in  12 permit tcp src eq 1080
     set filter out 12 permit tcp dst eq 1080
     set filter in  13 permit udp src eq 1080
     set filter out 13 permit udp dst eq 1080
     set filter in  14 permit tcp src eq 5998
     set filter out 14 permit tcp dst eq 5998
     set filter in  15 permit tcp src eq 5999
     set filter out 15 permit tcp dst eq 5999
     set filter in  16 permit icmp
     set filter out 16 permit icmp
     set filter in  17 permit udp dst gt 33433
     set filter out 17 permit udp src gt 33433
    
    

    Warning: this file contains cleartext passwords; make it readable and writable by root only!
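    The in, out, dial and alive filters above are matched first-rule-wins, and once a filter has any rules, a packet that matches none of them is dropped. The following Python model is an added example, not part of the original Sheet: it parses a subset of the rules above (copied verbatim) and evaluates constructed sample packets against them, covering only the protocol, port and estab keywords the page uses, not the address/mask fields.

```python
import re

# Rules copied from the ppp.conf above (a representative subset).
PPP_CONF = """
set filter dial 0 deny udp src eq 123
set filter dial 1 deny udp dst eq 123
set filter dial 2 permit 0 0
set filter in   1 permit tcp src eq 20 dst gt 1023
set filter in   2 permit tcp src eq 21 estab
set filter in   5 permit tcp src eq 80
set filter in  16 permit icmp
set filter in  17 permit udp dst gt 33433
"""

# Port comparison operators understood by user-ppp's filter syntax.
CMP = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}

def parse_filters(text):
    """Return {filter_name: [rule, ...]}, rules sorted by number (ppp evaluates them in order)."""
    filters = {}
    for line in text.splitlines():
        m = re.match(r"\s*set filter (\w+)\s+(\d+)\s+(permit|deny)\s+(.*)", line)
        if not m:
            continue
        rest = m.group(4)                       # "0 0" alone means any host, any protocol
        proto = re.search(r"\b(tcp|udp|icmp)\b", rest)
        rule = {"num": int(m.group(2)), "action": m.group(3),
                "proto": proto.group(1) if proto else None,
                "estab": " estab" in rest, "src": None, "dst": None}
        for side, op, port in re.findall(r"(src|dst) (eq|gt|lt) (\d+)", rest):
            rule[side] = (op, int(port))
        filters.setdefault(m.group(1), []).append(rule)
    return {k: sorted(v, key=lambda r: r["num"]) for k, v in filters.items()}

def matches(rule, pkt):
    """pkt is a constructed dict such as {"proto": "tcp", "src": 21, "dst": 40000, "estab": True}."""
    if rule["proto"] and rule["proto"] != pkt.get("proto"):
        return False
    for side in ("src", "dst"):                 # port tests, e.g. ("gt", 1023)
        if rule[side] and not CMP[rule[side][0]](pkt.get(side, -1), rule[side][1]):
            return False
    return not rule["estab"] or pkt.get("estab", False)

def evaluate(filters, name, pkt):
    """First matching rule wins; a filter that has rules but no match denies the packet."""
    for rule in filters.get(name, []):
        if matches(rule, pkt):
            return rule["action"]
    return "deny" if filters.get(name) else "permit"   # no rules at all: ppp passes everything
```

Note how the `estab` keyword is what stops an unsolicited inbound connection from source port 21 while still letting the FTP control channel's replies through.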

  6. Edit /etc/ppp/ppp.linkup:

    # Dial-on-demand:
    demand:
     delete ALL
     add 0 0 HISADDR

    # All other configurations use this:
    MYADDR:
     add 0 0 HISADDR

  7. Edit /etc/ppp/ppp.linkdown:

    # Dial-on-demand:
    demand:
     iface clear

  8. Edit /etc/rc.conf:

    ### Basic network options: ###
    hostname="pandora.home"
    network_interfaces="ep0 tun0 lo0"
    ifconfig_ep0="inet 10.20.155.1 netmask 255.255.255.0"
    ifconfig_tun0=""

    # User ppp configuration.
    ppp_enable="YES"
    ppp_mode="auto"
    ppp_nat="YES"
    ppp_profile="demand"

    ### Network routing options: ###
    gateway_enable="YES"




http://www.mostgraveconcern.com/freebsd/