Setting-up PPP and Creating an Internet Gateway

You can't request more than 20 challenges without solving them. Your previous challenges were flushed.

Applicable to: FreeBSD 3.x
Updated: August 25, 1999

Warning! This procedure has not been verified to work correctly with versions of FreeBSD later than 3.4. If you encounter problems, please e-mail me with suggested corrections.

This Sheet describes the procedure I used to set up dial-on-demand PPP services to act as an Internet gateway for the local network. The User-PPP program provides network address translation (NAT) services and also acts as a simple, but effective, firewall with it's packet-filter functions. Before performing this procedure, you should review the FreeBSD Handbook article Using User PPP and the Pedantic PPP Primer.

Check for the tunnel device:
# ifconfig -a

You should see:
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
Edit /etc/host.conf:
hosts
bind
Edit /etc/hosts:
127.0.0.1   localhost.home   localhost
10.0.0.1    pandora.home     pandora
10.0.0.1    pandora.home.
10.0.0.2    danco.home       danco
Edit /etc/resolv.conf:
domain      home
nameserver  207.228.35.42
nameserver  207.228.37.195

Edit /etc/ppp/ppp.conf:

# PPP Configuration

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT
  OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" (All one line)
 set redial 3 10
 disable pred1
 deny pred1
 disable lqr
 deny lqr
 set authname xxxxxxxx
 set authkey xxxxxxxx
 set phone xxx-xxxx
 set timeout 600

# Usage: 'ppp -alias interactive'
interactive:
 set openmode active
 accept chap

# Usage: 'ppp -auto -alias demand'
demand:
 set openmode active
 accept chap
 set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
 add 0 0 127.2.2.2

# Prevent ICMP, DNS (53), and NTP (123) from keeping the
# connection alive:
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 deny udp src eq 123
 set filter alive 4 deny udp dst eq 123
 set filter alive 5 permit 0 0

# Prevent NTP (123) from causing a dialup:
 set filter dial 0 deny udp src eq 123
 set filter dial 1 deny udp dst eq 123
 set filter dial 2 permit 0 0

# Allow ident (113), ftp (20 & 21), SMTP (25), DNS (53), 
# HTTP (80), POP3 (110), NNTP (119), NTP (123), HTTPS (443),
# SOCKS (1080), ICMP (ping), CVSup (5998 & 5999), 
# and traceroute (>33433). 
# Everything else is blocked by default:

 set filter in   0 permit tcp dst eq 113
 set filter out  0 permit tcp src eq 113
 set filter in   1 permit tcp src eq 20 dst gt 1023
 set filter out  1 permit tcp dst eq 20
 set filter in   2 permit tcp src eq 21 estab
 set filter out  2 permit tcp dst eq 21
 set filter in   3 permit tcp src eq 25
 set filter out  3 permit tcp dst eq 25
 set filter in   4 permit udp src eq 53
 set filter out  4 permit udp dst eq 53
 set filter in   5 permit tcp src eq 80
 set filter out  5 permit tcp dst eq 80
 set filter in   6 permit udp src eq 80
 set filter out  6 permit udp dst eq 80
 set filter in   7 permit tcp src eq 110
 set filter out  7 permit tcp dst eq 110
 set filter in   8 permit tcp src eq 119
 set filter out  8 permit tcp dst eq 119
 set filter in   9 permit udp src eq 123
 set filter out  9 permit udp dst eq 123
 set filter in  10 permit tcp src eq 443
 set filter out 10 permit tcp dst eq 443
 set filter in  11 permit udp src eq 443
 set filter out 11 permit udp dst eq 443
 set filter in  12 permit tcp src eq 1080
 set filter out 12 permit tcp dst eq 1080
 set filter in  13 permit udp src eq 1080
 set filter out 13 permit udp dst eq 1080
 set filter in  14 permit tcp src eq 5998
 set filter out 14 permit tcp dst eq 5998
 set filter in  15 permit tcp src eq 5999
 set filter out 15 permit tcp dst eq 5999      
 set filter in  16 permit icmp
 set filter out 16 permit icmp
 set filter in  17 permit udp dst gt 33433
 set filter out 17 permit udp src gt 33433

Warning: This file contains cleartext passwords, make it read/writeable by root only!

Edit /etc/ppp/ppp.linkup:
# Dial-on-demand:
demand:
delete ALL
add 0 0 HISADDR

# All other configurations use this:
MYADDR:
add 0 0 HISADDR
Edit /etc/ppp/ppp.linkdown:
# Dial-on-demand:
demand:
iface clear
Edit /etc/rc.conf:
### Basic network options: ###
hostname="pandora.home"
network_interfaces="ep0 tun0 lo0"
ifconfig_ep0="inet 10.20.155.1 netmask 255.255.255.0"
ifconfig_tun0=""

# User ppp configuration.
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="demand"

### Network routing options: ###
gateway_enable="YES"

http://www.mostgraveconcern.com/freebsd/
Questions or Comments? Contact Us...

Click here to go back to FreeBSD HOWTO's Index

FreeBSD HOWTO

Syndicate

Setting-up PPP and Creating an Internet Gateway

Applicable to: FreeBSD 3.x
Updated: August 25, 1999

Warning! This procedure has not been verified to work correctly with versions of FreeBSD later than 3.4. If you encounter problems, please e-mail me with suggested corrections.

Post new comment

FreeBSD HOWTO

Syndicate

Setting-up PPP and Creating an Internet Gateway

Applicable to: FreeBSD 3.x Updated: August 25, 1999

Warning! This procedure has not been verified to work correctly with versions of FreeBSD later than 3.4. If you encounter problems, please e-mail me with suggested corrections.

Post new comment

Applicable to: FreeBSD 3.x
Updated: August 25, 1999