Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

PPP Hints and Tricks

The ppp manual is very good and detailed but for the average joe that just wants to get on the net its a little too big, So I thought I would write some text on some of the useful things I have done with ppp over time now I am using a faster connection before I forget :)
Setting up dial on Demand for certain traffic
Basically this involves adding a single line per rule to the /etc/ppp/ppp.conf file. EG
set filter dial 10 permit udp dst eq 53
This will cause user ppp to dial up when a nat user tries to access the DNS servers (being on when ppp -nat -auto is invoked.
One problem that can exist with demand dialing was that Microsoft hosts sometimes do a broadcast then a DNS lookup for servers which don't exist by themselves about every 30mins this will always causes a modem to dial up, these DNS requests MS hosts send go to the DNS server port 53 UDP just like a normal DNS request would but one difference about them is that they come from source port 137-139, normal DNS traffic would have a source port roughly of 1080+ so it makes it easy to block those by putting this in /etc/ppp/ppp.conf

set filter dial 2 deny udp src eq 137 # NetBIOS name service
set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
set filter dial 4 deny udp src eq 139 # NetBIOS session service
set filter dial 5 deny udp dst eq 137 # NetBIOS name service
set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
set filter dial 7 deny udp dst eq 139 # NetBIOS session service
If you have IPFW compiled in your kernel as well you may as well block it there as well cause its evil
ipfw add 800 deny udp from any 137-139 to any

Disconnecting from the net after a certain time.
Easy, add one of these to ppp.conf. With the number being in seconds, 0 disables timeout, 600 would cause you to get disconnected after 10 mins of idle.
set timeout 0 set timeout 600
You will have to decide on what is interesting traffic to keep the connection alive. This should ignore ICQ connections as interesting traffic but allow any TCP activity to keep it alive
set filter alive 0 deny udp dst eq 4000
set filter alive 1 permit tcp

Port Forwarding with user PPP
If you need to forward ports its easier to do with user ppp then using IPFW or IPFilter.
An example would be if you only have 1 IRC user on your internal NAT network you can just port forward TCP 113 (ident) to your internal IRC using machine, add this to your ppp.conf file EG
alias port tcp 113 or nat port tcp 113
with being the irc user with internal IP and destination port and the last 113 being the modems tcp port (note no ip is needed to be listed for modem)
For this to work you might have to disable the your ident line in /etc/inetd.conf with a # EG and give it a killall -HUP inetd after adding the #
#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120
Changing PPP settings without restarting user PPP
If you edit the ppp.conf file you have to kill and restart the ppp daemon for the changes to take effect.
If you have a pricey service provider and it costs a bit of money to dial up but nothing once your connected its possible to make changes to your ppp setup while its running using pppctl.
The first thing to do is make a local domain socket (dont ask why :) put this in your /etc/ppp/ppp.conf file

set server /var/run/internet "" 0177
You might have to create a 0 byte file first
cat "" > /var/run/internet
Now you can port forward 113 to your internal machine and disable timeout
#! /bin/sh
exec pppctl /var/run/internet set timeout 0\; alias port tcp 113
If you wanted to check if you are dialed up put this in a file
#! /bin/sh
pppctl -p 'YOURDIALUPPASSWORD' -v /var/run/internet quit | grep ^PPP >/dev/null if [ $? -eq 0 ]; then
echo Link is up
echo Link is down

Running scripts after a connection is established
If your IP changes every time you dialup and you want to re-run your IPFW firewall etc to match your new IP you need to create a /etc/ppp/ppp.linkup and give it the right permissions chmod 744 /etc/ppp.linkup you can also do one for when your link goes down called ppp.linkdown, now add this to ppp.linkup
!bg /etc/rc.myfirewall

This should now execute /etc/rc.myfirewall every time your link comes up. Since I got your this far I will give a very small firewall example making use of the startup script
$fwcmd -f flush
$fwcmd add 60 pass all from any to any via lo0
$fwcmd add 50 deny all from any to
oip=`/sbin/ifconfig -a | grep -B 1 ppp0 | awk '/inet/ { print $2 }' | sed -e s/inet,//`
# This line extracts your IP from the the ifconfig command so it can be sent into firewall code using $oip
# Might need to be modified
$fwcmd add 10 reset log tcp from any to $oip 21,22,110,80,1080 via tun0
$fwcmd add 60 allow tcp from any to any
$fwcmd add 62 allow udp from any to any
$fwcmd add 63 allow icmp from any to any
$fwcmd add 70 deny log all from any to any

Okies this should really get you going :)

© 1997 - 20013 Defcon1, , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.

Tool-Bar-2Defcon1  Webmail