
PPP Hints and Tricks

The ppp manual page is very good and detailed, but for the average Joe who just wants to get on the net it is a little too big. So, now that I am using a faster connection, I thought I would write down some of the useful things I have done with ppp over time before I forget :)

Setting up dial on Demand for certain traffic

Basically this involves adding a single line per rule to the /etc/ppp/ppp.conf file, e.g.

set filter dial 10 permit 192.168.0.0/24 203.63.152.0/24 udp dst eq 53

This will cause user ppp to dial up when a NAT user tries to reach the DNS servers (which are on 203.63.152.0/24), provided ppp is invoked as ppp -nat -auto.

One problem with demand dialing is that Microsoft hosts sometimes do a broadcast followed by a DNS lookup for servers that do not exist, all by themselves and roughly every 30 minutes, which will always cause the modem to dial up. These DNS requests go to UDP port 53 on the DNS server just like a normal DNS request, but one difference is that they come from source ports 137-139, whereas normal DNS traffic would have a source port of roughly 1080 and above. That makes it easy to block them by putting this in /etc/ppp/ppp.conf:

set filter dial 2 deny udp src eq 137 # NetBIOS name service
set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
set filter dial 4 deny udp src eq 139 # NetBIOS session service
set filter dial 5 deny udp dst eq 137 # NetBIOS name service
set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
set filter dial 7 deny udp dst eq 139 # NetBIOS session service

If you have IPFW compiled into your kernel as well, you may as well block it there too, because it is evil:

ipfw add 800 deny udp from any 137-139 to any
 

Disconnecting from the net after a certain time

Easy, add one of these to ppp.conf. The number is in seconds: 0 disables the timeout, 600 would get you disconnected after 10 minutes of idle time.

set timeout 0
set timeout 600

You will have to decide what counts as interesting traffic to keep the connection alive. The following ignores ICQ connections (UDP port 4000) as interesting traffic but lets any TCP activity keep the link up:

set filter alive 0 deny udp dst eq 4000
set filter alive 1 permit tcp
 

Port Forwarding with user PPP

If you need to forward ports, it is easier to do with user ppp than with IPFW or IPFilter.
For example, if you only have one IRC user on your internal NAT network, you can port forward TCP 113 (ident) to the internal machine that uses IRC. Add this to your ppp.conf file, e.g.

alias port tcp 192.168.1.5:113 113

or

nat port tcp 192.168.1.5:113 113

with 192.168.1.5:113 being the IRC user's internal IP and destination port, and the last 113 being the modem's TCP port (note that no IP needs to be listed for the modem side).

For this to work you might have to disable your ident line in /etc/inetd.conf by commenting it out with a #, e.g. as below, and then run killall -HUP inetd after adding the #.

#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120

Changing PPP settings without restarting user PPP

If you edit the ppp.conf file you normally have to kill and restart the ppp daemon for the changes to take effect.
If you have a pricey service provider where dialling up costs money but staying connected costs nothing, it is possible to make changes to your ppp setup while it is running using pppctl.

The first thing to do is to make a local domain socket (don't ask why :). Put this in your /etc/ppp/ppp.conf file:

set server /var/run/internet "" 0177

You might have to create a 0 byte file first:

touch /var/run/internet

Now you can port forward 113 to your internal machine and disable the timeout from a script:

#! /bin/sh
exec pppctl /var/run/internet set timeout 0\; alias port tcp 10.1.1.2:113 113

If you want to check whether you are dialled up, put this in a file:

#! /bin/sh
# pppctl's prompt starts with "PPP" when the link is up and "ppp" when it is down
if pppctl -p 'YOURDIALUPPASSWORD' -v /var/run/internet quit | grep '^PPP' >/dev/null; then
    echo Link is up
else
    echo Link is down
fi

Running scripts after a connection is established

If your IP changes every time you dial up and you want to re-run your IPFW firewall etc. to match the new IP, you need to create /etc/ppp/ppp.linkup and give it the right permissions (chmod 744 /etc/ppp/ppp.linkup). You can also make one for when your link goes down, called ppp.linkdown. Now add this to ppp.linkup:

MYADDR:
!bg /etc/rc.myfirewall
 

This should now execute /etc/rc.myfirewall every time your link comes up. Since I got you this far, I will give a very small firewall example making use of the startup script:

#!/bin/sh
fwcmd="/sbin/ipfw"
$fwcmd -f flush
# Allow loopback before denying traffic to 127/8, otherwise the deny
# below would also hit lo0.
$fwcmd add 40 pass all from any to any via lo0
$fwcmd add 50 deny all from any to 127.0.0.0/8
# Extract your IP from ifconfig so it can be used in the rules as $oip.
# User ppp's interface is tun0 (matching the rule below); adjust if needed.
oip=`/sbin/ifconfig tun0 | awk '/inet / { print $2 }'`
$fwcmd add 10 reset log tcp from any to $oip 21,22,110,80,1080 via tun0
$fwcmd add 60 allow tcp from any to any
$fwcmd add 62 allow udp from any to any
$fwcmd add 63 allow icmp from any to any
$fwcmd add 70 deny log all from any to any
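An added example (not from the article) that turns the same firewall into two shell functions: one that picks the inet address of one named interface out of ifconfig output, so a lo0 or LAN address is never used by mistake, and one that emits the rule set for that address with a dry-run mode so you can review the rules before loading them. The interface name tun0 follows the article; the ifconfig sample and the address 203.0.113.7 are constructed.

```shell
#!/bin/sh
# Added example: address extraction plus rule generation for rc.myfirewall.
# Assumes user ppp's interface is tun0, as in the article's rules.

# Constructed ifconfig output for the demo; real input comes from
# `/sbin/ifconfig tun0`. lo0 comes first to show that it is skipped.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 203.0.113.7 --> 198.51.100.1 netmask 0xffffffff
    Opened by PID 312'

# tun_addr IFACE < ifconfig-output: print the inet address of IFACE only.
# Tracks which interface stanza it is in, so other interfaces' addresses
# are never picked up.
tun_addr() {
    awk -v want="$1" '
        /^[a-z0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == want && $1 == "inet" { print $2; exit }
    '
}

# fw_rules IP [CMD]: emit the firewall for IP. CMD defaults to /sbin/ipfw;
# pass "echo" to print the rules instead of loading them. Refuses anything
# that is not a dotted-quad so a bad extraction cannot reach ipfw.
fw_rules() {
    ip=$1
    fwcmd=${2:-/sbin/ipfw}
    case $ip in
        *[!0-9.]*|"") echo "fw_rules: bad address '$ip'" >&2; return 1 ;;
    esac
    $fwcmd -f flush
    # Loopback must be allowed before the anti-spoof deny for 127/8.
    $fwcmd add 40 pass all from any to any via lo0
    $fwcmd add 50 deny all from any to 127.0.0.0/8
    $fwcmd add 10 reset log tcp from any to $ip 21,22,80,110,1080 via tun0
    $fwcmd add 60 allow tcp from any to any
    $fwcmd add 62 allow udp from any to any
    $fwcmd add 63 allow icmp from any to any
    $fwcmd add 70 deny log all from any to any
}

# Dry run on the constructed sample. In /etc/rc.myfirewall you would call
#   fw_rules "$(/sbin/ifconfig tun0 | tun_addr tun0)"
demo_ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_addr tun0)
fw_rules "$demo_ip" echo
```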
 

 

Okies, this should really get you going :)
If I have made any mistake, or you feel you have something I should change or add, don't hesitate to email me.
purp

michael_vince@hotmail.com

© 1998 - 2010 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.