A Concise PPP Configuration Tutorial (repost)

Posted on 2003-9-23 11:02:55
Setting-up PPP and
Creating an Internet Gateway


Applicable to: FreeBSD 3.x
Updated: August 25, 1999


Warning! This procedure has not been verified to work correctly with versions of FreeBSD later than 3.4. If you encounter problems, please e-mail me with suggested corrections.


This Sheet describes the procedure I used to set up dial-on-demand PPP services to act as an Internet gateway for the local network. The User-PPP program provides network address translation (NAT) services and also acts as a simple, but effective, firewall with its packet-filter functions. Before performing this procedure, you should review the FreeBSD Handbook article Using User PPP and the Pedantic PPP Primer.


start##############################

Check for the tunnel device:

# ifconfig -a
You should see:

tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

Edit /etc/host.conf:

hosts
bind

Edit /etc/hosts:
127.0.0.1               localhost.adsl localhost

Edit /etc/resolv.conf:
domain  adsl
nameserver 202.103.229.40
nameserver 202.103.224.68

Edit /etc/ppp/ppp.conf:
# PPP Configuration

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set redial 3 10
 disable pred1
 deny pred1
 disable lqr
 deny lqr
 set authname xxxxxxxx
 set authkey xxxxxxxx
 set phone xxx-xxxx
 set timeout 600

# Usage: 'ppp -alias interactive'
interactive:
 set openmode active
 accept chap

# Usage: 'ppp -auto -alias demand'
demand:
 set openmode active
 accept chap
 set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
 add 0 0 127.2.2.2

# Prevent ICMP, DNS (53), and NTP (123) from keeping the
# connection alive:
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 deny udp src eq 123
 set filter alive 4 deny udp dst eq 123
 set filter alive 5 permit 0 0

# Prevent NTP (123) from causing a dialup:
 set filter dial 0 deny udp src eq 123
 set filter dial 1 deny udp dst eq 123
 set filter dial 2 permit 0 0

# Allow ident (113), ftp (20 & 21), SMTP (25), DNS (53),
# HTTP (80), POP3 (110), NNTP (119), NTP (123), HTTPS (443),
# SOCKS (1080), ICMP (ping), CVSup (5998 & 5999),
# and traceroute (>33433).
# Everything else is blocked by default:

 set filter in   0 permit tcp dst eq 113
 set filter out  0 permit tcp src eq 113
 set filter in   1 permit tcp src eq 20 dst gt 1023
 set filter out  1 permit tcp dst eq 20
 set filter in   2 permit tcp src eq 21 estab
 set filter out  2 permit tcp dst eq 21
 set filter in   3 permit tcp src eq 25
 set filter out  3 permit tcp dst eq 25
 set filter in   4 permit udp src eq 53
 set filter out  4 permit udp dst eq 53
 set filter in   5 permit tcp src eq 80
 set filter out  5 permit tcp dst eq 80
 set filter in   6 permit udp src eq 80
 set filter out  6 permit udp dst eq 80
 set filter in   7 permit tcp src eq 110
 set filter out  7 permit tcp dst eq 110
 set filter in   8 permit tcp src eq 119
 set filter out  8 permit tcp dst eq 119
 set filter in   9 permit udp src eq 123
 set filter out  9 permit udp dst eq 123
 set filter in  10 permit tcp src eq 443
 set filter out 10 permit tcp dst eq 443
 set filter in  11 permit udp src eq 443
 set filter out 11 permit udp dst eq 443
 set filter in  12 permit tcp src eq 1080
 set filter out 12 permit tcp dst eq 1080
 set filter in  13 permit udp src eq 1080
 set filter out 13 permit udp dst eq 1080
 set filter in  14 permit tcp src eq 5998
 set filter out 14 permit tcp dst eq 5998
 set filter in  15 permit tcp src eq 5999
 set filter out 15 permit tcp dst eq 5999
 set filter in  16 permit icmp
 set filter out 16 permit icmp
 set filter in  17 permit udp dst gt 33433
 set filter out 17 permit udp src gt 33433

Warning: This file contains cleartext passwords, make it read/writeable by root only!


Edit /etc/ppp/ppp.linkup:

# Dial-on-demand:
demand:
 delete ALL
 add 0 0 HISADDR

# All other configurations use this:
MYADDR:
 add 0 0 HISADDR

Edit /etc/ppp/ppp.linkdown:

# Dial-on-demand:
demand:
 iface clear

Edit /etc/rc.conf:

### Basic network options: ###
hostname="pandora.home"
network_interfaces="ep0 tun0 lo0"
ifconfig_ep0="inet 10.20.155.1 netmask 255.255.255.0"
ifconfig_tun0=""

# User ppp configuration.
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="demand"

### Network routing options: ###
gateway_enable="YES"
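
Added example (not part of the reposted tutorial and not User-PPP's own code): a small Python audit for a ppp.conf like the one above. It lists inbound TCP permit rules that test only the remote source port, with no "dst" test and no "estab" (ACK set) requirement, which a stateless filter matches for any inbound segment carrying that source port, and it checks the root-only permission the warning asks for. The function names and the sample rules are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample in the style of the ppp.conf above (not the full file).
SAMPLE_CONF = """\
default:
 set authname xxxxxxxx
 set authkey xxxxxxxx
demand:
 set filter in   0 permit tcp dst eq 113
 set filter in   1 permit tcp src eq 20 dst gt 1023
 set filter in   2 permit tcp src eq 21 estab
 set filter in   5 permit tcp src eq 80
 set filter out  5 permit tcp dst eq 80
 set filter in  10 permit tcp src eq 443
"""

IN_TCP_PERMIT = re.compile(r"^\s*set\s+filter\s+in\s+(\d+)\s+permit\s+tcp\b(.*)$")

def source_port_only_rules(conf_text):
    """Rule numbers of inbound TCP permits that match only on the remote
    source port: no 'dst' port test and no 'estab' requirement."""
    flagged = []
    for line in conf_text.splitlines():
        m = IN_TCP_PERMIT.match(line.split("#", 1)[0])  # ignore comments
        if not m:
            continue
        words = m.group(2).split()
        if "src" in words and "dst" not in words and "estab" not in words:
            flagged.append(int(m.group(1)))
    return flagged

def holds_cleartext_secret(conf_text):
    """True if the text contains a 'set authkey' command."""
    return re.search(r"^\s*set\s+authkey\s+\S", conf_text, re.M) is not None

def mode_too_open(path):
    """True if group or other have any permission bits on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    import sys
    text = SAMPLE_CONF
    if len(sys.argv) > 1:  # pass a config path, e.g. /etc/ppp/ppp.conf, as root
        text = open(sys.argv[1]).read()
        if holds_cleartext_secret(text) and mode_too_open(sys.argv[1]):
            print("authkey present and file is accessible beyond its owner")
    print("source-port-only inbound TCP rules:", source_port_only_rules(text))
```

Rules it reports are candidates for adding "estab", as inbound rule 2 (FTP control) already does; an inbound rule with a "dst" test, such as ident on 113, is treated as intentional.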
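Original poster | Posted on 2003-9-24 10:23:16
Why is nobody bumping this? If anything is wrong, please point it out.
Posted on 2003-9-24 12:29:53
I'll bump it for you, hehe~~~~~~~~~

It's in English and I can't be bothered to read it. Besides, it's no use to me, at least for now, so I won't read it, hehe~~~~~~~~~~

Are you disappointed that nobody has replied?
Original poster | Posted on 2003-9-24 13:06:44
Yes
Posted on 2003-9-24 15:20:17
Good! Not bad!
Posted on 2003-9-24 16:53:49
Originally posted by devel
Yes :%

Showing some support. Keep at it and you'll reach your goal soon, hehe~~~~~~~ ;) ;) ;)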