Author Topic: [Repost] Tips for running a server over a ppp dial-up connection (for FreeBSD)  (Read 4955 times)


逸晨

Original author: 頭文字D餅乾 dinocookie.bbs@BirdNest.twbbs.org 2003/08/31 00:01:26
Repost source: http://bbs.openfind.com.tw/cgi-bin/x_list?VAL=4023156199&BOARD=tw.bbs.comp.386bsd&DISPLEN=15&NO=391&SORTBY=0

    This is not about ppp dial-up itself; it is about one small problem with ppp dial-up. After the line drops for whatever reason, ppp is able to redial on its own, but it then gets a new IP. Many users handle this with cron/crontab, checking every few minutes whether the IP has changed. That is not actually necessary.

    Read ppp(8) carefully and you will find two files mentioned, ppp.linkup and ppp.linkdown. They are read and processed when ppp connects and when it disconnects, respectively, so you can add commands to them to suit your needs.

The main advantage of this route is that the ipfw/firewall rules are updated automatically.

    When the system boots, ppp is started before rc.firewall is processed, so ppp.linkup runs once first, and at that point the firewall has already been set up. Therefore set firewall_type to UNKNOWN in rc.conf so that the rules are not set up a second time. Also configure ppp as ddial: as soon as the line drops, the predetermined commands are run immediately via ppp.linkdown/ppp.linkup. The example below edits papchap in ppp.conf directly, so ppp.linkup/ppp.linkdown both use papchap as their label. The other thing is the sounds: adding them is up to you, and if you want them, find your own audio files to substitute :-)

    Finally, remember to change the firewall rules to what you actually need; see man ipfw for details.

[File] /etc/ppp/ppp.conf:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:vr0   # 512/64 adsl; not a great card, but at this traffic
                        # level it has not had a watchdog timeout yet, good enough :-p
 set mtu 1492
 set mru 1492
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route
# enable dns                            # request DNS info (for resolv.conf)
                                        # I run my own named, so this is not needed here

papchap:
 set authname "撥接帳號"
 set authkey "你猜"

# end of ppp.conf


[File] /etc/ppp/ppp.linkup:

# Example of ppp.linkup file

papchap:
 !bg /bin/sh "/etc/ppp/trumpet.sh" INTERFACE
 ! /bin/sh "/etc/ppp/firewall.sh" MYADDR HISADDR INTERFACE
 ! /bin/sh "/etc/ppp/misc.sh" INTERFACE

# end of ppp.linkup

[File] /etc/ppp/ppp.linkdown:

# Example of ppp.linkdown file

papchap:
 ! /etc/ppp/babu.sh INTERFACE

# end of ppp.linkdown


[File] /etc/ppp/firewall.sh (copied from /etc/rc.firewall and modified; this is only a demonstration):

#!/bin/sh

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush

# set these to your outside interface network and netmask and ip
# $1 and $3 here are what ppp passes in (MYADDR and INTERFACE; $2, HISADDR, is not used)
# for the relationship between onet and omask, study the detailed ipfw settings yourself
# this is only what I used when testing myself; ssh/ftp and a pile of other things are not opened
oif=$3
onet=$1
omask="255.255.255.0"
oip=$1

# natd diverts on the outside interface ppp just brought up (rc.firewall
# takes this from rc.conf; here it must be set explicitly or the divert
# rule below is incomplete)
natd_interface="${oif}"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.128.63"
imask="255.255.255.0"
iip="192.168.128.63"

setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.

${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# (the stray `;;' left over from the case statement in rc.firewall
# has been removed; it is a syntax error in a stand-alone script)

# end of firewall.sh


[File] /etc/ppp/misc.sh:

#!/bin/sh

# I use ddclient to update the dyndns record
kill -HUP `cat /var/run/ddclient.pid`
# restart named; there may be a better way, but I never looked into it carefully
ndc restart

# end of misc.sh


[File] /etc/ppp/trumpet.sh:

#!/bin/sh

# use logger to add a message to the system log
logger "ppp: dialup connection established! "$1", "`date`
# make some noise to cheer myself up (?)
cat /etc/ppp/trumpet.au > /dev/audio

# end of trumpet.sh

[File] /etc/ppp/babu.sh:

#!/bin/sh
cat /etc/ppp/alarm.au > /dev/audio
logger "ppp: dialup connection dropped! babu~ "$1", "`date`

# end of repost
I originally wanted to post this in the FreeBSD board, since it fits that category better,
but then I remembered we have the 『拾人牙慧』 board here, so I'm following the rules ^_^

The main reason I'm posting this is these two lines from the author: 『many users' approach is to use cron/crontab, checking every few minutes whether the IP has changed』; people keep bringing up related questions, and BBS articles disappear over time, so I'm putting it here so that those who need it have a chance to find it by searching!!
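As an added example (not from the original post or from FreeBSD itself): a ppp.linkup helper in the spirit of the firewall.sh above. ppp substitutes MYADDR, HISADDR and INTERFACE into the command line, and because the script then runs ipfw as root, each value is checked before it is spliced into a rule; the inside network 192.168.128.0/24 and the natd divert are taken from the post, while FWCMD, log(), valid_ipv4(), valid_iface(), linkup_rules() and the file name /etc/ppp/linkup-rules.sh are this example's own assumed names. FWCMD defaults to echo so the script can be exercised without ipfw; on the gateway set FWCMD="/sbin/ipfw -q" and call it from ppp.linkup as `! /bin/sh "/etc/ppp/linkup-rules.sh" MYADDR HISADDR INTERFACE`.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the address-dependent
# ipfw rules after ppp assigns a new IP, validating ppp's MYADDR HISADDR
# INTERFACE arguments first. FWCMD="echo ipfw" is a dry run for testing;
# INET is the inside network from the post (assumed).
FWCMD="${FWCMD:-echo ipfw}"
INET="${INET:-192.168.128.0/24}"

log() { logger -t ppp "$*" 2>/dev/null || echo "ppp: $*" >&2; }

# Dotted quad: exactly four fields, each 0..255. Anything else, including
# shell metacharacters, is rejected.
valid_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    (
        IFS=.; set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
        done
    )
}

# ppp hands us its tunN interface; nothing else is acceptable here.
valid_iface() {
    case "$1" in tun[0-9]|tun[0-9][0-9]|tun[0-9][0-9][0-9]) return 0 ;; esac
    return 1
}

# Flush and rebuild the rules that depend on the new MYADDR and INTERFACE.
linkup_rules() {
    myaddr=$1; hisaddr=$2; iface=$3
    valid_ipv4 "$myaddr" && valid_ipv4 "$hisaddr" && valid_iface "$iface" || {
        log "linkup: refusing suspicious arguments: $1 $2 $3"
        return 1
    }
    $FWCMD -f flush
    $FWCMD add 100 pass all from any to any via lo0
    $FWCMD add deny all from $INET to any in via $iface      # anti-spoofing
    $FWCMD add divert natd all from any to any via $iface    # NAT for the LAN
    $FWCMD add pass tcp from any to any established
    $FWCMD add pass tcp from any to $myaddr 80 setup         # our WWW
    $FWCMD add deny log tcp from any to any in via $iface setup
    $FWCMD add pass tcp from any to any setup
    $FWCMD add pass udp from $myaddr to any 53 keep-state    # DNS out
    log "linkup: rules rebuilt for $myaddr on $iface (peer $hisaddr)"
}

case $# in 3) linkup_rules "$@" ;; esac
```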