1Copyright (c) 2001 Brian Somers <brian@Awfulhak.org>
2 based on work by Eivind Eklund <perhaps@yes.no>,
3All rights reserved.
4
5Redistribution and use in source and binary forms, with or without
6modification, are permitted provided that the following conditions
7are met:
81. Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer.
102. Redistributions in binary form must reproduce the above copyright
11 notice, this list of conditions and the following disclaimer in the
12 documentation and/or other materials provided with the distribution.
13
14THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24SUCH DAMAGE.
25
26$FreeBSD: src/usr.sbin/ppp/README.changes,v 1.24.26.1 2010/12/21 17:10:29 kensmith Exp $
27
28This file summarises changes made to ppp that effect
29its configuration.
30
31It does not describe new features, rather it attempts
32to answer any `this used to work, why doesn't it now?'
33questions.
34
35o The `set debug' command was replaced with `set log'.
36o The `set log LCP' command was split into LCP, IPCP and CCP logs.
37o Syslogd is used for logging. /etc/syslog.conf must be updated.
38o LQR is disabled by default.
39o Openmode is active by default.
40o Users must be a member of group `network' for ppp access. Furthermore,
41 they must be `allow'ed to run ppp via the `allow' command in the
42 configuration file.
43 For a brief period, ppp could only be run as root.
44o No diagnostic socket is created by default. The `set server' command
45 must be used.
46o The diagnostic socket password must be specified *only* on the `set
47 server' command line.
48o When `set server' is used to re-select a diagnostic port, all existing
49 diagnostic connections are dropped.
50o pppd-deflate is now called deflate24.
51o Filter IPs of 0.0.0.0 have a default width of 0, not 32.
52o Errors in `add' and `delete' are logged as warnings rather than being
53 written to the TCP/IP log.
54o Any number of diagnostic prompts are allowed, and they are allowed in
55 interactive mode.
56o The default `device' is cuad1, then cuad0
57o A password of "*" in ppp.secret causes a passwd database lookup in
58 pap mode.
59o The value of the CONNECT environment variable is logged in the
60 utmp host field in -direct mode.
61o Out-of-sequence FSM packets (IPCP/LCP/CCP) are dropped by default.
62o Reconnect values are used after an LQR timeout.
63o ^C works on the parent in -background mode.
64o The dial/call/open command works asynchronously. As a result, prompts
65 do not lose control while dialing.
66o The `display' command has been removed. All information is available
67 with the appropriate `show' command.
68o Msext does not need to be enabled/disabled. Setting the NBNS (set nbns)
69 will auto enable it. The DNS side may be enabled/disabled, and if
70 enabled without a `set dns' (was `set ns') will use values from
71 /etc/resolv.conf.
72o Filters are now called `allow', `dial', `in' and `out'. `set
73 ifilter ...' becomes `set filter in ...' etc.
74o Authname and Authkey may only be `set' in phase DEAD.
75o Set encrypt is no longer necessary. Ppp will respond to M$CHAP
76 servers correctly if it's built with DES.
77o Throughput statistics are enabled by default.
78o `Set stopped' only has two parameters. It's no longer possible to
79 have an IPCP stopped timer.
80o `Set timeout' only has one or two parameters. Use `set lqrperiod' and
81 `set {lcp,ccp,ipcp,chap,pap}retry' for the other timers. These timeout
82 values can be seen using the relevant show commands.
83o `set loopback' is now `enable/disable loopback'.
84o `show auto', `show loopback' and `show mtu' are all part of `show bundle'.
85o `show mru' is part of `show lcp'
86o `show msext' and `show vj' are part of `show ipcp'
87o `show reconnect' and `show redial' are part of `show link'
88o A signal 15 (TERM) will now shut down the link gracefully.
89o A signal 2 (HUP) will drop all links immediately.
90o Signal 30 (USR1) is now ignored.
91o Add & delete commands are not necessary in ppp.linkup if they are
92 `sticky routes' (ie, contain MYADDR or HISADDR).
93o LINK and CARRIER logging are no longer available.
94o Timer based DEBUG messages are now logged in the new TIMER log.
95o Ppp can use tun devices > tun255.
96o Protocol-compressed packets are accepted even if they were denied
97 at LCP negotiation time.
98o Passwords aren't logged when logging the ``set server'' line.
99o Command line options only need enough characters to uniquely identify
100 them. -a == -auto, -dd == -ddial etc. -interactive is also allowed.
101o If you don't like seeing additional interface aliases when running in
102 -auto -alias mode, add ``iface clear'' to your ppp.linkdown file -
103 check the sample file.
104o Ppp waits for 1 second before checking whether the device supports
105 carrier. This is controllable with ``set cd''.
106o Random dial timeouts are now between 1 and 30 seconds inclusive rather
107 than between 0 and 29.
108o Ppp now accepts M$CHAP (as well as normal CHAP) by default. If this
109 is not required, you must ``deny chap05 chap80''.
110o The ``set device'' command now expects each device to be specified as an
111 argument rather than concatentating all arguments and splitting based
112 on commas and spaces.
113o The ``show modem'' command is deprecated and has been changed to
114 ``show physical''.
115o The words ``host'' and ``port'' are no longer accepted by the ``set filter''
116 command. Removing them should yield the same results as before.
117o The ``set weight'' command has been deprecated. The ``set bandwidth''
118 command should now be used instead.
119o The ``set autoload'' command syntax and implementation have changed as the
120 old implementation was mis-designed and dysfunctional.
121o Ppp now waits either the full ``set cd'' time or until carrier is detected
122 before running the login script (whichever comes first).
123o The -alias flag has been deprecated. The -nat flag should be used instead.
124o Unbalanced quotes in commands are now warned about and the entire command
125 is ignored.
126o It is now only necessary to escape the `-' character in chat scripts twice.
127 See the example files for details.
128o Environment variables and ~ are expanded on in commands
129o ``nat pptp'' is no longer necessary as this is now done transparently
130o The ``!'' at the start of chat scripts and authkey can be made literal
131 (rather than meaning execute) by doubling it to ``!!''.
132o MP autoload throughput measurements are now based on the maximum of input
133 and output averages rather than on the total.
134o When only one link is open in MP mode, MP link level compression is not
135 open and the peer MRU >= the peer MRRU, ppp sends outbound traffic as
136 PROTO_IP traffic rather than PROTO_MP.
137o MSCHAPv2 is now accepted by default. If you don't wish to negotiate
138 this, you must explicitly deny it.
139o MPPE is enabled and accepted by default (although deflate and predictor1
140 are preferred.
141
1Copyright (c) 2001 Charles Mott <cm@linktel.net>
2All rights reserved.
3
4Redistribution and use in source and binary forms, with or without
5modification, are permitted provided that the following conditions
6are met:
71. Redistributions of source code must retain the above copyright
8 notice, this list of conditions and the following disclaimer.
92. Redistributions in binary form must reproduce the above copyright
10 notice, this list of conditions and the following disclaimer in the
11 documentation and/or other materials provided with the distribution.
12
13THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23SUCH DAMAGE.
24
25$FreeBSD: src/usr.sbin/ppp/README.nat,v 1.7.40.1 2010/12/21 17:10:29 kensmith Exp $
26
27User PPP NAT (Packet Aliasing)
28
29
30
310. Contents
32 1. Background
33 2. Setup
34 3. New commands in ppp
35 4. Future Work
36 5. Authors / Acknowledgements
37 6. Revision History for Aliasing Code
38
39
40
411. Background
42
43User mode ppp has embedded NAT (Network Address Translation) code.
44Enabling this, either by the "-nat" command line option or the
45"nat enable yes" command in a ppp.conf file, makes the ppp host
46automatically NAT IP packets forwarded from a local network, making
47them appear to come from the ppp host machine. Incoming packets
48from the outside world are then appropriately de-NAT'd.
49
50The process of NAT'ing involves both the IP address and the TCP or UDP
51port numbers. ICMP echo and timestamp packets are natted by their id
52numbers. ICMP error messages can be properly directed by examining the
53fragment of the offending packet which is contained in the body of the
54message.
55
56This software was specifically meant to support users who have
57unregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x
58addresses). The ppp host can act as a gateway for these networks, and
59computers on the local area net will have some degree of Internet access
60without the need for a registered IP address. Additionally, there will
61be no need for an Internet service provider to maintain routing tables
62for the local area network.
63
64A disadvantage of NAT is that machines on the local network,
65behind the ppp host, are not visible from the outside world. They can
66establish TCP connections and make UDP inquiries (such as domain name
67service requests) but the connections seem to come from the ppp host
68itself. There is, in effect, a partial firewall. Of course, if this is
69what you want, the disadvantage becomes an advantage.
70
71A second disadvantage is that "IP encoding" protocols, which send IP
72address or port information within the data stream, are not supported
73for the cases where exception code exists. This implementation has
74workarounds for FTP and IRC DCC, the most well known of the IP encoding
75protocols. This frees users from depending on using the ftp passive
76mode and avoiding IRC DCC sends, as is sometimes the case with other
77masquerading solutions.
78
79The implementation supports all standard, non-encoding TCP and UDP protocols.
80Examples of these protocols are http, gopher and telnet. The standard UDP
81mode of Real-Audio is not presently supported, but the TCP mode does work
82correctly.
83
84The NAT code also handles many ICMP messages. In particular,
85ping and traceroute are supported.
86
87
88
892. Packet Aliasing Setup
90
91It is recommended that users first verify correct ppp operation without
92NAT enabled. This will confirm that the ppp.conf file is
93properly set up and that there are no ppp problems. Then start ppp with
94the "-nat" option on the command line. The user should verify that
95the ppp host can correctly connect to the Internet in NAT
96mode. Finally, check that machines on the private network can access
97the Internet.
98
99The NAT software handles all packets, whether they come from
100the host or another computer on the local area network. Thus, a correctly
101operating ppp host indicates that the software should work properly for
102other computers on the private network.
103
104If the ppp host can access the Internet, but other computers on the local
105network cannot, check that IP forwarding is enabled on the ppp host. Also,
106verify that the other computers use this machine as a gateway. Of course,
107you should also verify that machines within the local area network
108communicate properly. A common error is inconsistent subnet addresses
109and masks.
110
111
112
1133. New commands in ppp
114
115In order to control NAT behaviour in a simple manner (no need for
116recompilation), a new command has been added to ppp: nat. This
117is in addition to the -nat command line option. System managers and
118more experienced users may prefer to use the ppp command syntax
119within the ppp.conf file. The nat command also allows NAT
120behaviour to be more precisely specified.
121
122The decision to add a command instead of extending 'set' or 'option' was
123to make obvious that these options only work when NAT is enabled.
124
125The syntax for 'nat' is
126
127 ppp> nat option [yes|no]
128
129where option is given by one of the following templates.
130
131
132 - nat enable [yes|no] (default no)
133
134Enable NAT functionality. If disabled, no other NAT
135options will have any effect. You should usually enable NAT
136before routing any packets over the link; good points are in the
137initial script or right before adding a route. If you do not always
138want NAT, consider using the -nat option to ppp instead of this
139command.
140
141
142 - nat deny_incoming [yes|no] (default yes)
143
144Set to "yes" to disable all incoming connections. This just drops
145connections to, for example, ftp, telnet or web servers. The NAT
146mechanism prevents these connections. Technically, this option denies
147all incoming TCP and UDP requests, making the NAT software a
148fairly efficient one-way firewall. The default is no, which will allow
149all incoming connections to telnetd, ftpd, etc.
150
151
152 - nat log [yes|no]
153
154Controls logging of NAT link creation to "/var/log/alias.log" - this
155is usually only useful if debugging a setup, to see if the bug is in
156the PPP NATing. The debugging information is fairly limited, listing
157the number of NAT links open for different protocols.
158
159
160 - nat same_ports [yes|no] (default yes)
161
162When a connection is being established going through the NAT
163routines, it will normally have its port number changed to allow the
164NAT code to track it. If same_ports is enabled, the NAT
165software attempts to keep the connection's source port unchanged.
166This will allow rsh, RPC and other specialised protocols to work
167_most of the time_, at least on the host machine. Please, do not
168report this being unstable as a bug - it is a result of the way
169NAT has to work. TCP/IP was intended to have one IP address
170per machine.
171
172
173 - nat use_sockets [yes|no] (default yes)
174
175This is a fairly obscure option. For the most part, the NAT
176software does not have to allocate system sockets when it chooses a
177NAT port number. Under very specific circumstances, FTP data
178connections (which don't know the remote port number, though it is
179usually 20) and IRC DCC send (which doesn't know either the address or
180the port from which the connection will come), there can potentially be
181some interference with an open server socket having the same port number
182on the ppp host machine. This possibility for interference only exists
183until the TCP connection has been acknowledged on both sides. The safe
184option is yes, though fewer system resources are consumed by specifying
185no.
186
187
188 - nat unregistered_only [yes|no] (default no)
189
190NAT normally remaps all packets coming from the local area
191network to the ppp host machine address. Set this option to only map
192addresses from the following standard ranges for private, unregistered
193addresses:
194
195 10.0.0.0 -> 10.255.255.255
196 172.16.0.0 -> 172.31.255.255
197 192.168.0.0 -> 192.168.255.255 */
198
199In the instance that there is a subnet of public addresses and another
200subnet of private addresses being routed by the ppp host, then only the
201packets on the private subnet will be NAT'd.
202
203
204- nat port <proto> <local addr>:<port> <nat port>
205
206This command allows incoming traffic to <nat port> on the host
207machine to be redirected to a specific machine and port on the
208local area network. One example of this would be:
209
210 nat port tcp 192.168.0.4:telnet 8066
211
212All traffic to port 8066 of the ppp host would then be sent to
213the telnet port (23) of machine 192.168.0.4. Port numbers
214can either be designated numerically or by symbolic names
215listed in /etc/services. Similarly, addresses can be either
216in dotted quad notation or in /etc/hosts.
217
218
219- nat addr <local addr> <public addr>
220
221This command allows traffic for a public IP address to be
222redirected to a machine on the local network. This function
223is known as "static NAT". An address assignment of 0 refers
224to the default address of the ppp host. Normally static
225NAT is useful if your ISP has allocated a small block of
226IP addresses to the user, but it can even be used in the
227case of a single, dynamically allocated IP address:
228
229 nat addr 10.0.0.8 0
230
231The above command would redirect all incoming traffic to
232machine 10.0.0.8.
233
234If several address NATs specify the same public address
235as follows
236
237 nat addr 192.168.0.2 public_addr
238 nat addr 192.168.0.3 public_addr
239 nat addr 192.168.0.4 public_addr
240
241then incoming traffic will be directed to the last
242translated local address (192.168.0.4), but outgoing
243traffic to the first two addresses will still be NAT'd
244to the specified public address.
245
246
247
2484. Future Work
249
250What is called NAT here has been variously called masquerading, packet
251aliasing and transparent proxying by others. It is an extremely useful
252function to many users, but it is also necessarily imperfect. The
253occasional IP-encoding protocols always need workarounds (hacks).
254Users who are interested in supporting new IP-encoding protocols
255can follow the examples of alias_ftp.c and alias_irc.c.
256
257ICMP error messages are currently handled only in the incoming direction.
258A handler needs to be added to correctly NAT outgoing error messages.
259
260IRC and FTP exception handling make reasonable, though not strictly correct
261assumptions, about how IP encoded messages will appear in the control
262stream. Programmers may wish to consider how to make this process more
263robust.
264
265The NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
266and alias_util.c) runs in user space, and is intended to be both portable
267and reusable for interfaces other than ppp. To access the basic engine
268only requires four simple function calls (initialisation, communication of
269host address, outgoing NAT and incoming de-NATing).
270
271
272
2735. Authors / Acknowledgements
274
275Charles Mott (cm@linktel.net) <versions 1.0 - 1.8, 2.0, 2.1>
276Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>
277
278Listed below, in chronological order, are individuals who have provided
279valuable comments and/or debugging assistance.
280
281 Gary Roberts
282 Tom Torrance
283 Reto Burkhalter
284 Martin Renters
285 Brian Somers
286 Paul Traina
287 Ari Suutari
288 J. Fortes
289 Andrzej Bialeki
290
291
292
2936. Revision History for Aliasing Code
294
295Version 1.0: August 11, 1996 (cjm)
296
297Version 1.1: August 20, 1996 (cjm)
298 PPP host accepts incoming connections for ports 0 to 1023.
299
300Version 1.2: September 7, 1996 (cjm)
301 Fragment handling error in alias_db.c corrected.
302
303Version 1.3: September 15, 1996 (cjm)
304 - Generalised mechanism for handling incoming connections
305 (no more 0 to 1023 restriction).
306 - Increased ICMP support (will handle traceroute now).
307 - Improved TCP close connection logic.
308
309Version 1.4: September 16, 1996
310 Can't remember (this version only lasted a day -- cjm).
311
312Version 1.5: September 17, 1996 (cjm)
313 Corrected error in handling incoming UDP packets
314 with zero checksum.
315
316Version 1.6: September 18, 1996
317 Simplified ICMP data storage. Will now handle
318 tracert from Win95 as well as FreeBSD traceroute.
319
320Version 1.7: January 9, 1997 (cjm)
321 - Reduced malloc() activity for ICMP echo and
322 timestamp requests.
323 - Added handling for out-of-order IP fragments.
324 - Switched to differential checksum computation
325 for IP headers (TCP, UDP and ICMP checksums
326 were already differential).
327 - Accepts FTP data connections from other than
328 port 20. This allows one ftp connections
329 from two hosts which are both running packet
330 aliasing.
331
332Version 1.8: January 14, 1997 (cjm)
333 - Fixed data type error in function StartPoint()
334 in alias_db.c (this bug did not exist before v1.7)
335
336Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
337 - Upgraded base PPP version to be the source code from
338 FreeBSD 2.1.6, with additional security patches. This
339 version should still be possible to run on 2.1.5, though -
340 I've run it with a 2.1.5 kernel without problems.
341 (Update done with the permission of cjm)
342
343Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
344 - Added support for IRC DCC (ee)
345 - Changed the aliasing routines to use ANSI style throughout -
346 minor API changes for integration with other programs than PPP (ee)
347 - Changed the build process, making all options switchable
348 from the Makefile (ee)
349 - Fixed minor security hole in alias_ftp.c for other applications
350 of the aliasing software. Hole could _not_ manifest in
351 PPP+pktAlias, but could potentially manifest in other
352 applications of the aliasing. (ee)
353 - Connections initiated from packet aliasing host machine will
354 not have their port number aliased unless it conflicts with
355 an aliasing port already being used. (There is an option to
356 disable this for debugging) (cjm)
357 - Sockets will be allocated in cases where there might be
358 port interference with the host machine. This can be disabled
359 in cases where the ppp host will be acting purely as a
360 masquerading router and not generate any traffic of its own.
361 (cjm)
362
363Version 2.0: March, 1997 (cjm)
364 - Incoming packets which are not recognised by the packet
365 aliasing engine are now completely dropped in ip.c.
366 - Aliasing links are cleared when a host interface address
367 changes (due to re-dial and dynamic address allocation).
368 - PacketAliasPermanentLink() API added.
369 - Option for only aliasing private, unregistered IP addresses
370 added.
371 - Substantial rework to the aliasing lookup engine.
372
373Version 2.1: May, 1997 (cjm)
374 - Continuing rework to the aliasing lookup engine to support
375 multiple incoming addresses and static NAT.
376 - Now supports outgoing as well as incoming ICMP error messages/
377 - PPP commands to support address and port redirection.
378
379