Tips for running a server over a ppp dialup connection:

This section is not about ppp dialup itself. It is about one small problem with ppp dialup: after the link drops for no apparent reason, ppp is perfectly able to redial, but it then gets a new IP. Many people handle this with cron/crontab, checking every few minutes whether the IP has changed. That is not actually necessary. Reading ppp(8) carefully, it mentions two files, ppp.linkup and ppp.linkdown, which are read and processed when the ppp link comes up and when it goes down, respectively; commands can be added to them as needed. The main advantage of this route is that the ipfw/firewall rules can be updated automatically.

When the system boots, ppp is executed before the rc.firewall setup, so ppp.linkup is run once first, and at that point the firewall is already set up; therefore rc.conf should set the firewall to UNKNOWN to avoid setting it twice. Also set ppp to ddial, so that as soon as the link drops the predetermined commands are executed immediately via ppp.linkdown/ppp.linkup.

The examples below modify papchap in ppp.conf directly, so ppp.linkup/ppp.linkdown both use papchap as the label. Another point is the sound; whether to add it is up to you, and if you want it, find your own files to substitute :-) Finally, remember to change the firewall rules to what you actually need; for details, man ipfw.

[File] /etc/ppp/ppp.conf:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:vr0
 # 512/64 adsl; not a great card, but at this traffic level
 # there has never been a watchdog timeout, so it is good enough :-p
 set mtu 1492
 set mru 1492
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR # Add a (sticky) default route
 # enable dns # request DNS info (for resolv.conf)
 # I run my own named, so this is not needed here

papchap:
 set authname "撥接帳號"
 set authkey "你猜"
# end of ppp.conf

[File] /etc/ppp/ppp.linkup:

# Example of ppp.linkup file
papchap:
 !bg /bin/sh "/etc/ppp/trumpet.sh" INTERFACE
 ! /bin/sh "/etc/ppp/firewall.sh" MYADDR HISADDR INTERFACE
 ! /bin/sh "/etc/ppp/misc.sh" INTERFACE
# end of ppp.linkup

[File] /etc/ppp/ppp.linkdown:

# Example of ppp.linkdown file
papchap:
 ! /etc/ppp/babu.sh INTERFACE
# end of ppp.linkdown

[File] /etc/ppp/firewall.sh (copied from /etc/rc.firewall and modified; this is only a demonstration):

#!/bin/sh

setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush

# set these to your outside interface network and netmask and ip
# $1 and $3 here are what ppp passes in ($2 is not used)
# for the relationship between onet and omask, see the ipfw documentation
# this is only what I used for my own testing; ssh/ftp and many others are not opened
oif=$3
onet=$1
omask="255.255.255.0"
oip=$1

# natd(8) listens on the outside interface
natd_interface="${oif}"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.128.63"
imask="255.255.255.0"
iip="192.168.128.63"

setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# end of firewall.sh

[File] /etc/ppp/misc.sh:

#!/bin/sh
# I use ddclient to update my dyndns record
kill -HUP `cat /var/run/ddclient.pid`
# restart named; there may be a better way, but I never looked into it
ndc restart
# end of misc.sh

[File] /etc/ppp/trumpet.sh:

#!/bin/sh
# use logger to add a message to the system log ($1 is the interface passed by ppp)
logger "ppp: dialup connection established! $1, $(date)"
# make some noise to cheer myself up (?)
cat /etc/ppp/trumpet.au > /dev/audio
# end of trumpet.sh

[File] /etc/ppp/babu.sh:

#!/bin/sh
cat /etc/ppp/alarm.au > /dev/audio
logger "ppp: dialup connection dropped! babu~ $1, $(date)"
# end of babu.sh

--
※ Origin: 鳥窩 (BirdNest.twbbs.org) ◆ From: sw68-83-248.adsl.seed.net.tw

> -------------------------------------------------------------------------- <

From: [email protected] (頭文字D餅乾), Board: FreeBSD
Subject: Re: Tips for running a server over a ppp dialup connection
Site: 鳥窩 BBS (Sun Sep 7 16:02:59 2003)
Relay path: ptt!ctu-reader!ctu-peer!news.nctu!News.Math.NCTU!birdnest

That site does not accept email; also, this is something many people probably have not noticed...

Author: [email protected] (Mail Delivery Subsystem)
Subject: Returned mail: Service unavailable
Time: Sun Sep 7 15:30:25 2003

※ Quoting 《foo@bar》:
: After dialing up at boot... it seems ppp.linkup is never executed... nothing gets updated...
: The contents are as follows:
: hinet:
: ! /bin/sh "/etc/ppp/up-date.sh"
: Doing it this way does not work... (up-date.sh is my script for updating DNS)
: Am I doing something wrong here? Is there another way to debug where the error is?

You can look in /var/log/messages to see whether an error like this appears:

ppp[528]: Warning: /etc/ppp/ppp.linkup: ! sh /etc/ppp/miscup.sh: Invalid command

This has to do with the format of ppp.conf/ppp.linkup/ppp.linkdown:

hinet:
! /bin/sh "/etc/ppp/up-date.sh"

versus

hinet:
 ! /bin/sh "/etc/ppp/up-date.sh"

differ by only one space, but ppp only recognizes the latter. This is probably the cause; see the comments at the top of /usr/share/examples/ppp/ppp.conf.sample.

: Also, about the interface that the article puts after the command... does it have to be there?
: Or is it just another variable value handed to the script?

interface does not have to be there; it is only for the script's use.

> -------------------------------------------------------------------------- <

From: [email protected] (樂腳仔), Board: FreeBSD
Subject: Re: Tips for running a server over a ppp dialup connection
Site: 台大電機 Maxwell BBS (Tue Sep 9 23:25:03 2003)
Relay path: ptt!ctu-reader!ctu-peer!news.nctu!netnews.csie.nctu!freebsd.ntu!bbs.ee

Answering my own question...

hinet:
 add default HISADDR
 enable dns
 ! /bin/sh "/etc/ppp/up-date.sh"

does the trick.

※ Quoting 《bicar (樂腳仔)》:
: Thanks... it really was the space problem.
: But after running up-date.sh... I found
: I could no longer ping the outside DNS...
: That is, after dialing up it does not know which DNS to use...
: I added enable dns or add default HISADDR after hinet:... neither worked.
: How do I get the connection back to normal?
: ※ Quoting 《[email protected] (頭文字D餅乾)》:
: : That site does not accept email; also, this is something many people probably have not noticed...
: : Author: [email protected] (Mail Delivery Subsystem)
: : Subject: Returned mail: Service unavailable
: : Time: Sun Sep 7 15:30:25 2003
: : You can look in /var/log/messages to see whether an error like this appears:
: : ppp[528]: Warning: /etc/ppp/ppp.linkup: ! sh /etc/ppp/miscup.sh: Invalid command
: : This has to do with the format of ppp.conf/ppp.linkup/ppp.linkdown:
: : hinet:
: : ! /bin/sh "/etc/ppp/up-date.sh"
: : versus
: : hinet:
: :  ! /bin/sh "/etc/ppp/up-date.sh"
: : differ by only one space, but ppp only recognizes the latter. This is probably the cause;
: : see the comments at the top of /usr/share/examples/ppp/ppp.conf.sample.
: : interface does not have to be there; it is only for the script's use.
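The firewall.sh in the first post splices $1 and $3 (MYADDR and INTERFACE, as handed over by ppp) straight into ipfw commands. As an added example, not part of the thread, here is a hook skeleton that checks those arguments first and leaves the current rules alone when they do not look like an address and an interface name; the rule list is a trimmed stand-in for the poster's, and the logger tag and the line-by-line loading through /sbin/ipfw are this example's own choices.

```shell
#!/bin/sh
# Added example: a firewall.sh hook that validates the arguments ppp passes it.
# ppp.linkup calls it as:  ! /bin/sh "/etc/ppp/firewall.sh" MYADDR HISADDR INTERFACE

# 0 if $1 is a dotted quad with every octet in 0..255, 1 otherwise.
valid_ipv4() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # stray characters or empty octets
    esac
    n=0; rest="$1."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        { [ ${#octet} -le 3 ] && [ "$octet" -le 255 ]; } || return 1
        n=$((n + 1))
    done
    [ $n -eq 4 ]
}

# 0 if $1 looks like a BSD interface name: letters, then letters/digits, under 16 chars.
valid_ifname() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print ipfw rules for outside address $1 on interface $2. A short stand-in for
# the thread's full list; a real hook would carry the complete rule set here.
render_rules() {
    cat <<EOF
add 100 pass all from any to any via lo0
add 200 deny all from 192.168.0.0/16 to any via $2
add 300 pass tcp from any to any established
add 400 pass tcp from any to $1 80 setup
add 500 deny log tcp from any to any in via $2 setup
add 600 pass udp from $1 to any 53 keep-state
EOF
}

# Only act when ppp invokes us with its three arguments. A bad argument is logged
# and the existing rules stay in place (fail closed) instead of being flushed.
if [ $# -eq 3 ]; then
    if valid_ipv4 "$1" && valid_ipv4 "$2" && valid_ifname "$3"; then
        /sbin/ipfw -q -f flush
        render_rules "$1" "$3" | while read -r rule; do /sbin/ipfw -q $rule; done
    else
        logger -p daemon.err "firewall.sh: rejected ppp arguments: $1 $2 $3"
        exit 1
    fi
fi
```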
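The layout problem diagnosed in the two replies above (a command line under a label that is not indented) can be caught before ppp is even restarted. This checker is an added example, not something from the thread; check_ppp_layout and the two sample functions are names chosen here, and the sample contents are constructed from the two variants quoted in the replies.

```shell
#!/bin/sh
# Added example: check a ppp.conf / ppp.linkup / ppp.linkdown file for the layout
# ppp(8) expects: a label starts in column 1 and ends with ":", and every command
# under it is indented by at least one space or tab.

# Read the file named in $1 (or stdin); print one line per offending line and
# return 0 only if the layout is clean.
check_ppp_layout() {
    awk '
        BEGIN { rc = 0 }
        function bad(why) {
            f = (FILENAME == "") ? "stdin" : FILENAME
            printf("%s:%d: %s: %s\n", f, NR, why, $0)
            rc = 1
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }                 # blank line or comment
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { label = $0; next }   # label in column 1
        /^[ \t]/ { if (label == "") bad("command before any label"); next }
        { bad("not indented, ppp will not run it as a command under a label") }
        END { exit rc }
    ' ${1:+"$1"}
}

# Constructed samples: the two variants quoted in the replies above.
sample_broken() {
    printf '%s\n' 'hinet:' '! /bin/sh "/etc/ppp/up-date.sh"'
}
sample_fixed() {
    printf '%s\n' 'hinet:' ' add default HISADDR' ' enable dns' \
        ' ! /bin/sh "/etc/ppp/up-date.sh"'
}

# Typical use: sh ppp-layout-check.sh /etc/ppp/ppp.linkup
if [ $# -gt 0 ]; then
    check_ppp_layout "$1"
fi
```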