※ Origin: 鳥窩 (BirdNest.twbbs.org) ◆ From: sw68-83-248.adsl.seed.net.tw
> -------------------------------------------------------------------------- <
From: [email protected] (頭文字D餅乾), Board: FreeBSD
Subject: Re: Tips for hosting a server over a ppp dial-up connection
Posted from: 鳥窩 BBS (Sun Sep 7 16:02:59 2003)
Relay path: ptt!ctu-reader!ctu-peer!news.nctu!News.Math.NCTU!birdnest
That site doesn't accept email; also, this is probably something many people haven't noticed...
Author: [email protected] (Mail Delivery Subsystem)
Subject: Returned mail: Service unavailable
Date: Sun Sep 7 15:30:25 2003
※ Quoting foo@bar:
: After dialing up at boot... it doesn't seem to run ppp.linkup... nothing gets updated...
: The contents are as follows:
: hinet:
: ! /bin/sh "/etc/ppp/up-date.sh"
: Doing it this way doesn't work... (up-date.sh is my script for updating DNS)
: Is the way I wrote this wrong? Is there another way to debug it and see where the error is?
Take a look at /var/log/messages and see whether an error like this shows up:
ppp[528]: Warning: /etc/ppp/ppp.linkup: ! sh /etc/ppp/miscup.sh: Invalid command
This is related to the format of ppp.conf/ppp.linkup/ppp.linkdown:
hinet:
! /bin/sh "/etc/ppp/up-date.sh"
versus
hinet:
 ! /bin/sh "/etc/ppp/up-date.sh"
They differ by only one space, but ppp only recognizes the latter; this is probably the cause.
See the comments at the top of /usr/share/examples/ppp/ppp.conf.sample.
: Also, about what comes after the command... the article mentions interface; does that have to be added?
: Or does it mean it's another variable value handed to the script that follows?!!
interface doesn't have to be added; it's only there for the script to use.
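A small lint for the indentation rule described above, added here as an example (it is not from the original post). It assumes the convention stated in the ppp.conf.sample comments: labels start in column 0 and end with ':', and every command line is indented.

```shell
#!/bin/sh
# lint_pppconf: report lines in a ppp.conf / ppp.linkup / ppp.linkdown
# file that ppp(8) would reject with "Invalid command".
# Assumed rules (from the ppp.conf.sample comments): a label starts in
# column 0 and ends with ':', every command line is indented by at least
# one space or tab, '#' comment lines and blank lines are ignored.
# Exit status: 0 if every line is acceptable, 1 if any line was reported.
lint_pppconf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        /^[^ \t].*:[ \t]*$/      { next }   # label, starts in column 0
        /^[ \t]/                 { next }   # indented command: fine
        {
            # A command in column 0: this is the "one space" mistake.
            printf "%s:%d: command must be indented: %s\n", FILENAME, FNR, $0
            bad = 1
        }
        END { exit bad }
    ' "$@"
}

# Usage: lint_pppconf /etc/ppp/ppp.conf /etc/ppp/ppp.linkup
if [ $# -gt 0 ]; then lint_pppconf "$@"; fi
```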
> -------------------------------------------------------------------------- <
From: [email protected] (樂腳仔), Board: FreeBSD
Subject: Re: Tips for hosting a server over a ppp dial-up connection
Posted from: 台大電機 Maxwell BBS (Tue Sep 9 23:25:03 2003)
Relay path: ptt!ctu-reader!ctu-peer!news.nctu!netnews.csie.nctu!freebsd.ntu!bbs.ee
Answering my own question...
hinet:
 add default HISADDR
 enable dns
 ! /bin/sh "/etc/ppp/up-date.sh"
and it works.
※ Quoting bicar (樂腳仔):
: Thanks... it really was the space:
: But after running up-date.sh... I found
: that I can no longer ping external DNS servers...
: that is, after dialing up it doesn't know which DNS server to use...
: I've added enable dns or add default HISADDR after hinet:... neither works
: What do I need to do to get the connection working normally again?
: ※ Quoting [email protected] (頭文字D餅乾):
: : That site doesn't accept email; also, this is probably something many people haven't noticed...
: : Author: [email protected] (Mail Delivery Subsystem)
: : Subject: Returned mail: Service unavailable
: : Date: Sun Sep 7 15:30:25 2003
: : Take a look at /var/log/messages and see whether an error like this shows up:
: : ppp[528]: Warning: /etc/ppp/ppp.linkup: ! sh /etc/ppp/miscup.sh: Invalid command
: : This is related to the format of ppp.conf/ppp.linkup/ppp.linkdown:
: : hinet:
: : ! /bin/sh "/etc/ppp/up-date.sh"
: : versus
: : hinet:
: :  ! /bin/sh "/etc/ppp/up-date.sh"
: : They differ by only one space, but ppp only recognizes the latter; this is probably the cause.
: : See the comments at the top of /usr/share/examples/ppp/ppp.conf.sample.
: : interface doesn't have to be added; it's only there for the script to use.
Tips for hosting a server over a ppp dial-up connection:
This section isn't about ppp dial-up as such; it's about one small problem with dialing up over ppp.
After a disconnect of unknown cause, ppp is able to dial back in, but the IP it gets then is a new
one. Many people deal with this with cron/crontab, checking every few minutes whether the IP has
changed, but that isn't actually necessary.
Reading ppp(8) carefully, it mentions two files, ppp.linkup and ppp.linkdown, which are read and
processed when ppp connects and disconnects respectively, and commands can be added to them according
to your needs. The main advantage of this approach is that it lets the ipfw/firewall rules be updated
automatically.
At system startup, ppp runs before rc.firewall is set up, so ppp.linkup gets executed once first, and
by then the firewall is already configured; rc.conf should therefore set firewall to UNKNOWN to avoid
configuring it twice. Also set ppp to ddial, so that as soon as the link drops it immediately runs the
planned commands via ppp.linkdown/ppp.linkup. The examples below modify papchap in ppp.conf directly,
so ppp.linkup/ppp.linkdown both use papchap as the label. One more thing is the sounds; whether to add
them is up to you, and if you want them, find your own files to substitute :-)
Finally, remember to change the firewall rules to what you actually want; for details, man ipfw.
[File] /etc/ppp/ppp.conf:
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:vr0 # 512/64 adsl; not a great card, but at this traffic level
                      # it has never hit a watchdog timeout, so it does the job :-p
 set mtu 1492
 set mru 1492
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR # Add a (sticky) default route
 # enable dns # request DNS info (for resolv.conf)
 # I run my own named, so this isn't needed here
papchap:
 set authname "撥接帳號"
 set authkey "你猜"
# end of ppp.conf
[File] /etc/ppp/ppp.linkup:
# Example of ppp.linkup file
papchap:
 !bg /bin/sh "/etc/ppp/trumpet.sh" INTERFACE
 ! /bin/sh "/etc/ppp/firewall.sh" MYADDR HISADDR INTERFACE
 ! /bin/sh "/etc/ppp/misc.sh" INTERFACE
# end of ppp.linkup
[File] /etc/ppp/ppp.linkdown:
# Example of ppp.linkdown file
papchap:
 ! /etc/ppp/babu.sh INTERFACE
# end of ppp.linkdown
[File] /etc/ppp/firewall.sh (copied from /etc/rc.firewall and modified; this is only a demonstration):
#!/bin/sh
setup_loopback () {
    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
# set these to your outside interface network and netmask and ip
# $1 and $3 here are what ppp passes in (MYADDR and INTERFACE; $2, HISADDR, is unused)
# for how onet and omask relate, see the detailed ipfw documentation yourself
# this is only what I used for my own testing; ssh/ftp and a bunch of others aren't opened
oif=$3
onet=$1
omask="255.255.255.0"
oip=$1
# the divert rule below uses natd_interface; rc.firewall reads it from rc.conf,
# but this copy left it undefined, so it is set here to the ppp link (assumed)
natd_interface=${oif}
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.128.63"
imask="255.255.255.0"
iip="192.168.128.63"
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# end of firewall.sh
[File] /etc/ppp/misc.sh:
#!/bin/sh
# I use ddclient to update my dyndns record
kill -HUP `cat /var/run/ddclient.pid`
# restart named; there may be a better way, but I never looked into it carefully
ndc restart
# end of misc.sh
[File] /etc/ppp/trumpet.sh:
#!/bin/sh
# use logger to add a message to the system log
logger "ppp: dialup connection established! $1, `date`"
# make a little noise to cheer myself up(?)
cat /etc/ppp/trumpet.au > /dev/audio
# end of trumpet.sh
[檔案] /etc/ppp/babu.sh:
#!/bin/sh
cat /etc/ppp/alarm.au > /dev/audio
logger "ppp: dialup connection dropped! babu~ "$1", "`date`
--
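firewall.sh above flushes every rule before rebuilding them from $1 and $3, so an empty or odd value handed in by ppp would leave the machine with a broken rule set. The following check, added here as an example (not part of the original post), refuses to continue unless MYADDR, HISADDR and INTERFACE look like what ppp(8) should pass; it assumes the ppp interface is a tunN device and uses constructed sample addresses from the NET-TEST range.

```shell
#!/bin/sh
# Sanity check for the arguments ppp(8) substitutes on a ppp.linkup line:
#   ! /bin/sh "/etc/ppp/firewall.sh" MYADDR HISADDR INTERFACE
# Added example: call check_linkup_args "$@" in firewall.sh before the
# "${fwcmd} -f flush" line, so a bad argument leaves the old rules in place.

# is_ipv4 ADDR: true for four dotted decimal octets in 0-255, nothing else.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
        }'
}

# is_ifname NAME: ppp(8) hands us its tunN interface (assumed); reject anything
# else, which also keeps shell metacharacters out of the ipfw command lines.
is_ifname() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_linkup_args MYADDR HISADDR INTERFACE: 0 if all three are sane.
check_linkup_args() {
    [ $# -eq 3 ]   || { echo "firewall.sh: expected 3 arguments, got $#" >&2; return 1; }
    is_ipv4 "$1"   || { echo "firewall.sh: bad MYADDR '$1'" >&2; return 1; }
    is_ipv4 "$2"   || { echo "firewall.sh: bad HISADDR '$2'" >&2; return 1; }
    is_ifname "$3" || { echo "firewall.sh: bad INTERFACE '$3'" >&2; return 1; }
    return 0
}
```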