<!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
]>

<book>

<bookinfo>
<title>PPP - Pedantic PPP Primer</title>

<authorgroup>
<author>
<firstname>Steve</firstname>			
<surname>Sims</surname>
<affiliation>
<address><email>SimsS@IBM.net</email></address>
</affiliation>
</author>
</authorgroup>

<pubdate>$FreeBSD: doc/en_US.ISO_8859-1/books/ppp-primer/book.sgml,v 1.7 2001/04/05 01:44:24 dd Exp $</pubdate>

<abstract><para>This is a step-by-step guide for configuring FreeBSD systems to act as
a dial-up router/gateway in a Local Area Environment.  All entries may
be assumed to be relevant to FreeBSD 2.2+, unless otherwise noted.</para></abstract>

</bookinfo>

<preface>
<title>Overview:</title>

<para>The User-Mode PPP dialer in FreeBSD Version 2.2 (also known as:
<emphasis remap=it>"IIJ-PPP"</emphasis> ) now supports Packet Aliasing for dial up
connections to the Internet.  This feature, also known as
"<emphasis remap=it>Masquerading</emphasis>", "<emphasis remap=it>IP Aliasing</emphasis>", or "<emphasis remap=it>Network Address
Translation</emphasis>", allows a FreeBSD system to act as a dial-on-demand
router between an Ethernet-based Local Area Network and an Internet
Service Provider.  Systems on the LAN can use the FreeBSD system to
forward information to and from the Internet by means of a single
dial-up connection.</para>
  
<para>This guide explains how to:
<itemizedlist>

<listitem>
<para>Configure the FreeBSD system to support dial-out connections,</para>
</listitem>

<listitem>
<para>Share a dial-out connection with other systems in a network,</para>
</listitem>

<listitem>
<para>Configure Windows platforms to use the FreeBSD system as a gateway to the Internet.</para>
</listitem>

</itemizedlist>
</para>
  
<para>While the focus of this guide is to assist in configuring IP Aliasing,
it also includes specific examples of the configuration steps necessary
to configure and install each individual component; each section stands
alone and may be used to assist in the configuration of various aspects
of FreeBSD internetworking.</para>
  
</preface>

<chapter>
<title>Building the Local Area Network</title>

<para>While the ppp program can be, and usually is, configured to provide
services to <emphasis>only</emphasis> the local FreeBSD box, it can also be used to serve as a
"Gateway" (or "router") between other LAN-connected resources and the Internet or
other Dial-Up service.</para>
  

<sect1>
<title>Typical Network Topology</title>

<para>This guide assumes a typical Local Area Network lashed together as
follows:
<programlisting> 
+---------+       ----&gt; Dial-Up Internet Connection
| FreeBSD |       \       (i.e.: NetCom, AOL, AT&amp;T, EarthLink, etc)
|         |--------
| "Curly" |
|         |
+----+----+
     |
|----+-------------+-------------+----|  &lt;-- Ethernet Network
     |             |             |
     |             |             |
+----+----+   +----+----+   +----+----+
|         |   |         |   |         |
|  Win95  |   |   WFW   |   |  WinNT  |
| "Larry" |   |  "Moe"  |   | "Shemp" |
|         |   |         |   |         |
+---------+   +---------+   +---------+</programlisting>
</para>
  
</sect1>

<sect1>
<title>Assumptions about the Local Area Network</title>

<para>Some specific assumptions about this sample network are:</para>
  
<para>Three workstations and a Server are connected with Ethernet
cabling:
<itemizedlist>

<listitem>
<para>a FreeBSD Server ("Curly") with an NE-2000 adapter configured as
'ed0'</para>
</listitem>

<listitem>
<para>a Windows-95 workstation ("Larry") with Microsoft's "native"
32-bit TCP/IP drivers</para>
</listitem>

<listitem>
<para>a Windows for Workgroups workstation ("Moe") with Microsoft's
16-bit TCP/IP extensions</para>
</listitem>

<listitem>
<para>a Windows NT workstation ("Shemp") with Microsoft's "native"
32-bit TCP/IP drivers</para>
</listitem>

</itemizedlist>
 </para>

<para>The IP addresses on the Ethernet side of this sample LAN have been
taken from the pool of addresses reserved by RFC 1918 for use on
private LANs, so you are free to use these actual IP addresses on your
own LAN if you want.  IP addresses are assigned as follows:</para>

<informaltable>
  <tgroup cols=3>
    <thead>
      <row>
        <entry>Name</entry>
	<entry>IP Address</entry>
	<entry>Comment</entry>
      </row>
    </thead>

    <tbody>
      <row>
        <entry><hostid>Curly</hostid></entry>
        <entry><hostid role="ipaddr">192.168.1.1</hostid></entry>
        <entry>The FreeBSD box</entry>
      </row>

      <row>
        <entry><hostid>Larry</hostid></entry>
        <entry><hostid role="ipaddr">192.168.1.2</hostid></entry>
        <entry>The Win'95 box</entry>
      </row>

      <row>
        <entry><hostid>Moe</hostid></entry>
        <entry><hostid role="ipaddr">192.168.1.3</hostid></entry>
        <entry>The WfW box</entry>
      </row>

      <row>
        <entry><hostid>Shemp</hostid></entry>
        <entry><hostid role="ipaddr">192.168.1.4</hostid></entry>
        <entry>The Windows NT box</entry>
      </row>
    </tbody>
  </tgroup>
</informaltable>

<para>This guide assumes that the modem on the FreeBSD box is connected 
to the first serial port ('<filename>/dev/cuaa0</filename>' or '<emphasis remap=tt>COM1:</emphasis>' in
DOS-terms).</para>
  
<para>Finally, we'll also assume that your Internet Service Provider (ISP)
automatically provides the IP addresses of both your PPP/FreeBSD side
as well as the ISP's side.  (i.e.: Dynamic IP Addresses on both ends 
of the link.)  Specific details for configuring the Dial-Out side of 
PPP will be addressed in Section 2, "Configuring the FreeBSD System".</para>
  
</sect1>
</chapter>

<chapter id="system-config">
<title>FreeBSD System Configuration</title>

<para>There are three basic pieces of information that must be known to
the FreeBSD box before you can proceed with integrating the sample
Local Area Network:</para>
  
<para>
<itemizedlist>

<listitem>
<para>The Host Name of the FreeBSD system; in our example it's "Curly",</para>
</listitem>

<listitem>
<para>The Network configuration,</para>
</listitem>

<listitem>
<para>The <filename>/etc/hosts</filename> file (which lists the names and IP addresses of
the other systems in your network)</para>
</listitem>

</itemizedlist>
</para>
  
<para>If you performed the installation of FreeBSD over a network
connection some of this information may already be configured into
your FreeBSD system.</para>
  
<para>Even if you believe that the FreeBSD system was properly configured
when it was installed you should at least verify each of these bits of
information to prevent trouble in subsequent steps.</para>
  

<sect1>
<title>Verifying the FreeBSD Host Name</title>

<para>It's possible that the FreeBSD host name was specified and saved
when the system was initially installed.  To verify that it was, enter
the following command at a prompt:</para>
  
<para>
<informalexample>
<screen># hostname</screen>
</informalexample>
</para>
  
<para>The name of the host FreeBSD system will be displayed on a single
line.  If the name looks correct (this is very subjective :-) skip
ahead to <xref linkend="verify-ether-if-config">.</para>
        
<para>For example, in our sample network, we would see 'curly.my.domain'
as a result of the `hostname` command if the name had been set
correctly during, or after, installation.  (At this point, don't worry
too much about the ".my.domain" part, we'll sort this out later.  The
important part is the name up to the first dot.)</para>
  
<para>If a host name wasn't specified when FreeBSD was installed you'll
probably see 'myname.my.domain' as a response.  You'll need to edit
<filename>/etc/rc.conf</filename> to set the name of the machine.</para>
  

<sect2>
<title>Configuring the FreeBSD Host Name</title>

<para><emphasis><emphasis remap=bf>Reminder: You must be logged in as 'root' to edit the
system configuration files!</emphasis></emphasis></para>
  
<para><emphasis><emphasis remap=bf>CAUTION: If you mangle the system configuration files,
chances are your system WILL NOT BOOT correctly!  Be careful!</emphasis></emphasis></para>
  
<para>The configuration file that specifies the FreeBSD system's host
name when the system boots is in <filename>/etc/rc.conf</filename>.  Use the
default text editor ('<emphasis remap=tt>ee</emphasis>') to edit this file.</para>
  
<para>Logged in as user 'root' load <filename>/etc/rc.conf</filename> into the
editor with the following command:
<informalexample>
<screen># ee /etc/rc.conf</screen>
</informalexample>
</para>
  
<para>Using the arrow keys, scroll down until you find the line that 
specifies the host name of the FreeBSD system.  By default, this 
section says:
<informalexample>
<screen>---
### Basic network options: ###
hostname="myname.my.domain"	# Set this!
---</screen>
</informalexample>

Change this section to say (in our example):
<informalexample>
<screen>---
### Basic network options: ###
hostname="curly.my.domain"	# Set this!
---</screen>
</informalexample>
</para>
  
<para>Once the change to the host name has been made, press the 'Esc' key to
access the command menu.  Select "leave editor" and make sure to
specify "save changes" when prompted.</para>
  
</sect2>
</sect1>

<sect1 id="verify-ether-if-config">
<title>Verifying the Ethernet Interface Configuration</title>

<para>To reiterate our basic assumption, this guide assumes that the
Ethernet Interface in the FreeBSD system is named '<emphasis remap=tt>ed0</emphasis>'.  This is
the default for NE-1000, NE-2000, WD/SMC models 8003, 8013 and Elite
Ultra (8216) network adapters.</para>
  
<para>Other models of network adapters may have different device names in
FreeBSD.  Check the FAQ for specifics about your network adapter.  If
you're not sure of the device name of your adapter, check the FreeBSD
FAQ to determine the device name for the card you have and substitute
that name (i.e.: '<emphasis remap=tt>de0</emphasis>', '<emphasis remap=tt>zp0</emphasis>', or similar) in the following
steps.</para>
  
<para>As was the case with the host name, the configuration for the
FreeBSD system's Ethernet Interface may have been specified when the
system was installed.</para>
  
<para>To display the configuration for the interfaces in your 
FreeBSD system (Ethernet and others), enter the following command:
<informalexample>
<screen># ifconfig -a</screen>
</informalexample>

(In layman's terms:  "Show me the <emphasis remap=bf>I</emphasis>nter<emphasis remap=bf>F</emphasis>ace <acronym>CONFIG</acronym>uration
for my network devices.") </para>
  
<para>An example:
<informalexample>
<screen># ifconfig -a
 ed0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
      inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
      ether 01:02:03:04:05:06
 lp0: flags=8810&lt;POINTOPOINT,SIMPLEX,MULTICAST&gt; mtu 1500
 tun0: flags=8050&lt;POINTOPOINT,RUNNING, MULTICAST&gt; mtu 1500
 sl0: flags=c010&lt;POINTOPOINT,LINK2,MULTICAST&gt; mtu 552
 ppp0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500
 lo0: flags=8049&lt;UP,LOOPBACK,RUNNING,MULTICAST&gt; mtu 16384
      inet 127.0.0.1 netmask 0xff000000
# _</screen>
</informalexample>
</para>
  
<para>In this example, the following devices were displayed:</para>
  
<para><emphasis remap=tt>ed0:</emphasis>  The Ethernet Interface</para>
  
<para><emphasis remap=tt>lp0:</emphasis>  The Parallel Port Interface (ignored in this guide)</para>
  
<para><emphasis remap=tt>tun0:</emphasis> The "tunnel" device; <emphasis>This is the one user-mode ppp uses!</emphasis></para>
  
<para><emphasis remap=tt>sl0:</emphasis>  The SL/IP device (ignored in this guide)</para>
  
<para><emphasis remap=tt>ppp0:</emphasis> Another PPP device (for kernel ppp; ignored in this guide)</para>
  
<para><emphasis remap=tt>lo0:</emphasis>  The "Loopback" device (ignored in this guide)</para>
  
<para>In this example, the 'ed0' device is up and running.  The key 
indicators are:
<orderedlist>

<listitem>
<para>Its status is "<acronym>UP</acronym>",</para>
</listitem>

<listitem>
<para>It has an Internet ("<emphasis remap=tt>inet</emphasis>") address, (in this case, 192.168.1.1)</para>
</listitem>

<listitem>
<para>It has a valid Subnet Mask ("netmask"; 0xffffff00 is the same as
255.255.255.0), and</para>
</listitem>

<listitem>
<para>It has a valid broadcast address (in this case, 192.168.1.255).</para>
</listitem>

</orderedlist>
</para>
  
<para>If the line for the Ethernet card had shown something similar to:
<informalexample>
<screen>ed0: flags=8802&lt;BROADCAST,SIMPLEX,MULTICAST&gt; mtu 1500
        ether 01:02:03:04:05:06</screen>
</informalexample>

then the Ethernet card hasn't been configured yet.</para>
  
<para>If the configuration for the Ethernet interface is correct you can
skip forward to <xref linkend="list-lan-hosts">.</para>
      
<sect2 >
<title>Configuring your Ethernet Interface</title>

<para><emphasis><emphasis remap=bf>Reminder:  You must be logged in as 'root' to edit the
system configuration files!</emphasis></emphasis></para>
  
<para><emphasis><emphasis remap=bf>CAUTION:  If you mangle the system configuration files, 
chances are your system WILL NOT BOOT correctly!  Be careful!</emphasis></emphasis></para>
  
<para>The configuration file that specifies settings for the network
interfaces when the system boots is in <filename>/etc/rc.conf</filename>.  Use
the default text editor ('ee') to edit this file.</para>
  
<para>Logged in as user 'root' load <filename>/etc/rc.conf</filename> into the
editor with the following command:</para>
  
<para><command>  # ee /etc/rc.conf</command></para>
  
<para>About 20 lines from the top of <filename>/etc/rc.conf</filename> is the section
that describes which network interfaces should be activated when the
system boots.  In the default configuration file the specific line
that controls this is:</para>
  
<para>
<informalexample>
<screen>network_interfaces="lo0"       # List of network interfaces (lo0 is loopback).</screen>
</informalexample>
</para>
  
<para>You'll need to amend this line to tell FreeBSD that you want to add
another device, namely the '<emphasis remap=tt>ed0</emphasis>' device.  Change this line to
read:</para>
  
<para>
<informalexample>
<screen>network_interfaces="lo0 ed0"   # List of network interfaces (lo0 is loopback).</screen>
</informalexample>
</para>
  
<para>(Note the space between the definition for the loopback device
("<emphasis remap=tt>lo0</emphasis>") 
and the Ethernet device ("<emphasis remap=tt>ed0</emphasis>")!)</para>
  
<para><emphasis><emphasis remap=bf> Reminder: If your Ethernet card isn't named '<emphasis remap=tt>ed0</emphasis>', specify
the correct device name here instead.</emphasis></emphasis></para>
  
<para>If you performed the installation of FreeBSD over a network
connection then the '<literal>network_interfaces=</literal>' line may already
include a reference to your Ethernet adapter.  If it does, verify that
it is the correct device name.</para>
  
<para>Specify the Interface Settings for the Ethernet device
('<emphasis remap=tt>ed0</emphasis>'):</para>
  
<para>Beneath the line that specifies which interfaces should be
activated are the lines that specify the actual settings for each
interface.  In the default <filename>/etc/rc.conf</filename> file is a single
line that says:</para>
  
<para>
<informalexample>
<screen>ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.</screen>
</informalexample>
</para>
  
<para>You'll need to add another line after that to specify the settings
for your '<emphasis remap=tt>ed0</emphasis>' device.</para>
  
<para>If you performed the installation of FreeBSD over a network
connection then there may already be an '<literal>ifconfig_ed0=</literal>' line
after the loopback definition. If so, verify that it has the correct
values.</para>
  
<para>For our sample configuration we'll insert a line immediately after
the loopback device definition that says:</para>
  
<para>
<informalexample>
<screen>ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"</screen>
</informalexample>
</para>
  
<para>When you've finished editing <filename>/etc/rc.conf</filename> to specify and
configure the network interfaces the section should look really close
to:</para>
  
<para>
<informalexample>
<screen>---
network_interfaces="lo0 ed0"    # List of network interfaces (lo0 is loopback).
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
---</screen>
</informalexample>
</para>
  
<para>Once all of the necessary changes to <filename>/etc/rc.conf</filename> have
been made, press the 'Esc' key to invoke the control menu.  Select
"leave editor" and be sure to select "save changes" when prompted.</para>
  
</sect2>
</sect1>

<sect1>
<title>Enabling Packet Forwarding</title>

<para>By default the FreeBSD system will not forward IP packets between
various network interfaces.  In other words, routing functions (also
known as gateway functions) are disabled.</para>
  
<para>If your intent is to use a FreeBSD system as a stand-alone Internet 
workstation and not as a gateway between LAN nodes and your ISP you 
should skip forward to <xref linkend="list-lan-hosts">.</para>
  
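<para>If you intend for the PPP program to service the local FreeBSD box
as well as LAN workstations (as a router) you'll need to enable IP 
forwarding.  Keep in mind that a system with forwarding enabled will
pass packets between all of its configured interfaces, so enable it
only on the box that is meant to act as the gateway.</para>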
  
<para>To enable IP Packet forwarding you'll need to edit the
<filename>/etc/rc.conf</filename> file.</para>

      <para>This file contains overrides of the defaults in
	<filename>/etc/defaults/rc.conf</filename>.  The default gateway
	setting is controlled by the line</para>

      <programlisting>gateway_enable="NO"</programlisting>

      <para>in that file.  To override it, add a line like</para>

      <programlisting>gateway_enable="YES"</programlisting>

      <para>to <filename>/etc/rc.conf</filename>.</para>
  
<para><emphasis><emphasis remap=bf>NOTE: This line may already be set to
'<literal>gateway_enable="YES"</literal>' if IP forwarding was enabled when the
FreeBSD system was installed.</emphasis></emphasis></para>
  
</sect1>

<sect1 id="list-lan-hosts">
<title>Creating the List of other LAN Hosts (<filename>/etc/hosts</filename>)</title>

<para>The final step in configuring the LAN side of the FreeBSD system is
to create a list of the names and TCP/IP addresses of the various
systems that are connected to the Local Area Network.  This list is
stored in the '<filename>/etc/hosts</filename>' file.</para>
  
<para>The default version of this file has only a single host name
listing in it: the name and address of the loopback device ('lo0').
By networking convention, this device is always named "localhost" and
always has an IP address of 127.0.0.1 (see <xref
	  linkend="verify-ether-if-config">).</para>
      
	  
<para>To edit the <filename>/etc/hosts</filename> file enter the following command:
<informalexample>
<screen> # ee /etc/hosts </screen>
</informalexample>
</para>
  
<para>Scroll all the way to the bottom of the file (paying attention to
the comments along the way; there's some good information there!)  and
enter (assuming our sample network) the following IP addresses and
host names:
<informalexample>
<screen>192.168.1.1    curly  curly.my.domain  # FreeBSD System
192.168.1.2    larry  larry.my.domain  # Windows '95 System
192.168.1.3    moe    moe.my.domain    # Windows for Workgroups System
192.168.1.4    shemp  shemp.my.domain  # Windows NT System</screen>
</informalexample>
</para>
  
<para>(No changes are needed to the line for the '<emphasis remap=tt>127.0.0.1
localhost</emphasis>' entry.)</para>
  
<para>Once you've entered these lines, press the 'Esc' key to invoke the
control menu.  Select "leave editor" and be sure to select "save
changes" when prompted.</para>
  
</sect1>

<sect1>
<title>Testing the FreeBSD system</title>

<para>Congratulations!  Once you've made it to this point, the FreeBSD
system is configured as a network-connected UNIX system!  If you made
any changes to the <filename>/etc/rc.conf</filename> file you should probably
re-boot your FreeBSD system.  This will accomplish two important
objectives:
<itemizedlist>

<listitem>
<para>Allow the changes to the interface configurations to be applied, and</para>
</listitem>

<listitem>
<para>Verify that the system restarts without any glaring configuration errors.</para>
</listitem>

</itemizedlist>
</para>
  
<para>Once the system has been rebooted you should test the network
interfaces.</para>
  

<sect2>
<title>Verifying the operation of the loopback device</title>

<para>To verify that the loopback device is configured correctly, log in as
'root' and enter:
<informalexample>
<screen># ping localhost</screen>
</informalexample>
</para>
  
<para>You should see:
<informalexample>
<screen># ping localhost
PING localhost.my.domain. (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.219 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.287 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.214 ms
[...]</screen>
</informalexample>

messages scroll by until you hit Ctrl-C to stop the madness.</para>
  
</sect2>

<sect2>
<title>Verifying the operation of the Ethernet Device</title>

<para>To verify that the Ethernet device is configured correctly, enter:</para>
  
<para>
<informalexample>
<screen># ping curly</screen>
</informalexample>
</para>
  
<para>You should see:
<informalexample>
<screen># ping curly
PING curly.my.domain. (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.219 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.200 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.187 ms
[...]</screen>
</informalexample>

messages.</para>
  
<para>One important thing to look at in these two examples is that the
names (localhost and curly) correctly correlate to their IP addresses
(127.0.0.1 and 192.168.1.1).  This verifies that the
<filename>/etc/hosts</filename> file is correct.</para>
  
<para>If the IP address for "curly" isn't 192.168.1.1 or the address for
"localhost" isn't 127.0.0.1, return to <xref linkend="list-lan-hosts"> and review your
entries in '<filename>/etc/hosts</filename>'.</para>
  
<para>If the names and addresses are indicated correctly in the result of
the ping command but there are errors displayed then something is
amiss with the interface configuration(s).  Return to <xref linkend="system-config"> and
verify everything again.</para>
  
<para>If everything here checks out, proceed with the next section.</para>
  
</sect2>
</sect1>
</chapter>

<chapter>
<title>Configuring the PPP Dial-Out Connection</title>

<para>There are two basic modes of operation of the ppp driver:
"Interactive" and "Automatic".</para>
  
<para>In Interactive mode you:</para>
  
<para>
<itemizedlist>

<listitem>
<para>Manually establish a connection to your ISP,</para>
</listitem>

<listitem>
<para>Browse, surf, transfer files and mail, etc...,</para>
</listitem>

<listitem>
<para>Manually disconnect from your ISP.</para>
</listitem>

</itemizedlist>
</para>
  
<para>In Automatic mode, the PPP program silently watches what goes on
inside the FreeBSD system and automagically connects and disconnects
with your ISP as required to make the Internet a seamless element of
your network.</para>
  
<para>In this section we'll address the configuration(s) for both modes
with emphasis on configuring your `ppp` environment to operate in
"Automatic" mode.</para>
  

<sect1>
<title>Backing up the original PPP configuration files</title>

      <note>
	<para>More recent versions of FreeBSD have the example files in
	  <filename>/usr/share/examples/ppp</filename>, so this step may not
	  be necessary.</para>
      </note>
      
<para>Before making any changes to the files which are used by PPP you
should make a copy of the default files that were created when the
FreeBSD system was installed.</para>
  
<para>Log in as the 'root' user and perform the following steps:</para>
  
<para>Change to the '<filename>/etc</filename>' directory:</para>
  
<para><emphasis remap=tt># cd /etc</emphasis></para>
  
<para>Make a backup copy of the original files in the 'ppp' directory:</para>
  
<para><emphasis remap=tt># cp -R ppp ppp.ORIGINAL</emphasis></para>
  
<para>You should now be able to see both a '<emphasis remap=tt>ppp</emphasis>' and a
'<filename>ppp.ORIGINAL</filename>' subdirectory
in the '<filename>/etc</filename>' directory.</para>
  
</sect1>

<sect1>
<title>Create your own PPP configuration files</title>

<para>By default, the FreeBSD installation process creates a number of
sample configuration files in the <filename>/etc/ppp</filename>
and <filename>/usr/share/examples/ppp</filename> directories.  Please take
some time to review these files; they were derived from working
systems and represent the features and capabilities of the PPP
program.</para>
  
<para>I <emphasis>strongly</emphasis> encourage you to learn from these sample files and
apply them to your own configuration as necessary.</para>
  
<para>For detailed information about the `ppp` program, read the ppp
manpage:
<informalexample>
<screen># man ppp</screen>
</informalexample>
</para>
  
<para>For detailed information about the `chat` scripting language used by
the PPP dialer, read the chat manpage:
<informalexample>
<screen># man chat</screen>
</informalexample>
</para>
  
<para>The remainder of this section describes the recommended contents of
the PPP configuration files.</para>
  

<sect2>
<title>The '<filename>/etc/ppp/ppp.conf</filename>' file</title>

<para>The '<filename>/etc/ppp/ppp.conf</filename>' file contains the information and
settings required to set up a dial-out PPP connection.  More than one
configuration may be contained in this file.  The FreeBSD handbook
(XXX URL? XXX) describes the contents and syntax of this file in
detail.</para>
  
<para>This section will describe only the minimal configuration to get a
dial-out connection working.</para>
  
<para>Below is the /etc/ppp/ppp.conf file that we'll be using to provide a
dial-out Internet gateway for our example LAN:

<note>
  <para>The full syntax for <filename>ppp.conf</filename> is described in
    &man.ppp.8;.  Particularly, note that any line that isn't a label that
    ends with a colon (e.g., <literal>default:</literal>,
    <literal>interactive:</literal>), a command that begins with
    <quote>!</quote> (e.g., <literal>!include</literal>), or a comment
    <emphasis>must</emphasis> be indented!</para>
</note>

<programlisting>################################################################
# PPP Configuration File ('/etc/ppp/ppp.conf')
#
# Default settings; these are always executed when PPP
# is invoked and apply to all system configurations.
################################################################
default:
  set device /dev/cuaa0
  set speed 57600
  disable pred1
  deny pred1
  disable lqr
  deny lqr
  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"
  set redial 3 10
#
#
################################################################
#
# For interactive mode use this configuration:
#
# Invoke with `ppp -alias interactive`
#
################################################################
interactive:
  set authname Your_User_ID_On_Remote_System
  set authkey Your_Password_On_Remote_System
  set phone 1-800-123-4567
  set timeout 300
  set openmode active
  accept chap
#
################################################################
#
# For demand-dial (automatic) mode we'll use this configuration:
#
# Invoke with: 'ppp -auto -alias demand'
#
################################################################
demand:
  set authname Your_User_ID_On_Remote_System
  set authkey Your_Password_On_Remote_System
  set phone 1-800-123-4567
  set timeout 300
  set openmode active
  accept chap
  set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
  add 0 0 127.2.2.2
################################################################
# End of /etc/ppp/ppp.conf</programlisting>

This file, taken verbatim from a working system, has three relevant 
configuration sections:</para>
  

<sect3>
<title>The "<emphasis remap=tt>default</emphasis>" Section</title>

<para>The '<emphasis remap=tt>default:</emphasis>' section contains the values and settings
used by every other section in the file.  Essentially, this section is
implicitly added to the configuration lines of each other section.</para>
  
<para>This is a good place to put "global defaults" applicable to all
dial-up sessions; especially modem settings and dialing prefixes which
typically don't change based on which destination system you're
connecting to.</para>
  
<para>Following are the descriptions of each line in the "default" section
of the sample '<filename>/etc/ppp/ppp.conf</filename>' file:
<informalexample>
<screen>set device /dev/cuaa0</screen>
</informalexample>

This statement informs the PPP program that it should use the first
serial port.
Under FreeBSD the '<filename>/dev/cuaa0</filename>' device is the same port that's
known as "<emphasis remap=tt>COM1:</emphasis>" under DOS, Windows, Windows 95, etc....</para>
  
<para>If your modem is on <emphasis remap=tt>COM2:</emphasis> you should specify
'<filename>/dev/cuaa1</filename>'; <emphasis remap=tt>COM3:</emphasis> would be '<filename>/dev/cuaa2</filename>'.</para>
  
<para>
<informalexample>
<screen>set speed 57600 </screen>
</informalexample>
</para>
  
<para>This line sets the transmit and receive speed for the connection
between the serial port and the modem. While the modem used for this
configuration is only a 28.8 device, setting this value to 57600 lets
the serial link run at a higher rate to accommodate higher throughput
as a result of the data compression built into late-model modems.</para>
  
<para>If you have trouble communicating with your modem, try setting this
value to 38400 or even as low as 19200.</para>
  
<para>
<informalexample>
<screen>disable pred1
deny pred1</screen>
</informalexample>
</para>
  
<para>These two lines disable the "CCP/Predictor type 1" compression
features of the PPP program.  The current version of `ppp` supports
data compression in accordance with draft Internet standards.
Unfortunately many ISPs use equipment that does not support this
capability.  Since most modems try to perform on-the-fly compression
anyway you're probably not losing much performance by disabling this
feature on the FreeBSD side and denying the remote side from forcing
it on you.</para>
  
<para>
<informalexample>
<screen>disable lqr
deny lqr</screen>
</informalexample>
</para>
  
<para>These two lines control the "Line Quality Reporting" functions which
are part of the complete Point-to-Point (PPP) protocol specification.
(See RFC-1989 for details.)</para>
  
<para>The first line, "disable lqr", instructs the PPP program to not
attempt to report line quality status to the device on the remote end.</para>
  
<para>The second line, "deny lqr", instructs the PPP program to deny any
attempts by the remote end to report line quality.</para>
  
<para>As most modern dial-up modems have automatic error correction and
detection and LQR reporting is not fully implemented in many vendors'
products it's generally a safe bet to include these two lines in the
default configuration.</para>
  
<para>
<informalexample>
<screen>set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0
OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"</screen>
</informalexample>
</para>
  
<para><emphasis>NOTE: (This statement should appear on a single line; ignore any
line wrapping that may appear in this document.)</emphasis></para>
  
<para>This line instructs the PPP program how to dial the modem and
specifies some rudimentary guidelines for doing so:
<itemizedlist>

<listitem>
<para>Attempts to dial should fail if the modem returns a "BUSY" result code,</para>
</listitem>

<listitem>
<para>Attempts to dial should also fail if the modem returns a "NO CARRIER" result code,</para>
</listitem>

<listitem>
<para>The PPP program should expect each of the following events to complete within a
5-second timeout period:
<itemizedlist>

<listitem>
<para>The PPP program will initially expect nothing (specified above
by the \"\" portion of the statement) from the modem </para>
</listitem>

<listitem>
<para>The program
will send the modem initialization string "ATE1Q0M0" to the modem and
await a response of "OK".  If a response is not received, the program
should send an attention command to the modem ("AT") and look again
for a response of "OK", </para>
</listitem>

<listitem>
<para>The program should delay for one second
(specified by the "\\d" part of the statement), and send the dialing
string to the modem.  The "ATDT" portion of the statement is the
standard modem prefix to dial using tone-dialing; if you do not have
touch-tone service on your local phone line, replace the "ATDT" with
"ATDP".  The "\\T" string is a placeholder for the actual phone number
(which will be automatically inserted as specified by the "set phone"
command).</para>
</listitem>

</itemizedlist>
</para>
</listitem>

<listitem>
<para>Finally, before a (maximum) timeout of 40 seconds, the PPP
program should expect to see a "CONNECT" result code returned from the
modem.</para>
</listitem>

</itemizedlist>
</para>
  
<para>A failure at any point in this dialog will be interpreted as a dialing
failure and the PPP program will fail to connect.</para>
  
<para>(For a detailed description of the mini-scripting language used by the
PPP dialer, refer to the "chat" manpage.)</para>
  
<para>
<informalexample>
<screen>set redial 3 10</screen>
</informalexample>

This line specifies that if a dial connection cannot immediately be made
the PPP program should retry (up to 3 times if necessary) with a delay of 10 seconds
between redialing attempts.</para>
  
</sect3>

<sect3>
<title>The "<emphasis remap=tt>interactive</emphasis>" Section</title>

<para>The '<emphasis remap=tt>interactive:</emphasis>' section contains the values and
settings used to set up an "interactive" PPP session with a specific
remote system.  Settings in this section will have the lines included
in the "default" section included automatically.</para>
  
<para>The example cited in this section of the guide presumes that you'll
be connecting to a remote system that understands how to authenticate
a user without any fancy scripting language.  That is, this sample
uses the CHAP protocol to set up the connection.</para>
  
<para>A good rule of thumb is that if the Windows '95 dialer can set up a
connection by just clicking the "Connect" button this sample
configuration should work OK.</para>
  
<para>If, on the other hand, when you connect to your ISP using Microsoft
Windows '95 Dial-Up Networking you need to resort to using the "Dial
Up Scripting Tool" from the Microsoft Plus! pack or you have to select
"Bring up a terminal windows after dialing" in the Windows '95
connection options then you'll need to look at the sample PPP
configuration files and the ppp manpage for examples of "expect /
response" scripting to make your ISP connection.  The "set login"
command is used for this purpose.</para>
  
<para>Or even better, find an ISP who knows how to provide PAP or CHAP
authentication!  Of the two, CHAP is preferable, because PAP sends your
password across the link in clear text.</para>
  
<para>The configuration examples shown here have been successfully used to
connect to:
<itemizedlist>

<listitem>
<para>Various Shiva LanRovers</para>
</listitem>

<listitem>
<para>The IBM Network (<ulink URL="http://www.ibm.net">http://www.ibm.net</ulink>)</para>
</listitem>

<listitem>
<para>AT&amp;T WorldNet (<ulink URL="http://att.com/worldnet">http://att.com/worldnet</ulink>)</para>
</listitem>

<listitem>
<para>Erol's (<ulink URL="http://www.erols.com">http://www.erols.com</ulink>)</para>
</listitem>

</itemizedlist>
</para>
  
<para>Following are descriptions for each line in the "interactive" section
of the sample '<filename>/etc/ppp/ppp.conf</filename>' file:</para>
  
<para>
<informalexample>
<screen>set authname Your_User_ID_On_Remote_System</screen>
</informalexample>

This line specifies the name you would use to log in to the remote
system.  </para>
  
<para>
<informalexample>
<screen>set authkey Your_Password_On_Remote_System</screen>
</informalexample>

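This is the password you'd use to log in to the remote system.  Because
it is stored in this file in clear text, make sure that
<filename>/etc/ppp/ppp.conf</filename> is not readable by ordinary
users.</para>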
  
<para>
<informalexample>
<screen>set phone 1-800-123-4567</screen>
</informalexample>

This is the phone number of the remote system.  If you're inside a PBX
you can 
prepend '<emphasis remap=tt>9, </emphasis>' to the number here.</para>
  
<para>
<informalexample>
<screen>set timeout 300</screen>
</informalexample>

This tells the PPP program that it should automatically hang up the
phone if no data has been exchanged for 300 seconds (5 minutes).  You
may wish to tailor this number to your specific requirements.</para>
  
<para>
<informalexample>
<screen>set openmode active</screen>
</informalexample>

This tells the PPP program that once the modems are connected it
should immediately attempt to negotiate the connection.  Some remote
sites do this automatically, some don't.  This instructs your side of
the link to take the initiative and try to set up the connection.</para>
  


<screen>accept chap</screen>


<para>This tells the PPP program to use the "Challenge-Handshake
Authentication Protocol" to authenticate you.  The values exchanged
between the local and remote side for UserID and password are taken
from the 'authname' and 'authkey' entries above.</para>
  
</sect3>

<sect3>
<title>The "<emphasis remap=tt>demand</emphasis>" Section</title>

<para>The "<emphasis remap=tt>demand</emphasis>" section contains the values and settings used
to set up a "Dial-on-demand" PPP session with a specific remote
system.  Settings in this section will also have the lines included in
the "default" section included automatically.</para>
  
<para>Except for the last two lines in this section it is identical to
the configuration section which defines the "interactive"
configuration.</para>
  
<para>As noted earlier, the examples cited in this section of
the guide presume that you'll be connecting to a remote system that
understands how to use the CHAP protocol to set up the connection.</para>
  
<para>Following are descriptions for each line in the "demand" section of
the sample '<filename>/etc/ppp/ppp.conf</filename>' file:</para>
  
<para>
<informalexample>
<screen>set authname Your_User_ID_On_Remote_System</screen>
</informalexample>

This line specifies the name you would use to log in to the remote
system.  </para>
  
<para>
<informalexample>
<screen>set authkey Your_Password_On_Remote_System</screen>
</informalexample>

This is the password you'd use to log in to the remote system.</para>
  
<para>
<informalexample>
<screen>set phone 1-800-123-4567</screen>
</informalexample>

This is the phone number of the remote system.</para>
  
<para>
<informalexample>
<screen>set timeout 300</screen>
</informalexample>
</para>
  
<para>This tells the PPP program that it should automatically hang up the
phone if no data has been exchanged for 300 seconds (5 minutes).  You
may wish to tailor this number to your specific requirements.</para>
  
<para>
<informalexample>
<screen>set openmode active</screen>
</informalexample>
</para>
  
<para>This tells the PPP program that once the modems are connected it
should immediately attempt to negotiate the connection.  Some remote
sites do this automatically, some don't.  This instructs your side of
the link to take the initiative and try to set up the connection.</para>
  
<para>
<informalexample>
<screen>accept chap</screen>
</informalexample>
</para>
  
<para>This tells the PPP program to use the "Challenge-Handshake
Authentication Protocol" to authenticate you.  The values exchanged
between the local and remote side for UserID and password are taken
from the 'authname' and 'authkey' entries above.</para>
  
<para>
<informalexample>
<screen>set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0</screen>
</informalexample>
</para>
  
<para>This command sets up a pair of "fake" IP addresses for the local and
remote sides of the PPP link.  It instructs the PPP program to create
an IP address of 127.1.1.1 for the local side of the '<emphasis remap=tt>tun0</emphasis>'
(tunnel) device 
and 127.2.2.2 for the remote side.  Appending '<filename>/0</filename>' to
each address tells the PPP program that zero of the bits that make up
these addresses are significant and can (in fact, must!) be negotiated
between the local and remote systems when the link is established.
The 255.255.255.0 string tells the PPP program what Subnet mask to
apply to these pseudo-interfaces.</para>
  
<para>Remember, we've assumed that your ISP provides the IP addresses for
both ends of the link!  If your ISP assigned you a specific IP address
that you should use on your side when configuring your system, enter
that IP address here <emphasis>instead</emphasis> of <emphasis remap=tt>127.1.1.1</emphasis>.</para>
  
<para>Conversely, if your ISP gave you a specific IP address that he uses on
his end you should enter that IP address here <emphasis>instead</emphasis> of
<emphasis remap=tt>127.2.2.2</emphasis>.</para>
  
<para>In both cases, it's probably a good idea to leave the '<filename>/0</filename>' on
the end of each address.  This gives the PPP program the opportunity
to change the address(es) of the link if it <emphasis>has</emphasis> to.</para>
  
<para>
<informalexample>
<screen>add 0 0 127.2.2.2</screen>
</informalexample>
</para>
  
<para>This last line tells the PPP program that it should add a default
route for IP traffic that points to the (fake) IP address of the ISP's
system.</para>
  
<para><emphasis><emphasis remap=bf>Note: If you used an ISP-specified address instead of
<emphasis remap=tt>127.2.2.2</emphasis> on the preceding line, use the same number here
instead of <emphasis remap=tt>127.2.2.2</emphasis></emphasis></emphasis>.</para>
  
<para>By adding this "fake" route for IP traffic, the PPP program can,
while idle:
<itemizedlist>

<listitem>
<para>Accept packets that FreeBSD doesn't already know how to forward,</para>
</listitem>

<listitem>
<para>Establish a connection to the ISP "<emphasis>on-the-fly</emphasis>",</para>
</listitem>

<listitem>
<para>Reconfigure the IP addresses of the local and remote side of the link,</para>
</listitem>

<listitem>
<para>Forward packets between your workstation and the ISP.</para>
</listitem>

</itemizedlist>

automatically!</para>
  
<para>Once the number of seconds specified by the "set timeout" value in
the "demand" section have elapsed without any TCP/IP traffic the PPP
program will automatically close the dial-up connection and the
process will begin again.</para>
  
</sect3>
</sect2>

<sect2>
<title>The '<filename>/etc/ppp/ppp.linkup</filename>' file</title>

<para>The other file needed to complete the PPP configuration is found in
'<filename>/etc/ppp/ppp.linkup</filename>'.  This file contains instructions for
the PPP program on what actions to take after a dial-up link is
established.</para>
  
<para>In the case of dial-on-demand configurations the PPP program will need
to delete the default route that was created to the fake IP address of
the remote side (127.2.2.2 in our example in the previous section) and
install a new default route that points to the actual IP address of the
remote end (discovered during the dial-up connection setup).</para>
  
<para>A representative '<filename>/etc/ppp/ppp.linkup</filename>' file:
<informalexample>
<screen>#########################################################################
# PPP Link Up File ('/etc/ppp/ppp.linkup')
#
#  This file is checked after PPP establishes a network connection.
# 
#  This file is searched in the following order.
#
#  1) First, the IP address assigned to us is searched and
#     the associated command(s) are executed.
#
#  2) If the IP Address is not found, then the label name specified at
#     PPP startup time is searched and the associated command(s) 
#     are executed.
#
#  3) If neither of the above are found then commands under the label
#     'MYADDR:' are executed.
#
#########################################################################
#
# This section is used for the "demand" configuration in
#   /etc/ppp/ppp.conf:
demand:
 delete ALL
 add 0 0 HISADDR
#
# All other configurations in /etc/ppp/ppp.conf use this:
#
MYADDR:
 add 0 0 HISADDR
########################################################################
# End of /etc/ppp/ppp.linkup</screen>
</informalexample>

Notice that there is a section in this file named "demand:", identical
to the configuration name used in the '<filename>/etc/ppp/ppp.conf</filename>'
file.  This section instructs the PPP program that once a link is
established using this configuration, it must:
<orderedlist>

<listitem>
<para>Remove any IP routing information that the PPP program has created</para>
</listitem>

<listitem>
<para>Add a default route to the remote end's actual address.</para>
</listitem>

</orderedlist>
</para>
  
<para>It's critical that those configurations in
'<filename>/etc/ppp/ppp.conf</filename>' which include the '<emphasis remap=tt>set ifaddr</emphasis>' and
'<emphasis remap=tt>add 0 0</emphasis>' statements (i.e.: those configurations used for
Dial-on-Demand configurations) execute the "delete ALL" and "add 0 0
HISADDR" commands in <filename>/etc/ppp/ppp.linkup</filename>.</para>
  
<para><emphasis><emphasis remap=bf>This is the mechanism that controls the actual on-demand
configuration of the link.</emphasis></emphasis></para>
  
<para>All configurations not explicitly named in
<filename>/etc/ppp/ppp.linkup</filename> will use whatever commands are in the
"MYADDR:" section of the file.  This is where non-Demand-Dial
configurations (such as our "interactive:" sample) will fall through
to.  This section simply adds a default route to the ISP's IP address
(at the remote end).</para>
  
</sect2>
</sect1>

<sect1>
<title>IP Aliasing</title>

<para>All of the configuration steps described thus far are relevant to
any FreeBSD system which will be used to connect to an ISP via dial-up
connection.</para>
  
<para>If your sole objective in reading this guide is to connect your
FreeBSD box to the Internet using dial-out ppp you can proceed to
<xref linkend="testing-the-network">.</para>
  
<para>One very attractive feature of the PPP program in on-demand mode is
its ability to route IP traffic between other systems on the Local
Area Network automatically.  This feature is known by various names,
"<emphasis>IP Aliasing</emphasis>", "<emphasis>Network Address Translation</emphasis>", "<emphasis>Address
Masquerading</emphasis>" or "<emphasis>Transparent Proxying</emphasis>".</para>
  
<para>Regardless of the terminology used, this mode is not, however,
automatic.  If the PPP program is started normally then the program
will not forward packets between LAN interface(s) and the dial-out
connection. In effect, only the FreeBSD system is connected to the
ISP; other workstations cannot "share" the same connection.</para>
  
<para>For example, if the program is started with either of the following
command lines:</para>
  
<para><emphasis remap=tt># ppp interactive   (Interactive mode)</emphasis></para>
  
<para> or</para>
  
<para><emphasis remap=tt># ppp -auto demand  (Dial-on-Demand mode)</emphasis></para>
  
<para>then the system will function as an Internet-connected workstation
<emphasis>only</emphasis> for the 
FreeBSD box.</para>
  
<para>To start the PPP program as a gateway between LAN resources and the
Internet, one of the following command lines would be used instead:</para>
  
<para><emphasis remap=tt># ppp -alias interactive   (Interactive mode)</emphasis></para>
  
<para> or</para>
  
<para><emphasis remap=tt># ppp -auto -alias demand  (Dial-on-Demand mode)</emphasis></para>
  
<para>You can alternatively use the command <emphasis remap=tt>``alias enable yes''</emphasis>
in your ppp configuration file (refer to the man page for details).</para>
  
<para>Keep this in mind if you intend to proceed with <xref
	  linkend="config-window-system">.</para>      
  
</sect1>
</chapter>

<chapter id="config-window-system">
<title>Configuring Windows Systems</title>

<para>As indicated in Section 1, our example network consists of a
FreeBSD system ("Curly") which acts as a gateway (or router) between a
Local Area Network consisting of two different flavors of Windows
Workstations.  In order for the LAN nodes to use Curly as a router
they need to be properly configured.  Note that this section does not
explain how to configure the Windows workstations for Dial-Up
networking.  If you need a good explanation of that procedure, I
recommend <ulink URL="http://www.aladdin.co.uk/techweb">http://www.aladdin.co.uk/techweb</ulink>.</para>
  

<sect1>
<title> Configuring Windows 95</title>

<para>Configuring Windows 95 to act as an attached resource on your LAN
is relatively simple.  The Windows 95 network configuration must be
slightly modified to use the FreeBSD system as the default gateway to
the ISP.  Perform the following steps:</para>
  
<para><emphasis remap=bf>Create the Windows 95 "hosts" file:</emphasis></para>
  
<para>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in <xref linkend="list-lan-hosts">.
<itemizedlist>

<listitem>
<para>Click the "Start" button; select "Run..."; enter "notepad
\WINDOWS\HOSTS" (without the quotes) and click "OK"</para>
</listitem>

<listitem>
<para>In the editor, enter the addresses and system names from the hosts
file shown in <xref linkend="list-lan-hosts">.</para>
</listitem>

<listitem>
<para>When finished editing, close the notepad application (making sure
that you save the file!).</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Windows 95 TCP/IP Network Configuration
settings</emphasis>:
<itemizedlist>

<listitem>
<para>Click the "Start" button on the taskbar; select "Settings" and
"Control Panel". </para>
</listitem>

<listitem>
<para>Double-click the "Network" icon to open it.</para>

<para> 
The settings for all Network Elements are displayed.</para>
</listitem>

<listitem>
<para>With the "Configuration" tab selected, scroll down the list of
installed components and highlight the "TCP/IP-&gt;<emphasis>YourInterfaceType</emphasis>" line
(where "<emphasis>YourInterfaceType</emphasis>" is the name or type of Ethernet adapter in your system).
</para>

<para>If TCP/IP is not listed in the list of installed network
components, click the "Add" button and install it before proceeding.</para>

<para>(Hint:  "Add | Protocol | Microsoft | TCP/IP | OK")</para>
</listitem>

<listitem>
<para>Click on the "Properties" button to display a list of the
settings associated with the TCP component.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the IP Address Information:</emphasis>
<itemizedlist>

<listitem>
<para>Click the "IP Address" tab</para>
</listitem>

<listitem>
<para>Click the "Specify an IP address" radio button. 
</para>

<para>(In our example LAN the Windows 95 system is the one we've called "Larry".)</para>
</listitem>

<listitem>
<para>In the "IP Address" field enter "192.168.1.2".</para>
</listitem>

<listitem>
<para>Enter 255.255.255.0 in the "Subnet Mask" field.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Gateway information:</emphasis>
<itemizedlist>

<listitem>
<para>Click on the "Gateway" tab
</para>

<para>For our example network the FreeBSD box will be acting as our
gateway to the Internet (routing packets between the Ethernet LAN and
the PPP dial-up connection).  Enter the IP address of the FreeBSD
Ethernet interface, 192.168.1.1, in the "New gateway" field and click
the "Add" button.  If any other gateways are defined in the "Installed
gateways" list you may wish to consider removing them.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the DNS Information:</emphasis></para>
  
<para>This guide assumes that your Internet Service Provider has given
you a list of Domain Name Servers (or "DNS Servers") that you should
use.  If you wish to run a DNS server on your local FreeBSD system,
refer to Section 6, "Exercise for the Interested Student" for tips on
setting up DNS on your FreeBSD system.</para>
  
<para>
<itemizedlist>

<listitem>
<para>Click the "DNS Configuration" tab</para>
</listitem>

<listitem>
<para>Make sure that the "Enable DNS" radio button is selected.
</para>

<para>(If this button is not selected only the entries that 
we put in the host file(s) will be available and your Net-Surfing 
will not work as you expect!)</para>
</listitem>

<listitem>
<para>In the "Host" field enter the name of the Windows 95 box, in this
case: "Larry".</para>
</listitem>

<listitem>
<para>In the "Domain" field enter the name of our local network, in this
case: "my.domain"</para>
</listitem>

<listitem>
<para>In the "DNS Server Search Order" section, enter the IP address
of the DNS server(s) that your ISP provided, clicking the "Add" button
after every address is entered.  Repeat this step as many times as
necessary to add all of the addresses that your ISP provided.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Other Windows 95 TCP/IP options:</emphasis></para>
  
<para>For our purposes the settings under the "Advanced", "WINS
Configuration" and "Bindings" tabs are not necessary.</para>
  
<para>If you wish to use the Windows Internet Naming Service ("WINS")
your attention is invited to <ulink URL="http://www.localnet.org">http://www.localnet.org</ulink> for
more information about WINS settings, specifically regarding sharing
files transparently across the Internet.</para>
  
<para><emphasis remap=bf>Mopping up:</emphasis>
<itemizedlist>

<listitem>
<para>Click on the "OK" button to close the TCP/IP Properties window.</para>
</listitem>

<listitem>
<para>Click on the "OK" button to close the Network Control Panel. </para>
</listitem>

<listitem>
<para>Reboot your computer if prompted to do so. </para>
</listitem>

</itemizedlist>
</para>
  
<para> That's it!</para>
  
</sect1>

<sect1>
<title>Configuring Windows NT</title>

<para>Configuring Windows NT to act as a LAN resource is also relatively
straightforward.  The procedures for configuring Windows NT are
similar to Windows 95 with minor exceptions in the user interface.</para>
  
<para>The steps shown here are appropriate for a Windows NT 4.0
Workstation, but the principles are the same for NT 3.5x.  You may
wish to refer to the "Configuring Windows for Workgroups" section if
you're configuring Windows NT 3.5<emphasis remap=it>x</emphasis>, since the user interface is
the same for NT 3.5 and WfW.</para>
  
<para>Perform the following steps: </para>
  
<para><emphasis remap=bf>Create the Windows NT "hosts" file:</emphasis></para>
  
<para>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in Section 3.4.
<itemizedlist>

<listitem>
<para>Click the "Start" button; select "Run..."; enter "notepad
\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS" (without the quotes) and click
"OK"</para>
</listitem>

<listitem>
<para>In the editor, enter the addresses and system names from Section
3.4.</para>
</listitem>

<listitem>
<para>When finished editing, close the notepad application (making sure
that you save the file!).</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Windows NT TCP/IP Network Configuration
settings</emphasis>:
<itemizedlist>

<listitem>
<para>Click the "Start" button on the taskbar; select "Settings" and
"Control Panel". </para>
</listitem>

<listitem>
<para>Double-click the "Network" icon to open it. </para>
</listitem>

<listitem>
<para>With the "Identification" tab selected, verify the "Computer Name"
and "Workgroup" fields.  In this example we'll use "Shemp" for the name
and "Stooges" for the workgroup.  Click the "Change" button and amend
these entries as necessary.</para>
</listitem>

<listitem>
<para>Select the "Protocols" tab. 

</para>

<para>The installed Network Protocols will be displayed.  There may be a
number of protocols listed but the one of interest to this guide is
the "TCP/IP Protocol".  If "TCP/IP Protocol" is not listed, click the
"Add" button to load it.</para>

<para>(Hint: "Add | TCP/IP Protocol | OK") </para>
</listitem>

<listitem>
<para>Highlight "TCP/IP
Protocol" and click the "Properties" button.
</para>

<para>Tabs for specifying various settings for TCP/IP will be displayed.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configuring the IP Address:</emphasis></para>
  
<para>Make sure that the Ethernet Interface is shown in the "Adapter"
box; if not, scroll through the list of adapters until the correct
interface is shown.
<itemizedlist>

<listitem>
<para>Click the "Specify an IP address" radio button to enable the three
text boxes.
</para>

<para>In our example LAN the Windows NT system is the one we've called
"Shemp"</para>
</listitem>

<listitem>
<para>In the "IP Address" field enter "192.168.1.4".</para>
</listitem>

<listitem>
<para>Enter 255.255.255.0 in the "Subnet Mask" field.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Gateway information:</emphasis></para>
  
<para>For our example network the FreeBSD box will be acting as our gateway
to the Internet (routing packets between the Ethernet LAN and the PPP dial-up
connection).
<itemizedlist>

<listitem>
<para>Enter the IP address of the FreeBSD Ethernet interface,
192.168.1.1, in the "New gateway" field and click the "Add" button.  
</para>

<para>If any other gateways are defined in the "Installed gateways" list
you may wish to consider removing them.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configuring DNS:</emphasis></para>
  
<para>Again, this guide assumes that your Internet Service Provider has
given you a list of Domain Name Servers (or "DNS Servers") that you
should use.</para>
  
<para>If you wish to run a DNS server on your local FreeBSD system, refer to
Section 6, "Exercise for the Interested Student" for tips on setting
up DNS on your FreeBSD system.
<itemizedlist>

<listitem>
<para>Click the "DNS" tab</para>
</listitem>

<listitem>
<para>In the "Host Name" field enter the name of the Windows NT box, in
this case: "Shemp".</para>
</listitem>

<listitem>
<para>In the "Domain" field enter the name of our local network, in this
case: "my.domain"</para>
</listitem>

<listitem>
<para>In the "DNS Server Search Order" section, enter the IP address of
the DNS server that your ISP provided, clicking the "Add" button after
every address is entered.  Repeat this step as many times as necessary
to add all of the addresses that your ISP provided.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Other Windows NT TCP/IP options:</emphasis></para>
  
<para>For our purposes the settings under the "WINS Address" and
"Routing" tabs are not used.</para>
  
<para>If you wish to use the Windows Internet Naming Service ("WINS")
your attention is invited to <ulink URL="http://www.localnet.org">http://www.localnet.org</ulink> for
more information about WINS settings, specifically regarding sharing
files transparently across the Internet.</para>
  
<para><emphasis remap=bf>Mopping up:</emphasis>
<itemizedlist>

<listitem>
<para>Click on the "OK" button to close the TCP/IP Properties section.
</para>
</listitem>

<listitem>
<para>Click on the "Close" button to close the Network Control Panel.
</para>
</listitem>

<listitem>
<para>Restart your computer if prompted to do so.</para>
</listitem>

</itemizedlist>
</para>
  
<para>That's it!</para>
  
</sect1>

<sect1>
<title>Configuring Windows for Workgroups</title>

<para>Configuring Windows for Workgroups to act as a network client
requires that the Microsoft TCP/IP-32 driver diskette has been
installed on the workstation.  The TCP/IP drivers are not included
with the WfW CD or diskettes; if you need a copy they're available at
<ulink URL="ftp://ftp.microsoft.com:/peropsys/windows/public/tcpip">ftp://ftp.microsoft.com:/peropsys/windows/public/tcpip</ulink>.</para>
  
<para>Once the TCP/IP drivers have been loaded, perform the following
steps:</para>
  
<para><emphasis remap=bf>Create the Windows for Workgroups "hosts" file:</emphasis></para>
  
<para>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in Section 3.4.
<itemizedlist>

<listitem>
<para>In Program Manager, click the "File" button; select "Run"; and
enter: "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK"</para>
</listitem>

<listitem>
<para>In the editor, enter the addresses and system names from the hosts
file shown in Section 3.4.</para>
</listitem>

<listitem>
<para>When finished editing, close the notepad application (making sure
that you save the file!).</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Windows for Workgroups TCP/IP Network Configuration
settings</emphasis>
<itemizedlist>

<listitem>
<para>In the main window of Program Manager, open the "Network" group by
double-clicking the icon. </para>
</listitem>

<listitem>
<para>Double click on the "Network Setup" icon. </para>
</listitem>

<listitem>
<para>In the "Network Drivers Box" double-click the "Microsoft
TCP/IP-32" entry. </para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Windows for Workgroups IP Address:</emphasis> </para>
  
<para>Ensure
the correct Ethernet Interface is selected in the "Adapter" list.  If
not, scroll down until it is displayed and select it by clicking on
it.
<itemizedlist>

<listitem>
<para>Ensure that the "Enable Automatic DHCP Configuration" check box is
blank.  If it is checked, click it to remove the "X".</para>
</listitem>

<listitem>
<para>In our example LAN the Windows for Workgroups system is the one
we've called "Moe"; in the "IP Address" field enter "192.168.1.3".</para>
</listitem>

<listitem>
<para>Enter 255.255.255.0 in the "Subnet Mask" field.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configure the Gateway information:</emphasis></para>
  
<para>For our example network the FreeBSD box will be acting as our
gateway to the Internet (routing packets between the Ethernet LAN and
the PPP dial-up connection).
<itemizedlist>

<listitem>
<para>Enter the IP address of the FreeBSD system, 192.168.1.1, in the
"Default Gateway" field.</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Configuring DNS:</emphasis></para>
  
<para>Again, this guide assumes that your Internet Service Provider has
given you a list of Domain Name Servers (or "DNS Servers") that you
should use.  If you wish to run a DNS server on your local FreeBSD
system, refer to Section 6, "Exercise for the Interested Student" for
tips on setting up DNS on your FreeBSD system.
<itemizedlist>

<listitem>
<para>Click the "DNS" button.</para>
</listitem>

<listitem>
<para>In the "Host Name" field enter the name of the Windows for
Workgroups box, in this case: "Moe".</para>
</listitem>

<listitem>
<para>In the "Domain" field enter the name of our local network, in this
case: "my.domain"</para>
</listitem>

<listitem>
<para>In the "Domain Name Service (DNS) Search Order" section, enter the
IP address of the DNS server that your ISP provided, clicking the "Add"
button after each address is entered.  Repeat this step as many times as
necessary to add all of the addresses that your ISP provided.</para>
</listitem>

<listitem>
<para>Click on the "OK" button to close the DNS Configuration window.
</para>
</listitem>

</itemizedlist>
</para>
  
<para><emphasis remap=bf>Mopping up:</emphasis>
<itemizedlist>

<listitem>
<para>Click on the "OK" button to close the TCP/IP Configuration window.
</para>
</listitem>

<listitem>
<para>Click on the "OK" button to close the Network Setup window.</para>
</listitem>

<listitem>
<para>Reboot your computer if prompted. </para>
</listitem>

</itemizedlist>
</para>
  
<para>That's it!</para>
  
</sect1>
</chapter>

<chapter id="testing-the-network">
<title>Testing the Network</title>

<para> Once you've completed the appropriate tasks above you should have
a functioning PPP gateway to the Internet.</para>
  

<sect1>
<title>Testing the Dial-Up link:</title>

<para> The first thing to test is that the connection is being made
between your modem and the ISP.</para>
  
</sect1>

<sect1>
<title>Testing the Ethernet LAN</title>

<para> *** TBD ***</para>
  
</sect1>
</chapter>

<chapter>
<title>Exercises for the Interested Student</title>


<sect1>
<title>Creating a mini-DNS system</title>

<para>While managing a Domain Name Service (DNS) hierarchy can be a black
art, it is possible to set up a Mini-DNS server on the FreeBSD system
that also acts as your gateway to your ISP.</para>
  
<para>Building on the files placed in <filename>/etc/namedb</filename> when the FreeBSD
system was installed, it's possible to create a name server that is
both authoritative for the example network shown here and a
front-door to the Internet DNS architecture.</para>
  
<para>In this minimal DNS configuration, only three files are necessary:
<informalexample>
<screen>/etc/namedb/named.boot
/etc/namedb/named.root
/etc/namedb/mydomain.db</screen>
</informalexample>
</para>
  
<para>The <filename>/etc/namedb/named.root</filename> file is automatically installed
as part of the FreeBSD base installation; the other two files must be
created manually.</para>
  

<sect2>
<title>The <filename>/etc/namedb/named.boot</filename> file</title>

<para>The <filename>/etc/namedb/named.boot</filename> file controls the startup
settings of the DNS server.
Essentially, it tells the Name Server:
<orderedlist>

<listitem>
<para>Where to find configuration files,</para>
</listitem>

<listitem>
<para>What "domain names" it's responsible for, and</para>
</listitem>

<listitem>
<para>Where to find other DNS servers.</para>
</listitem>

</orderedlist>
</para>
  
<para>Using the '<emphasis remap=tt>ee</emphasis>' editor, create a
<filename>/etc/namedb/named.boot</filename> with the following contents:
<informalexample>
<screen>; boot file for mini-name server

directory	/etc/namedb

; type    domain		source host/file		backup file

cache     .			named.root
primary   my.domain.		mydomain.db</screen>
</informalexample>
</para>
  
<para>Lines that begin with a semi-colon are comments.  The significant
lines in this file are:
<itemizedlist>

<listitem>
<para><command>directory /etc/namedb</command>
</para>

<para>Tells the Name Server where to find the configuration files
referenced in the remaining sections of the
'<filename>/etc/namedb/named.boot</filename>' file.</para>
</listitem>

<listitem>
<para><emphasis remap=tt>cache . named.root</emphasis>
</para>

<para>Tells the Name Server that the list of "Top-Level" DNS servers for
the Internet can be found in a file called '<filename>named.root</filename>'.
(This file is included in the base installation and its 
contents are not described in this document.)</para>
</listitem>

<listitem>
<para><emphasis remap=tt>primary my.domain. mydomain.db</emphasis>
</para>

<para>Tells the Name Server that it will be "authoritative" for a DNS
domain called "my.domain" and that a list of names and IP addresses
for the systems in "my.domain" (the local network)
can be found in a file named '<filename>mydomain.db</filename>'.</para>
</listitem>

</itemizedlist>
</para>
  
<para>Once the <filename>/etc/namedb/named.boot</filename> file has been created and
saved, proceed to the next section to create the
<filename>/etc/namedb/mydomain.db</filename> file.</para>
  
</sect2>

<sect2>
<title>The <filename>/etc/namedb/mydomain.db</filename> file</title>

<para>The <filename>/etc/namedb/mydomain.db</filename> file lists the names and IP
addresses of <emphasis>every</emphasis> system in the Local Area Network.</para>
  
<para><emphasis>For a detailed description of the statements used in this file,
refer to the <emphasis remap=tt>named</emphasis> manpage.</emphasis></para>
  
<para>The <filename>/etc/namedb/mydomain.db</filename> file for our minimal DNS
server has the following contents:
<informalexample>
<screen>@	IN SOA	my.domain. root.my.domain.  (
				961230	; Serial
				3600	; Refresh
				300	; Retry
				3600000	; Expire
				3600 )	; Minimum
	IN NS	curly.my.domain.

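; Forward (name-to-address) records.  Zone-file comments start with ';'.
curly.my.domain.	IN A	192.168.1.1	; The FreeBSD box
larry.my.domain.	IN A	192.168.1.2	; The Win'95 box
moe.my.domain.		IN A	192.168.1.3	; The WfW box
shemp.my.domain.	IN A	192.168.1.4	; The Windows NT box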

$ORIGIN 1.168.192.IN-ADDR.ARPA
		IN NS	curly.my.domain.
1		IN PTR	curly.my.domain.
2		IN PTR	larry.my.domain.
3		IN PTR	moe.my.domain.
4		IN PTR	shemp.my.domain.

$ORIGIN 0.0.127.IN-ADDR.ARPA
		IN NS	curly.my.domain.
1		IN PTR	localhost.my.domain.</screen>
</informalexample>
</para>
  
<para>In simple terms, this file declares that the local DNS server is:
<itemizedlist>

<listitem>
<para>The Start of Authority ("SOA") for a domain called
'my.domain',</para>
</listitem>

<listitem>
<para>The Name Server ("NS") for 'my.domain',</para>
</listitem>

<listitem>
<para>Responsible for the reverse-mapping for all IP addresses that
start with '192.168.1.' and 
'127.0.0.' ("$ORIGIN ...")</para>
</listitem>

</itemizedlist>
</para>
  
<para>To add workstation entries to this file you'll need to add two
lines for each system; one in the top section where the name(s) are
mapped into Internet Addresses ("IN A"), and another line that maps
the addresses back into names in the <filename>$ORIGIN
1.168.192.IN-ADDR.ARPA</filename> section.</para>
  
</sect2>

<sect2>
<title>Starting the DNS Server</title>

<para>By default the DNS server ('<filename>/usr/sbin/named</filename>') is not
started when the system boots.  You can modify this behavior by
changing a single line in '<filename>/etc/rc.conf</filename>' as follows:</para>
  
<para> Using the '<emphasis remap=tt>ee</emphasis>' editor, load <filename>/etc/rc.conf</filename>.  Scroll
down approximately 40 lines until you come to the section that says:
<informalexample>
<screen>---
named_enable="NO"                       # Run named, the DNS server (or NO).
named_flags="-b /etc/namedb/named.boot" # Flags to named (if enabled).
---</screen>
</informalexample>

Change this section to read:
<informalexample>
<screen>---
named_enable="YES"                      # Run named, the DNS server (or NO).
named_flags="-b /etc/namedb/named.boot" # Flags to named (if enabled).
---</screen>
</informalexample>

Save the file and reboot.</para>
  
<para>Alternatively, start the Name Server daemon by entering the following
command:
<informalexample>
<screen># named -b /etc/namedb/named.boot</screen>
</informalexample>
</para>
  
<para>Whenever you modify any of the files in <filename>/etc/namedb</filename> you'll
need to kick-start the Name Server process to make it pick up the
modifications.  This is performed with the following system command:
<informalexample>
<screen># kill -HUP `cat /var/run/named.pid`</screen>
</informalexample>
</para>
  
</sect2>
</sect1>

<sect1>
<title>Playing with PPP filters</title>

<para>The PPP program has the ability to apply selected filtering rules
to the traffic it routes.  While this is not nearly as secure as a
formal firewall it does provide some access control as to how the link
is used.</para>
  
<para>('<emphasis remap=tt>man ipfw</emphasis>' for information on setting up a more secure
FreeBSD system.)</para>
  
<para>The complete documentation for the various filters and rules under
PPP is available in the PPP manpage.</para>
  
<para>There are four distinct classes of rules which may be applied to
the PPP program:
<itemizedlist>

<listitem>
<para><emphasis>alive</emphasis> filter - Access Counter (or "Keep Alive") filters
</para>

<para>These control which events are ignored by the <literal>set timeout=</literal>
statement in the configuration file.</para>
</listitem>

<listitem>
<para><emphasis>dial</emphasis> filter - Dialing filters
</para>

<para>These filtering rules control which events are ignored by the
demand-dial mode of PPP.</para>
</listitem>

<listitem>
<para><emphasis>in</emphasis> filter - Input filters
</para>

<para>Control whether incoming packets should be discarded or passed into
the system.</para>
</listitem>

<listitem>
<para><emphasis>out</emphasis> filter - Output filters
</para>

<para>Control whether outgoing packets should be discarded or passed out of
the system.</para>
</listitem>

</itemizedlist>
</para>
  
<para>What follows is a snippet from an operating system which provides a
good foundation for "normal" Internet operations while preventing PPP
from pumping <emphasis>all</emphasis> data over the dial-up connection.  Comments
briefly describe the logic of each rule set:
<informalexample>
<screen>#
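# KeepAlive filters
# Don't keep Alive with ICMP,DNS and RIP packet
# (packets denied here are ignored by the idle timer, "set timeout",
# so this traffic alone does not hold the link up)
#
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 deny udp src eq 520
 set filter alive 4 deny udp dst eq 520
 set filter alive 5 permit 0/0 0/0
#
# Dial Filters:
#  Note:  ICMP will trigger a dial-out in this configuration!
#  (rule 0 permits everything, so any outbound packet can raise the link)
#
 set filter dial 0 permit 0/0 0/0
#
# Input/output filters.
# NOTE(review): several "in" rules below match TCP on the remote source
# port alone, without "estab" (53, 5998, 5999, 25, 43).  As written they
# pass any inbound TCP packet carrying that source port, not only replies
# to connections opened from this side.  Where only outbound use is
# intended, consider adding "estab" as the telnet and ftp-control rules
# do - confirm against the PPP manpage for your version.
#
# Allow ident packet pass through
#
 set filter in 0 permit tcp dst eq 113
 set filter out 0 permit tcp src eq 113
#
# Allow telnet connection to the Internet
# ("estab" limits inbound packets to established connections)
#
 set filter in 1 permit tcp src eq 23 estab
 set filter out 1 permit tcp dst eq 23
#
# Allow ftp access to the Internet
# Rule 3 is the active-mode data channel: the server opens the connection
# from port 20, so "estab" cannot be used and any inbound TCP from source
# port 20 to a port above 1023 is passed.
#
 set filter in 2 permit tcp src eq 21 estab
 set filter out 2 permit tcp dst eq 21
 set filter in 3 permit tcp src eq 20 dst gt 1023
 set filter out 3 permit tcp dst eq 20
#
# Allow access to DNS lookups
#
 set filter in 4 permit udp src eq 53
 set filter out 4 permit udp dst eq 53
#
# Allow DNS Zone Transfers
#
 set filter in 5 permit tcp src eq 53
 set filter out 5 permit tcp dst eq 53
#
# Allow access from/to local network
# NOTE(review): "in 6" passes every inbound packet addressed to
# 192.168.1.0/24 regardless of source, protocol or port; confirm that
# this is intended before relying on the later, narrower rules.
#
 set filter in 6 permit 0/0 192.168.1.0/24
 set filter out 6 permit 192.168.1.0/24 0/0
#
# Allow ping and traceroute response
# (the outbound traceroute rule is number 8, pairing with "in 8"; it was
# numbered 9, colliding with the cvsup "out 9" rule below)
#
 set filter in 7 permit icmp
 set filter out 7 permit icmp
 set filter in 8 permit udp dst gt 33433
 set filter out 8 permit udp dst gt 33433
#
# Allow cvsup
#
 set filter in 9 permit tcp src eq 5998
 set filter out 9 permit tcp dst eq 5998
 set filter in 10 permit tcp src eq 5999
 set filter out 10 permit tcp dst eq 5999
#
# Allow NTP for Time Synchronization
# NOTE(review): NTP runs over UDP; the tcp rules (11) are probably
# unnecessary - verify before removing.
#
 set filter in 11 permit tcp src eq 123 dst eq 123
 set filter out 11 permit tcp src eq 123 dst eq 123
 set filter in 12 permit udp src eq 123 dst eq 123
 set filter out 12 permit udp src eq 123 dst eq 123
#
# SMTP'd be a good idea!
#
 set filter in 13 permit tcp src eq 25
 set filter out 13 permit tcp dst eq 25
#
#
# We use a lot of `whois`, let's pass that
#
 set filter in 14 permit tcp src eq 43
 set filter out 14 permit tcp dst eq 43
 set filter in 15 permit udp src eq 43
 set filter out 15 permit udp dst eq 43
#
# If none of above rules matches, then packet is blocked.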
#-------</screen>
</informalexample>
</para>
  
<para>Up to 20 distinct filtering rules can be applied to each class of
filter.  Rules in each class are numbered sequentially from 0 to 20
<emphasis>but none of the rules for a particular filter class take effect
until ruleset '0' is defined!</emphasis></para>
  
<para>If you choose <emphasis>not</emphasis> to use Filtering Rules in the PPP
configuration then <acronym>ALL</acronym> traffic will be permitted both into and
out of your system while it's connected to your ISP.</para>
  
<para>If you decide that you want to implement filtering rules, add the
above lines to your <filename>/etc/ppp/ppp.conf</filename> file in either the
"default:", "demand:", or "interactive:" section (or all of them - the
choice is yours).</para>
  
</sect1>
</chapter>
</book>