Selasa, 14 Desember 2010

OSPF The OSPF Protocol

Open Shortest Path Routing (OSPF) is a shortest path first (SPF) or link-state protocol. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system. OSPF chooses the least cost path as the best path. Suitable for complex networks with a large number of routers, OSPF provides equal cost multipath routing where packets to a single destination can be sent via more than one interface simultaneously. In a link-state protocol, each router maintains a database describing the entire AS topology, which it builds out of the collected link state advertisements of all routers. Each participating router distributes its local state (i.e., the router's usable interfaces and reachable neighbors) throughout the AS by flooding. Each multiaccess network that has at least two attached routers has a designated router and a backup designated router. The designated router floods a link state advertisement for the multiaccess network and has other special responsibilities. The designated router concept reduces the number of adjacencies required on a multiaccess network.
OSPF allows networks to be grouped into areas. Routing information passed between areas is abstracted, potentially allowing a significant reduction in routing traffic. OSPF uses four different types of routes, listed in order of preference: intra-area, inter-area, type 1 external and type 2 external. Intra-area paths have destinations within the same area, inter-area paths have destinations in other OSPF areas and Autonomous System External (ASE) routes are routes to destinations external to the AS. Routes imported into OSPF as type 1 routes are supposed to be from igps whose external metrics are directly comparable to OSPF metrics. When a routing decision is being made, OSPF will add the internal cost to the AS Border router to the external metric. Type 2 ASEs are used for egps whose metrics are not comparable to OSPF metrics. In this case, only the internal OSPF cost to the AS Border router is used in the routing decision.
From the topology database, each router constructs a tree of the shortest paths with itself as the root. This shortest-path tree gives the route to each destination in the AS. Externally derived routing information appears on the tree as leaves. The link-state advertisement format distinguishes between information acquired from external sources and information acquired from internal routers, so there is no ambiguity about the source or reliability of routes. Externally derived routing information (for example, routes learned from EGP or BGP) is passed transparently through the autonomous system and is kept separate from OSPF's internally derived data. Each external route can also be tagged by the advertising router, enabling a passing of additional information between routers on the borders of the autonomous system.
OSPF optionally includes type of service (TOS) routing and allows administrators to install multiple routes to a given destination for each type of service (e.g. low delay or high throughput.) A router running OSPF uses the destination address and the type of service to choose the best route to the destination.
OSPF intra- and inter-area routes are always imported into the GateD routing database with a preference of 10. It would be a violation of the protocol if an OSPF router did not participate fully in the area's OSPF, so it is not possible to override this. Although it is possible to give other routes lower preference values explicitly, it is ill-advised to do so.
Hardware multicast capabilities are also used where possible to deliver link-status messages.
OSPF areas are connected by the backbone area, the area with identifier 0.0.0.0. All areas must be logically contiguous and the backbone is no exception. To permit maximum flexibility, OSPF allows the configuration of virtual links to enable the backbone area to appear contiguous despite the physical reality.
All routers in an area must agree on that area's parameters. A separate copy of the link-state algorithm is run for each area. Because of this, most configuration parameters are defined on a per area basis. All routers belonging to an area must agree on that area's configuration. Misconfiguration will lead to adjacencies not forming between neighbors, and routing information might not flow, or even loop.

Authentication

  All OSPF protocol exchanges are authenticated. Authentication guarantees that routing information is only imported from trusted routers, to protect the Internet and its users. A variety of authentication schemes can be used but a single scheme must be configured for each area. This enables some areas to use much stricter authentication than others.
OSPF protocol exchanges may be authenticated. Authentication guarantees that routing information is imported only from trusted routers, to protect the Internet and its users. There are two authentication schemes available. The first uses a simple authentication key of up to 8 characters and is standardized. The second is still experimental and uses the MD5 algorithm and an authentication key of up to 16 characters.
The simple password provides very little protection because in many cases it is possible to easily capture packets from the network and learn the authentication key. The experimental MD5 algorithm provides much more protection as it does not include the authentication key in the packet.
The OSPF specification currently specifies that the authentication type be configured per area with the ability to configure separate passwords per interface. This has been extended to allow the configuration of different authentication types and keys per interface. In addition it is possible to specify both a primary and a secondary authentication type and key on each interface. Outgoing packets use the primary authentication type, but incoming packets may match either the primary or secondary authentication type and key.

The OSPF Statement

 
 ospf  yes |  no |  on |  off [  {  
      defaults  {  
           preference  preference  ;  
           cost  cost  ;  
           tag [  as ]  tag  ;  
           type  1 |  2  ;  
      }  ;  
      exportlimit  routes  ;  
      exportinterval  time  ;  
      traceoptions  trace_options  ;  
      monitorauthkey  authkey  ;  
      monitorauth  none | ( [  simple |  md5 ]  authkey )  ;  
      backbone | (  area  area )  {  
           authtype  0 |  1 |  none |  simple  ;  
           stub [  cost  cost]  ;  
           networks  {  
                network [  restrict ]  ;  
                network  mask  mask [  restrict ]  ;  
                network  masklen  number [  restrict ]  ;  
                host  host [  restrict ]  ;  
           }  ;  
           stubhosts  {  
                host  cost  cost  ;  
           }  ;  
           interface  interface_list; [ cost  cost ]  {  
                interface_parameters  
           }  ;  
           interface  interface_list  nonbroadcast [ cost  cost ]  {  
                pollinterval  time  ;  
                routers  {  
                     gateway [  eligible ]  ;  
                }  ;  
                interface_parameters  
           }  ;  
           Backbone only:  
           virtuallink  neighborid  router_id  transitarea  area  {  
                interface_parameters  
           }  ;  
      }  ;  
 } ]  ;
The following are the interface_parameters referred to above. They may be specified on any class of interface and are described under the interface clause.
  enable |  disable  ;  
     retransmitinterval  time  ;  
     transitdelay  time  ;  
     priority  priority  ;  
     hellointerval  time  ;  
     routerdeadinterval  time  ;  
    [ secondary]  auth ( none| simple| md5| auth_key)  ;  
     authkey  auth_key  ;

    defaults
    These parameters specify the defaults used when importing OSPF ASE routes into the gated routing table and exporting routes from the gated routing table into OSPF ASEs.
    preference preference
    The preference is used to determine how OSPF routes compete with routes from other protocols in the gated routing table. The default value is 150.
    cost cost
    The cost is used when exporting a non-OSPF route from the GateD routing table into OSPF as an ASE. The default value is 1. This may be explicitly overridden in export policy.
    tag [ as ] tag
    OSPF ASE routes have a 32 bit tag field that is not used by the OSPF protocol, but may be used by export policy to filter routes. When OSPF is interacting with an egp, the tag field may be used to propagate AS path information, in which case the as keyword is specified and the tag is limited to 12 bits of information. If not specified, the tag is set to zero.
    type 1 | 2
    Routes exported from the GateD routing table into OSPF default to becoming type 1 ASEs. This default may be explicitly changed here and overridden in export policy.

    ASE export rate



    Because of the nature of OSPF, the rate at which ASEs are flooded must be limited. These two parameters can be used to adjust those rate limits.
    exportinterval time
    This specifies how often a batch of ASE link state advertisements will be generated and flooded into OSPF. The default is once per second.
    exportlimit routes
    This parameter specifies how many ASEs will be generated and flooded in each batch. The default is 100.

    traceoptions trace_options



    Specifies the tracing options for OSPF. (See Trace Statements and the OSPF specific tracing options below.)

    monitorauthkey authkey



    OSPF state may be queried using the ospf_monitor utility. This utility sends non-standard OSPF packets which generate a text response from OSPF. By default these requests are not authenticated, if an authentication key is configured, the incoming requests must match the specified authentication key. No OSPF state may be changed by these packets, but the act of querying OSPF can utilize system resources.

    backbone


    area area



    Each OSPF router must be configured into at least one OSPF area. If more than one area is configured, at least one must the be backbone. The backbone may only be configured using the backbone keyword, it may not be specified as area 0. The backbone interface may be a virtuallink.
    authtype 0 | 1 | none | simple
    OSPF specifies an authentication scheme per area. Each interface in the area must use this same authentication scheme although it may use a different authenticationkey. The currently valid values are none ( 0) for no authentication, or simple ( 1) for simple password authentication.
    stub [ cost cost]
    A stub area is one in which there are no ASE routes. If a cost is specified, this is used to inject a default route into the area with the specified cost.
    networks
    The networks list describes the scope of an area. Intra-area LSAs that fall within the specified ranges are not advertised into other areas as inter-area routes. Instead, the specified ranges are advertised as summary network LSAs. If restrict is specified, the summary network LSAs are not advertised. Intra-area LSAs that do not fall into any range are also advertised as summary network LSAs. This option is very useful on well designed networks in reducing the amount of routing information propagated between areas. The entries in this list are either networks, or a subnetwork/mask pair. See section 4.25.1 on route filtering for more detail about specifying ranges.
    stubhosts
    This lists specifies directly attached hosts that should be advertised as reachable from this router and the costs they should be advertised with. Point-to-point interfaces on which it is not desirable to run OSPF should be specified here. It is also useful to assign a additional address to the loopback interface (one not on the 127 network) and advertise it as a stub hosts. If this address is the same one used as the router-id it enables routing to OSPF routers by router-id, instead of by interface address. This is more reliable than routing to one of the routers interface addresses which may not always be reachable.

    interface interface_list [ cost cost ]



    This form of the interface clause is used to configure a broadcast (which requires IP multicast support) or a point-to-point interface. See section 4.8.2 on interface list specification for the description of the interface_list. Each interface has a cost. The costs of all interfaces a packet must cross to reach a destination are summed to get the cost to that destination. The default cost is one, but another non-zero value may be specified.
    Interface parameters common to all types of interfaces are:

    retransmitinterval time
    The number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface.
    transitdelay time
    The estimated number of seconds required to transmit a link state update over this interface. Transitdelay takes into account transmission and propagation delays and must be greater than 0.
    priority priority
    A number between 0 and 255 specifying the priority for becoming the designated router on this interface. When two routers attached to a network both attempt to become designated router, the one with the highest priority wins. A router whose router priority is set to 0 is ineligible to become designated router.
    hellointerval time
    The length of time, in seconds, between Hello packets that the router sends on the interface.
    routerdeadinterval time
    The number of seconds not hearing a router's Hello packets before the router's neighbors will declare it down.
    [ secondary] auth ( none| simple| md5| auth_key)
    Specify the type of authentication scheme to use on this interface.
    authkey auth_key
    Used by OSPF authentication to generate and verify the authentication field in the OSPF header. The authentication key can be configured on a per interface basis. It is specified by one to eight decimal digits separated by periods, a one to eight byte hexadecimal string preceded by 0x, or a one to eight character string in double quotes.
    Point-to-point interfaces also support this additional parameter:

    nomulticast
    By default, OSPF packets to neighbors on point-to-point interfaces are sent via the IP multicast mechanism. Although, some implementations of IP multicasting for Unix have a bug that precludes the use of IP multicasting on these interfaces. Gated will detect this condition and fall back to using sending unicast OSPF packets to this point-to-point neighbor. If the use of IP multicasting is not desired because the remote neighbor does not support it, the nomulticast parameter may be specified to force the use of unicast OSPF packets. This option may also be used to eliminate warnings when Gated detects the bug mentioned above.

    interface interface_list nonbroadcast [ cost cost ]



    This form of the interface clause is used to specify a nonbroadcast interface on a non-broadcast multi-access (NBMA) media. Since an OSPF broadcast media must support IP multicasting, a broadcast capable media, such as Ethernet, that does not support IP multicasting must be configured as a non-broadcast interface. A non-broadcast interface supports any of the standard interface clauses listed above, plus the following two that are specific to non-broadcast interfaces:

    pollinterval time
    Before adjacency is established with a neighbor, OSPF packets are sent periodically at the specified pollinterval.
    routers
    By definition it is not possible to send broadcast packets to discover OSPF neighbors on a non-broadcast, so all neighbors must be configured. The list includes one or more neighbors and an indication of their eligibility to become a designated router.

    virtuallink neighborid router_id transitarea area



    Virtual links are used to establish or increase connectivity of the backbone area. The neighborid is the router_id of the other end of the virtual link. The transit area specified must also configured on this system. All standard interface parameters defined by the interface clause above may be specified on a virtual link.

Tracing options

In addition to the following OSPF specific trace flags, OSPF supports the state which traces interface and neighbor state machine transitions.

lsabuild
Link State Advertisement creation
spf
Shortest Path First (SPF) calculations
lsatransmit
Link State Advertisement (LSA) transmission. Non implemented.
lsareceive
LSA reception. Non implemented.
state
State transitions. Non implemented.
Packet tracing options (which may be modified with detail, send and recv):

hello
OSPF HELLO packets which are used to determine neighbor reachability.
dd
OSPF Database Description packets which are used in synchronizing OSPF databases.
request
OSPF Link State Request packets which are used in synchronizing OSPF databases.
lsu
OSPF Link State Update packets which are used in synchronizing OSPF databases.
ack
OSPF Link State Ack packets which are used in synchronizing OSPF databases.

The new OSPF Protocol

  Gated version 3_6Alpha_2 and higher includes a new implemetation of the OSPF protocol. The configuration syntax stays the same except:

  1. The export limit, exportinterval, monitorauthkey, monitorauth, networks, stubhosts statements are no longer available (they may be put back in the future).
  2. The bf simple authentication scheme is not implemented.
  3. The OSPF specific trace options available are: state, drelection, db, spf, flood As for the packet details, are available: hello, dd, lsr, lsu, lsa.

What Is a Subnet Mask?

You learned in Chapter 2, “Introduction to Microsoft Networking,” how the subnet
mask can be used to determine whether a host is a local or remote host. To review,
the IP address is ANDed with the subnet mask to extract the network ID for the local
network on which the host resides. The IP address that IP receives in the pseudo
header is now ANDed with the subnet mask to determine a network ID.
It is important to note that the network ID generated might be incorrect. If the host
attempting to send is a Class C host using 255.255.255.0 as the subnet mask, ANDing
generates an incorrect address if the remote host is a Class B. This does not matter,
however, because the network IDs will not match (remember the first octet differs,
depending on the class of network).
As you can see, therefore, the subnet mask enables you to extract the network ID.
This information is used to see whether the datagram is for the local network. If it is
not, the system needs to look at the remote IP address and use the routing table to
figure out where to send it.
Introduction to Routing
After the network IDs are known, they can be compared. The only case where they
should match is if the two hosts are on the same network. If the host that you are
trying to reach is on the same network, the IP layer finds that host and transmits the
data to it. If not, you need to look for a route to the host. This will be done in the
routing table. All devices that have IP have a routing table. The following is an
example of a routing table from an NT system:
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 206.51.250.69 206.51.250.69 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
206.51.250.0 255.255.255.0 206.51.250.69 206.51.250.69 1
206.51.250.69 255.255.255.255 127.0.0.1 127.0.0.1 1
206.51.250.255 255.255.255.255 206.51.250.69 206.51.250.69 1
224.0.0.0 224.0.0.0 206.51.250.69 206.51.250.69 1
255.255.255.255 255.255.255.255 206.51.250.69 206.51.250.69 1
If you want to look at your routing table, you can use the ROUTE command. The
syntax for the ROUTE command is as follows:

Manipulates network routing tables.
ROUTE [-f] [command [destination] [MASK netmask] [gateway] [METRIC metric]]
-f Clears the routing tables of all gateway entries. If this is
used in conjunction with one of the commands, the tables are
cleared prior to running the command.
-p When used with the ADD command, makes a route persistent across
boots of the system. By default, routes are not preserved
when the system is restarted. When used with the PRINT command,
displays the list of registered persistent routes. Ignored for
all other commands, which always affect the appropriate
persistent routes.
command Specifies one of four commands
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK If the MASK keyword is present, the next parameter is
interpreted as the netmask parameter.
netmask If provided, specifies a sub-net mask value to be associated
with this route entry. If not specified, it defaults to
255.255.255.255.
gateway Specifies gateway.
METRIC specifies the metric/cost for the destination
All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.
If the command is print or delete, wildcards may be used for the destination
and gateway, or the gateway argument may be omitted.
In the case of a host, the routing table generally does not contain actual routing
information, except for the default gateway (router) address. Any packet not on the
local network is normally sent to the default gateway. IP on the gateway then looks in
its routing table for a route to the remote network. Occasions will arise where you
have entries in the local host’s routing table. In those cases, this table is consulted to
find the first hop in the route.
A routing table contains the following five pieces of information:
u Network Address. The actual network ID to which the entry describes a
route. This is the real network ID, not the one generated earlier when checking,
if the host is local or remote.
u Netmask. The subnet mask that can be used to generate the network ID. The
system runs through the table and ANDs the IP address you are trying to reach
with each of the netmasks. Then it can compare the result to the Network
Address to see whether they match. If they match, a route has been found.
u Gateway Address. Where to send the packet if it is a remote network ID to
which the computer is sending.
u Interface. Which network interface to send the packet from. Normally you
only have one network card, and this is the same for all entries. (The exception
here is the loopback and multicasting addresses.)
u Metric. How far away this network is. This is the number of routers (gateways)
that the packet must travel through to get to the remote.
There will often be an entry for network 0.0.0.0 with a netmask of 0.0.0.0. This is the
entry for the default gateway and is checked last. If you work it out in binary, you will
see that all addresses match this one.

Introduction to Microsoft Networking

I f you were to study the internal combustion engine, you would
have to know how that relates to the entire automobile and just
where all the pieces fit together. This sense of proportion helps
to make the learning easier by putting all the pieces together. Just like
the automobile engine, before you can really understand the TCP/IP
protocol stack, you have to understand the way that Microsoft
networking fits together.
This chapter looks at all the parts of Microsoft networking. This is not
specific to the Windows NT product, but generally describes the way
that any Microsoft network operating system works.
The OSI Reference Model
Chapter 1, “Introduction to TCP/IP,” mentioned the Open Systems Interconnection
(OSI) reference model. Every networking model is built on layers. The OSI reference
model was designed as a guide for vendors to use as they built their own networking
architectures. (It is not an actual architecture.) Windows NT networking fits the OSI
model. This discussion uses it as a comparison to the TCP/IP model, which is different,
yet manages to achieve the same purpose (and which NT also fits). The layers in
the OSI model have the following functions:
u Application. Generates the requests and processes the requests that it
receives.
u Presentation. Creates the SMB (Server Message Block) (in NT’s case) that
tells the other system what is requested, or contains the response to the request.
This layer also deals with type conversions when the communicating hosts are
different.
u Session. Provides a method for creating and maintaining a logical connection
between two hosts. It also tracks the resources currently in use.
u Transport. Puts the information into a “language” that the other system
understands.
u Network. Deals with directing which system or systems receive the information
on the other end. In other words, it tracks which MAC (Media Access
Control—the unique number that each network card has) address to send to.
u Data Link Control. Deals with the framing of the information sent on the
wire.
u Physical. Puts the information on to the physical network and receives packets
(or frames) from the network.
A discussion of Microsoft networking architecture should help you understand that
when data is being moved between two systems, the information from each of the
layers becomes the data of the layer that resides below it. In this manner, an SMB
(Server Message Block), which is created by the Application and Presentation layers,
becomes the data for the Session layer (or in NT, the TDI boundary).
What Is Microsoft Networking?
Microsoft provides a great deal of flexibility in networking by providing the layered
approach to the networking components. Primarily, Microsoft uses NetBIOS (Network
Basic Input/Output System) as its internal networking protocol. NetBIOS
provides the following several services essential to networking:
u Name management. In NetBIOS networking, computer names are used to
identify the different systems on a network. This function allows for NetBIOS
names to be registered at a computer and enables the computer to know to
which requests to respond. NetBIOS names are 16 bytes in length with the 16th
byte being used to identify the service that registered the name (for example,
workstation, server, and so on).
u Connection-oriented data transfer. This function enables the transfer of
data from one system to another by using a session, and also enables a series of
checks and balances to ensure that the data being transferred is correct.
u Connectionless data transfer. This part of NetBIOS enables computers to
make announcements and send queries to all computers on the network
without having to create sessions. It is used to locate other computers on the
network, or to let other computers know about this one. This provides a
transport for such purposes as logon validation, server announcements, name
queries, and so on.
u Session management. This service tracks and maintains sessions with other
computers on the network, enabling the system to keep track of other computers
with which you work so that those computers can communicate with each
other more quickly. Rather than having to identify yourself every time you
communicate with another system, you can just use the session.
NetBIOS uses a structure called an SMB (Server Message Block) to communicate
between the system requesting the service and the system that will provide the service.
On the system that generates the request, an SMB is created by the redirector (the
component that gets access to the other computer) that, in Microsoft Windows NT
networking, is the workstation service. The SMB describes what the other system is to
do (put this data on the drive, send some data to the SMB, start a session, and so
forth) and includes that actual data where required.
The redirector and the server services are the Application layer discussed earlier in
relation to the OSI model. These actually create the requests and respond to them.
These services also handle the Presentation layer; they create the SMBs (how requests
are formatted for the other computer).
As figure 2.1 shows, the SMB is a method of communications between a redirector
and a server. No other parts of the network architecture use the SMB. Instead, all the
lower layers carry the data.

Senin, 13 Desember 2010

Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a routing protocol developed for Internet Protocol (IP) networks
by the interior gateway protocol (IGP) working group of the Internet Engineering Task Force
(IETF). The working group was formed in 1988 to design an IGP based on the shortest path first
(SPF) algorithm for use in the Internet. Similar to the Interior Gateway Routing Protocol (IGRP),
OSPF was created because in the mid-1980s, the Routing Information Protocol (RIP) was
increasingly unable to serve large, heterogeneous internetworks. This chapter examines the OSPF
routing environment, underlying routing algorithm and general protocol components.
OSPF was derived from several research efforts, including Bolt, Beranek, Newman’s (BBN’s) SPF
algorithm developed in 1978 for the ARPANET (a landmark packet-switching network developed in
the early 1970s by BBN), Dr. Radia Perlman’s research on fault-tolerant broadcasting of routing
information (1988), BBN’s work on area routing (1986), and an early version of OSI’s Intermediate
System-to-Intermediate System (IS-IS) routing protocol.
OSPF has two primary characteristics. The first is that the protocol is open, which means that its
specification is in the public domain. The OSPF specification is published as Request For Comments
(RFC) 1247. The second principal characteristic is that OSPF is based on the SPF algorithm, which
sometimes is referred to as the Dijkstra algorithm, named for the person credited with its creation.
OSPF is a link-state routing protocol that calls for the sending of link-state advertisements (LSAs)
to all other routers within the same hierarchical area. Information on attached interfaces, metrics
used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state
information, they use the SPF algorithm to calculate the shortest path to each node.
As a link-state routing protocol, OSPF contrasts with RIP and IGRP, which are distance-vector
routing protocols. Routers running the distance-vector algorithm send all or a portion of their routing
tables in routing-update messages to their neighbors.

IP Aliasing



Article Description: Discusses what IP aliasing is, what it is for and how to set it up.

Introduction
IP aliasing is the process of adding more than one IP address to a network interface. Typical uses of IP aliasing are virtual hosting of Web and FTP servers and reorganizing servers without having to update any other machines (this last one is especially useful for nameservers). Think of an IP alias as a little kid piggy-backed on their parent interface (which is has the primary address of the physical interface).

IP aliasing is not concerned with the concept of multi-homing, (a multi-homed machine has more than one network interface active), except where a multi-homed machine provides services such as those listed above. The term multi-homing used to denote IP aliasing is a mistake propagated from the Mac world and you would be wise not to follow in their footsteps.

The two commands essential to creating an IP alias on FreeBSD (and all other Unix systems I've ever used) are ifconfig and route. Correct usage of these commands is described below. For all the exquisite details of using these commands, please refer to the man pages which are linked from the sections below. There are two more commands which are useful for verifying that things are working as they should and for debugging if they aren't. netstat allows you to view the kernel routing table (among many other useful things), and ping is a lovely little tool to test reachability of your new alias (or any IP address, for that matter).

IMPORTANT: You MUST be logged in as root to execute most of the commands described below.

Using ifconfig
ifconfig is used to configure all aspects of a network interface (address, protocol, netmask, etc.). Our concern with ifconfig here is adding (and sometimes deleting) address aliases for interfaces.

For the examples below we will assume our machine has a single 3Com 3C509 Ethernet interface (ep0) with the address 192.168.57.82 and a netmask of 255.255.255.0, in addition to the standard loopback interface (lo0) at 127.0.0.1. You will, of course, need to substitute your own address and netmask for your network interface(s). The address and netmask for the loopback interface are the same on every machine.

To add an alias to ep0, we simply execute a command such as:
ifconfig ep0 inet 192.168.57.10 netmask 255.255.255.255 alias This tells FreeBSD that we are binding an IP (inet) address to the 3Com card (ep0) with an address of 192.168.57.10 and a netmask of 255.255.255.255 (i.e., all 1 bits) to prevent a complaint from the operating system that there is already an address bound to the interface, and that it is an interface alias (alias).

You may also leave off the netmask option (or set it to something else). In FreeBSD 2.1.0 and earlier, however, there is a bug that causes ifconfig alias commands to return an error on the first try, but succeed on the second if you don't specify a netmask of 255.255.255.255. If you do not set the netmask to 255.255.255.255, you will also need to add a route by hand as described below.

To remove an alias, we execute the very similar command:
ifconfig ep0 inet 192.168.57.10 -alias We do not need to include additional parameters, such as netmask, because the alias is uniquely identified by the IP address so FreeBSD can remove all of its resources based on that.

Using route
route is used to manually make changes to the kernel routing table. In our application, once we have told FreeBSD about the alias for the interface, we must specify an IP route to it. If you set the netmask to 255.255.255.255 in your ifconfig command above, you can skip this step.

To add a route to our new interface alias, we execute: route add -host 192.168.57.10 127.0.0.1 0 This tells FreeBSD that to get to single host 192.168.57.10, packets should be sent to the loopback address (127.0.0.1, also called localhost), and the metric (hop count) is 0, meaning it is on the local machine.

To delete this route, we execute: route delete -host 192.168.57.10 Again, since the route can be identified by the given parameters, we can leave off things such as the netmask and metric. See the man page for a full explanation of the route command.

Checking Your Work
Now that we (hopefully) have an alias defined and routable, we need to check that it is working properly. First we'll look at the kernel routing table to verify the route to the alias is in place, then we'll use ping to verify packets can actually reach the interface alias.

To look at the numeric version of the kernel routing table, execute: netstat -nr In our example, the output will look something like this: Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.57.1 UGSc 4 964 ep0 127.0.0.1 127.0.0.1 UH 1 39 lo0 192.168.57 link
Once you have established that the route is in the kernel routing table, just do a quick check to be sure routing actually works. Execute a ping like this: ping 192.168.57.10 If things are good, you will see something like this: PING 192.168.57.10 (192.168.57.10): 56 data bytes 64 bytes from 192.168.57.10: icmp_seq=0 ttl=255 time=0.313 ms 64 bytes from 192.168.57.10: icmp_seq=1 ttl=255 time=0.197 ms 64 bytes from 192.168.57.10: icmp_seq=2 ttl=255 time=0.190 ms Just press Ctrl-C to stop the ping if it seems happy. It will then spew some interesting statistics which you can generally just ignore. If none of the pings come back or if there are error messages, something is wrong. Try starting again from the beginning, reading the man pages (no, really, GO READ THE MAN PAGES), and finally, asking on the freebsd-questions list.

Putting it All Together
Now that we understand how to use ifconfig and route commands to add and delete IP aliases, let's make the machine execute the proper commands at startup so the alias will always be active.

Near the end of the file /etc/rc.local, you would add the lines: ifconfig ep0 inet 192.168.57.10 netmask 255.255.255.255 alias If you used a netmask other than 255.255.255.255, then you will also need to use the route command as described above. You can add as many aliases as you like this way (assuming you have enough addresses allocated to you). Simply put several copies of the above commands in /etc/rc.local with the appropriate addresses. You can even have addresses in another IP network aliased onto an interface if that network is also routed to you. This differs from the situation with multiple physical interfaces in a machine which must always have addresses in different IP networks.

There are a couple of issues when dealing with large numbers of aliases (more than ~10) that I'll mention here.

First, there is a bug in all distributions of bind (the named DNS server is part of BIND) that prevents named from starting properly when there are more than 64 aliases on an interface. None of the fixes are particularly simple, so I will skip them all for now.

Second, to prevent cluttering up your /etc/rc.local file with lots of ifconfigs, I suggest you use a seperate file in /etc to hold them. For instance, create a file called ifconfig.ep0 and put all your ifconfig alias commands in there. Then, in /etc/rc.local, add the following: if [ -x /sbin/ifconfig ]; then echo -n 'Adding local ifconfigs ' . /etc/ifconfig.ep0 echo ' done.' fi This script segment is from an rc.local file provided by Neil Fowler Wright. The particularly industrious can find ways to use a loop if there are multiple interfaces with aliases contained in multiple ifconfig.* files.

How to Get More Help
Mailing me directly is probably not the best way to get help with IP aliasing problems. I'm pretty busy most of the time, and often get very grouchy. However, the folks on the freebsd-questions mailing-list are friendly and helpful and will answer your question much more quickly than I.

This page was much improved by suggestions from Neil Fowler Wright, Paul DuBois, Gabe Schuyler, and Brodie the cat.

© 1996 Ben Black black@cypher.net

Sabtu, 11 Desember 2010

INSTALASI VPN GATEWAY 2 GATEWAY

Instalasi vpn menggunakan freeswan versi 2.06 untuk koneksi gateway to
gateway
Catatan: Konfigurasi ini dilakukan pada kedua mesin yang bertindak sebagai
gateway untuk masing-masing jaringan
Kondisi awal, kita memiliki 2 buah mesin yaitu:
- Server A : - memiliki:
- ip publik = 202.155.138.101
- netmask = 255.255.255.240
- ip router = 202.155.138.240
- ip lokal = 172.16.0.49
- netmask = 255.255.252.0
- Server B : - memiliki:
- ip publik = 202.155.100.100
- netmask = 255.255.255.240
- ip router = 202.155.100.101
- ip lokal = 192.168.1.130
- netmask = 255.255.255.0
- Paket Tcpdump terinstall pada masing-masing mesin
Konfigurasi umum untuk Server A dan Server B
1. Mesin linux lengkap dengan iptables, shorewall dan source code kernel
2. Pindah direktori ke direktori /var/tmp
#cd /var/tmp
3. ekstrak file freeswan-2.06.tar.gz
#tar -zxvf secure-linux/source/freeswan-2.06.tar.gz
4. pindah ke direktori freeswan-2.06
#cd freeswan-2.06
5. edit file Makefile.inc
dan baris berikut:
INC_MANDIR=man
Menjadi:
INC_MANDIR=share/man
7. Patch kembali kernel dengan freeswan
#make kpatch
8. konfigurasi ulang kernel dan kompile dengan mengaktifkan modul
IPSEC/Freeswan
#cd /usr/src/linux
#make menuconfig
aktifkan modul IPSEC/Freeswan, kemudian simpan konfigurasi dan keluar
#make dep clean bzImage
#cp arch/i368/boot/bzImage /boot/vmlinuz-2.4.26
#cp System.map /boot/System.map-2.4.26
#lilo
9. Reboot mesin
#reboot
10. Pindah ke direktori freeswan
#cd /var/tmp/freeswan-2.06
11. Compile dan install freeswan
#make program
#make install
12. pindah direktori kerja menjadi /root
#cd /root
Pada server A
13. Buat 2 buah rsa key yang akan di gunakan untuk kedua mesin (key ini hanya
di generate pada satu buah mesin)
#ipsec rsasigkey --verbose 2192 > left-key
#ipsec rsasigkey --verbose 2192 > right-key
14. Copy file left-key menjadi file ipsec.secrets
#cp left-key /etc/ipsec.secrets
15. Edit file /etc/ipsec.secrets, tambahkan parameter berikut:
202.155.138.101 202.155.100.100: RSA { #pada baris awal
} #pada baris akhir
*catatan: ip tersebut merupakan ip publik kedua mesin.
*catatan: ip tersebut merupakan ip publik kedua mesin.
16. dengan menggunakan sftp atau scp copy file right-key ke server B
Pada server B
17. Copy file right-key menjadi file ipsec.secrets
#cp right-key /etc/ipsec.secrets
18. Edit file /etc/ipsec.secrets, tambahkan parameter berikut:
202.155.138.101 202.155.100.100: RSA { #pada baris awal
} #pada baris akhir
*catatan: ip tersebut merupakan ip publik kedua mesin.
Pada Kedua mesin, server A dan server B
19. Edit file /etc/ipsec.conf, kemudian isi dengan konfigurasi berikut:
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn a-b
left=202.155.138.101
leftsubnet=172.16.0.0/22
leftnexthop=202.155.138.240
right=202.155.100.100
rightsubnet=192.168.1.0/24
rightnexthop=202.155.100.101
keyingtries=0
auth=esp
authby=rsasig
leftrsasigkey=0sAQNZYi1vkyiJN.......(dipotong, karena terlalu panjang)
rightrsasigkey=0sAQOoYLTSZRvx.......(dipotong, karena terlalu panjang)
auto=start
*Catatan:
- leftrsasigkey= diambil dari file /etc/ipsec.secrets pada server A pada
bagian pubkey=
- righttrsasigkey= diambil dari file /etc/ipsec.secrets pada server B pada
bagian pubkey=
20. Edit file /etc/shorewall/tunnels
#vi /etc/shorewall/tunnels
kemudian isi dengan parameter berikut:
Untuk server A
ipsec net 202.155.100.100
Untuk server B
ipsec net 202.155.138.101
21. Edit file /etc/shorewall/zones
#vi /etc/shorewall/zones
kemudian isi dengan parameter berikut:
Pada Server A dan Server B
vpn VPN VPN Euuuyyyyy
22. Edit file /etc/shorewallinterface
#vi /etc/shorewall/interfaces
kemudian isi dengan parameter berikut:
Pada Server A dan Server B
vpn ipsec0
23. Edit file /etc/shorewall/hosts
# vi /etc/shorewall/hosts
kemudian isi dengan parameter berikut:
Pada Server A
vpn eth0:192.18.1.0/24
Pada Server B
vpn eth0:172.16.0.0/22
24. Edit file /etc/shorewall/masq
#vi /etc/shorewall/masq
kemudian isi ubah parameter yang ada menjadi:
Pada Server A
eth0:!192.168.1.0/24 172.16.0.0/22
Pada Server B
eth0:!172.16.0.0/22 192.168.1.0/24
25. Edit file /etc/shorewall/policy
#vi /etc/shorewall/policy
kemudian isi dengan parameter berikut:
Pada Server A dan Server B
loc vpn ACCEPT
vpn loc ACCEPT
26. Restart service shorewall pada kedua server
#/etc/init.d/shorewall restart
27. Jalankan ipsec pada kedua server
#/etc/init.d/ipsec start
28. Lihat log pada file /var/log/secure
#tail -f /var/log/secure
Jika hasil log menunjukan hasil seperti di bawah:
ipsec__plutorun: Starting Pluto subsystem...
pluto[14479]: Starting Pluto (FreeS/WAN Version 2.06 PLUTO_USES_KEYRR)
pluto[14479]: Using KLIPS IPsec interface code
pluto[14479]: added connection description "servera-serverb"
pluto[14479]: listening for IKE messages
pluto[14479]: adding interface ipsec0/eth0 202.155.100.100
pluto[14479]: loading secrets from "/etc/ipsec.secrets"
pluto[14479]: "a-b" #1: initiating Main Mode
pluto[14479]: "a-b" #1: ISAKMP SA established
pluto[14479]: "a-b" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP
{using isakmp#1}
pluto[14479]: "a-b" #2: sent QI2, IPsec SA established {ESP=>0x2dfcd977
<0xada21f1a}
pluto[14479]: "a-b" #3: responding to Main Mode
pluto[14479]: "a-b" #3: sent MR3, ISAKMP SA established
pluto[14479]: "a-b" #3: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
pluto[14479]: "a-b" #4: responding to Quick Mode
maka koneksi vpn telah berhasil, dan tinggal melakukan pengetesan serta
sniffing paket untuk pembuktian.
jika hasil output log tidak seperti di atas, maka terjadi kesalahan pada
konfigurasi ipsec atau pun kernel. lihat error message dan perbaiki kembali
konfigurasi tersebut.
29. Jalankan tcpdump pada server B
#tcpdump -n -i eth0
30. Lakukan ping dari salah satu ip di jaringan lokal B (192.168.1.14) ke salah satu
ip jaringan lokal A (172.16.0.3)
#ping 172.16.0.3
31. Lihat output dari tcpdump pada server Jika hasil output tcpdump pada
server B seperti di bawah:
14:39:28.504834 IP 202.155.100.100 > 202.155.138.101:
ESP(spi=0x2dfcd978,seq=0x36c)
14:39:29.644717 IP 202.155.138.101 > 202.155.100.100:
ESP(spi=0xada21f1b,seq=0x38e)
14:39:29.645521 IP 202.155.100.100 > 202.155.138.101:
ESP(spi=0x2dfcd978,seq=0x36d)
maka koneksi vpn telah benar-benar berhasil.

Koneksi dengan Wvdial (SuSE)

Jika saat instalasi menggunakan pilihan SuSE default, seharusnya wvdial telah terinstal. Untuk memanggilnya lewat dua cara (keduanya dengan user root) :

  • Lewat yast -system administration -configure PPP network
  • Langsung mengetikkan wvdial.lxdialog di prompt shell. # wvdial.lxdialog
Segera akan muncul layar WvDial V 1.20 Configuration. Berikut review dari menu yang ada :
  1. Change the language of SuSE WvDial
    Memilih bahasa konfigurasi WvDial. Bahasa yang tersedia adalah Bahasa Inggris, Jerman dan Spanyol.
  2. Configure the current profile
    Seting utama untuk melakukan hubungan ke ISP. Terdiri atas :
    a. Phone number : 1234567 (isikan nomor telepon Anda)

    b. Account Name : fade (user name di ISP)

    c. Password : linuxispower (password untuk menghubungi ISP)

    d. Automatic DNS (Pilih ini jika ISP Anda mendukung DNS otomatis.  
       Jika tidak, Anda bisa isi langsung /etc/resolv.conf lewat YaST  
       atau manual)

    e. Dial method (Metode menelepon, menggunakan tone dial atau pulse dial)

    f. PAP/CHAP authentification (Metode otentikasi. Pilihan lainnya adalah  
       Compuserve, Germany T-online dan Non Standard Login untuk ISP  
       yang tidak mendukung model PAP/CHAP).
  3. Autodetectmodem
    WvDial akan mencoba deteksi semua port serial untuk menemukan modem.
  4. Configure DNS with YaST
    Jika pada pilihan sebelumnya Anda tidak mengaktifkan DNS (dalam kasus ISP tidak mendukung DNS secara otomatis), maka Anda dapat mengkonfigurasikan di sini. Intinya adalah menuliskan name server pada file /etc/resolv.conf
  5. Run WvDial
    Menghubungi internet untuk mencoba konfigurasi yang baru saja dibuat.
Sebagai tambahan, SuSE WvDial menyertakan beberapa dokumentasi yang dapat dibaca langsung lewat menunya :
  1. Show the README.SuSE for WvDial
    Pernyataan dan beberapa petunjuk ringkas dari SuSE tentang penggunaan WvDial for SuSE.
  2. Show the trouble shooting file
    Beberapa contoh kemungkinan pesan kesalahan / error message
  3. Show the original WvDial README
    README asli yang disertakan dalam file sumber WvDial.
  4. Load an alternatif profile
    Memanfaatkan wvdial.conf yang sudah diseting oleh pihak lain

Jumat, 10 Desember 2010

NetBIOS Name Resolution

A s you have seen, there are really two different ways that
computers will be communicating over Microsoft TCP/IP.
This book has already discussed WinSock and NetBIOS, and
hopefully you are understanding the differences. One of the main
differences is that NetBIOS networking requires the use of NetBIOS
computer names. This chapter is going to provide you with the details
on name resolution.
Name resolution is quite simply the process of taking a NetBIOS name
and providing the underlying transport (TCP or UDP) with the TCP/
IP addresses for that name. The tricky part is that you must use the
underlying transport to find out what the name is.
When you work with Microsoft networking, each computer and each
user has a name, and so will the users. The names that can be used are
15 characters in length with an additional character that defines the
type of name, making the total 16 characters. Just as you use port
numbers when working with the WinSock interface, you use this
sixteenth character to provide an end point for the communication.
Table 12.1 summarizes some of the common name types showing what
the sixteenth character would be for these services—the values are in
hex.

Rabu, 08 Desember 2010

PF: Scrub (Packet Normalization)

"Scrubbing" is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations. A simple form of the scrub directive:
scrub in all
This will scrub all incoming packets on all interfaces.
One reason not to scrub on an interface is if one is passing NFS through PF. Some non-OpenBSD platforms send (and expect) strange packets -- fragmented packets with the "do not fragment" bit set, which are (properly) rejected by scrub. This can be resolved by use of the no-df option. Another reason is some multi-player games have connection problems passing through PF with scrub enabled. Other than these somewhat unusual cases, scrubbing all packets is highly recommended practice.
The scrub directive syntax is very similar to the filtering syntax which makes it easy to selectively scrub certain packets and not others. The no keyword can be used in front of scrub to specify packets that will not be scrubbed. Just as with nat rules, the first matching rule wins.
More on the principle and concepts of scrubbing can be found in the paper Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics.

Options

Scrub has the following options:
no-df
Clears the don't fragment bit from the IP packet header. Some operating systems are known to generate fragmented packets with the don't fragment bit set. This is particularly true with NFS. Scrub will drop such packets unless the no-df option is specified. Because some operating systems generate don't fragment packets with a zero IP identification header field, using no-df in conjunction with random-id is recommended.
random-id
Replaces the IP identification field of outgoing packets with random values to compensate for operating systems that use predictable values. This option only applies to outgoing packets that are not fragmented after the optional packet reassembly.
min-ttl num
Enforces a minimum Time To Live (TTL) in IP packet headers.
max-mss num
Enforces a maximum Maximum Segment Size (MSS) in TCP packet headers.
fragment reassemble
Buffers incoming packet fragments and reassembles them into a complete packet before passing them to the filter engine. The advantage is that filter rules only have to deal with complete packets and can ignore fragments. The drawback is the increased memory needed to buffer packet fragments. This is the default behavior when no fragment option is specified. This is also the only fragment option that works with NAT.
fragment crop
Causes duplicate fragments to be dropped and any overlaps to be cropped. Unlike fragment reassemble, fragments are not buffered but are passed on as soon as they arrive.
fragment drop-ovl
Similar to fragment crop except that all duplicate or overlapping fragments will be dropped as well as any further corresponding fragments.
reassemble tcp
Statefully normalizes TCP connections. When using scrub reassemble tcp, a direction (in/out) may not be specified. The following normalizations are performed:
  • Neither side of the connection is allowed to reduce their IP TTL. This is done to protect against an attacker sending a packet such that it reaches the firewall, affects the held state information for the connection, and expires before reaching the destination host. The TTL of all packets is raised to the highest value seen for the connection.
  • Modulate RFC1323 timestamps in TCP packet headers with a random number. This can prevent an observer from deducing the uptime of the host or from guessing how many hosts are behind a NAT gateway.
Examples:
scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in on fxp0 all no-df
scrub    on fxp0 all reassemble tcp

Rabu, 01 Desember 2010

Koneksi dengan menggunakan pppsetup (Slackware)

Skrip ppp setup merupakan skrip yang dibuat oleh ROBERT S. LIESENFELD dan disertakan hampir di setiap distribusi Slackware. Untuk memanggilnya cukup ketikkan pppsetup dengan account root.
$ su #pindah ke account root 
password: 
# pppsetup

Segera akan muncul layar pppsetup Versi 1.98, informasi pembuatnya dan kegunaannya. Tekan Enter. Pertama kali adalah permintaan untuk mengetikkan nomor telepon ISP yang akan dihubungi. Misalnya :
atdt3524001 <- untuk menelpon dengan tone 
atdp3524001 <- untuk menelpon denga pulse

Selanjutnya tekan enter, dan masuk ke penentuan modem.
Pilih ttys0 jika modem Anda disambungkan ke port Com1 
Pilih ttys1 jika modem Anda disambungkan ke port Com2 
Pilih ttys2 jika modem Anda disambungkan ke port Com3 
Pilih ttys3 jika modem Anda disambungkan ke port Com4

Setelah menentukan modem, dilanjutkan dengan menentukan baudrate dari modem.
460800 untuk modem dengan kecepatan 460KBps - Modem ISDN 
230400 untuk modem dengan kecepatan 230KBps - Modem 56KBps atau ISDN 
115200 untuk modem dengan kecepatan 115KBps - Modem 56KBps atau 33.6 atau 28.8 
57600 untuk modem dengan kecepatan 57.6KBps - Modem 56KBps atau 33.6 atau 28.8 
38400 untuk modem dengan kecepatan 38.4KBps - Modem 56KBps atau 33.6 atau 28.8 
19200 untuk modem dengan kecepatan 19.2KBps - Modem ISDN 
57600 untuk modem dengan kecepatan 9.6KBps - Modem ISDN

Pilih sesuai konfigurasi modem Anda. Selanjutnya akan muncul pertanyaan :
Does your service provider provide call back?

Jawab no. Call back adalah fasilitas yang memungkinkan server untuk menelepon kembali beberapa saat setelah login. Pertanyaan selanjutnya adalah tentang init string dari modem. Tekan enter langsung dan biarkan pppsetup memasukkan nilai standar.
Konfigurasi selanjutnya adalah nama domain dari ISP. Misal; indosat.net.id, telkom.net.id dan sebagainya. Isikan nama domain ini, diikuti dengan nomor IP dari DNS Name Server ISP. Jika Anda tidak yakin, tanyakanlah pada ISP Anda. Lalu akan ditanyakan metode autentikasi, pilih PAP. Dua konfigurasi terakhir adalah username dan password Anda untuk login ke ISP. Semua input yang diisikan selama setup ini akan disimpan dalam satu file yang berada di /etc/ppp/pppsetup.txt (minus username dan password untuk login ke ISP). Berikut contoh filenya :
===============================================================

PPPSETUP 1.98 on SLACKWARE.

Written by Robert S. Liesenfeld <xunil@bitstream.net> <IRC:Xunil>

Changes for 1.98 by Kent Robotti <robotti@erols.com>

Patched for Slackware by Patrick Volkerding <volkerdi@slackware.com>

You should get these docs if you don't already have them:

ftp://metalab.unc.edu/pub/Linux/docs/howto/PPP-HOWTO

ftp://metalab.unc.edu/pub/Linux/docs/faqs/PPP-FAQ

Press [Enter] to continue with pppsetup...

===============================================================

These are your PPP configuration files and instructions...

===============================================================

# This is your /etc/ppp/pppscript.

TIMEOUT 60

ABORT ERROR

ABORT BUSY

ABORT "NO CARRIER"

ABORT "NO DIALTONE"

"" "AT&FH0"

OK "atdt3524001"

TIMEOUT 75

CONNECT

# This is your /etc/ppp/options file.

# General configuration options for PPPD:

lock

defaultroute

noipdefault

modem

/dev/ttyS1

57600

crtscts

# Uncomment the line below for more verbose error reporting:

#debug

# If you have a default route already, pppd may require the other side

# to authenticate itself, which most ISPs will not do. To work around this,

# uncomment the line below. Note that this may have negative side effects

# on system security if you allow PPP dialins. See the docs in /usr/doc/ppp*

# for more information.

#noauth

passive

asyncmap 0

name "fade"


I created the symbolic link: /dev/modem -> /dev/ttyS1
# This is your /etc/ppp/options.demand dialing file.

# General configuration options for PPPD:

lock

defaultroute

noipdefault

modem

/dev/ttyS1

57600

crtscts

# Uncomment the line below for more verbose error reporting:

#debug

# If you have a default route already, pppd may require the other side

# to authenticate itself, which most ISPs will not do. To work around this,

# uncomment the line below. Note that this may have negative side effects

# on system security if you allow PPP dialins. See the docs in /usr/doc/ppp*

# for more information.

#noauth

passive

asyncmap 0

name "fade"

ipcp-accept-local

ipcp-accept-remote

0.0.0.0:10.10.10.10

demand

connect "/usr/sbin/chat -v -f /etc/ppp/pppscript"

If you have a ethernet connection you should change the local:remote

IP addresses in the options.demand file, to your actual local and

remote address. Example: 215.346.117.89:312.217.187.96

# This in your /etc/resolv.conf file.

search cbn.net.id

nameserver 202.158.3.7

202.158.3.7 <-IMPORTANT: This should be the IP address of

your service providers nameserver.

# This is your /etc/ppp/pap-secrets file.

Look at /etc/ppp/pap-secrets.

Does everything look correct? if not, run 'pppsetup' again...

===============================================================

To connect to your service provider.

===============================================================

# ppp-go <-Make PPP connection.)


You'll hear and see the modem dialing then once connected,
logging you in Username: or Login: and Password: etc.

You won't see a Username or Login: and Password: prompt

if they're using PAP or CHAP to authenticate you.

If they use PAP or CHAP you'll just see CONNECT - got it.

If the connection was successful you'll see the Local IP and

Remote IP address printed to the screen, you can press [Enter].

If you run ppp-go in X windows you probably won't see a Local

and Remote IP address printed to the screen, you'll just see

the connection process come to a end, wait a few seconds and

press [Enter] at that point.

If you don't connect for whatever reason e.g. Failed No

Dialtone, Busy, No Carrier, Whatever, Exit, just press

[Enter] at that point.

if you have syslogd running, you can see the output messages

from pppd and chat in the /var/log/messages and or debug file.

Sample /var/log/messages file.


spawn pppd[562]: Serial connection established.
spawn pppd[562]: Using interface ppp0

spawn pppd[562]: Connect: ppp0 <-> /dev/modem

spawn pppd[562]: local IP address 215.87.78.18

spawn pppd[562]: remote IP address 205.94.97.35

You don't have a successful PPP connection until you

receive a local & remote IP address like above.

If you have the X window system, you could connect in a Xterm.

spawn # startx

spawn # ppp-go

spawn # netscape mosaic etc.

# ppp-off <-To end the ppp connection.)

# ppp-go -h <-For help.)

There is no support in linux for "WinModems", if you have a

WinModem you will not be able to use it in linux.

There is support for plug n play modems, if you have a pnp

modem you may need "isapnptools" to get it recognized.

===============================================================

#### Look at the /usr/doc/pppsetup/pppsetup-1.98.README. ####

#### A copy of this text can be found in: /etc/ppp/pppsetup.txt ####

===============================================================

Done... You can exit now...

End...