1. Главная
  2. Книги
  3. Mas Roland
  4. The Debian Administrator's Handbook
  5. Страница 75
Выбрать главу

Example 10.6. The /etc/pptpd.conf file

# TAG: speed

#

#       Specifies the speed for the PPP daemon to talk at.

#

speed 115200

# TAG: option

#

#       Specifies the location of the PPP options file.

#       By default PPP looks in '/etc/ppp/options'

#

option /etc/ppp/pptpd-options

# TAG: debug

#

#       Turns on (more) debugging to syslog

#

# debug

# TAG: localip

# TAG: remoteip

#

#       Specifies the local and remote IP address ranges.

#

#       You can specify single IP addresses seperated by commas or you can

#       specify ranges, or both. For example:

#

#               192.168.0.234,192.168.0.245-249,192.168.0.254

#

#       IMPORTANT RESTRICTIONS:

#

#       1. No spaces are permitted between commas or within addresses.

#

#       2. If you give more IP addresses than MAX_CONNECTIONS, it will

#          start at the beginning of the list and go until it gets

#          MAX_CONNECTIONS IPs. Others will be ignored.

#

#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,

#          you must type 234-238 if you mean this.

#

#       4. If you give a single localIP, that's ok - all local IPs will

#          be set to the given one. You MUST still give at least one remote

#          IP for each simultaneous client.

#

#localip 192.168.0.234-238,192.168.0.245

#remoteip 192.168.1.234-238,192.168.1.245

#localip 10.0.1.1

#remoteip 10.0.1.2-100

localip 192.168.0.199

remoteip 192.168.0.200-250

The PPP configuration used by the PPTP server also requires a few changes in /etc/ppp/pptpd-options. The important parameters are the server name (pptp), the domain name (falcot.com), and the IP addresses for DNS and WINS servers.

Example 10.7. The /etc/ppp/pptpd-options file

## turn pppd syslog debugging on

#debug

## change 'servername' to whatever you specify as your server name in chap-secrets

name pptp

## change the domainname to your local domain

domain falcot.com

## these are reasonable defaults for WinXXXX clients

## for the security related settings

# The Debian pppd package now supports both MSCHAP and MPPE, so enable them

# here. Please note that the kernel support for MPPE must also be present!

auth

require-chap

require-mschap

require-mschap-v2

require-mppe-128

## Fill in your addresses

ms-dns 192.168.0.1

ms-wins 192.168.0.1

## Fill in your netmask

netmask 255.255.255.0

## some defaults

nodefaultroute

proxyarp

lock

The last step involves registering the vpn user (and the associated password) in the /etc/ppp/chap-secrets file. Contrary to other instances where an asterisk (*) would work, the server name must be filled explicitly here. Furthermore, Windows PPTP clients identify themselves under the DOMAIN\\USER form, instead of only providing a user name. This explains why the file also mentions the FALCOT\\vpn user. It is also possible to specify individual IP addresses for users; an asterisk in this field specifies that dynamic addressing should be used.

Example 10.8. The /etc/ppp/chap-secrets file

# Secrets for authentication using CHAP

# client        server  secret      IP addresses

vpn             pptp    f@Lc3au     *

FALCOT\\vpn     pptp    f@Lc3au     *

SECURITY PPTP vulnerabilities

Microsoft's first PPTP implementation drew severe criticism because it had many security vulnerabilities; most have since then been fixed in more recent versions. The configuration documented in this section uses the latest version of the protocol. Be aware though that removing some options (such as require-mppe-128 and require-mschap-v2) would make the service vulnerable again.

10.3. Quality of Service

10.3.1. Principle and Mechanism

Quality of Service (or QoS for short) refers to a set of techniques that guarantee or improve the quality of the service provided to applications. The most popular such technique involves classifying the network traffic into categories, and differentiating the handling of traffic according to which category it belongs in. The main application of this differentiated services concept is traffic shaping, which limits the data transmission rates for connections related to some services and/or hosts so as not to saturate the available bandwidth and starve important other services. Traffic shaping is a particularly good fit for TCP traffic, since this protocol automatically adapts to available bandwidth.

It is also possible to alter the priorities on traffic, which allows prioritizing packets related to interactive services (such as ssh and telnet) or to services that only deal with small blocks of data.

The Debian kernels include the features required for QoS along with their associated modules. These modules are many, and each of them provides a different service, most notably by way of special schedulers for the queues of IP packets; the wide range of available scheduler behaviors spans the whole range of possible requirements.

CULTURE LARTC — Linux Advanced Routing & Traffic Control

The Linux Advanced Routing & Traffic Control HOWTO is the reference document covering everything there is to know about network quality of service.

→ http://www.linux-france.org/prj/inetdoc/guides/lartc/lartc.html

10.3.2. Configuring and Implementing

QoS parameters are set through the tc command (provided by the iproute package). Since its interface is quite complex, using higher-level tools is recommended.

10.3.2.1. Reducing Latencies: wondershaper

The main purpose of wondershaper (in the similarly-named package) is to minimize latencies independent of network load. This is achieved by limiting total traffic to a value that falls just short of the link saturation value.

~ 75 ~