10. Setting up name-to-address resolution (DNS)
While we humans like to give things names, computers like numbers. On a TCP/IP network (which is what the Internet is), we refer to a particular machine by a specific name, and every machine exists within a particular domain. For example, my Linux workstation is called archenland and it exists in the interweft.com.au domain. Its human-readable address is therefore archenland.hedland.edu.au (this is called an FQDN, a fully qualified domain name).
However, for other computers on the Internet to be able to find this machine, the computers actually identify each other by IP number when they communicate.
Translating (resolving) machine (and domain) names into the IP numbers actually used on the Internet is the job of the machines that provide the domain name service.
It works like this:-
Your machine needs to know the IP address of a particular computer. The application that needs this information asks the 'resolver' on your Linux PC for it;
The resolver looks in the local host name file (possibly /etc/hosts) and/or asks a domain name server that knows the information; what the resolver actually does is determined by the /etc/host.conf file;
If the answer is in the host name file, that answer is returned;
If it is held by the specified domain name server, your PC asks that machine;
If that domain name server already knows the IP number of the requested name, it returns it. Otherwise, it goes out across the Internet to other name servers to find the information. Finally that name server passes the information back to the resolver that originally asked, which passes it on to the application that requested it.
When you create a PPP connection, you need to tell your Linux machine where it can find the information that maps host names to IP numbers (address resolution), so that you can use machine names and your computer can translate them into the IP numbers it needs to operate.
One way is to enter every host you want to contact into the /etc/hosts file (which is quite impossible if you are connecting to the Internet); another is to use IP numbers instead of machine names (remembering every IP address is impossible except on the smallest of local networks).
The best way is to set up your Linux system so that it knows where to get this name-to-number information automatically. This service is provided by the domain name server system. All that needs to be done is to enter the IP number(s) into your /etc/resolv.conf file.
10.1. The /etc/resolv.conf file
Your PPP server's system administrator/user support people should give you two DNS IP numbers (only one is needed, but two give you some help if one of them breaks).
As noted earlier, Linux cannot set its name servers' IP numbers the way MS Windows 95 does. So you must (politely) insist that your ISP gives you this information!
Your /etc/resolv.conf should look something like this:
--------------------------------------------------------------------------------
domain your.isp.domain.name
nameserver 10.25.0.1
nameserver 10.25.1.2
--------------------------------------------------------------------------------
Edit this file (create it if it does not exist) to reflect the information your ISP gives you. Its ownership and permissions should look like this:-
-rw-r--r-- 1 root root 73 Feb 19 01:46 /etc/resolv.conf
If you have already set up an /etc/resolv.conf file because you are on a local network, simply add the IP numbers of the DNS servers for your PPP connection to the file you already have.
10.2. The /etc/host.conf file
You should also check that your /etc/host.conf file is set up correctly. It should look like this
--------------------------------------------------------------------------------
order hosts,bind
multi on
--------------------------------------------------------------------------------
This tells your resolver to use the information in the host name file before asking the name server.
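The lookup order just described, worked through as an added example (not code from the HOWTO): a toy resolver that reads the "order hosts,bind" and "multi on" settings from host.conf text, consults a hosts file first and a stand-in name server second. The hosts file, host.conf and DNS table are constructed sample data; with "multi on" the resolver library returns every /etc/hosts address for a name rather than only the first, which the example reproduces.

```python
# Added example, not from the HOWTO: a toy resolver that follows the
# "order hosts,bind" and "multi on" settings of /etc/host.conf: hosts file
# first, stand-in name server second. All data below is constructed.

HOST_CONF = "order hosts,bind\nmulti on\n"

HOSTS_FILE = """\
127.0.0.1   localhost
10.25.0.10  archenland archenland.interweft.com.au
10.25.0.11  archenland   # second address, returned only with 'multi on'
"""

# Stand-in for the name server listed in /etc/resolv.conf (constructed).
DNS_TABLE = {"www.example.com": ["192.0.2.7"]}

def parse_host_conf(text):
    """Return (lookup order, multi flag) from host.conf text."""
    order, multi = ["hosts", "bind"], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "order":
            order = [s.strip() for s in value.split(",") if s.strip()]
        elif key == "multi":
            multi = value.strip() == "on"
    return order, multi

def lookup_hosts(name, text, multi):
    """Addresses for name in hosts-file text; first match only unless multi."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            found.append(fields[0])
            if not multi:
                break
    return found

def resolve(name, host_conf=HOST_CONF, hosts=HOSTS_FILE, dns=DNS_TABLE):
    """Try the sources in host.conf order; the first with an answer wins."""
    order, multi = parse_host_conf(host_conf)
    for source in order:
        addrs = (lookup_hosts(name, hosts, multi) if source == "hosts"
                 else list(dns.get(name, [])) if source == "bind" else [])
        if addrs:
            return addrs
    return []   # no source knew the name
```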
11. Using PPP and root privileges
Because PPP needs to set up networking devices, change the kernel routing table and so forth, it needs root privileges to do these things.
If users other than root are to be able to establish PPP connections, the pppd program should be set to run as root (setuid):-
-rwsr-xr-x 1 root root 95225 Jul 11 00:27 /usr/sbin/pppd
If /usr/sbin/pppd is not set up this way, then as root issue the command:
chmod u+s /usr/sbin/pppd
This makes pppd run with root privileges even when it is executed by an ordinary user, so that a pppd started by an ordinary user has the privileges it needs to set up the network interface and the kernel routing table.
Programs that run as root are potential security holes, so you must be very careful about programs that are set 'setuid'. Many programs (including pppd) have been carefully written to minimise the dangers of running as root, so this should be safe (but no guarantees).
Depending on how you want your system to operate, and in particular if you want any user on your system to be able to initiate a PPP link, you should make your ppp-on/off scripts readable/executable by everyone. (If your PC is used only by you, this is probably fine.)
However, if you do not want just anyone to be able to initiate a PPP connection (for example, your children have accounts on your Linux PC and you do not want them connecting to the Internet without your supervision), you will need to create a PPP group (by editing the /etc/group file) and:
Set pppd to run with root privileges, owned by root and in group PPP, with all other permissions turned off. It should look like this
-rwsr-x--- 1 root PPP 95225 Jul 11 00:27 /usr/sbin/pppd
Make the ppp-on/off scripts owned by user root and group PPP
Make the ppp-on/off scripts readable/executable by group PPP
-rwxr-x--- 1 root PPP 587 Mar 14 1995 /usr/sbin/ppp-on
-rwxr-x--- 1 root PPP 631 Mar 14 1995 /usr/sbin/ppp-off
Turn off all other access
Add the users who may start PPP to the PPP group in the /etc/group file
Even so, ordinary users still cannot bring the link down in software: running the ppp-off script requires root privileges. However, any user can switch off the modem (or unplug the phone line from an internal modem).
An alternative (and better) approach is to allow users to start the ppp link using sudo. This offers better security and lets you set things up so that any (trusted) user can use the scripts to start/stop the link. Using sudo lets a trusted user start/stop a PPP link cleanly and safely.
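An added check (not part of the HOWTO) for the group-restricted layout above: it parses `ls -l` lines for pppd and the ppp-on/off scripts and reports anything that departs from pppd being setuid root, every file being owned by root and group PPP, and "other" having no access. The listing it reads is constructed sample input, with ppp-off deliberately left world-readable so that the audit has something to flag.

```python
# Added example, not from the HOWTO: audit `ls -l` lines for pppd and the
# ppp-on/off scripts against the PPP-group layout described above (pppd
# setuid root, everything owned by root:PPP, no access for "other").
# The listing below is constructed sample input, not real system output.
import re

LISTING = """\
-rwsr-x--- 1 root PPP 95225 Jul 11 00:27 /usr/sbin/pppd
-rwxr-x--- 1 root PPP 587 Mar 14 1995 /usr/sbin/ppp-on
-rwxr-xr-x 1 root PPP 631 Mar 14 1995 /usr/sbin/ppp-off
"""

# mode, link count, owner, group, size, three date fields, path
LS_LINE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(?:\S+\s+){3}(\S+)$")

# What section 11 asks for, keyed by file basename: should it be setuid?
POLICY = {"pppd": True, "ppp-on": False, "ppp-off": False}
GROUP = "PPP"

def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, path)."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ls -l line: %r" % line)
    return m.groups()

def audit_line(line):
    """Problems found in one listing line; an empty list means compliant."""
    mode, owner, group, path = parse_ls_line(line)
    name = path.rsplit("/", 1)[-1]
    if name not in POLICY:
        return []                         # not a file this section covers
    problems = []
    if owner != "root":
        problems.append("%s: owner %s, expected root" % (path, owner))
    if group != GROUP:
        problems.append("%s: group %s, expected %s" % (path, group, GROUP))
    if (mode[3] in "sS") != POLICY[name]:  # 's'/'S' in the owner-x slot = setuid
        problems.append("%s: setuid bit %s" % (path, "missing" if POLICY[name] else "set"))
    if mode[7:] != "---":
        problems.append("%s: 'other' has %s, expected none" % (path, mode[7:]))
    return problems

def audit_listing(text):
    """Audit every non-empty line of an `ls -l` listing."""
    return [p for line in text.splitlines() if line.strip() for p in audit_line(line)]
```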
12. Setting up the PPP connection files
You must be logged in as root to create the directories and edit the files needed to set up a PPP connection, even if you want all users to be able to use PPP.
PPP uses several files to establish and configure a PPP link. The names and locations of these files differ between PPP 2.1.2 and 2.2.
In PPP 2.1.2 the files are:-
--------------------------------------------------------------------------------
/usr/sbin/pppd # the PPP binary
/usr/sbin/ppp-on # the dialer/connection script
/usr/sbin/ppp-off # the disconnection script
/etc/ppp/options # options used by all connections
/etc/ppp/options.ttyXX # options for a specific serial port
--------------------------------------------------------------------------------
In PPP 2.2 the files are:-
--------------------------------------------------------------------------------
/usr/sbin/pppd # the PPP binary
/etc/ppp/scripts/ppp-on # the dialer/connection script
/etc/ppp/scripts/ppp-on-dialer # the chat script part of the dialer
/etc/ppp/scripts/ppp-off # the disconnection script
/etc/ppp/options # options used by all connections
/etc/ppp/options.ttyXX # options for a specific serial port
--------------------------------------------------------------------------------
Red Hat Linux users should note that the standard Red Hat 4.X installation puts these scripts in /usr/doc/ppp-2.2.0f-2/scripts.
In your /etc directory there should be a directory:
drwxrwxr-x 2 root root 1024 Oct 9 11:01 ppp
If it does not exist, create it with these permissions.
If the directory already exists, it should contain a template options file called options.tpl. This file is included below.
Because it contains explanations of all the PPP options, please print it out (reading it alongside the pppd manual page will be very useful). Although you can use this file as the basis for your /etc/ppp/options file, it is probably better to create your own options file that does not include every directive in the template; it will be much shorter and easier to read/maintain.
If you have multiple serial lines/modems (typically a PPP server), create a general /etc/ppp/options file containing the options common to every serial port on which you support dial-in, and create an individual options file for each serial line that needs its own settings to establish a PPP connection.
These files are named options.ttyx1, options.ttyx2 and so on (where x is the appropriate code for your serial port).
However, for a single PPP connection you can simply use the /etc/ppp/options file. Alternatively, you can put all the options on the pppd command line as arguments.
Setting things up with /etc/ppp/options.ttySx files is easier to maintain. If you use PPP to connect to several different sites, you can create an options file for each site in /etc/ppp/options.site and then specify that options file as an argument to the PPP command when you connect (using the file option-file argument on the pppd command line).
12.1. An alternative options.tpl file
Some PPP distributions seem to be missing the options.tpl file, so here is a complete one. I suggest you do not edit this file directly to create your own /etc/ppp/options; copying it to a new file and editing that is better. If you mess up the file you are editing, you can go back and start again from the original.
--------------------------------------------------------------------------------
# /etc/ppp/options -*- sh -*- general options for pppd
# created 13-Jul-1995 jmk
# autodate: 01-Aug-1995
# autotime: 19:45
# Use the executable or shell command specified to set up the serial
# line. This script would typically use the "chat" program to dial the
# modem and start the remote ppp session.
#connect "echo You need to install a connect command."
# Run the executable or shell command specified after pppd has
# terminated the link. This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
#disconnect "chat -- \d+++\d\c OK ath0 OK"
# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
#asyncmap 0
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
#auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
#crtscts
# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
#xonxoff
# Add a default route to the system routing tables, using the peer as
# the gateway, when IPCP negotiation is successfully completed. This
# entry is removed when the PPP connection is broken.
#defaultroute
# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map). The characters to be escaped are
# specified as a list of hex numbers separated by commas. Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified. The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
#escape 11,13,ff
# Don't use the modem control lines.
#local
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
#lock
# Use the modem control lines. On Ultrix, this option implies hardware
# flow control, as for the crtscts option. (This option is not fully
# implemented.)
#modem
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
#mru 542
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0
# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
#noipdefault
# Enables the "passive" option in the LCP. With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
#passive
# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
#silent
# Don't request or allow negotiation of any options for LCP and IPCP
# (use default values).
#-all
# Disable Address/Control compression negotiation (use default, i.e.
# address/control field disabled).
#-ac
# Disable asyncmap negotiation (use the default asyncmap, i.e. escape
# all control characters).
#-am
# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#-detach
# Disable IP address negotiation (with this option, the remote IP
# address must be specified with an option on the command line or in an
# options file).
#-ip
# Disable magic number negotiation. With this option, pppd cannot
# detect a looped-back line.
#-mn
# Disable MRU [Maximum Receive Unit] negotiation (use default, i.e.
# 1500).
#-mru
# Disable protocol field compression negotiation (use default, i.e.
# protocol field compression disabled).
#-pc
# Require the peer to authenticate itself using PAP.
# This requires TWO WAY authentication - do NOT use this for a standard
# PAP authenticated link to an ISP as this will require the ISP machine
# to authenticate itself to your machine (and it will not be able to).
#+pap
# Don't agree to authenticate using PAP.
#-pap
# Require the peer to authenticate itself using CHAP [Cryptographic
# Handshake Authentication Protocol] authentication.
# This requires TWO WAY authentication - do NOT use this for a standard
# CHAP authenticated link to an ISP as this will require the ISP machine
# to authenticate itself to your machine (and it will not be able to).
#+chap
# Don't agree to authenticate using CHAP.
#-chap
# Disable negotiation of Van Jacobson style IP header compression (use
# default, i.e. no compression).
#-vj
# Increase debugging level (same as -d). If this option is given, pppd
# will log the contents of all control packets sent or received in a
# readable form. The packets are logged through syslog with facility
# daemon and level debug. This information can be directed to a file by
# setting up /etc/syslog.conf appropriately (see syslog.conf(5)). (If
# pppd is compiled with extra debugging enabled, it will log messages
# using facility local2 instead of daemon).
#debug
# Append the domain name <d> to the local host name for authentication
# purposes. For example, if gethostname() returns the name porsche,
# but the fully qualified domain name is porsche.Quotron.COM, you would
# use the domain option to set the domain name to Quotron.COM.
#domain <d>
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n
# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface.
#mtu <n>
# Set the name of the local system for authentication purposes to <n>.
# This will probably have to be set to your ISP user name if you are
# using PAP/CHAP.
#name <n>
# Set the user name to use for authenticating this machine with the peer
# using PAP to <u>.
# Do NOT use this if you are using 'name' above!
#user <u>
# Enforce the use of the host name as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname
# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
#proxyarp
# Use the system password database for authenticating the peer using
# PAP.
#login
# If this option is given, pppd will send an LCP echo-request frame to
# the peer every n seconds. Under Linux, the echo-request is sent when
# no packets have been received from the peer for n seconds. Normally
# the peer should respond to the echo-request by sending an echo-reply.
# This option can be used with the lcp-echo-failure option to detect
# that the peer is no longer connected.
#lcp-echo-interval <n>
# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
#lcp-echo-failure <n>
# Set the LCP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#lcp-restart <n>
# Set the maximum number of LCP terminate-request transmissions to <n>
# (default 3).
#lcp-max-terminate <n>
# Set the maximum number of LCP configure-request transmissions to <n>
# (default 10).
# Some PPP servers are slow to start up. You may need to increase this
# if you keep getting 'serial line looped back' errors and your are SURE
# that you have logged in correctly and PPP should be starting on the server.
#lcp-max-configure <n>
# Set the maximum number of LCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#lcp-max-failure <n>
# Set the IPCP restart interval (retransmission timeout) to <n>
# seconds (default 3).
#ipcp-restart <n>
# Set the maximum number of IPCP terminate-request transmissions to <n>
# (default 3).
#ipcp-max-terminate <n>
# Set the maximum number of IPCP configure-request transmissions to <n>
# (default 10).
#ipcp-max-configure <n>
# Set the maximum number of IPCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#ipcp-max-failure <n>
# Set the PAP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#pap-restart <n>
# Set the maximum number of PAP authenticate-request transmissions to
# <n> (default 10).
#pap-max-authreq <n>
# Set the CHAP restart interval (retransmission timeout for
# challenges) to <n> seconds (default 3).
#chap-restart <n>
# Set the maximum number of CHAP challenge transmissions to <n>
# (default 10).
#chap-max-challenge <n>
# If this option is given, pppd will re-challenge the peer every <n>
# seconds.
#chap-interval <n>
# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local
# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote
--------------------------------------------------------------------------------
12.2. What options should I use? (no PAP/CHAP)
Well, it all depends (sigh). What is given here should work with most servers.
However, if it does not work, read the template file (/etc/ppp/options.tpl) and the pppd manual page, and talk to the system administrator/user support people of the server you are connecting to.
You should also note that the connection scripts shown here also pass some command-line options to pppd to make things easier to adjust.
--------------------------------------------------------------------------------
# /etc/ppp/options (NO PAP/CHAP)
#
# prevent pppd from forking into the background
-detach
#
# use the modem control lines
modem
# use a uucp-style lock file so that nobody else can grab the serial device
lock
# use hardware flow control
crtscts
# make this link the default route in the routing table
defaultroute
# do not use any "escape" control sequences
asyncmap 0
# maximum transmit packet size is 552 bytes
mtu 552
# maximum receive packet size is 552 bytes
mru 552
#
#-------END OF SAMPLE /etc/ppp/options (no PAP/CHAP)
--------------------------------------------------------------------------------
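An added example, not code from the HOWTO: a small parser for a pppd options file like the sample above, followed by a check that flags the settings this section and the template warn about for a link to an ISP, namely +pap/+chap (they demand two-way authentication), an mru below the minimum of 128 quoted in options.tpl, and a missing lock. It assumes one option per line, a simplification of pppd's own word-based parsing; the embedded options text is the 12.2 sample with its comments removed.

```python
# Added example, not from the HOWTO: parse a pppd options file such as the
# sample above and flag settings section 12 warns about: +pap/+chap (two-way
# authentication, wrong for a link to an ISP), an mru below the 128 minimum
# quoted in options.tpl, and a missing 'lock'. One option per line is
# assumed (a simplification; pppd also accepts several words per line).

SAMPLE_OPTIONS = """\
# /etc/ppp/options (NO PAP/CHAP)
-detach
modem
lock
crtscts
defaultroute
asyncmap 0
mtu 552
mru 552
"""

def parse_options(text):
    """Map each option to its argument (None if none); '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else None
    return opts

def check_isp_options(opts):
    """Warnings for a dial-out-to-ISP options set, following the HOWTO's notes."""
    warnings = []
    for flag in ("+pap", "+chap"):
        if flag in opts:
            warnings.append("%s requires the ISP to authenticate to you; it will not" % flag)
    if "lock" not in opts:
        warnings.append("no 'lock': the serial device is not held exclusively")
    if "mru" in opts:
        value = opts["mru"] or ""
        if not value.isdigit():
            warnings.append("mru is not a number: %r" % value)
        elif int(value) < 128:
            warnings.append("mru %s is below the minimum of 128" % value)
    return warnings
```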