While browsing Slashdot last week, I stumbled upon someone being rather silly with their wireless access point. (For those who'd rather not check the link: he leaves the AP open, then either forwards all port 80 traffic from its users to one particular server or mogrifies any image those users view.)
I couldn't figure out how to do the redirection to Kittenwar all in PF, so I split it into a redirect statement in pf.conf and nc in inetd.conf. First, the redirect to a local port:
    rdr pass on $wireless_if proto tcp from $WIRELESSNET to any port 80 -> \
        127.0.0.1 port 5000

I changed the 5000 to 3128 later when I switched to using Squid.
Then adding this line to /etc/inetd.conf:
    127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 188.8.131.52 80

Note that the example given in the PF User's Guide didn't work for me: I had to put it all on one line.
Now anyone trying to browse the Web from my wireless network got redirected to kittenwar.com (or, more specifically, to http://184.108.40.206, which means you can't pick a particular site on a virtually hosted server).
Moving along to the proposed Upside-Down-Ternet, I installed squid and wget from packages. I made some basic configuration settings for Squid (also see below, to include the redirect program). I also needed to start Apache and create a directory for Squid to play with the images it caches. Specifically, create /var/www/htdocs/images and change the ownership to _squid:_squid.
The redirector program I used was just a slightly modified version of the Perl script on the site linked above. Just change the scratch directory from /space/WebPages/images to /var/www/htdocs/images. I put the script in /usr/local/bin/redirector and made it executable by all.
The last steps are to fire up squid (remember the -z flag if it's your first time) and change the port listed in the redirect statement to 3128.
If you want to use the alternate Blurry-net option, you need to change the redirector program. Replace both instances of "-flip" with "-blur","4" (yes, you do need to use a separate set of quotes for the numeric argument; that drove me nuts for a while). Realize, though, that blur takes a bit more processor time, so those of us running this on a 200 MHz Pentium will see a noticeable performance hit.
To get to an actual serious question in this post: Squid seemed to have some problems early on where it was waiting to talk to PF, couldn't get a response, and bottlenecked. I noticed that one set of instructions for using it on OpenBSD suggests changing the group ownership and permissions of /dev/pf (to :_squid and g+rw, respectively). I was just curious whether there are any alternatives that anyone else uses?
For reference, the changes I made to the squid.conf file are:
    http_port 127.0.0.1:3128
    redirect_program /usr/local/bin/redirector
    http_access deny to_localhost
    acl our_networks src [my wireless subnet]
    http_access allow our_networks
    httpd_accel_port 80
    httpd_accel_host virtual
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
- The original inspiration
- PF User's Guide: Traffic Redirection (Port Forwarding)
- Mogrify's flags
- Transparent proxying with squid and pf
As with many things, I'm sure there's room for improvement. Aside from the permissions change for squid, the first one off the top of my head is using a better tool than wget. I think OpenBSD's built-in ftp command can probably be subbed in, or maybe lynx, to use something that's in the trusted base tree, rather than a package. I should also find a way to clean out the images directory, since that could fill up my /var partition quickly if people actually used the thing. Also of note is that there are more image extensions out there than just .jpg and .gif, so the redirector program could be expanded.
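As an added example (not the post's own code, nor the Perl script from the linked site), here is the redirector from above written as a Python Squid 2.x redirect_program, with the two improvements from the last paragraph folded in: it recognises more image extensions than .jpg and .gif, and it prunes the scratch directory by total size so it cannot fill up /var. The Apache URL for the scratch directory, the 50 MB cap, and the fail-open behaviour on fetch or mogrify errors are my assumptions.

```python
# Squid 2.x redirect_program: Squid writes "URL client-ip/fqdn ident method" lines on stdin
# and expects a rewritten URL (or an empty line to leave the request alone) per line.
import hashlib, os, subprocess, sys, urllib.request
from urllib.parse import urlparse

SCRATCH_DIR = "/var/www/htdocs/images"       # directory from the post, served by Apache
BASE_URL = "http://127.0.0.1/images/"        # assumed URL Apache maps to SCRATCH_DIR
MAX_SCRATCH_BYTES = 50 * 1024 * 1024         # assumed cap so the scratch dir can't fill /var
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}  # more than just .jpg and .gif

def parse_request(line):                     # -> (url, client_ip, ident, method), or None
    f = line.split()
    return (f[0], f[1].split("/", 1)[0], f[2], f[3]) if len(f) >= 4 else None

def is_image_request(url, method):           # rewrite only GETs of known image extensions
    return method == "GET" and os.path.splitext(urlparse(url).path)[1].lower() in IMAGE_EXTS

def local_name(url):                         # filesystem-safe scratch name, extension kept
    return hashlib.sha1(url.encode()).hexdigest() + os.path.splitext(urlparse(url).path)[1].lower()

def prune_scratch(directory, max_bytes):     # delete oldest files until under max_bytes
    files = sorted((os.path.getmtime(p), os.path.getsize(p), p) for p in
                   (os.path.join(directory, f) for f in os.listdir(directory)) if os.path.isfile(p))
    excess, freed = sum(size for _, size, _ in files) - max_bytes, 0
    for _, size, path in files:              # oldest mtime first
        if freed >= excess:
            break
        os.remove(path)
        freed += size
    return freed                             # bytes removed

def rewrite(line):                           # rewritten URL for an image GET, else "" (pass through)
    parsed = parse_request(line)
    if parsed is None or not is_image_request(parsed[0], parsed[3]):
        return ""
    path = os.path.join(SCRATCH_DIR, local_name(parsed[0]))
    try:
        prune_scratch(SCRATCH_DIR, MAX_SCRATCH_BYTES)
        urllib.request.urlretrieve(parsed[0], path)          # stands in for wget
        subprocess.run(["mogrify", "-flip", path], check=True)  # "-blur", "4" for Blurry-net
    except (OSError, subprocess.CalledProcessError):
        if os.path.exists(path):
            os.remove(path)                  # never serve a half-written file
        return ""                            # fail open: the original image goes through
    return BASE_URL + os.path.basename(path)

if __name__ == "__main__":
    for line in sys.stdin:                   # Squid feeds one request per line
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()                   # Squid blocks until it reads the reply
```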