openbsd

bryanpi @ 11:42 am: Fun with PF, Squid, and ImageMagick

While browsing Slashdot last week, I stumbled upon someone being rather silly with their wireless access point. (For those who'd rather not check the link, he leaves the AP open, then either forwards all port 80 traffic to one particular server or mogrifies any image they view.)

It seemed like a fun way to get my feet wet on a few new tools, so I adapted the instructions to OpenBSD.

I couldn't figure out how to do the redirection to Kittenwar all in PF, so I split it into a redirect statement in pf.conf and nc in inetd.conf. First, the redirect to a local port:

rdr pass on $wireless_if proto tcp from $WIRELESSNET to any port 80 -> \
   127.0.0.1 port 5000
I changed the 5000 to 3128 later when I switched to using Squid.

Then adding this line to /etc/inetd.conf:

127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 64.111.96.38 80
Note that the example given in the PF User's Guide didn't work for me: I had to put it all on one line.

Now anyone trying to browse the Web from my wireless network got redirected to kittenwar.com (or, more specifically, to http://64.111.96.38, which means you can't pick a target on a name-based virtual host).

Moving along to the proposed Upside-Down-ter-net, I installed squid and wget from packages. I made some basic configuration changes to Squid (see the squid.conf excerpt below, which includes the redirect program). I also needed to start Apache and create a directory for Squid to play with the images it caches. Specifically, create /var/www/htdocs/images and change its ownership to _squid:_squid.

The redirector program I used was just a small change of the perl script on the site linked above. Just change the scratch directory from /space/WebPages/images to /var/www/htdocs/images. I put the script in /usr/local/bin/redirector, and made it executable by all.

The last steps are to fire up squid (remember the -z flag if it's your first time) and change the port listed in the redirect statement to 3128.

If you want to use the alternate Blurry-net option, you need to change the redirector program. Replace both instances of "-flip" with "-blur","4" (yes, you do need a separate set of quotes for the numeric argument; that drove me nuts for a while). Be aware that blur takes more processor time, so those of us running this on a 200 MHz Pentium see a noticeable performance hit.

To get to the actual serious question in this post: Squid seemed to have some problems early on where it was waiting to talk to PF, but since it couldn't get a response, it bottlenecked. I noticed that one set of instructions for using it on OpenBSD suggests changing the ownership and permissions of /dev/pf (to :_squid and g+rw, respectively). I was just curious whether there are any alternatives that anyone else uses.

For reference, the changes I made to the squid.conf file are:

http_port 127.0.0.1:3128
redirect_program /usr/local/bin/redirector
http_access deny to_localhost
acl our_networks src [my wireless subnet]
http_access allow our_networks
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Thanks!

My sources:

As with many things, I'm sure there's room for improvement. Aside from the permissions change for squid, the first one off the top of my head is using a better tool than wget. I think OpenBSD's built-in ftp command can probably be subbed in, or maybe lynx, to use something that's in the trusted base tree, rather than a package. I should also find a way to clean out the images directory, since that could fill up my /var partition quickly if people actually used the thing. Also of note is that there are more image extensions out there than just .jpg and .gif, so the redirector program could be expanded.
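The "clean out the images directory" item above is worth doing before anything else, because a scratch directory under /var that every redirected image lands in will fill the partition as soon as real traffic arrives. The following is an added example, not code from the post or from the site it adapts: an age-based pruner that only touches regular files with the two suffixes the redirector handles, never follows symlinks and never recurses, so a stray link or subdirectory in the scratch area cannot steer the deletion anywhere else. The 15-minute age limit is an assumption; the directory path is the one from the post, and the files the demo creates are constructed.

```python
"""Age-based pruning of a proxy scratch directory (added example)."""
import os
import tempfile
import time
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

SCRATCH_DIR = "/var/www/htdocs/images"        # directory from the post
MAX_AGE_SECONDS = 15 * 60                     # assumed limit: older images are removed
IMAGE_SUFFIXES = frozenset({".jpg", ".gif"})  # the two types the redirector handles


def prune_directory(directory: str, max_age_seconds: float,
                    now: Optional[float] = None,
                    suffixes: Iterable[str] = IMAGE_SUFFIXES) -> List[str]:
    """Remove regular files in `directory` whose suffix is in `suffixes` and
    whose mtime is more than `max_age_seconds` in the past.
    Returns the sorted names of the removed files."""
    now = time.time() if now is None else now
    allowed = {s.lower() for s in suffixes}
    removed: List[str] = []
    with os.scandir(directory) as entries:
        for entry in entries:
            # is_file(follow_symlinks=False) is False for symlinks, directories
            # and special files, so none of them are ever unlinked here.
            if not entry.is_file(follow_symlinks=False):
                continue
            if Path(entry.name).suffix.lower() not in allowed:
                continue
            age = now - entry.stat(follow_symlinks=False).st_mtime
            if age > max_age_seconds:
                os.unlink(entry.path)
                removed.append(entry.name)
    return sorted(removed)


def demo_prune() -> Tuple[List[str], List[str]]:
    """Build a constructed scratch directory, prune it with a fixed clock and
    return (removed names, remaining names) so the behaviour can be checked."""
    now = 1_000_000_000.0  # fixed clock keeps the demo deterministic
    with tempfile.TemporaryDirectory() as tmp:
        def make(name: str, age_seconds: float) -> None:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"\xff\xd8 constructed sample bytes")
            os.utime(path, (now - age_seconds, now - age_seconds))

        make("old.jpg", 3600)      # stale image: removed
        make("recent.gif", 60)     # may still be in use by a client: kept
        make("notes.txt", 86400)   # not an image: kept
        os.mkdir(os.path.join(tmp, "stale.jpg"))                      # directory: kept
        os.symlink("../outside.jpg", os.path.join(tmp, "link.jpg"))   # symlink: kept, not followed
        removed = prune_directory(tmp, MAX_AGE_SECONDS, now=now)
        remaining = sorted(os.listdir(tmp))
    return removed, remaining


if __name__ == "__main__":
    # Against the real directory this would be: prune_directory(SCRATCH_DIR, MAX_AGE_SECONDS)
    print(demo_prune())
```

Run from cron at the same interval as the age limit and the directory stays bounded by roughly one interval's worth of traffic; the suffix filter also means a file of any other name that ends up there is left for a human to look at rather than silently deleted.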



Comments

From:pereresus_buggy
Date:July 31st, 2006 05:37 pm (UTC)
Squid seemed to have some problems early on where it was waiting to talk to PF, but since it couldn't get a response, it bottlenecked.
I use squid as a transparent Web proxy without setting the /dev/pf group to _squid, for a while now without problems. All client PCs are running modern enough browsers (IE 6.0, FireFox 1.x, Opera 7.5 or higher, Lynx 2.8…) that send the HTTP Host header. If you aren't stuck with old Web user agents then I recommend you double-check your configuration; if squid doesn't start without such permissions, something is obviously broken.

As with many things, I'm sure there's room for improvement. Aside from the permissions change for squid, the first one off the top of my head is using a better tool than wget.
Maybe cURL? I remember some OpenBSD developers recommended it as a featured and, of course, secure alternative; see the mail archives.
From:bryanpi
Date:July 31st, 2006 06:07 pm (UTC)
All client PCs are running enough modern browsers (IE 6.0, FireFox 1.x, Opera 7.5 or higher, Lynx 2.8…) that send HTTP Host header.

That's what I thought should be the case, and my test laptop was using IE 6, but I still wound up getting a run of errors in squid's cache.log:
parseHttpRequest: PF open failed: (13) Permission denied

May be CURL?

Thanks! I had that one swimming in my mind, too. I'll check around and see if there's any significant difference between that and just using ftp.
From:pereresus_buggy
Date:July 31st, 2006 07:18 pm (UTC)
# ls -l /dev/pf
crw-------  1 root  wheel   73,   0 May  4 19:22 /dev/pf
# grep 'PF open failed' cache.log
I dunno what is broken in your configuration, I'm not a squid professional (I just set it up once and it just works ;)), but I'd recommend you return to the default squid configuration, and then, if it works OK, make changes one by one. If not then… Aren't you mixing STABLE and CURRENT (or different CURRENT system and packages)?
From:bryanpi
Date:August 6th, 2006 03:15 am (UTC)
Oy, not much progress. I went ahead and changed ownership and permissions of /dev/pf back, and things work (aside from the "PF open failed" errors). The only squid.conf lines I could take out without screwing things up were httpd_accel_port and httpd_accel_with_proxy.

But, as I mentioned, still getting errors, despite the fact that the programs are using the Host header (as double-checked by tcpdump -X). But then, it's working, so maybe Squid's just being silly and trying to check pf even though it doesn't need to? I've made some headway into the Squid documentation, but it's getting to be too much work for something like this. ;-)

And for posterity's sake, replacing wget with ftp worked. There's no parallel for the -q flag (ftp is quiet by default in that usage), so remove that and change the case of -O to -o.
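As an added illustration (not Squid's code, and not from the post or the comments), here is a small model of how a transparent proxy can work out which origin server a redirected connection was meant for. The proxy has three possible sources: a proxy-style request line carrying an absolute URI, the packet filter's NAT table (the /dev/pf query that needs read access to the device), and the client's Host header. The model asks the kernel first and falls back to the Host header when that lookup fails, recording the failure, which is consistent with what the thread observes: a run of "PF open failed: (13) Permission denied" lines, yet pages still load for clients that send Host and nothing at all for an HTTP/1.0 client that does not. The order of preference, the client address, the NAT table contents and the sample requests are all constructed for the example.

```python
"""Model of origin recovery in a transparent HTTP proxy (added example)."""
import errno
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]
NatLookup = Callable[[Endpoint], Endpoint]

# Constructed sample data: one wireless client and the PF state entry its
# redirected connection would have (real destination before the rdr rule).
CLIENT: Endpoint = ("192.168.1.23", 50321)
NAT_TABLE: Dict[Endpoint, Endpoint] = {CLIENT: ("192.0.2.10", 80)}

REQ_WITH_HOST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: oldfetch/0.1\r\n\r\n"
REQ_ABSOLUTE = b"GET http://www.example.com:8080/img.gif HTTP/1.1\r\n\r\n"


def nat_lookup_denied(client: Endpoint) -> Endpoint:
    """Stand-in for the /dev/pf query when the device is crw------- root:wheel
    and the proxy runs unprivileged: open(2) fails with EACCES."""
    raise PermissionError(errno.EACCES, "Permission denied", "/dev/pf")


def nat_lookup_from_table(table: Dict[Endpoint, Endpoint]) -> NatLookup:
    """Stand-in for a successful query against the packet filter's state table."""
    def lookup(client: Endpoint) -> Endpoint:
        if client not in table:
            raise OSError(errno.ENOENT, "no state for connection")
        return table[client]
    return lookup


def split_host_port(authority: str, default_port: int) -> Endpoint:
    """'example.com:8080' -> ('example.com', 8080); no port -> default_port."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, default_port


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split the request head into (method, target, version, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def recover_destination(raw: bytes, client: Endpoint, nat_lookup: NatLookup,
                        log: List[str]) -> Tuple[str, int, str]:
    """Return (host, port, source) for a redirected request; source names which
    of the three mechanisms supplied the answer.  Raises ValueError when none can."""
    _method, target, _version, headers = parse_request_head(raw)
    # 1. A proxy-style request line names the origin explicitly.
    if target.lower().startswith("http://"):
        authority = target[len("http://"):].split("/", 1)[0]
        host, port = split_host_port(authority, 80)
        return host, port, "absolute-uri"
    # 2. Ask the packet filter where the client's connection was really headed.
    try:
        host, port = nat_lookup(client)
        return host, port, "nat"
    except OSError as exc:
        log.append(f"PF lookup failed: ({exc.errno}) {exc.strerror}")
    # 3. Fall back to the Host header, which every HTTP/1.1 client sends.
    if "host" in headers:
        host, port = split_host_port(headers["host"], 80)
        return host, port, "host-header"
    raise ValueError("cannot determine origin: no Host header and PF lookup unavailable")


if __name__ == "__main__":
    log: List[str] = []
    for raw in (REQ_WITH_HOST, REQ_HTTP10, REQ_ABSOLUTE):
        try:
            print(recover_destination(raw, CLIENT, nat_lookup_denied, log))
        except ValueError as exc:
            print("error:", exc)
    print("\n".join(log))
```

The order matters from a security standpoint: the NAT table is the kernel's record of where the client actually connected, whereas the Host header is whatever the client chose to send, so a proxy that has to fall back to Host is trusting the client to name the origin it should fetch from. That is part of why the acl and http_access lines in the post, which limit who may use the proxy at all, are not optional in a transparent setup.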