Thursday, December 6, 2007, 12:38 AM

I think a nerd is a person who uses the telephone to talk to other people about telephones. And a computer nerd therefore is somebody who uses a computer in order to use a computer. - Douglas Adams
Posted by Administrator
Let's say you're staying at my neighbor's house and you fire up your laptop and jump on the wireless. Oops, you got my wireless, and why not? It's completely insecure after all. You check your Gmail and Yahoo news, but then you try to go to myspace.com and you get some other page instead! Yes, my temporary neighbor, you're being blocked. My wireless now lets anybody on and allows surfing to a list of pre-approved sites, but only those sites until you perform some other authentication. If you should happen to try to access something not whitelisted, you get a friendly replacement page with a handy list of pre-approved sites.
It's magic! Actually, it's a combination of OpenVPN with a squid proxy and some pretty complex iptables firewall settings. Essentially it works this way: the wireless router will let anybody on, but the firewall machine hands out the DHCP leases with itself as the default route. Of course, you might be able to route yourself through the wireless router, but it makes no difference. Once you are connected, all traffic on port 80 is redirected through a transparent squid proxy, which allows traffic monitoring and, more particularly, allows browsing only to a specific list of domains. If you try to access something not in that list, you get the squid error message, a custom one that frames a page presented by my second HTTP server. I'm running two because there is significant work on the main one and only minimal interaction on the second, so the first is Apache and the second is thttpd (tiny httpd).
Periodically, a cron job runs to update the list of sites in a file available to the thttpd server. That server presents an error when you hit anything that doesn't exist, and the only other pages are one that builds the list (a CGI written in C) and the index, which frames the error.
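As an added example (not the author's own scripts), here is a small POSIX shell script that does the whitelist plumbing the post describes: it normalises a plain-text whitelist into the dstdomain file squid reads, renders the approved-sites list as HTML for the second web server to frame, and prints the iptables rules that redirect guest port-80 traffic into the transparent proxy. The interface name, squid port and file paths are assumptions, and the whitelist contents are constructed. The rules are printed rather than applied; they also include a default DROP for other forwarded guest traffic, because a port-80 redirect by itself leaves non-HTTP traffic outside the whitelist.

```shell
#!/bin/sh
# Assumed layout (not from the post): guests arrive on eth1, squid listens
# transparently on 3128, and the whitelist is a plain-text file.
GUEST_IF="${GUEST_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Constructed sample whitelist: comments, blank lines, mixed case, a
# duplicate and one malformed entry, to show what the normaliser keeps.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
WHITELIST="$WORKDIR/whitelist.txt"
cat > "$WHITELIST" <<'EOF'
# guest-approved sites
gmail.com
news.yahoo.com
GMAIL.com

bad entry with spaces
EOF

# normalize_whitelist FILE: one lowercase domain per line. Comments, blank
# lines and duplicates are dropped, and anything that is not a plain
# hostname is rejected so no stray characters reach squid or the HTML.
normalize_whitelist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | tr 'A-Z' 'a-z' \
      | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
      | sort -u
}

# squid_dstdomain_list FILE: contents of the file referenced by an ACL such as
#   acl guest_sites dstdomain "/etc/squid/guest_sites.txt"
# followed by  http_access allow guest_sites  and  http_access deny all.
# The leading dot makes squid match the domain and all of its subdomains.
squid_dstdomain_list() {
    normalize_whitelist "$1" | sed 's/^/./'
}

# html_escape: the list is served as a web page, so escape it even though
# the normaliser already refuses markup characters (defence in depth).
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# approved_sites_html FILE: the "handy list" the custom error page frames.
approved_sites_html() {
    printf '<ul>\n'
    normalize_whitelist "$1" | html_escape \
      | sed 's|.*|  <li><a href="http://&/">&</a></li>|'
    printf '</ul>\n'
}

# iptables_rules: prints (does not run) the rules for the guest interface.
# Port 80 is redirected into squid; DHCP and DNS are answered locally
# (assumption); everything else forwarded from guests is dropped, otherwise
# non-HTTP traffic would simply bypass the whitelist.
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $GUEST_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $GUEST_IF -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -j DROP
EOF
}

# Dry run of what the cron job would write and the rules it relies on.
squid_dstdomain_list "$WHITELIST"
approved_sites_html "$WHITELIST"
iptables_rules
```

In a cron job the two generator functions would be redirected into squid's ACL file and the thttpd document root, followed by `squid -k reconfigure`; rejected whitelist lines are worth logging, since a silently dropped entry is the usual reason a guest reports a "blocked" site that was supposedly approved.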
It's all invisible to the end user, of course. As far as they can see, they can only browse my approved sites through my wireless network, as a guest might expect, and they don't have to know anything at all to use it.
Next on the agenda is to set up a mailing system so that guests can request OpenVPN encryption keys or the addition of whitelisted sites. I, of course, already have an encrypted tunnel and therefore can do pretty much anything I feel like on it.
"What really is the point of trying to teach anything to anybody?"
This question seemed to provoke a murmur of sympathetic approval from up and down the table.
Richard continued, "What I mean is that if you really want to understand something, the best way is to try and explain it to someone else. That forces you to sort it out in your mind. And the more slow and dim-witted your pupil, the more you have to break things down into more and more simple ideas. And that's really the essence of programming. By the time you've sorted out a complicated idea into little steps that even a stupid machine can deal with, you've learned something about it yourself." - Douglas Adams