Category: Random witterings

The Future

Give me back my broken night,
My mirrored room, my secret life.
It’s lonely here, there’s no one left to torture.
Give me absolute control over every living soul
And lie beside me, baby – that’s an order!

This is an unashamedly technical post. I’ve been playing with internet filtering for a few days and thought that it might be useful to others. If you’re not interested in deep-level home network and server configuration, you probably don’t want to read this; I’ve mostly written this down so I don’t forget it.

The UK government have recently started to pressure ISPs to filter their content by default, so that little Johnny might not see any naked ladies and be upset by it, or somesuch. Of course the filters that have been installed are laughably easy to get around at best (SSL, proxies, VPN, etc, etc). No doubt there will come a time when I’d like to restrict the internet access given to certain members of my own family. I thought I’d have a go at seeing how easy it might be to do. And it turns out it’s really not all that difficult.

I’m using a Linksys E4200 router running Toastman’s custom firmware, including the VLAN support, along with a home server running a Linux installation (currently KnoppMyth, but if I were doing this again it’d be either CentOS or an Ubuntu LSB release).

I want to maintain an unfiltered connection for the grown-ups in the house, too. So the first thing to do is to create a separate network allocation, under the Basic / Network section of the router: is the unfiltered area; is for filtered / guest traffic only.

We then need to associate this new network (br1) with a new VLAN (VLAN1) under the Advanced settings page:

Once this is done, we can add a new virtual network (with a new SSID) for the filtered network, on wl0.1 and wl1.1 (ie, both B and G wireless):

Make sure to go into the network settings for the existing SSID and set the broadcast flag to be off. This will prevent the network showing up when anyone searches for open networks. There’s one last thing to do, which is to allow the hosts on the filtered network to reach the proxy, under Advanced / LAN access:

Now, install Squid and Dansguardian on the server. There should be some OS packages available in your usual repositories. We want to look at what’s inside the SSL connections too so we’ll need to generate an SSL certificate for squid to present:

Generate key:

openssl genrsa -des3 -out server.key 1024 
openssl req -new -key server.key  -out server.csr 
openssl rsa -in server.key -out server.key # strip passphrase from key 
openssl x509 -req -days 3650 -in server.csr -sign server.key -out server.crt 
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Leave the CN for the certificate blank. Fill in the rest of the details with whatever seems reasonable.

We need to configure squid (in /etc/squid/squid.conf) to listen on both HTTP and HTTPS ports, and to use the certificate we just generated as its SSL certificate, so add two lines:

http_port 3129
https_port 3130 cert=/etc/squid/dentrassi.crt key=/etc/squid/dentrassi.key accel

The https_port runs in “accel” mode because we want squid to behave as if it is these websites, with the exception that it can’t talk QUIC and SPDY (experimental protocols used by Facebook and Google among others), so we remove any references to switching protocols. So we need to add an additional configuration line too:

# Remove QUIC / SPDY header:
reply_header_access Alternate-Protocol deny all

I also don’t want details of my internal network to leak out. So I delete the X-Forwarded-For header:

forwarded_for delete

Configuring Dansguardian to talk to squid is straightforward enough:

# the port that DansGuardian listens to.  
filterport = 3128 
# the ip of the proxy (default is the loopback - i.e. this server)  
proxyip = 
# the port DansGuardian connects to proxy on  
proxyport = 3129

I have left configuration of Dansguardian, Squidguard, ClamAV, etc. is left as an exercise for the reader. Everyone’s requirements are different.

Finally, we need to redirect traffic coming out of the untrusted network. Back on the router, go to Administration / Scripts / Firewall. Add the following lines:

iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -s -p tcp --dport 443 -j DNAT --to
iptables -t nat -A PREROUTING -s  -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -s  -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -s  -j DROP

All outbound HTTP and HTTPS connections are redirected to the proxy. DNS connections are allowed so that lookups succeed. Anything at all else coming from the untrusted network is dropped. Of course, for HTTPS connections a certificate error will be displayed. That’s OK; for any computers I control I can add the certificate to the trust store. For others, it’s probably a good thing anyway.

Things to do: There’s a vector of attack here along DNS, which is the only outbound connection I’m allowing. I’ll probably spin up a DNS server that gives the same response for all queries. So long as the response is outside, the request will get bounced to the proxy anyway. Then there’s adding IPv6 support too.


Arthur C. Clarke’s Mysterious World

Do you remember that old T.V. show,
Arthur C. Clarke’s Mysterious World?
Well if ITV make a new series,
They ought to come take a look at my girl.

I don’t understand her,
She doesn’t make any sense to me.
I don’t understand her,
It’s like she’s speaking in Swahili.

Blimey, has it really been six months? Time flies when you’re having a blast, I guess. But what have I actually been doing with my time? To tell the truth I’m not entirely sure. There was NaNoWriMo for a start. That was one of the hardest Novembers I’ve had since, well… ever. At 30,000 words on day 20, I had 7,500 on day 21. Thanks OpenOffice/Ubuntu/Asus, whichever of you conspired to eat my work. I finished on time – day day ahead in fact – which while being bloody amazing, knackered me entirely. Not sure I’m happy with the result, though, which makes the score so far 3 good, 2 need work and 1 failure. Overall, I’m still winning, I think.

I celebrated the win with a trip to IKEA. On what turned out to be one of the snowiest days of the year. It took me 15 minutes to get there, and five hours to get back. I wish I could say that the trip was worth it, but all I bought were a couple of picture frames…

Since then, what’s happened? Work. Then there was work, and work. And did I mention the work? Seems all I’ve done since then is the daily grind. And I’ve decided that that has to end. There is more to life than work, and I intend to swing the balance back into my favour. So here I go. Sleep Away The Afternoon is back. I’ll try to update more often, though I already know that anything approaching regularity is out.

I’ve noticed that Scrivener for Windows is now available for Linux too, so I’ve started work on editing some of my old stuff. It’s so much nicer than a regular word processor – polishing and rearranging each bit at a time seems so much easier and at this rate I might have something I’m happy with by Christmas (though we’ll see).

And finally, and most importantly, I’m planning a holiday. The first proper one in a couple of years. Hopefully with all this, and more stuff that I’ve no doubt not thought of yet, I can stop marking time and get on and do something. Seems like it’s time for something to happen.

Rock Hard Times

They told me that I couldn’t come back here again
Took me for some kind of fool.
Said I was doing things that never should be done
But I don’t care about their rules!

As if I cared ’bout the little minds
In the little heads of the herd-
There’s nothing you could dream
Would be more absurd.

The Apple iPad has been released, to much fanfare, and much derision. Personally I don’t have much interest in the device, but I can see the use. Generally if I want to watch television, I’m doing so on a decent-sized screen in my house. On long journeys I prefer to read books, the paper sort. Yes they’re heavier and they take up much more space, but there’s an emotional component to lugging around a lump of dead tree that just isn’t present in an e-reader.

No sooner had the iPad been announced, though, than the Free Software Foundation weighed in with its “Defective by Design” compaign, compaining that the iPad was DRM-encumbered, wouldn’t allow sharing of media and much more of the kind of FUD that I used to expect from Microsoft ten years ago.

Now, before I go any further: I have nothing against the Free Software Foundation. They have done a great many things I find eminently agreeable. This, however isn’t one of them. The aim is lofty and agreeable, I’ll grant, allow any kind of content to be played on anyone’s device. However…

Society just doesn’t work that way. In an ideal world we would all pay for the digital media we consume, be it music, video, software programs, or anything else. Unfortunately this isn’t an ideal world. The sheer number of people who think they have a right to content for the price of pressing the disc / the bandwidth consumed by downloading it is enormous, and growing. Who’d pay for something they can get (not entirely legally) for free? I know of a large number of people, even those who by rights should be able to pay the asking price easily, who will chip their games consoles to play pirated games, download films off the less legitimate parts of the internet and not think twice about it.

The problem is the relative level of social acceptability of piracy. It’s acceptable to illegally download films, to chip consoles to play copied games, and so on. This is the problem. The DRM is just a symptom of this. It’s unfortunate, but the producers of this content need to provide some sort of mechanism to encourage people to pay for it. If it’s easier (and cheaper) to obtain it without payment to the original distributor, a large proportion of people will do so.

Unfortunately while I have every sympathy for the FSF and their campaign to make information exchange unencumbered, I’m also a realist. At present, in my experience, allowing anyone to exchange content freely will result in the return on the investment in said content to be lowered immensely, probably to the point of content costing more to produce than is returned.

My employer spends a lot of money fighting people who counterfeit its products. These are products that are marketed direct to businesses. Anything that will save a dollar here or there is often jumped upon by the people who buy these counterfeits, even when they know that someone else is not getting paid for the work thas has been put in to generate the product in the first place.

So, FSF and its supporters. I’m sorry, but I agree with DRM, at least until it’s socially unacceptable to take someone else’s work without them or their legitimate distriutor getting anything for it. Once you can assure me that the producer of a given work will get the payment they so richly deserve, I’ll be happy to join the ranks of anti-DRM campaigners. Until then, I’m afraid I have to keep living in a world where we need safeguards to make sure that the content is paid for.

As an aside, I recently bought a film on DVD. Rather than the usual “Piracy is against the law” line, there was a simple, short sequence that simply thanked me for supporting the producers of the film by paying for it. I was very pleasantly surprised. I approve of that message.