
Cheshire v0.01

An open gateway implementation using (more or less) standard system tools
(no perl), in 64k.  All right, 88k if you count the netpipes binaries.

Requirements:

  * NetPipes, http://freshmeat.net/projects/netpipes/

    Specifically, only getpeername is required.  You can also optionally 
      use faucet to run cheshire as a standalone daemon, if you don't want
      to use your own inetd.

  * sed, awk, tr, cat, and a standard bourne-like shell.

  * cron (any version will do; it will reset the firewall as often as you
      like, typically once per day.)

  Currently, only iptables / Linux is supported, but all NoCat compatible
firewall rules and platforms will be supported in due time.

Installation:

  0) Install the netpipes package above.

  1) Extract this archive in /usr/local (to create /usr/local/cheshire/)

  2) Set up /usr/local/cheshire/cheshire.conf to your liking.

  3) Customize /usr/local/cheshire/htdocs/splash.html if you like.  Note
     that cheshire doesn't serve any documents locally (yet); you'll need to
     put graphics and supplementary HTML on another server somewhere.

  4) Run /usr/local/cheshire/bin/grin -R once to set up the firewall.  You
     probably want to run this at boot time as well, from rc.local.

  5) You have two options for running the gateway, in inetd or standalone.

  inetd installation:

    * Add this to your /etc/services:

	cheshire		5280/tcp

      ...and this to your /etc/inetd.conf:

	cheshire  stream  tcp  nowait  root  /usr/local/cheshire/bin/grin

  standalone installation:

    * Run this:

	faucet 5280 --in --out --daemon /usr/local/cheshire/bin/grin

  6) To reset clients periodically (say, at 4:00 a.m.), put this in your cron:

	0 4 * * *	/usr/local/cheshire/bin/grin -R

     Or maybe every hour, if you're running a cafe node:

	0 * * * *	/usr/local/cheshire/bin/grin -R

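The services, inetd and cron edits from steps 5 and 6, done idempotently and with a check that port 5280/tcp is not already assigned to another service.  This is an added example, not part of Cheshire; the function names are its own, while the port, paths and entries are the ones given above.  Each function takes the file to edit as an argument, so it can be tried against scratch copies before touching the real /etc/services, /etc/inetd.conf or crontab.

```shell
#!/bin/sh
# Added example, not part of the Cheshire distribution.

CHESHIRE_PORT=5280
CHESHIRE_BIN=/usr/local/cheshire/bin/grin

# Print 0 if port/tcp is unused (or already named cheshire) in the given
# services file; otherwise print the name of the service that holds it.
# Comment and blank lines are skipped so a commented-out entry is not a clash.
port_conflict() {
    awk -v port="$CHESHIRE_PORT/tcp" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 == port && $1 != "cheshire" { print $1; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# Append "cheshire 5280/tcp" unless the name is already present.
# Returns 1 and changes nothing if another service owns the port.
add_service_entry() {
    conflict=$(port_conflict "$1")
    if [ "$conflict" != 0 ]; then
        echo "port $CHESHIRE_PORT/tcp already used by $conflict" >&2
        return 1
    fi
    grep -q '^cheshire[[:space:]]' "$1" ||
        printf 'cheshire\t\t%s/tcp\n' "$CHESHIRE_PORT" >> "$1"
}

# Same for the inetd.conf line; grin has to run as root (see BUGS below).
add_inetd_entry() {
    grep -q '^cheshire[[:space:]]' "$1" ||
        printf 'cheshire  stream  tcp  nowait  root  %s\n' "$CHESHIRE_BIN" >> "$1"
}

# Add the 4:00 a.m. reset to a crontab file unless a "grin -R" line exists.
add_cron_reset() {
    grep -q "$CHESHIRE_BIN -R" "$1" ||
        printf '0 4 * * *\t%s -R\n' "$CHESHIRE_BIN" >> "$1"
}
```

Run the functions twice against the same file to confirm that nothing is duplicated on the second pass.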

You're done.  Test it by trying to browse the Internet from behind your
gateway.  Marvel at the one-time nag screen.  Almost all trouble is due to
failure to read and properly edit cheshire.conf.


BUGS:

  Many, deep, and disturbing.  No bounds checking yet.  grin makes many
assumptions and breaks many standards, but it worked when I tried it.
  It must run as root for some reason (the fw-wrap setuid wrapper from
NoCatAuth works just fine, but I've got some sort of filesystem permissions
problem on here documents when running non-root...)

  No per-client expiration yet, but that will come soon, if there's any
interest in this project.


Explanation:

  I more or less built this in two nights on a bet.  It's intended as a
stopgap to shut people up who want the C version of NoCat...  ;)

If anybody is seriously interested in developing this, drop me a line and
I'll spend some time on it.  With a little work, I think it could be made
robust and even support Passive mode eventually.  Patches welcome.


For more information:  http://nocat.net/

--Rob Flickenger
rob@nocat.net
