Discussion:
adsuck
Stefan Wollny
2017-12-28 21:51:08 UTC
Hi there!

I have this little machine which serves as (squid-)proxy for my local net.
$ dmesg | grep Open
OpenBSD 6.2-current (GENERIC.MP) #311: Wed Dec 27 21:49:49 MST 2017

Basically everything is fine - except responses are kind of slow. So I
had the idea to not use squid to filter for unwanted sites but use adsuck.

I followed the advice in /usr/local/share/doc/pkg-readmes/adsuck-2.5.0p4
which now reads:
$ cat /etc/dhclient.conf
send host-name <client-name>;
script "/usr/local/sbin/dhclient-adsuck";

I had to use chflags with 'schg' to make sure that /etc/resolv.conf
only contains one line (neither 'supersede' nor 'prepend' in
dhclient.conf did the job):
$ cat /etc/resolv.conf


nameserver 127.0.0.1

And YES: adsuck is activated via /etc/rc.conf.local (actually it is the
very first one after 'pkg_scripts='). It is up and running:
$ top | grep adsuck
72573 _adsuck 2 0 2260K 4704K idle kqread 0:00 0.00% adsuck

Now: If I run 'sh /etc/netstart' on the console or an xterm I see the
following:

$ doas sh /etc/netstart
em1: /etc/dhclient.conf line 2: expecting statement.
em1: script
em1: ^
em1: DHCPREQUEST to 255.255.255.255
em1: DHCPACK from a.b.c.d (aa:bb:cc:dd:ee:ff)
em1: bound to a.b.d.e -- renewal in 432000 seconds

I am kind of stuck: What might I have been doing wrong here???

Some kind soul around to give me a clue?

THX in advance!

Best,
STEFAN
e***@pettijohn-web.com
2017-12-28 22:34:00 UTC
You need dhcpcd from ports. I don't think the base client supports scripts.
Rupert Gallagher
2017-12-28 22:58:28 UTC
The last update is 5 years old, and its blacklists are obsolete.

https://github.com/conformal/adsuck/tree/master/files

Sent from ProtonMail Mobile
Stefan Wollny
2017-12-31 12:45:20 UTC
Post by Rupert Gallagher
The last update is 5 years old, and its blacklists are obsolete.
https://github.com/conformal/adsuck/tree/master/files
Sent from ProtonMail Mobile
Hi Rupert,

you are quite right - the default blacklist from mvps is outdated. This
is why I weekly do the following (serves my requirements and speed is no
priority):

#!/bin/sh
#
# /home/<user>/Downloads/mvps must exist!
#
# clean up first:
rm -f /home/<user>/Downloads/mvps/*
#
# stop here if the working directory is missing
cd /home/<user>/Downloads/mvps || exit 1
wget -4 -nc --no-proxy --no-cache --no-cookies \
    http://winhelp2002.mvps.org/hosts.zip
unzip hosts.zip
#
dos2unix HOSTS
#
# no comments
egrep -v '^#' HOSTS > Hosts
#
# no empty lines
sed -n -i '/0\.0\.0\.0 /,$p' Hosts
#
# check if anything does _not_ go to 0.0.0.0
if [ "$(awk '{print $1}' Hosts | uniq)" != '0.0.0.0' ]; then
    printf "mvps-hosts-File manipulated! Bye, bye! \n"
    exit 1
fi
#
# Show the date of update in /etc/hosts
echo "## Updated: `date +%Y-%m-%d`" > hosts_date
#
# Replace the leading 0.0.0.0 with 127.0.0.1 (aka 'localhost');
# the dots are escaped so they only match literal dots
sed 's/^0\.0\.0\.0/127.0.0.1/' Hosts > hosts.tmp
#
# build new hosts-file
cat hosts_date /home/<user>/hosts_private hosts.tmp > hosts
#
# Keep last hosts-file
doas cp /etc/hosts /etc/hosts.last
#
# Replace old with new hosts-file
doas cp hosts /etc/hosts
#
# Back to home
cd /home/<user>
# reconnect with new hosts-file
printf "reconnect NOW \n"
doas sh /etc/netstart



As I will give Jordan's solution a go I will check other blacklists as well.

Best,
STEFAN
Rupert Gallagher
2017-12-31 14:43:15 UTC
You will be happier by simply feeding the bla

Jordan Geoghegan
2017-12-28 23:40:34 UTC
Have you considered using DNS adblocking via unbound(8)? I wrote a
little script using a bit of awk and grep that automatically pulls a
collection of different blocklists I like, and then parses them into an
unbound friendly conf file. I also employ IP filtering as well via
similar means. I have a script pull some of my preferred IP blocklists
(from github et al, such as the StevenBlack host files etc) and then
load them into a pf anchor rule.

Every night at midnight my machine will run the scripts, download a new
blocklist, parse it, and reload the designated pf anchor and/or reload
unbound to update the ruleset. This setup has the added benefit of using
only the base system, and it also prevents the advertisements from being
loaded in the first place. I have seen battery life increase
dramatically on my mobile devices as well as increased browsing speed
across the board on all devices. There is a modest RAM requirement due
to having to keep thousands of addresses / CIDR blocks in memory, but it
should never exceed 350MB usage. I have this setup running on some
Octeon machines ( both Edgerouter Pro and lite) and they hold up just
fine. On a nearly decade old amd64 machine I have yet to see this
filtering setup crack 15% cpu usage except when the script parses the
files.

I also usually add some rules to redirect outgoing DNS traffic to my own
local DNS server to prevent media devices (chromecast etc ) from phoning
home for ads, instead forcing all their dns traffic to the local server
where the requests are then filtered. This can also be useful for
filtering in the workplace, as there are plenty of lists out there to
block NSFW or otherwise inappropriate content for the workplace. I have
used it in this capacity with great success. This can be circumvented
obviously with any sort of tunnelling or proxy, but when you're dealing
with an office full of Windows gomers, it tends to suffice.

Let me know if you're interested in a copy of the script and I'll send it
off.
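The approach described above (hosts-format blocklists parsed into an unbound-friendly conf file), combined with the "does anything not go to a sinkhole address" check from the weekly hosts script earlier in the thread, as an added example; it is not Jordan's script or any code posted in this thread. The function names, the file names and the choice of the `always_nxdomain` zone type are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Function and file names are hypothetical.

hosts_to_unbound() {
    # stdin: hosts-format blocklist; stdout: unbound.conf fragment.
    # Returns 1 with empty stdout if any entry maps to a non-sinkhole address.
    tr -d '\r' | awk '
        BEGIN {
            label = "[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?"
            re = "^" label "(\\." label ")+$"     # at least two labels
        }
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # blank or incomplete line
        $1 != "0.0.0.0" && $1 != "127.0.0.1" {
            printf "rejected: line %d maps %s to %s\n", NR, $2, $1 > "/dev/stderr"
            bad = 1
            exit
        }
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name ~ /^[0-9.]+$/ || name == "localhost.localdomain") continue
                if (name !~ re) continue   # hostname syntax only reaches the conf
                if (!(name in seen)) { seen[name] = 1; order[++n] = name }
            }
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++)
                printf "local-zone: \"%s\" always_nxdomain\n", order[i]
        }'
}

update_blocklist() {
    # $1: downloaded hosts-format file
    # $2: fragment that unbound.conf pulls in via "include:"
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if hosts_to_unbound < "$1" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp"
        mv "$tmp" "$2"                     # replace only after validation passed
    else
        rm -f "$tmp"                       # keep the previous list in place
        return 1
    fi
}
```

Run unbound-checkconf on the main configuration after a successful update_blocklist and before unbound-control reload, so a broken fragment never reaches the running resolver.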
Stefan Wollny
2017-12-31 00:31:50 UTC
Post by e***@pettijohn-web.com
You need dhcpcd from ports. I don't think the base client supports scripts.
Ah - I see.

So it should be safe to delete that very line in dhclient.conf - if
base's dhclient doesn't support scripts and yet everything is running
fine this should not do any harm.

Thank you for pointing this out.

Beside Jordan Geoghegan's suggestion I received a similar solution in
PM. I vaguely remember Stuart Henderson having suggested this kind of
setup as it only uses what comes with base. Will do my homework of
reading the man pages (in particular a.th. related to 'unbound') first.

Thank you all!

All the best for 2018!

STEFAN