Great in theory. In practice: 1) You'd have to crack the shops WI-FI encryption (automatic/before setup ?) Not insurmountable. 2) Work out how to tunnel through the shop's network firewall. Any sys-admin worth his salt would spot the extra traffic and lock-out the devices by their MAC address once they were identified as the source. Game Over

This comment is more aimed at the 'here in the UK we use huge mains plugs' part of the post. Sure I've always thought our stuff a bit over-engineered. But recently I was staying in a biz-hotel in the States and I couldn't believe the problems I had with the mains plugs & sockets out there. The 2-pin plugs were very loose & floppy in their sockets, sometimes not even making contact. Suddenly I found myself missing our over-engineered clunkiness! Having said that, I'm looking forward to the productionization of that clever folding 13A plug design which was doing the rounds a couple of years ago...

Congrats on reaching the Arthur Clarke award shortlist with RUle 34... on an even playing field that means a 1 in 6 chance of actually winning the award! Good luck!

I don't think you got the posting... 1) Charlie is talking about the --public-- store WiFi network, therefore no cracking is required. 2) And therefore the second is just as disconnected from the posting, given that it's the non-firewalled --public--- network.

The issues is one of routing --- are these shops wifi networks designed to block everything but http over port 80, initiated from the inside and connecting to the outside? It could be imagined --- but I'm not sure why anyone would bother, given that this is a network intended to be public.

I suppose the US equivalent would be one of those multiple, 3-pin, outlet strips. Plenty of room for the Pi and equally ubiquitous for hiding in plain site.

You mean you're waiting for this?

And US mains plugs are fragile, too. I service commercial line-powered equipment and I buy replacement plugs by the dozen. When the cord is pulled sideways the hot and neutral pins bend and the ground pin snaps off in the socket. Regarding hiding a RF transmitter in a mains socket, there may be some interference problems. Mains power at the wall is far from pure 50/60 hz. Linear power supplies and especially switching power supplies (laptop bricks) dump a huge amount of high frequency harmonics back down the cord. This could interfere with the operation of the computer or with the broadcast signal. It's a very electrically and magnetically noisy environment.

It's not an even playing field: China is on it. There's some small print in the Clarke Award rules that says "if China Mieville has a book out, he wins by default". It's a fact!

Nice idea, except some little details:

1) Public wifi is likely to be behind NAT, which afaik makes it worthless for torrent hosting. Sure, you can tunnel through that but that makes endpoint a major weakness.

2) Store admin will see loads of strange ip connections and can block them easily. Decent torrent traffic can even shoot through masquerading table, thus alerting admin of its presence.

3) Once traffic is found, there is no need to actually find the brick, except to get rid of power leecher. Traffic itself will be blocked on firewall in notime. And I expect such "commercial" public wifi like these to deploy massive filtering in near future to prevent suits, block competition, inject ads et ceterea...

I was thinking of using one of these: which would avoid the space hassles (to say the least), and which seem to be more common here.

And you can also buy those in "add the cable yourself" state - i.e. able to be opened up without using anything sharper than a Phillips screwdriver.

So just put a wi-fi access point in it; have it tunnel out to pick up updates in the database, and then have it serve that database locally over a globally-known "pirate stuff here" ssid. Once you've got the torrent details for the files you want, you go home and open with your Bittorrent client, and you're away. There's a lot of solutions to these kinds of problems; literature on botnet command and control systems are eye-opening. ",)

Good point. Many businesses have their networks serviced by outside contractors. They pay no attention unless something breaks. A foreign device would be spotted in, say, an insurance company home office where security is actively pursued. But most small businesses have no reason to audit for illicit activity.

Personally, I'd argue that the best thing to do, in the US, is to put it on the roof of such a store. This goes double if the owner of the building decides to put in solar panels, because it gives more places to install it.

Basically, big box stores are big, hollow boxes, and it's not clear how much metal there is between the rooftop and the customers below. Put up a solar powered station, and it can broadcast down to part of the store, and out to another unit nearby.

This is where your quad-rotor installation system might come in handy.

Chain stores' networks are generally sysadmined from head office, often by competent people (the tale of the manager answering the phone to the network ops to have them tell him his warehouse guy was looking at porn was part of the history of one of my places of teenage employment). Bitbuzz-alikes (providing free or near free wi-fi access on a contract basis with the premises), however, seem to be pretty much fire and forget.

Edit inline:- "Chain stores' business networks are generally sysadmined... "

I'm less convinced about customer facing wifi, azure dentition and the like.

Unless I've misunderstood OGH's intention, the wifi network doesn't need to be connected to the Internet at all.

The brick is hosting a dead-drop for the 90MB Pirate Bay database of magnet links (not torrents nor torrent files); anyone walking past can connect and grab a complete copy then look through it at their leisure to find magnet links corresponding to the files they want. It could be updated by someone with an authorised MAC address similarly walking past.

It's slow, but it would work...

How much file storage would one of these things need? or are they just providing storage reflectors for some hidden large server?

It seems to me that the best plan would be to make these radio plugs very cheap and plug them in everywhere. Currently the biggest obstacle to cheapness is file storage since solid state storage is still pretty expensive if we are talking 10s of gigs.

See also the Pwn Plug (which amused several of us at the RSA conference show floor to no end) and was written up by the folks at Ars.

http://arstechnica.com/business/news/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network.ars

Congrats on the nomination Charlie. Whether or not you win it, congrats! For the first time in a while I've read all the nominees this year - and I'm glad I'm not a judge.

As for the main thrust though - the thing that occurs to me as the biggest hazard will not be over-eager sys admins in general, but I can't help what will happen when the H&S people come round to check for earthing and the like. I bet Raspberry Pi boards don't like having current shoved the wrong way through them.

Such a scheme is certainly possible, but not relevant to "TPB problem". Original idea was to move TPB content to some untraceable "cloud" (quite literally in it's first iteration) accessible from anywhere, anonymously. Limiting access to store premises is not only step back, its truly dangerous for this purpose. Just think about all those cams around.

It sure can be usefull for other stuff (and i thnk I've seen powerplug computer on /. some time ago)

The entire point of doing it this way is undetectability - all the cameras could tell anyone is that you were in the shop. Walk in, pick up a couple of things, check your phone once or twice, walk out. Unless there's a wi-fi sniffer logging every packet sent on every open network in the area, there's nothing to say you've done anything piratical.

(posting from work again, not read all comments yet.)

The problem here, is one of addressing. This device will likely get a dynamic IP address handed out by the store's DHCP server, same as any other client able to connect to the open wifi. So, how do our wouldbe Pirates find it, with out it making itself glaringly obvious to anyone caring to audit. People could ping sweep and pick up some false name it had been configured with, John Smiths Iphone e.g. But as soon as that's public knowledge, it will be denied access. (Assuming a reasonable compitent netadmin.)

Again assuming someone who knows what they're doing. And decent business class kit. Rogue access points should be picked up and blocked at layer 2 AFAIK. no routing ever gets done.

Mind you, I'm surprised how many small businesses such as pubs, don't even have an admin password set on their access points...

...are these shops wifi networks designed to block everything but http over port 80, initiated from the inside and connecting to the outside? It could be imagined --- but I'm not sure why anyone would bother, given that this is a network intended to be public.

I'd block everything but http over port 80 exactly because the wifi is in use by the public. What else do they need for anything I'm likely to allow over my very public, very undefended network?

I think your chances are pretty good. Rule 34 has the exact feeling of a book that critics will acclaim as a major classic.

Seems to me that competent management of a free public wifi hotspot in a business is primarily a matter of setting it up so that you don't need to pay significant attention to it.

Goals and means:

Not a security problem for you: --Put it outside all your security.

Available to customers but not others: --Get a pretty weak transmitter. --Consider disabling outside business hours. --Password protection is a backup plan due to customer annoyance, but if you must stick the password on a big sign.

Reliably functioning: --Leave it open for everything (who knows what customers might want to do? When they can't they will ask staff questions.). --Leave it unsecured other than admin (any security means people will fail to connect and ask staff questions).

Not too much bandwidth: --Throttle it if necessary.

If, however, content pirates started parasitizing such networks on a large scale this could change.

Most likely result would simply be that free wifi would go away. The customers with money will all have cellular network access anyway.

However I've never run a public hotspot so perhaps I would be surprised? Certainly hard to imagine that all the coffee shops, restaurants, and bars are doing more than this.

I meant that it could impersonate a standard client, wget the database diff, merge, then serve that on its own, completely separate wi-fi network. No routing required - you know its address (if worse comes to worst you can open your network manager and find out who's sending the DHCP ACK). Basically, combined-arms TPB and sneakernet. ",)

Some places contract their wi-fi provision; they usually have some sort of login system (the library where you needed to type your library card number - i.e. the 12-digit barcode number - and a password was a favourite) and firewall off one thing or another. So they do exist.

Mostly less.

If you're providing free wifi as a selling point/service then you don't password protect it (at least very few do in the UK).

They do maintain it outside their firewalls and their own systems. In quite a few shops etc. with free wifi they do that in the simplest possible way - they don't have a work wifi, everyone plugs in on a wire. Antiquated maybe, but secure. But tills have to be plugged in anyway, adding an extra cable isn't a problem. Even in branches of shops that are large enough to have wifi stock-taking they actually don't - they take the stock on hand-held devices and dump off them when recharging through a hard-wired connection.

I'm sure it varies with your industry but at least in the UK retail doesn't have a huge amount of wifi going on - wired systems work and are still easy to do after all. Plus they make it harder to hack into since there's no wifi access as a weak point.

RaspberryPi can be run off of a small solar panel. It doesn't need to run all the time (which also makes it harder to find). It charges the battery until the battery is full, to ensure that some devices are always on at any time of day it waits a random number of hours and then turns on for 10 hours. Throw a motion detector on it, so it turns off if anyone comes near.

Use cognitive radio or mesh networks to grow a nice network of these hidden file caches across a large number of public wifi APs. Have geocaching contests to plant these in really hard to reach, hard to find places (say antenna of a sky scraper). I propose the term Graffiti net.

I thought most of the comments had misunderstood Charlie's idea, but on re-reading his post, it turns out it was me who missed something, and Charlie actually did suggest using the store's public wifi. I missed that on first reading, and I'm not sure why he thought that was a good approach. It seems obvious to me that the plug should be its own wifi hub, running an autonomous public network of its own.

If it can contact plugs in neighbouring shops, some of which might have access to public wifi, they might even be able to act as servers for torrent seeds. It certainly has access to plenty of electricity for a nice powerful signal.

I dont think LOSS is a red herring. The PirateBay folks love to provoke (ie http://thepiratebay.se/legal ) and a highly visible router is a lot more provocative than an invisible one.

Part of PirateBays popularity is probably that they do provoke, and in a competitive market with several different torrent-sites it might be economically viable to use LOSS for that reason alone.

It seems obvious to me that the plug should be its own wifi hub, running an autonomous public network of its own.

That makes it stick out like a sore thumb: the presence of a Pirate Bay network tells anyone with a working brain cell that there's an imposter in the store.

Whereas if the goal is simply to distribute a big database of magnet files, which the punter can take home and use for BT access from home, you don't need public access to the internet. All you need is a network to latch onto and some way of indicating your presence. Right now, the routers on retail free networks only allow traffic on port 80 to go in and out of the store, but they're not usually configured to block file sharing between shoppers' machines on the same network ...

"It's not an even playing field: China is on it."

If the reviews on Amazon.co.uk were used, you would win on ratings. Is CM really that good...?

Shame they've gone with that, i thought the original concept was more elegant. Perhaps they couldn't fit the usb gubbins into it.

http://www.engadget.com/2009/06/23/uk-folding-plug-concept-could-flatten-that-bulky-british-adapter/

Where UK retail does use a significant amount of WiFi, at least the grocery stores, is in the hand held terminals being carried by those people going around doing stock checking and marking down food nearing its sell-by date. They've tried using cables for those guys, but they end up getting tangled round customers like dogs led on overly long leads.

Also in the warehouses behind, but those networks would be out of range of anyone posing as a customer.

The RPi hype annoys me. Charlie's use, like most, doesn't use video; it probably doesn't need 256M of DRAM either. The GPU (and in fact datasheet) is about as NDA'd as you'd expect in a Broadcom marketing special.

If you don't need mass storage, there are lots of tiny $20 routers out there now running Linux. If you do need more storage, http://wiki.daviddarts.com/PirateBox_DIY_OpenWrt is a file server on a mainstream $40 TP-Link MR3020; should draw half a watt.

My ZuniDigital ZR301R would definitely fit in a wall socket, but OpenWRT support isn't there yet and the USB pins on the CPU aren't connected to anything. :-/

If you don't need public internet access, life becomes much easier.

So a SPOOKS player gets instructed to plug the stealth double-adapter into a shop power socket. The device hidden in the adapter scans the wifi spectrum and finds an unencrypted wireless link (as is usual for pay-access public internet). It joins the network, but doesn't broadcast a DHCP request.

Now a member of the Illuminati enters the shop. Their cell phone scans the wifi spectrum looking for unencrypted wireless links. When it finds one, it sends out a broadcast packet on a well-known port and address and with a key in the payload. Our stealth device sees this, wakes up and sends a packet back saying 'hi there!' Now the devices communicate using a non-IP protocol, MAC address to MAC address. Files are transferred.

As the device is totally passive on every level except the bottom-layer stuff of wireless network negotiation, it's really hard to detect using conventional network analysis tools. It can be detected by analysis on the wireless network level; but there are various tricks you can do here, such as spoofing innocent customer's MAC addresses...

Somewhat off topic, but a real Halting State moment with the headline in the Business Section of this morning's newspaper here in New Zealand.

It seems the Authorities in Australia are more concerned about China than we are.

A Chinese company involved in our future ultra-fast broadband initiatives has been banned from doing something similar in in Australia.

"it has been revealed Huawei was advised late last year that it could not tender for Australian national broadband network (NBN) contracts because of concerns about cyber attacks emanating from China."

The original report seems to have been in an Australian newspaper, but that appears to be a pay to subscribe one.

The report here in NZ "Broadband-plan telco banned in Oz"

http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10794816

Martin.

Allowing a potentially hostile foreign state to supply all your critical infostructure needs is probably not a good idea. I hope some body in the security services gets to check the code in things like routers and firewalls, and at least demands open source from the suppliers that can be checked.

"There's some small print in the Clarke Award rules that says "if China Mieville has a book out, he wins by default". It's a fact!"

China was on the shortlist for the Clarke Award in 2002 and did NOT win the award. So there's hope for you yet!

Much more likely that if this sort of thing gained any traction, people would just get "malware serving plugs" that pwned your computer when you connected to the network.

Just like you wouldn't pick up and eat something you found lying on the road - don't load data that you find just lying about on some scungy wifi access point.

Dirk @ 42: This is the Australian government we're talking about. The body which was seriously proposing a filter on all traffic through port 80 as a means of stopping fiendish internet paedophiles from preying on helpless Australian children. The mob which decided to deal with problem sites online by asking people to write in to the Australian Broadcasting Authority and letting them know, so they could create a blacklist.

I'm just hoping they managed to employ someone, somewhere in the relevant department who can pick an internet-connected PC out of a line-up (consisting of said PC, three bananas and an apple) best of three.

Here's an alternative to the RaspberryPi which is a little cheaper, has wifi onboard (and doesn't have the unneccessary video/hdmi gubbins)

http://www.dealextreme.com/p/tp-link-703n-ultra-mini-portable-3g-802-11b-g-n-150mbps-wifi-wireless-router-light-blue-white-102903

I think the idea of putting in a stealth network in a public place is a fun mental exercise, but I'm a bit confused as to why it would have to be physically attached with a separate, devoted device when everyone using it would be carrying their own little computer that is much more powerful than any hidden piece that could be graffitied into the background. If cell phones are being used to pick up the data packets from the ghost network, could they not also be used to transmit them as well? If the issue is the files being traded raising red flags when flying through internet filters looking for this kind of stuff, could it be possible for phones to have an app that used bluetooth and searched for other users in close proximity who had the same app to trade and spread the files without having to dip their toes in the big, ole world wide web? If bringing people into close proximity is the issue, a store or club or part of town could become a known area to congregate to increase your chances of finding what you were looking for, but installing rogue computers would be unnecessary. They would already be on your person. Imbedded inside another proximity app (like Grindr or Skout or even Google Maps), it would easy to hide the offending software from even fairly intense scrutiny if someone official became suspicious.

“I'd block everything but http over port 80 exactly because the wifi is in use by the public. What else do they need for anything I'm likely to allow over my very public, very undefended network?”

Well, it all depends on your supported uses. If you want to let them do email, opening ports 25, 110, 143, 465, 587, 993, and 995 would be a good start. It might also be nice to open port 22 for ssh.

I can’t tell you how many times I’ve come across a coffee shop or public library setup that allows only ports 25 and 80, meaning that unless you’ve already set up a tunnel over one of those two ports you’re SOL for encrypted mail.

Its a neat idea, but needed or worth doing?
For what its worth I've read you 230 home power lines are better that our 110. And almost all our parts are made in China and junk now. Like it falls apart many times faster.

Mentioned this on the other thread. http://wiki.daviddarts.com/PirateBox_DIY_OpenWrt#Tutorial_A:_TP-Link_MR3020 Its not clear if the 703n has a working USB port or if it's just a convenient socket for power. So perhaps the 3020 would work better. The 700n looks interesting as it's got a built in (US 110v) PSU but that doesn't appear to have a USB port at all. I bet though that all three devices have exactly the same circuit board so once you've gutted them, adding a missing USB socket and support is probably trivial.

Bluetooth for anonymous phone to phone data transfer?

Aside from bandwidth limitation you're almost a decade late.

Pre smartphone era this trick was reported as a method of bypassing state censorship and surveillance in the middle and far east. Wander into a shopping mall with phone set to auto accept. Do your normal shopping and leave.No dead drops, slip passes or furtive meetings.

I was thinking about the use of kits like Raspberry Pi for DIY espionage and, topically, the impact on lobbying and party funding if party fundraisers had to assume that everything they said would be on YouTube within the hour.

Charlie & others EVEN BETTER Many of our newer trains now have public WiFi, AND standard 3-pin sockets - for people to plug their lap-tops into. Use what looks like a "blanking plug" (a standard 3-pin plug with no outlet - & nowhere nearly as chunky as Charlie's picture) and insert one or two of those into every train. BINGO!

Reminds me very much of Julian Oliver and his Newstweek neo-situationist art project: http://newstweek.com/overview - Oliver's an interesting, quietly been pushing the hacker as artist concept further and further in recent years, yet somehow manages to keep coming up with something fresh and interesting.

Whats really needed is the Freedom Box being designed/refined at the moment; you are welcome to submit your idea! Its Free Software and anyone can help.

--> http://www.youtube.com/watch?v=gORNmfpD0ak

---> https://freedomboxfoundation.org/learn/

Cheers.

That's arguable. I certainly prefer Charlie's work, but CM seems to be very popular with "the critics".

Find me an objective measure of the quality of an author and I'll tell you!

Despite them both writing stuff eligible for Arthur C. Clarke awards it's like comparing chalk and cheese. I assume since you read this blog you don't read Twilight, but trying to compare Dracula and the Twilight books is less of a difference between them than Charlie and China.

I read them when I'm in very different head spaces, they appeal to very different parts of me but I like them both very much.

Now that; that I like. Port knocking-ish. ",)

Dirk @ 42: the problem there is you have to validate from the silicon up; the US Army has discussed this before, and "non-trivial inspections needed at every level", and "ridiculous man-hours" captures the flavour of the problems.

China's got a 75% record though. If you're going by form, then lay your money on him winning unless something astonishing turns up.

And the year he didn't win? I'd rate that as his one of his weakest works to date. On the other hand, I've yet to read Embassytown, so it's possible it'll be less to the panel's taste. It's also possible that they'll end up giving someone else the chance, all else being equal.

Is distribution of the magnet file bundle even illegal? The torrent site defense was always they're not hosting or linking to the pirated content, that still applies but the top100, ad monetized website they run can fall under piracy promotion statutes. Still, owning and sharing a magnet bundle is not in itself illegal, is it?

A simpler approach would be to order a couple million cheap pen drives with a few hundred megabytes storage, businesses have been giving those away as branded gifts for almost a decade now. Then let the sneakernet do it's work.

Have the Chinese actually been caught trying to sneak anything nasty piggybacked on their commercial products?

According to 5 minutes' Google, no, but the US DoD is terrified of it - mainly because the lowest bidder on some Pentagon network upgrade work a few years ago could afford to be the lowest bid by using counterfeit Cisco gear...

As far as I know, no.

On the other hand, absence of evidence isn't evidence of absence, and the nightmare scenario could make Stuxnet look like penny-ante stuff.

Not in real life that we know of, but it's a plot point in Travis Taylor's "Back to the Moon".

I would also imagine that if something was found Chinese imports across the board in that area of electronics would be banned outright. It would be very costly for the Chinese if they tried and failed.

Perhaps they have tried X times and succeeded X -1 times and when the US threatened to expose them and ban their kit they pointed out how bad it would be the Chinese did nasty things with all the compromised kit they had already installed.

As someone who is employed doing a lot of public wifi stuff, absolutely not.

What everyone needs to assume for the purposes of this discussion is that (at least in the US) nobody is doing public wifi by the "leave my D-Link on and let people use it" method, with the possible exception of some mom and pop businesses.

Free public wifi is big business and it is provided and run by big businesses. Assume high-end professional gear loaded with a very secure configuration. Assume a large back-end operation run by smart people who have read cyberpunk and singularity science fiction, ranging from Neuromancer to Rule 34. Assume that someone is thinking clearly and cold-heartedly about the security implications of works by Stross and Gibson. Assume that the ports you want to use for anything other than http will be closed. Assume a lot of automation alerting professional paranoids to odd types of traffic. Assume that once one wall-wart has been detected, some good programmers will stay up all night to write a script that kicks wall-warts off the network automatically.

That's what it looks like from my side of the fence. You'll find that this is the case at any major chain in the US that offers free wifi.

I know of very few shops that even have "shop admins". I very much doubt anybody will notice or look at the IP traffic over a public store network. Why bother? It's a public convenience. It's not the company's problem unless it becomes part of a criminal investigation.

This is the attitude I've generally seen here in the American midwest regarding public wifi.

In this context I feel moved to note that Apple have a backup/airport device which is intended to mediate an ethernet broadband connection for a local network. Unless I am mistaken, it relies solely on NAT for security, and has no provision for firewalling: certainly the manual had no instructions to configure any firewalling last time I looked (for a potential client).

So your small intellectual property type business might well be an easy target, as well as a juicy one, for data theft. They often shove huge files around too, and so frequently have a good net connection.

The worrying thing is, I could believe this might represent an improvement in security for a percentage of users, maybe even a significant or [sigh] majority percentage for the target market.

But then again, I hear horror stories all the time about people running really old MS software in sensitive places IP-wise or privacy-wise.

Over the years I have finally come to a personal belief that serious net abuse is limited by the number of competant people wanting to do it, rather than the opportunities available. Maybe this is just a necessary age related attitude adjustment: an evolutionary mechanism to stop me attempting to autodarwinate of apoplexy on a weekly basis.

yes, they have. I remembered this one from a few years ago with viruses in digital picture frames (which I had at the time thought a delightful product and almost gave as a wedding gift...):

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/14/BU47V0VOH.DTL

I have vague recollections of other similar incidents, but none are bubbling to the surface at the moment.

On the subject of plugs, the UK has some pretty good ones (240V, built in fuses, etc.) but is big and clunky, and has a tendency to lie prongs upwards on the floor, posing a hazard to unshod feet. Instead I prefer the Danish design, mainly because SMILEY FACES!.

Unless I am mistaken, it relies solely on NAT for security, and has no provision for firewalling:

If you're talking about a Time Capsule, you're mistaken. I'm currently running mine in bridge mode (using a different router for firewalling and internal DHCP) but last time I looked the TC's actual routing capabilities included options for firewalling and running a DMZ. (Alas, the new version of the Airport Utility for OSX, while vastly more user friendly than the previous version, doesn't let you dink around in settings that don't do anything when you're running it in bridge mode, so I can't confirm this.)

The picture frames were infected, but I don't think the manufacturers were in on it

For the mobile unit, perhaps adding a few pieces of kit to the Sand Flea's descendants? No word on endurance or top speed, but the 5kg ROV has a nine meter jump ability and can (sometimes) enter a house through an upper-level window. Any stupid tricks involving a jumping robot and a webcam are your problem.

I was indeed talking about the Time Capsule. I had no idea you had one. I am unsurprised you decided not to use it in a border router role, but I am somewhat curious to know if it performs in a suitably seamless and invisible manner as a backup server/local airport?

What you say about the capabilities is interesting. I saw provision in the docs for fronting a DMZ by port forwarding through the NAT, but absolutely nothing about firewalling - and I looked pretty hard. But I'll take your word as trumping mine: you have the actual kit running current software; and I lack the will to go find and check mere PDFs again. Especially as, judging by recent trends, Mac/iCloud land is continuing progress away from prioritising the serious local server support I want.

[Which is a pity, evaluating the alternatives: linux has always had unacceptable documentation issues; Solaris is now owned by an outfit whose main business used to charge top dollar: for a really great support line, without quite matching that standard in security, and anyway I'm too skint to play that game; so ... which BSD - again.]

The putative client? Of course bolted when the subject of realistic remuneration arose.