If you have a neighbor that likes to borrow your open wireless access point, you can have some fun with them. Redirect all of their browsing, invert the images, or return blurred images.
The first approach I took was to establish a transparent squid proxy on my FreeBSD firewall that I have providing DHCP and NAT for my internal network. I added a third NIC to provide these services for my untrusted wireless network. This will also help you to segment and protect your wired LAN.
With this in place, I added a stripped-down IPFW ruleset on the wireless link:
allow tcp from 192.168.200.0/24 to 192.168.200.1 dst-port 80 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 via rl0 allow ip from any to 255.255.255.255 dst-port 67,68 in via rl0 allow ip from any 67,68 to any out via rl0 allow ip from 192.168.200.0/24 to XXX.XXX.XXX.XXX dst-port 53 in via rl0 allow ip from any to 192.168.200.0/24 out via rl0 deny ip from any to any via rl0
This will basically allow them to obtain a DHCP lease, access the specified DNS servers that I advertised to them in that DHCP lease, access port 80 on the FreeBSD system (where I have a stripped down Apache install serving up my pages), and blocking everything else.
I then use squidGuard with the following config:
src privleged
{
ip 192.168.200.1
}
acl
{
privleged
{
pass all
}
default
{
pass local none
redirect http://192.168.200.1
}
}
This allows me to redirect all of their browsing to a single page. You could also do some quick perl scripts that can be used to invert, or blur images in all webpages that are returned to the user.