From: Joe Holden
Date: Thu, 10 Feb 2011 22:23:38 +0000
To: freebsd-net@freebsd.org
Cc: freebsd@jdc.parodius.com
Subject: Re: Reliable PCI wifi cards, and layer 7 filtering
Message-ID: <4D54656A.8080507@rewt.org.uk>
In-Reply-To: <20110210155622.GA60117@icarus.home.lan>

On 10/02/2011 15:56, Jeremy Chadwick wrote:
> (I was considering cross-posting this to freebsd-pf but decided against
> it, instead starting here first. Please keep me CC'd as I'm not
> subscribed to freebsd-net)
>
> I'm looking into the possibility of using my home FreeBSD box as my home
> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
> specifically the TomatoUSB firmware).
>
> I plan on using pf for the NAT and firewall layer. ipfw will not be
> used (I have long since moved away from it). I've got solutions for
> everything except two items:
>
> 1) Wireless hardware support
> - What consumer PCI cards are known to be reliable and have good
> support on FreeBSD? It looks like anything that relies on ath(4)
> might be a good choice, but I'm not sure what specific chipset is
> considered decent/worthwhile, or if there's a specific model of
> card from Vendor X(tm) which works great.
> - The card and driver need to support both 802.11b and 802.11g
> simultaneously. 802.11n (for the future) would also be good.
> - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
> have devices which do not do WPA or WPA2.
> - MAC address filtering is needed too, but it looks like that's
> already available (looking at the ifconfig(8) man page).
>
> 2) Layer 7 filtering
> - Specifically, the ability to block outbound packets in real-time
> which contain certain data in the TCP data portion of the packet.
> - More details: there are some HTTP-based requests which some
> software I use on XP submits to a server pool to return some ads.
> Filtering by IP address isn't possible since the A records of
> the FQDN often change. The software in question does not honour
> system proxy settings, so use of a proxy (Apache, squid, etc.)
> as a solution will not work.
> - I filter based on GET parameters or the HTTP Host: header. Thus,
> the matching mechanism doesn't need regex; simple substring matches
> (e.g. strcasestr()) would work fine.
> - Linux has kernel modules called ipt_web and xt_web which can do
> exactly this. They return a TCP RST to the client which submitted the
> packet, and never forward the original packet out the WAN.
>
There is 'ipfw-classifyd' which has been somewhat improved by the pfsense
team in order to support pf - I don't have the exact url to hand, but IIRC
it is hosted on googlecode somewhere. It does what you describe, uses regex
to match payload.

HTH

> Item #2 above seems to be the kicker. Is there anything in the works
> regarding such a capability? I'd be more than happy to test out code or
> whatever.
>
Thanks,
J
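The layer 7 requirement quoted above (block an outbound HTTP request when its GET parameters or Host header contain a known substring, with no regex needed) reduces to a small matching routine. The following C is an added illustration written for this page; it is not code from the thread, from ipfw-classifyd, or from ipt_web/xt_web. It assumes the caller hands it the TCP payload of an outbound segment (as a divert or userland classifier would), and the block-list patterns and sample payloads are constructed placeholders. The routine only returns a verdict; sending the RST and dropping the packet are left to the firewall that calls it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed block-list: substrings looked for in the request line or the
 * Host header. These are placeholders, not real ad-server names. */
const char *const BLOCK_PATTERNS[] = { "ads.example", "zone=ads" };
const size_t BLOCK_PATTERNS_COUNT =
    sizeof(BLOCK_PATTERNS) / sizeof(BLOCK_PATTERNS[0]);

/* Case-insensitive substring test over a bounded buffer. Packet payloads are
 * not NUL-terminated, so strcasestr() cannot be used directly on them. */
static int ci_contains(const char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen &&
               tolower((unsigned char)hay[i + j]) ==
               tolower((unsigned char)needle[j]))
            j++;
        if (j == nlen)
            return 1;
    }
    return 0;
}

/* Length of the CRLF-terminated line starting at p (CRLF excluded);
 * returns len when no CRLF is present. */
static size_t line_len(const char *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] == '\r' && p[i + 1] == '\n')
            return i;
    return len;
}

/* Locate the Host header value in the header block (stops at the blank line
 * that ends the headers). Returns 1 and sets *val/*vlen on success. */
static int find_host(const char *p, size_t len, const char **val, size_t *vlen)
{
    size_t pos = line_len(p, len);          /* skip the request line */
    if (pos == len)
        return 0;
    pos += 2;
    while (pos < len) {
        size_t ll = line_len(p + pos, len - pos);
        if (ll == 0)                         /* blank line: end of headers */
            return 0;
        if (ll >= 5 && strncasecmp(p + pos, "Host:", 5) == 0) {
            const char *v = p + pos + 5;
            size_t n = ll - 5;
            while (n > 0 && (*v == ' ' || *v == '\t')) { v++; n--; }
            *val = v;
            *vlen = n;
            return 1;
        }
        pos += ll + 2;
    }
    return 0;
}

/* Verdict for one outbound TCP payload: 1 = block (caller drops it and sends
 * the client a RST), 0 = pass. Only HTTP requests are inspected, and only the
 * request line and Host header are matched, so request-body bytes cannot
 * trigger a false positive. */
int should_block_http(const char *payload, size_t len,
                      const char *const *patterns, size_t npat)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD " };
    int is_request = 0;
    for (size_t m = 0; m < sizeof(methods) / sizeof(methods[0]); m++) {
        size_t ml = strlen(methods[m]);
        if (len >= ml && memcmp(payload, methods[m], ml) == 0)
            is_request = 1;
    }
    if (!is_request)
        return 0;

    size_t reqlen = line_len(payload, len);
    const char *host = NULL;
    size_t hostlen = 0;
    int have_host = find_host(payload, len, &host, &hostlen);

    for (size_t i = 0; i < npat; i++) {
        if (ci_contains(payload, reqlen, patterns[i]))
            return 1;
        if (have_host && ci_contains(host, hostlen, patterns[i]))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample payloads: two that should be blocked, two benign
     * HTTP requests (one with the pattern only in the body), one non-HTTP. */
    const char *samples[] = {
        "GET /serve?zone=ADS&id=7 HTTP/1.1\r\nHost: tracker.invalid\r\n\r\n",
        "GET /index.html HTTP/1.1\r\nhost: ADS.example.invalid\r\n\r\n",
        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
        "Content-Length: 11\r\n\r\nads.example",
        "SSH-2.0-OpenSSH\r\n",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int b = should_block_http(samples[i], strlen(samples[i]),
                                  BLOCK_PATTERNS, BLOCK_PATTERNS_COUNT);
        printf("sample %zu: %s\n", i, b ? "BLOCK" : "pass");
    }
    return 0;
}
```

Matching is deliberately scoped to the request line and Host header: that is exactly the data the quoted requirement names, and it keeps a pattern that happens to appear in a POST body from tripping the filter. A real deployment would also need to cope with requests split across segments, which this single-payload routine does not attempt.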