Date: Thu, 10 Feb 2011 22:23:38 +0000
From: Joe Holden <lists@rewt.org.uk>
To: freebsd-net@freebsd.org
Cc: freebsd@jdc.parodius.com
Subject: Re: Reliable PCI wifi cards, and layer 7 filtering
Message-ID: <4D54656A.8080507@rewt.org.uk>
In-Reply-To: <20110210155622.GA60117@icarus.home.lan>
References: <20110210155622.GA60117@icarus.home.lan>
On 10/02/2011 15:56, Jeremy Chadwick wrote:
> (I was considering cross-posting this to freebsd-pf but decided against
> it, instead starting here first. Please keep me CC'd as I'm not
> subscribed to freebsd-net)
>
> I'm looking into the possibility of using my home FreeBSD box as my home
> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
> specifically the TomatoUSB firmware).
>
> I plan on using pf for the NAT and firewall layer. ipfw will not be
> used (I have long since moved away from it). I've got solutions for
> everything except two items:
>
> 1) Wireless hardware support
>    - What consumer PCI cards are known to be reliable and have good
>      support on FreeBSD? It looks like anything that relies on ath(4)
>      might be a good choice, but I'm not sure what specific chipset is
>      considered decent/worthwhile, or if there's a specific model of
>      card from Vendor X(tm) which works great.
>    - The card and driver need to support both 802.11b and 802.11g
>      simultaneously. 802.11n (for the future) would also be good.
>    - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
>      have devices which do not do WPA or WPA2.
>    - MAC address filtering is needed too, but it looks like that's
>      already available (looking at ifconfig(8) man page).
>
> 2) Layer 7 filtering
>    - Specifically, the ability to block outbound packets in real-time
>      which contain certain data in the TCP data portion of the packet.
>    - More details: there are some HTTP-based requests which some
>      software I use on XP submits to a server pool to return some ads.
>      Filtering by IP address isn't possible since the A records of
>      the FQDN often change. The software in question does not honour
>      system proxy settings, so use of a proxy (Apache, squid, etc.)
>      as a solution will not work.
>    - I filter based on GET parameters or the HTTP: Host header. Thus,
>      the matching mechanism doesn't need regex; simple substring matches
>      (e.g. strcasestr()) would work fine.
>    - Linux has kernel modules called ipt_web and xt_web which can do
>      exactly this. They return TCP RST to the client which submits the
>      packet, and never forward the original packet out the WAN.

There is 'ipfw-classifyd' which has been somewhat improved by the pfSense
team in order to support pf - I don't have the exact URL to hand, but IIRC
it is hosted on Google Code somewhere. It does what you describe, uses
regex to match payload. HTH

> Item #2 above seems to be the kicker. Is there anything in the works
> regarding such a capability? I'd be more than happy to test out code or
> whatever.
>
Thanks,
J
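An added example, not code from this thread or from ipfw-classifyd: the substring classifier that the quoted request describes, in C. It inspects one outbound TCP payload and returns RESET when the GET request line or the Host header value contains a block-list entry, matching case-insensitively in the strcasestr() sense; the block lists, function names and sample requests are constructed for the illustration, and the RESET verdict is what a caller would turn into a TCP RST toward the client instead of forwarding the segment.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum verdict { PASS = 0, RESET = 1 };
/* Constructed block lists (hypothetical), matched case-insensitively against
 * the Host header value and against the request line (GET parameters). */
static const char *const BLOCKED_HOSTS[] = { "ads.example.net", "adserver", NULL };
static const char *const BLOCKED_QUERIES[] = { "/getads?", "adid=", NULL };

/* Bounded strcasestr(3)-style search: a TCP payload is not NUL-terminated. */
static const char *ci_find(const char *hay, size_t hlen, const char *needle)
{
    size_t n = strlen(needle), i, k;
    for (i = 0; n > 0 && i + n <= hlen; i++) {
        for (k = 0; k < n && tolower((unsigned char)hay[i + k]) ==
                            tolower((unsigned char)needle[k]); k++);
        if (k == n) return hay + i;
    }
    return NULL;
}
static int any_match(const char *p, size_t len, const char *const *list)
{
    for (; *list; list++)
        if (ci_find(p, len, *list)) return 1;
    return 0;
}
/* Length of the line at p without its CR/LF terminator. */
static size_t line_len(const char *p, size_t avail)
{
    const char *e = memchr(p, '\n', avail);
    size_t n = e ? (size_t)(e - p) : avail;
    return (n && p[n - 1] == '\r') ? n - 1 : n;
}

/* Classify one outbound TCP payload. RESET means: answer the client with a TCP
 * RST and drop the segment instead of forwarding it. Only a buffer that begins
 * like an HTTP GET is inspected, and only its header block (up to CRLF CRLF),
 * so a pattern that merely appears in a request body never resets anything. */
enum verdict classify_payload(const char *buf, size_t len)
{
    const char *h, *e = ci_find(buf, len, "\r\n\r\n");
    size_t hlen = e ? (size_t)(e - buf) : len, n = line_len(buf, hlen);
    if (n < 4 || memcmp(buf, "GET ", 4) != 0) return PASS;
    if (any_match(buf, n, BLOCKED_QUERIES)) return RESET;
    if ((h = ci_find(buf, hlen, "\nHost:")) == NULL) return PASS;
    h += 6;                                   /* skip past "\nHost:" */
    return any_match(h, line_len(h, hlen - (size_t)(h - buf)), BLOCKED_HOSTS)
           ? RESET : PASS;
}
```

A segment that arrives without the terminating blank line (a partial header block) is still classified, so the Host check does not depend on the whole request fitting in one packet.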