Date: Fri, 11 Feb 2011 02:38:06 -0500
From: Chris Buechler <cmb@pfsense.org>
To: freebsd-net@freebsd.org
Subject: Re: Reliable PCI wifi cards, and layer 7 filtering
Message-ID: <4D54E75E.1020202@pfsense.org>
In-Reply-To: <4D54656A.8080507@rewt.org.uk>
References: <20110210155622.GA60117@icarus.home.lan> <4D54656A.8080507@rewt.org.uk>
On 2/10/2011 5:23 PM, Joe Holden wrote:
> On 10/02/2011 15:56, Jeremy Chadwick wrote:
>> (I was considering cross-posting this to freebsd-pf but decided against
>> it, instead starting here first. Please keep me CC'd as I'm not
>> subscribed to freebsd-net)
>>
>> I'm looking into the possibility of using my home FreeBSD box as my home
>> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
>> specifically the TomatoUSB firmware).
>>
>> I plan on using pf for the NAT and firewall layer. ipfw will not be
>> used (I have long since moved away from it). I've got solutions for
>> everything except two items:
>>
>> 1) Wireless hardware support
>> - What consumer PCI cards are known to be reliable and have good
>> support on FreeBSD? It looks like anything that relies on ath(4)
>> might be a good choice, but I'm not sure what specific chipset is
>> considered decent/worthwhile, or if there's a specific model of
>> card from Vendor X(tm) which works great.
>> - The card and driver need to support both 802.11b and 802.11g
>> simultaneously. 802.11n (for the future) would also be good.
>> - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
>> have devices which do not do WPA or WPA2.
>> - MAC address filtering is needed too, but it looks like that's
>> already available (looking at ifconfig(8) man page).
>>
>> 2) Layer 7 filtering
>> - Specifically, the ability to block outbound packets in real-time
>> which contain certain data in the TCP data portion of the packet.
>> - More details: there are some HTTP-based requests which some
>> software I use on XP submits to a server pool to return some ads.
>> Filtering by IP address isn't possible since the A records of
>> the FQDN often change. The software in question does not honour
>> system proxy settings, so use of a proxy (Apache, squid, etc.)
>> as a solution will not work.
>> - I filter based on GET parameters or the HTTP Host: header. Thus,
>> the matching mechanism doesn't need regex; simple substring matches
>> (e.g. strcasestr()) would work fine.
>> - Linux has kernel modules called ipt_web and xt_web which can do
>> exactly this. They return a TCP RST to the client which submits the
>> packet, and never forward the original packet out the WAN.
>>
> There is 'ipfw-classifyd' which has been somewhat improved by the
> pfsense team in order to support pf - I don't have the exact url to
> hand, but IIRC it is hosted on googlecode somewhere.

It's in git at rcs.pfsense.org in the tools repo. Note divert + PF in
FreeBSD is also specific to patches we use that aren't in stock FreeBSD
yet; you can easily apply those to RELENG_8_1 though. Kernel patches are
also in the tools repo. All of it's BSD licensed; you're welcome to grab
whatever you want to use.
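The substring-based layer 7 check Jeremy describes (match GET parameters or the Host: header with strcasestr(), then reset the client instead of forwarding), as an added illustration that is not code from this thread, from ipfw-classifyd or from the pfSense tools repo. It only implements the classification verdict on one outbound TCP payload; the divert-socket plumbing and the RST are assumed to live around it, and the blocklist entries and sample requests are constructed.

```c
#define _GNU_SOURCE            /* strcasestr() on glibc; FreeBSD has it in <string.h> */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed, hypothetical blocklist: substrings looked for in the request
 * line (GET parameters) and in the Host: header, case-insensitively. */
static const char *blocklist[] = { "ads.example.invalid", "adserver", "/adrequest?", NULL };

static int matches_blocklist(const char *field) {
    for (int i = 0; blocklist[i]; i++)
        if (strcasestr(field, blocklist[i])) return 1;
    return 0;
}

/* Verdict for one outbound TCP payload: 1 = block (the classifier would answer the
 * client with a RST and not forward the packet), 0 = pass. Only the HTTP header
 * block is inspected; the message body is never matched. */
int classify_http(const char *payload, size_t len) {
    char buf[2048];
    size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
    memcpy(buf, payload, n);
    buf[n] = '\0';
    for (size_t i = 0; i < n; i++)            /* keep string scanning going past embedded NULs */
        if (buf[i] == '\0') buf[i] = '.';
    if (strncmp(buf, "GET ", 4) && strncmp(buf, "POST ", 5) && strncmp(buf, "HEAD ", 5))
        return 0;                              /* not an HTTP request start: pass untouched */
    char *hdr_end = strstr(buf, "\r\n\r\n");
    if (hdr_end) *hdr_end = '\0';              /* stop at the blank line ending the headers */
    char *eol = strstr(buf, "\r\n");
    if (eol) *eol = '\0';
    if (matches_blocklist(buf)) return 1;      /* request line: method, target (+ query), version */
    if (!eol) return 0;
    for (char *line = eol + 2; *line; ) {      /* walk the header lines looking for Host: */
        char *next = strstr(line, "\r\n");
        if (next) *next = '\0';
        if (strncasecmp(line, "Host:", 5) == 0 && matches_blocklist(line + 5)) return 1;
        if (!next) break;
        line = next + 2;
    }
    return 0;
}

int main(void) {
    /* Constructed sample payloads, as they would arrive from a divert socket. */
    const char *ad = "GET /adrequest?id=7 HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n";
    const char *ok = "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n";
    printf("ad request: %s\n", classify_http(ad, strlen(ad)) ? "block" : "pass");
    printf("normal request: %s\n", classify_http(ok, strlen(ok)) ? "block" : "pass");
    return 0;
}
```

Matching is deliberately limited to the request line and the Host: header so that a blocklist word appearing in a POST body or an unrelated header does not trigger a reset.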
