Date: Fri, 11 Feb 2011 02:38:06 -0500
From: Chris Buechler <cmb@pfsense.org>
To: freebsd-net@freebsd.org
Subject: Re: Reliable PCI wifi cards, and layer 7 filtering
Message-ID: <4D54E75E.1020202@pfsense.org>
In-Reply-To: <4D54656A.8080507@rewt.org.uk>
References: <20110210155622.GA60117@icarus.home.lan> <4D54656A.8080507@rewt.org.uk>

On 2/10/2011 5:23 PM, Joe Holden wrote:
> On 10/02/2011 15:56, Jeremy Chadwick wrote:
>> (I was considering cross-posting this to freebsd-pf but decided against
>> it, instead starting here first. Please keep me CC'd as I'm not
>> subscribed to freebsd-net)
>>
>> I'm looking into the possibility of using my home FreeBSD box as my home
>> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
>> specifically the TomatoUSB firmware).
>>
>> I plan on using pf for the NAT and firewall layer. ipfw will not be
>> used (I have long since moved away from it). I've got solutions for
>> everything except two items:
>>
>> 1) Wireless hardware support
>> - What consumer PCI cards are known to be reliable and have good
>> support on FreeBSD? It looks like anything that relies on ath(4)
>> might be a good choice, but I'm not sure what specific chipset is
>> considered decent/worthwhile, or if there's a specific model of
>> card from Vendor X(tm) which works great.
>> - The card and driver need to support both 802.11b and 802.11g
>> simultaneously. 802.11n (for the future) would also be good.
>> - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
>> have devices which do not do WPA or WPA2.
>> - MAC address filtering is needed too, but it looks like that's
>> already available (looking at ifconfig(8) man page).
>>
>> 2) Layer 7 filtering
>> - Specifically, the ability to block outbound packets in real-time
>> which contain certain data in the TCP data portion of the packet.
>> - More details: there are some HTTP-based requests which some
>> software I use on XP submits to a server pool to return some ads.
>> Filtering by IP address isn't possible since the A records of
>> the FQDN often change. The software in question does not honour
>> system proxy settings, so use of a proxy (Apache, squid, etc.)
>> as a solution will not work.
>> - I filter based on GET parameters or the HTTP Host header. Thus,
>> the matching mechanism doesn't need regex; simple substring
>> matches (e.g. strcasestr()) would work fine.
>> - Linux has kernel modules called ipt_web and xt_web which can do
>> exactly this. They return a TCP RST to the client which submits the
>> packet, and never forward the original packet out the WAN.
>>
> There is 'ipfw-classifyd' which has been somewhat improved by the
> pfsense team in order to support pf - I don't have the exact url to
> hand, but IIRC it is hosted on googlecode somewhere.

It's in git at rcs.pfsense.org in the tools repo. Note divert + PF in
FreeBSD is also specific to patches we use that aren't in stock FreeBSD
yet; you can easily apply those to RELENG_8_1 though. Kernel patches are
also in the tools repo. All of it's BSD licensed, you're welcome to grab
whatever you want to use.
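The substring-match classification Jeremy describes (match on the request line or the Host header, never on IP address) is the decision a divert-socket filter such as ipfw-classifyd would make per outbound packet. The function below is an added illustration, not code from ipfw-classifyd or the pfSense tools repo: it takes a TCP payload, confirms it looks like an HTTP request, and reports whether the request line or Host header contains an entry from a constructed blocklist, matching case-insensitively as strcasestr() would. Returning the RST or dropping the packet is left to the firewall layer the thread discusses.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample blocklist (lowercase); real values come from config. */
static const char *blocked[] = { "ads.example.net", "/adserver/", NULL };

/* Lowercase copy of the payload so plain strstr() behaves like strcasestr().
 * Returns 0 if the payload does not fit, in which case we do not classify. */
static int lower_copy(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz) return 0;
    for (size_t i = 0; i < len; i++) dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
    return 1;
}

/* Copy the Host header value out of the lowercased header block. */
static int find_host(const char *lc, char *host, size_t hostsz)
{
    const char *p = strstr(lc, "\r\nhost:");
    if (!p) return 0;
    p += 7;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= hostsz) return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Return 1 if the payload is an HTTP GET/POST whose request line or Host
 * header contains a blocked substring, 0 otherwise (including non-HTTP). */
int http_payload_blocked(const char *payload, size_t len)
{
    char lc[2048], host[256] = "";
    if (!lower_copy(lc, sizeof lc, payload, len)) return 0;
    if (strncmp(lc, "get ", 4) != 0 && strncmp(lc, "post ", 5) != 0) return 0;
    char *end = strstr(lc, "\r\n\r\n");
    if (end) *end = '\0';               /* headers only; never inspect the body */
    find_host(lc, host, sizeof host);   /* must run before we cut the request line */
    lc[strcspn(lc, "\r\n")] = '\0';     /* lc now holds just "get /path http/1.1" */
    for (const char **b = blocked; *b; b++)
        if (strstr(lc, *b) || strstr(host, *b)) return 1;
    return 0;
}
```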