Date:      Fri, 11 Feb 2011 02:38:06 -0500
From:      Chris Buechler <cmb@pfsense.org>
To:        freebsd-net@freebsd.org
Subject:   Re: Reliable PCI wifi cards, and layer 7 filtering
Message-ID:  <4D54E75E.1020202@pfsense.org>
In-Reply-To: <4D54656A.8080507@rewt.org.uk>
References:  <20110210155622.GA60117@icarus.home.lan> <4D54656A.8080507@rewt.org.uk>

On 2/10/2011 5:23 PM, Joe Holden wrote:
> On 10/02/2011 15:56, Jeremy Chadwick wrote:
>> (I was considering cross-posting this to freebsd-pf but decided against
>> it, instead starting here first.  Please keep me CC'd as I'm not
>> subscribed to freebsd-net)
>>
>> I'm looking into the possibility of using my home FreeBSD box as my home
>> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
>> specifically the TomatoUSB firmware).
>>
>> I plan on using pf for the NAT and firewall layer.  ipfw will not be
>> used (I have long since moved away from it).  I've got solutions for
>> everything except two items:
>>
>> 1) Wireless hardware support
>>     - What consumer PCI cards are known to be reliable and have good
>>       support on FreeBSD?  It looks like anything that relies on ath(4)
>>       might be a good choice, but I'm not sure what specific chipset is
>>       considered decent/worthwhile, or if there's a specific model of
>>       card from Vendor X(tm) which works great.
>>     - The card and driver need to support both 802.11b and 802.11g
>>       simultaneously.  802.11n (for the future) would also be good.
>>     - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
>>       have devices which do not do WPA or WPA2.
>>     - MAC address filtering is needed too, but it looks like that's
>>       already available (looking at ifconfig(8) man page).
>>
>> 2) Layer 7 filtering
>>     - Specifically, the ability to block outbound packets in real-time
>>       which contain certain data in the TCP data portion of the packet.
>>     - More details: there are some HTTP-based requests which some
>>       software I use on XP submits to a server pool to return some ads.
>>       Filtering by IP address isn't possible since the A records of
>>       the FQDN often change.  The software in question does not honour
>>       system proxy settings, so use of a proxy (Apache, squid, etc.)
>>       as a solution will not work.
>>     - I filter based on GET parameters or the HTTP: Host header.  Thus,
>>       the matching mechanism doesn't need regex; simple substring matches
>>       (e.g. strcasestr()) would work fine.
>>     - Linux has kernel modules called ipt_web and xt_web which can do
>>       exactly this.  They return a TCP RST to the client which submitted
>>       the packet, and never forward the original packet out the WAN.
>>
> There is 'ipfw-classifyd' which has been somewhat improved by the 
> pfsense team in order to support pf - I don't have the exact url to 
> hand, but IIRC it is hosted on googlecode somewhere.
It's in git at rcs.pfsense.org in the tools repo.

Note that divert + PF in FreeBSD is also specific to patches we use that
aren't in stock FreeBSD yet; you can easily apply those to RELENG_8_1
though. Kernel patches are also in the tools repo.

All of it is BSD licensed; you're welcome to grab whatever you want to use.
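The substring check on the request line (GET parameters) and the Host header that Jeremy describes above, written out as an added example; this is not code from the thread, from ipfw-classifyd or from the pfSense tools repo, and it covers only the userland match decision, not the divert socket or the TCP RST. It deliberately uses a length-bounded search instead of strcasestr(): a packet payload is not NUL-terminated, so strcasestr() on the raw buffer would read past its end. The blocklist entries and sample request are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length-bounded, case-insensitive substring search. Packet payloads are not
 * NUL-terminated, so strcasestr() on a raw buffer could overread it. */
static const char *ci_memmem(const char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen &&
               tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == nlen)
            return hay + i;
    }
    return NULL;
}

/* Returns 1 if the TCP payload is an HTTP GET/POST request whose request line
 * (URL and GET parameters) or Host header contains any blocklist entry.
 * Only the header block is inspected; the body is never matched. */
int http_request_blocked(const char *payload, size_t len, const char *const *blocklist)
{
    if (len < 5 || (memcmp(payload, "GET ", 4) != 0 && memcmp(payload, "POST ", 5) != 0))
        return 0;                                   /* not an HTTP request */
    const char *end = ci_memmem(payload, len, "\r\n\r\n");
    size_t hdr_len = end ? (size_t)(end - payload) : len;   /* header block only */
    const char *eol = ci_memmem(payload, hdr_len, "\r\n");
    size_t line_len = eol ? (size_t)(eol - payload) : hdr_len; /* request line */
    const char *host = ci_memmem(payload, hdr_len, "\r\nHost:");
    size_t host_len = 0;
    if (host) {
        host += 2;                                  /* skip the CRLF before Host: */
        size_t rest = hdr_len - (size_t)(host - payload);
        const char *hend = ci_memmem(host, rest, "\r\n");
        host_len = hend ? (size_t)(hend - host) : rest;
    }
    for (size_t i = 0; blocklist[i] != NULL; i++) {
        if (ci_memmem(payload, line_len, blocklist[i]))
            return 1;
        if (host && ci_memmem(host, host_len, blocklist[i]))
            return 1;
    }
    return 0;
}

/* Constructed blocklist; a real deployment would load this from a file. */
static const char *const AD_BLOCKLIST[] = { "ads.example.test", "adserver", NULL };
```

A divert-socket or classifier daemon would call http_request_blocked() on each outbound TCP segment and drop (or reset) the connection on a return of 1; a blocked host name in a hostname-bearing header would then never leave the LAN.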

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D54E75E.1020202>