Date: Thu, 10 Feb 2011 07:56:22 -0800
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: freebsd-net@freebsd.org
Subject: Reliable PCI wifi cards, and layer 7 filtering
Message-ID: <20110210155622.GA60117@icarus.home.lan>
(I was considering cross-posting this to freebsd-pf but decided against
it, instead starting here first. Please keep me CC'd as I'm not subscribed
to freebsd-net)

I'm looking into the possibility of using my home FreeBSD box as my home
firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
specifically the TomatoUSB firmware). I plan on using pf for the NAT and
firewall layer. ipfw will not be used (I have long since moved away from
it).

I've got solutions for everything except two items:

1) Wireless hardware support

- What consumer PCI cards are known to be reliable and have good support
  on FreeBSD? It looks like anything that relies on ath(4) might be a
  good choice, but I'm not sure what specific chipset is considered
  decent/worthwhile, or if there's a specific model of card from
  Vendor X(tm) which works great.

- The card and driver need to support both 802.11b and 802.11g
  simultaneously. 802.11n (for the future) would also be good.

- Driver or OS needs 128-bit WEP -- this is not a joke, I really do have
  devices which do not do WPA or WPA2.

- MAC address filtering is needed too, but it looks like that's already
  available (looking at ifconfig(8) man page).

2) Layer 7 filtering

- Specifically, the ability to block outbound packets in real-time which
  contain certain data in the TCP data portion of the packet.

- More details: there are some HTTP-based requests which some software I
  use on XP submits to a server pool to return some ads. Filtering by IP
  address isn't possible since the A records of the FQDN often change.
  The software in question does not honour system proxy settings, so use
  of a proxy (Apache, squid, etc.) as a solution will not work.

- I filter based on GET parameters or the HTTP Host: header. Thus, the
  matching mechanism doesn't need regex; simple substring matches (e.g.
  strcasestr()) would work fine.

- Linux has kernel modules called ipt_web and xt_web which can do exactly
  this. They return TCP RST to the client which submitted the packet, and
  never forward the original packet out the WAN.

Item #2 above seems to be the kicker. Is there anything in the works
regarding such a capability? I'd be more than happy to test out code or
whatever.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
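The matching step the message asks for (case-insensitive substring matches on the request line and the Host: header, with a block/pass verdict that a divert(4)-style hook could turn into a drop plus RST), as an added example that is not part of the original post. Function names and the blocklist are hypothetical, and the packet plumbing that would feed it real TCP payloads is not shown.

```c
#include <string.h>
#include <strings.h>

#define MAXF 256

/* Case-insensitive substring test (what strcasestr() does), spelled out so
 * the example builds on any libc without feature macros. */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return 1;
    return 0;
}

/* Copy one payload line (up to LF, CR stripped) into out. Returns the line
 * length, or (size_t)-1 once the payload is exhausted. */
static size_t get_line(const char *p, size_t len, size_t *pos, char *out)
{
    if (*pos >= len) return (size_t)-1;
    const char *s = p + *pos;
    const char *eol = memchr(s, '\n', len - *pos);
    size_t ll = eol ? (size_t)(eol - s) : len - *pos;
    *pos += ll + (eol ? 1 : 0);
    if (ll && s[ll - 1] == '\r') ll--;
    if (ll >= MAXF) ll = MAXF - 1;
    memcpy(out, s, ll); out[ll] = '\0';
    return ll;
}

/* Verdict for one outbound TCP payload: 1 = drop it and RST the client,
 * 0 = pass. Patterns (hypothetical blocklist) are matched only against the
 * request line (path and GET parameters) and the Host: header, so a match
 * in the entity body or a non-HTTP payload does not trigger. */
int should_block(const char *p, size_t len, const char *const *pat, size_t npat)
{
    char req[MAXF], line[MAXF], host[MAXF] = "";
    size_t pos = 0, ll = get_line(p, len, &pos, req);
    if (ll == (size_t)-1 || strstr(req, " HTTP/") == NULL)
        return 0;                               /* not an HTTP request */
    while ((ll = get_line(p, len, &pos, line)) != (size_t)-1 && ll > 0)
        if (strncasecmp(line, "Host:", 5) == 0)
            strcpy(host, line + 5 + strspn(line + 5, " \t"));
    for (size_t i = 0; i < npat; i++)
        if (ci_contains(req, pat[i]) || ci_contains(host, pat[i]))
            return 1;
    return 0;
}
```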