Reliable PCI wifi cards, and layer 7 filtering
Joe Holden
lists at rewt.org.uk
Thu Feb 10 22:23:41 UTC 2011
On 10/02/2011 15:56, Jeremy Chadwick wrote:
> (I was considering cross-posting this to freebsd-pf but decided against
> it, instead starting here first. Please keep me CC'd as I'm not
> subscribed to freebsd-net)
>
> I'm looking into the possibility of using my home FreeBSD box as my home
> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
> specifically the TomatoUSB firmware).
>
> I plan on using pf for the NAT and firewall layer. ipfw will not be
> used (I have long since moved away from it). I've got solutions for
> everything except two items:
>
> 1) Wireless hardware support
> - What consumer PCI cards are known to be reliable and have good
> support on FreeBSD? It looks like anything that relies on ath(4)
> might be a good choice, but I'm not sure what specific chipset is
> considered decent/worthwhile, or if there's a specific model of
> card from Vendor X(tm) which works great.
> - The card and driver need to support both 802.11b and 802.11g
> simultaneously. 802.11n (for the future) would also be good.
> - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
> have devices which do not do WPA or WPA2.
> - MAC address filtering is needed too, but it looks like that's
> already available (looking at ifconfig(8) man page).
>
> 2) Layer 7 filtering
> - Specifically, the ability to block outbound packets in real-time
> which contain certain data in the TCP data portion of the packet.
> - More details: there are some HTTP-based requests which some
> software I use on XP submits to a server pool to return some ads.
> Filtering by IP address isn't possible since the A records of
> the FQDN often change. The software in question does not honour
> system proxy settings, so use of a proxy (Apache, squid, etc.)
> as a solution will not work.
> - I filter based on GET parameters or the HTTP: Host header. Thus,
> the matching mechanism doesn't need regex; simple substring matches
> (e.g. strcasestr()) would work fine.
> - Linux has kernel modules called ipt_web and xt_web which can do
> exactly this. They return a TCP RST to the client which submitted the
> packet, and never forward the original packet out the WAN.
>
There is 'ipfw-classifyd' which has been somewhat improved by the
pfSense team in order to support pf - I don't have the exact URL to
hand, but IIRC it is hosted on googlecode somewhere.
It does what you describe, using regex to match the payload.
HTH
> Item #2 above seems to be the kicker. Is there anything in the works
> regarding such a capability? I'd be more than happy to test out code or
> whatever.
>
Thanks,
J
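The matching rule from item 2 of the quoted mail (block an outbound HTTP request when its GET parameters or Host header contain a configured substring, case-insensitively, no regex) as an added example in C. This is not code from the thread, from ipfw-classifyd or from ipt_web; the pattern list and the three request payloads are constructed samples, and ci_strstr() is a portable stand-in for strcasestr().

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAXREQ 2048  /* bytes of a segment's payload worth inspecting */

/* Portable stand-in for strcasestr(): case-insensitive substring search. */
static const char *ci_strstr(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return hay;
    return NULL;
}

/* 1 = block (send RST to the client, never forward), 0 = pass.  Only the request
 * target (GET parameters) and the Host header are searched; the body is cut off. */
int l7_match(const unsigned char *payload, size_t len,
             const char *const *pats, size_t npat) {
    char buf[MAXREQ + 1];                 /* wire payload is not NUL-terminated */
    if (len > MAXREQ) len = MAXREQ;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    if (strncmp(buf, "GET ", 4) && strncmp(buf, "POST ", 5))
        return 0;                         /* not the start of a request */
    char *hdr_end = strstr(buf, "\r\n\r\n");
    if (hdr_end) hdr_end[2] = '\0';       /* keep last CRLF, drop the body */
    char *target = strchr(buf, ' ') + 1, *tend = strstr(target, " HTTP/");
    if (!tend) return 0;
    char *host = (char *)ci_strstr(tend, "\r\nHost:");  /* header name is case-insensitive */
    *tend = '\0';                         /* isolate the target after the Host search */
    if (host) {
        host += 7 + strspn(host + 7, " \t");          /* skip "Host:" and whitespace */
        char *hend = strstr(host, "\r\n"); if (hend) *hend = '\0';
    }
    for (size_t i = 0; i < npat; i++)
        if (ci_strstr(target, pats[i]) || (host && ci_strstr(host, pats[i])))
            return 1;
    return 0;
}

/* Constructed samples (no real hosts or products); main() prints "1 1 0". */
static const char *const PATTERNS[] = { "ads.example", "adunit=" };
static const char REQ_AD_QUERY[] = "GET /v1/banner?adunit=300x250 HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n";
static const char REQ_AD_HOST[]  = "GET /index.html HTTP/1.1\r\nHOST: ads.example.com\r\n\r\n";
static const char REQ_CLEAN[]    = "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\nadunit=1";
#define CHECK(r) l7_match((const unsigned char *)(r), sizeof(r) - 1, PATTERNS, 2)
int main(void) {
    printf("%d %d %d\n", CHECK(REQ_AD_QUERY), CHECK(REQ_AD_HOST), CHECK(REQ_CLEAN));
    return 0;
}
```

The third sample shows why the body is cut off: a pattern that only appears in POST data or in a later segment of the stream does not produce a match, which keeps the RST decision tied to the request line and Host header the mail describes.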