Reliable PCI wifi cards, and layer 7 filtering

Chris Buechler cmb at pfsense.org
Fri Feb 11 07:57:39 UTC 2011


On 2/10/2011 5:23 PM, Joe Holden wrote:
> On 10/02/2011 15:56, Jeremy Chadwick wrote:
>> (I was considering cross-posting this to freebsd-pf but decided against
>> it, instead starting here first.  Please keep me CC'd as I'm not
>> subscribed to freebsd-net)
>>
>> I'm looking into the possibility of using my home FreeBSD box as my home
>> firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
>> specifically the TomatoUSB firmware).
>>
>> I plan on using pf for the NAT and firewall layer.  ipfw will not be
>> used (I have long since moved away from it).  I've got solutions for
>> everything except two items:
>>
>> 1) Wireless hardware support
>>     - What consumer PCI cards are known to be reliable and have good
>>       support on FreeBSD?  It looks like anything that relies on ath(4)
>>       might be a good choice, but I'm not sure what specific chipset is
>>       considered decent/worthwhile, or if there's a specific model of
>>       card from Vendor X(tm) which works great.
>>     - The card and driver need to support both 802.11b and 802.11g
>>       simultaneously.  802.11n (for the future) would also be good.
>>     - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
>>       have devices which do not do WPA or WPA2.
>>     - MAC address filtering is needed too, but it looks like that's
>>       already available (looking at ifconfig(8) man page).
>>
>> 2) Layer 7 filtering
>>     - Specifically, the ability to block outbound packets in real-time
>>       which contain certain data in the TCP data portion of the packet.
>>     - More details: there are some HTTP-based requests which some
>>       software I use on XP submits to a server pool to return some ads.
>>       Filtering by IP address isn't possible since the A records of
>>       the FQDN often change.  The software in question does not honour
>>       system proxy settings, so use of a proxy (Apache, squid, etc.)
>>       as a solution will not work.
>>     - I filter based on GET parameters or the HTTP: Host header.  Thus,
>>       the matching mechanism doesn't need regex; simple substring matches
>>       (e.g. strcasestr()) would work fine.
>>     - Linux has kernel modules called ipt_web and xt_web which can do
>>       exactly this.  They return a TCP RST to the client which submitted the
>>       packet, and never forward the original packet out the WAN.
>>
> There is 'ipfw-classifyd' which has been somewhat improved by the 
> pfsense team in order to support pf - I don't have the exact url to 
> hand, but IIRC it is hosted on googlecode somewhere.
It's in git at rcs.pfsense.org in the tools repo.

Note that divert + PF in FreeBSD is also specific to patches we use that 
aren't in stock FreeBSD yet; you can easily apply those to RELENG_8_1, 
though. Kernel patches are also in the tools repo.

All of it's BSD licensed, you're welcome to grab whatever you want to use.
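The filter Jeremy describes (substring match on the TCP payload, RST back to the client, original packet never forwarded) as an added example; this is not code from the thread, from ipt_web or from ipfw-classifyd. It works on a raw IPv4/TCP packet the way a divert(4) daemon would see it: parse the headers, run a strcasestr()-style match on the payload, and on a hit build the RST to send to the client. The filter list, addresses, ports and HTTP requests are constructed for the example; the RST sequence/ack rule (seq = client's ACK value, ack = client seq + payload length) is the usual one for a reject-with-reset and is an assumption about what the client's stack will accept, not something the thread states.

```python
"""Layer-7 substring filter for outbound HTTP, modelled on what ipt_web does.

Added example for this thread; it is not code from ipt_web, ipfw-classifyd
or pfSense.  Given a raw IPv4/TCP packet it (1) parses the headers,
(2) does a strcasestr-style match on the TCP payload for a Host header or
GET parameter, and (3) when matched, builds the TCP RST that goes back to
the client while the original packet is dropped.  Addresses, ports and the
HTTP requests below are constructed for the example.
"""
import socket
import struct

# Assumed filter list: plain substrings, matched case-insensitively.
BLOCKED = ["ads.example.invalid", "/adserver?"]

TCP_ACK = 0x10
TCP_RST = 0x04
TCP_PSH = 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for both the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4+TCP packet (no options) with valid checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6,
                     0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse(pkt: bytes):
    """Return a dict of IPv4/TCP fields and payload, or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": pkt[ihl + doff:total_len],
    }


def matches(payload: bytes, needles=BLOCKED) -> bool:
    """strcasestr()-style check: any needle appears in the payload, any case."""
    low = payload.lower()
    return any(n.lower().encode() in low for n in needles)


def build_rst_for(p: dict) -> bytes:
    """RST back to the client, addressed as if from the server it talked to.
    seq is the client's own ACK value (0 if it had not ACKed), ack is the
    client's seq plus payload length, so the client's stack accepts it."""
    seq = p["ack"] if p["flags"] & TCP_ACK else 0
    return build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                          seq, (p["seq"] + len(p["payload"])) & 0xFFFFFFFF,
                          TCP_RST | TCP_ACK)


def filter_packet(pkt: bytes, needles=BLOCKED):
    """Decision for one outbound packet: ("pass", pkt) to forward unchanged,
    or ("reset", rst) meaning drop pkt and send rst to the client."""
    p = parse(pkt)
    if p is None or not matches(p["payload"], needles):
        return "pass", pkt
    return "reset", build_rst_for(p)


# Constructed sample traffic: an ad request and an ordinary page fetch.
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
AD_REQUEST = b"GET /adserver?id=42 HTTP/1.1\r\nHost: ads.example.invalid\r\n\r\n"
PAGE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
AD_PKT = build_ipv4_tcp(CLIENT, SERVER, 49152, 80, 1000, 2000, TCP_ACK | TCP_PSH, AD_REQUEST)
PAGE_PKT = build_ipv4_tcp(CLIENT, SERVER, 49153, 80, 5000, 6000, TCP_ACK | TCP_PSH, PAGE_REQUEST)

if __name__ == "__main__":
    for name, pkt in (("ad request", AD_PKT), ("page request", PAGE_PKT)):
        verdict, out = filter_packet(pkt)
        print(name, "->", verdict, "flags=0x%02x" % parse(out)["flags"])
```

To put this behind a firewall, the loop around filter_packet() reads packets from a divert(4) socket, reinjects the "pass" ones with sendto() to the same divert port, and for "reset" sends the RST out the LAN side and drops the original; ipfw has the divert action in stock FreeBSD, while diverting from pf needs the pfSense patches Chris mentions. Two caveats a practitioner should keep in mind: the match is per packet, so a Host header that straddles a segment boundary is not seen, and only the client is reset, so the server side of the connection stays half-open until it times out, which is also how the ipt_web approach behaves.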
