On 10/02/2011 15:56, Jeremy Chadwick wrote:
(I was considering cross-posting this to freebsd-pf but decided against
it, instead starting here first.  Please keep me CC'd as I'm not
subscribed to freebsd-net)

I'm looking into the possibility of using my home FreeBSD box as my home
firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
specifically the TomatoUSB firmware).

I plan on using pf for the NAT and firewall layer.  ipfw will not be
used (I have long since moved away from it).  I've got solutions for
everything except two items:

1) Wireless hardware support
    - What consumer PCI cards are known to be reliable and have good
      support on FreeBSD?  It looks like anything that relies on ath(4)
      might be a good choice, but I'm not sure what specific chipset is
      considered decent/worthwhile, or if there's a specific model of
      card from Vendor X(tm) which works great.
    - The card and driver need to support both 802.11b and 802.11g
      simultaneously.  802.11n (for the future) would also be good.
    - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
      have devices which do not do WPA or WPA2.
    - MAC address filtering is needed too, but it looks like that's
      already available (looking at ifconfig(8) man page).

2) Layer 7 filtering
    - Specifically, the ability to block outbound packets in real-time
      which contain certain data in the TCP data portion of the packet.
    - More details: there are some HTTP-based requests which some
      software I use on XP submits to a server pool to return some ads.
      Filtering by IP address isn't possible since the A records of
      the FQDN often change.  The software in question does not honour
      system proxy settings, so use of a proxy (Apache, squid, etc.)
      as a solution will not work.
    - I filter based on GET parameters or the HTTP: Host header.  Thus,
      the matching mechanism doesn't need regex; simple substring matches
      (e.g. strcasestr()) would work fine.
    - Linux has kernel modules called ipt_web and xt_web which can do
      exactly this.  They return a TCP RST to the client which submitted the
      packet, and never forward the original packet out the WAN.

There is 'ipfw-classifyd' which has been somewhat improved by the pfsense team in order to support pf - I don't have the exact url to hand, but IIRC it is hosted on googlecode somewhere.

It does what you describe, uses regex to match payload.

HTH
Item #2 above seems to be the kicker.  Is there anything in the works
regarding such a capability?  I'd be more than happy to test out code or
whatever.

Thanks,
J
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
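The matching mechanism item #2 above asks for (case-insensitive substring match, as strcasestr() would do, against the request target's GET parameters and the Host header, with a "send RST, do not forward" verdict on a hit) is small enough to show in full. The block below is an added illustration written for this page; it is not code from ipt_web, xt_web, ipfw-classifyd or pf, and the blocklist entries and sample payloads are constructed placeholders.

```python
import re

# Constructed blocklist: substrings looked for in the Host header or in the
# request target (GET parameters). Placeholder values, not from the thread.
BLOCKED_SUBSTRINGS = ("ads.example-adserver.invalid", "adzone=")

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_http_request(payload: bytes):
    """Return (method, target, headers) if the TCP data starts with an HTTP
    request, otherwise None. Header names are lower-cased for lookup."""
    text = payload.decode("latin-1")          # never raises, keeps raw bytes 1:1
    head, _, _ = text.partition("\r\n\r\n")   # ignore any body
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def matches_blocklist(payload: bytes, blocklist=BLOCKED_SUBSTRINGS) -> bool:
    """strcasestr()-style check: does any blocklist substring occur, ignoring
    case, in the request target or the Host header?"""
    parsed = parse_http_request(payload)
    if parsed is None:
        return False                          # not an HTTP request: nothing to inspect
    _, target, headers = parsed
    haystacks = (target.lower(), headers.get("host", "").lower())
    return any(needle.lower() in hay for needle in blocklist for hay in haystacks)


def decide(payload: bytes) -> str:
    """Verdict in the terms the thread uses: 'rst' means drop the segment and
    answer the client with a TCP RST; 'pass' means forward it unchanged."""
    return "rst" if matches_blocklist(payload) else "pass"


if __name__ == "__main__":
    # Constructed sample payloads, as they would appear in the TCP data portion.
    samples = [
        b"GET /serve?adzone=12&x=1 HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: ADS.Example-AdServer.INVALID\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
        b"\x16\x03\x01\x00\x10not-http-at-all",
    ]
    for s in samples:
        print(decide(s), s[:40])
```

One caveat a filter built on this must handle: the check only sees one segment's payload, so a request whose Host header lands in a second TCP segment would not be caught unless the matcher reassembles the stream first; filtering on the request line alone (the GET parameters) does not have that problem.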
