which firewall product?

Charles N Wyble charles-lists at knownelement.com
Tue Jul 30 20:10:23 UTC 2013

Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated interface (like it does for OpenVPN connections), then rules can be applied and pfSense would be quite useful. The UI is very simple.

Warren Bailey <wbailey at satelliteintelligencegroup.com> wrote:
>Look into pfSense. It's rock solid and BSD based, and can be purchased
>as an appliance. (both real and vm)
>Sent from my Mobile Device.
>-------- Original message --------
>From: William Herrin <bill at herrin.us>
>Date: 07/30/2013 1:02 PM (GMT-08:00)
>To: nanog at nanog.org
>Subject: which firewall product?
>Hi folks,
>I'm trying to identify a firewall appliance for one of my customers.
>The wrinkle is: it has to be able to inspect packets inside an IPIP
>tunnel and accept/reject based on IP address, TCP port number and
>standard things like that. On the packet carried *inside* the IPIP
>tunnel packet.
>From what I can tell, the Cisco ASA can't do this.
>Linux iptables can (with the u32 match module) but the customer wants
>an appliance, not a server.
>What appliances do you know of that can do this? Is there a different
>Cisco box? A Juniper firewall? Anything else?
>Thanks in advance,
>Bill Herrin
>William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
>3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>Falls Church, VA 22042-3004

Sent from my Android device with K-9 Mail. Please excuse my brevity.
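
For reference, what "inspecting the packet carried inside the IPIP tunnel" requires of a filter, as an added example that is not part of the original thread: locate the inner IPv4 header behind a variable-length outer header (protocol 4), then match the inner destination address and TCP port. The function names, addresses and ports are assumptions made for illustration, and the sample packets are constructed.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6

def ipv4_header(pkt):
    """Return (header_len, protocol, frag_offset, src, dst) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length varies with IP options
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    frag = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    return ihl, pkt[9], frag, socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def inner_verdict(pkt, allowed_dst, allowed_ports):
    """Accept only IPIP packets whose inner packet is TCP to an allowed address and port."""
    try:
        o_len, o_proto, o_frag, _, _ = ipv4_header(pkt)
        if o_proto != IPPROTO_IPIP:
            return "not-ipip"          # not tunnelled; left to the ordinary rules
        if o_frag:
            return "drop"              # inner header only exists in the first outer fragment
        inner = pkt[o_len:]
        i_len, i_proto, i_frag, _, i_dst = ipv4_header(inner)
        if i_proto != IPPROTO_TCP or i_frag or len(inner) < i_len + 4:
            return "drop"
        dport = struct.unpack("!H", inner[i_len + 2:i_len + 4])[0]
    except ValueError:
        return "drop"                  # truncated or malformed packets fail closed
    return "accept" if i_dst in allowed_dst and dport in allowed_ports else "drop"

def build_ipv4(proto, src, dst, payload, options=b""):
    """Constructed sample data: minimal IPv4 header (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload

def sample(dport, inner_dst="10.0.0.5", outer_options=b""):
    # Constructed TCP SYN carried in an inner IPv4 packet, wrapped in an outer IPIP packet.
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    inner = build_ipv4(IPPROTO_TCP, "192.0.2.10", inner_dst, tcp)
    return build_ipv4(IPPROTO_IPIP, "198.51.100.1", "203.0.113.1", inner, outer_options)

if __name__ == "__main__":
    for port in (443, 23):
        print(port, inner_verdict(sample(port), {"10.0.0.5"}, {443}))
```

A filter that matches at fixed byte offsets would get the outer-options case wrong, which is why the inner header is located from the outer header length here.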
