which firewall product?

Blake Dunlap ikiris at gmail.com
Tue Jul 30 21:36:38 UTC 2013

Well, I guess my first question is: Is this a design you are stuck with for
some reason or alternately, is there a good reason for it, and I need to be
educated as to real world design? It seems rather odd to put a firewall
boundary between a LB and its associated cluster as opposed to in front of
the LB.

I've looked into something like this before for unrelated issues, and never
really was very happy with the results.


On Tue, Jul 30, 2013 at 3:38 PM, William Herrin <bill at herrin.us> wrote:

> On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown <michael at supermathie.net>
> wrote:
> > In the pfSense UI, you create the physical interface as a GRE tunnel
> > then assign it to a logical interface against which you can apply the
> firewall rules:
> Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
> packets. Linux LVS emits IPIP encapsulated packets when the target
> server is non-local. I have no option to emit GRE or another kind of
> tunnel packet.
> Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
> can, but I'd prefer not to. What I want to do is look inside at the
> packet encapsulated by IPIP. Even if I have to hand-crank the rules in
> terms of byte X inside the packet should be value Y.
> Thanks again,
> Bill Herrin
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
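
The inner-packet matching Bill describes ("byte X inside the packet should be value Y") comes down to decoding the outer IPv4 header, confirming it carries IP protocol 4 (IP-in-IP, RFC 2003, which is what LVS tunnel mode emits), and then reading the encapsulated header at an offset that depends on the outer IHL. The following Python is an added illustration written for this archive page, not code from the thread or from LVS/pfSense; the addresses, the sample packet and the allow-list of (VIP, protocol, port) tuples are constructed for the example. It parses both headers, reports the absolute byte offsets a byte-match rule would have to use, and makes a policy decision only on the encapsulated 5-tuple.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 2003); LVS tunnel mode uses this
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4_header(data, offset=0):
    """Parse an IPv4 header at `offset`. Returns (fields, header_length)."""
    if len(data) < offset + 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", data, offset)
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, 20..60
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if len(data) < offset + ihl:
        raise ValueError("truncated IPv4 options")
    fields = {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
              "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    return fields, ihl


def inspect_ipip(packet):
    """Decode outer IPv4 + inner IPv4 (+ TCP/UDP ports) of an IPIP packet.

    Besides the inner addresses/ports, return the absolute byte offsets of
    the inner destination address, inner protocol and inner destination
    port. Those offsets move with the outer header length, which is why a
    hard-coded "byte X" rule only holds when outer IP options are absent.
    """
    outer, outer_len = parse_ipv4_header(packet, 0)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IPIP" % outer["proto"])
    inner, inner_len = parse_ipv4_header(packet, outer_len)
    result = {
        "outer_src": outer["src"], "outer_dst": outer["dst"],
        "inner_src": inner["src"], "inner_dst": inner["dst"],
        "inner_proto": inner["proto"],
        "inner_proto_offset": outer_len + 9,   # protocol byte of inner header
        "inner_dst_offset": outer_len + 16,    # inner dst address, 4 bytes
    }
    l4 = outer_len + inner_len
    if inner["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        # Source and destination ports are the first four bytes of both headers.
        if len(packet) < l4 + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack_from("!HH", packet, l4)
        result.update({"sport": sport, "dport": dport, "dport_offset": l4 + 2})
    return result


# Constructed allow-list: inner (VIP, protocol, port) tuples the cluster serves.
ALLOWED_SERVICES = {
    ("203.0.113.80", IPPROTO_TCP, 80),
    ("203.0.113.80", IPPROTO_TCP, 443),
}


def permitted(packet, allowed=ALLOWED_SERVICES):
    """Policy decision made on the encapsulated packet, not the outer one.
    Anything that does not parse as well-formed IPIP is rejected."""
    try:
        info = inspect_ipip(packet)
    except ValueError:
        return False
    return (info["inner_dst"], info["inner_proto"], info.get("dport")) in allowed


# --- constructed sample traffic (checksums left at zero; not on-the-wire valid) ---

def build_ipv4_header(src, dst, proto, payload_len, options=b""):
    if len(options) % 4:
        raise ValueError("IPv4 options must pad to a 4-byte boundary")
    ihl_words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      ihl_words * 4 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options


def build_sample_ipip(sport, dport, outer_options=b""):
    """Director 10.0.0.1 tunnelling a client SYN for VIP 203.0.113.80 to
    real server 10.0.0.2 (all addresses constructed for the example)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = build_ipv4_header("198.51.100.10", "203.0.113.80", IPPROTO_TCP, len(tcp))
    outer = build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_IPIP,
                              len(inner) + len(tcp), outer_options)
    return outer + inner + tcp


if __name__ == "__main__":
    for pkt in (build_sample_ipip(40000, 80),
                build_sample_ipip(40000, 22),
                build_sample_ipip(40000, 443, outer_options=b"\x01" * 4)):
        print(inspect_ipip(pkt), "->", "allow" if permitted(pkt) else "drop")
```

Running it shows the inner destination address at packet offset 36 and the destination port at offset 42 for a plain 20-byte outer header, and 40/46 once four bytes of outer options are present. A firewall that only offers fixed byte-offset matching therefore needs either a guarantee that the director never sets outer options, or rules keyed on the outer IHL nibble as well; in either case fragments of the outer packet carry no inner header at all and should be dropped or reassembled before matching.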
