which firewall product?
owen at delong.com
Tue Jul 30 22:57:41 UTC 2013
On Jul 30, 2013, at 13:10 , Charles N Wyble <charles-lists at knownelement.com> wrote:
> Not sure how bsd handles ipip connections. If it breaks them out as a dedicated interface (like it does for openvpn connections), then rules can be applied and pfsense would be quite useful. The UI is very simple.
That would only work if the firewall were terminating the tunnel instead of passing the tunneled traffic through still inside the tunnel.
I believe Bill is looking for DPI on forwarded traffic and not to decapsulate the traffic prior to inspection.
> Warren Bailey <wbailey at satelliteintelligencegroup.com> wrote:
>> Look into pfsense. It's rock solid and BSD based, and can be purchased
>> as an appliance. (both real and vm)
>> Sent from my Mobile Device.
>> -------- Original message --------
>> From: William Herrin <bill at herrin.us>
>> Date: 07/30/2013 1:02 PM (GMT-08:00)
>> To: nanog at nanog.org
>> Subject: which firewall product?
>> Hi folks,
>> I'm trying to identify a firewall appliance for one of my customers.
>> The wrinkle is: it has to be able to inspect packets inside an IPIP
>> tunnel and accept/reject based on IP address, TCP port number and
>> standard things like that. On the packet carried *inside* the IPIP
>> tunnel packet.
>> From what I can tell, the Cisco ASA can't do this.
>> Linux iptables can (with the u32 match module) but the customer wants
>> an appliance, not a server.
>> What appliances do you know of that can do this? Is there a different
>> Cisco box? A Juniper firewall? Anything else?
>> Thanks in advance,
>> Bill Herrin
>> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
>> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>> Falls Church, VA 22042-3004
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
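The inspection Bill describes (matching on the IP addresses and TCP port of the packet carried *inside* the IPIP tunnel, the same thing iptables' u32 match does by byte offset) as an added example in Python, not code from anyone in this thread. It assumes IPv4-in-IPv4 (outer protocol 4) with a TCP inner payload, and the packet, addresses and rules are constructed for the example.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4   # outer protocol number for IPv4-in-IPv4
IPPROTO_TCP = 6

def parse_ipv4(buf, off):
    """Return (src, dst, proto, header_len) for the IPv4 header starting at buf[off]."""
    ver_ihl = buf[off]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or off + ihl > len(buf):
        raise ValueError("not a well-formed IPv4 header")
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], ihl

def inner_flow(pkt):
    """Decode an IPIP packet: (inner_src, inner_dst, inner_proto, sport, dport).
    Ports are None unless the inner protocol is TCP (this example handles TCP only)."""
    _, _, oproto, olen = parse_ipv4(pkt, 0)
    if oproto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IPIP (protocol 4)")
    isrc, idst, iproto, ilen = parse_ipv4(pkt, olen)   # inner header follows outer IHL
    sport = dport = None
    if iproto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", pkt[olen + ilen:olen + ilen + 4])
    return isrc, idst, iproto, sport, dport

def policy(pkt, rules):
    """First matching (src_net, dst_net, dport, verdict) rule wins; default reject.
    dport=None in a rule matches any port."""
    isrc, idst, _, _, dport = inner_flow(pkt)
    for src_net, dst_net, port, verdict in rules:
        if (ipaddress.ip_address(isrc) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(idst) in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return verdict
    return "reject"

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed test packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample: inner TCP SYN 10.1.1.5 -> 10.2.2.9:22 carried in an IPIP tunnel.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPIP,
                    build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_TCP, TCP_SYN))
RULES = [("10.1.1.0/24", "10.2.2.0/24", 443, "accept"),
         ("10.1.1.0/24", "10.2.2.9/32", 22, "reject")]
```

A firewall that only sees the outer header would classify SAMPLE as protocol-4 traffic between the tunnel endpoints; the rules above are evaluated against the inner 10.x addresses and port instead.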