nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: which firewall product?

From: Blake Dunlap <ikiris () gmail com>
Date: Tue, 30 Jul 2013 16:36:38 -0500
Well, I guess my first question is: Is this a design you are stuck with for
some reason or alternately, is there a good reason for it, and I need to be
educated as to real world design? It seems rather odd to put a firewall
boundry between a LB and its associated cluster as opposed to in front of
the LB.

I've looked into something like this before for unrelated issues, and never
really was very happy with the results.

-Blake


On Tue, Jul 30, 2013 at 3:38 PM, William Herrin <bill () herrin us> wrote:


On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown <michael () supermathie net>
wrote:

In the pfSense UI, you create the physical interface as a GRE tunnel
then assign it to a logical interface against which you can apply the

firewall rules:

Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
packets. Linux LVS emits IPIP encapsulated packets when the target
server is non-local. I have no option to emit GRE or another kind of
tunnel packet.

Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
can, but I'd prefer not to. What I want to do is look inside at the
packet encapsulated by IPIP. Even if I have to hand-crank the rules in
terms of byte X inside the packet should be value Y.

Thanks again,
Bill Herrin



--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Previous By Date Next
Previous By Thread Next

Current thread: