Re: which firewall product?

[Owen DeLong <owen () delong com>]

On Jul 30, 2013, at 13:10 , Charles N Wyble <charles-lists () knownelement com> wrote:

> Not sure how bsd handles ipip connections. If it breaks them out as a dedicated interface (like it does for openvpn 
> connections) , then rules can be applied and pfsense would be quite useful. The UI is very simple. 

That would only work if the firewall were terminating the tunnel instead of passing the tunneled traffic through still 
inside the tunnel.

I believe Bill is looking for DPI on forwarded traffic and not to decapsulate the traffic prior to inspection.

Owen

> Warren Bailey <wbailey () satelliteintelligencegroup com> wrote:
> > Look into pfsense. It's rock solid and bad based, and can be purchased
> > as an appliance. (both real and vm)
> >
> >
> > Sent from my Mobile Device.
> >
> >
> > -------- Original message --------
> > From: William Herrin <bill () herrin us>
> > Date: 07/30/2013 1:02 PM (GMT-08:00)
> > To: nanog () nanog org
> > Subject: which firewall product?
> >
> >
> > Hi folks,
> >
> > I'm trying to identify a firewall appliance for one of my customers.
> > The wrinkle is: it has to be able to inspect packets inside an IPIP
> > tunnel and accept/reject based on IP address, TCP port number and
> > standard things like that. On the packet carried *inside* the IPIP
> > tunnel packet.
> >
> >
> > From what I can tell, the Cisco ASA can't do this.
> >
> > Linux iptables can (with the u32 match module) but the customer wants
> > an appliance, not a server.
> >
> > What appliances do you know of that can do this? Is there a different
> > Cisco box? A Juniper firewall? Anything else?
> >
> > Thanks in advance,
> > Bill Herrin
> >
> >
> > --
> > William D. Herrin ................ herrin () dirtside com  bill () herrin us
> > 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> > Falls Church, VA 22042-3004
>
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.