Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated interface (like it does for OpenVPN connections), then rules can be applied and pfSense would be quite useful. The UI is very simple.

Warren Bailey <wbai...@satelliteintelligencegroup.com> wrote:

>Look into pfsense. It's rock solid and BSD based, and can be purchased
>as an appliance. (both real and vm)
>
>
>Sent from my Mobile Device.
>
>
>-------- Original message --------
>From: William Herrin <b...@herrin.us>
>Date: 07/30/2013 1:02 PM (GMT-08:00)
>To: nanog@nanog.org
>Subject: which firewall product?
>
>
>Hi folks,
>
>I'm trying to identify a firewall appliance for one of my customers.
>The wrinkle is: it has to be able to inspect packets inside an IPIP
>tunnel and accept/reject based on IP address, TCP port number and
>standard things like that. On the packet carried *inside* the IPIP
>tunnel packet.
>
>
>From what I can tell, the Cisco ASA can't do this.
>
>Linux iptables can (with the u32 match module) but the customer wants
>an appliance, not a server.
>
>What appliances do you know of that can do this? Is there a different
>Cisco box? A Juniper firewall? Anything else?
>
>Thanks in advance,
>Bill Herrin
>
>
>--
>William D. Herrin ................ her...@dirtside.com b...@herrin.us
>3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>Falls Church, VA 22042-3004

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
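
The requirement in the quoted question (accept/reject on the IP address and TCP port of the packet carried inside the IPIP tunnel) is sketched below as an added example; it is not part of the thread and not any vendor's implementation. The function names, the default-drop policy and all addresses are assumptions, and the sample packets are constructed.

```python
import struct
from ipaddress import ip_address, ip_network

IPPROTO_IPIP, IPPROTO_TCP = 4, 6

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header with SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload), or None if malformed or fragmented."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # header length varies with IP options
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x3FFF:  # MF flag or nonzero offset
        return None                        # cannot classify without reassembly
    return pkt[9], ip_address(pkt[12:16]), ip_address(pkt[16:20]), pkt[ihl:total]

def verdict(pkt, allowed_dst, allowed_ports):
    """Filter on the inner packet of an IPIP tunnel; anything unparseable is dropped."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[0] != IPPROTO_IPIP:
        return "DROP"
    inner = parse_ipv4(outer[3])
    if inner is None:
        return "DROP"
    proto, _src, dst, seg = inner
    if proto != IPPROTO_TCP or len(seg) < 20:
        return "DROP"
    dport = struct.unpack("!H", seg[2:4])[0]
    ok = dst in ip_network(allowed_dst) and dport in allowed_ports
    return "ACCEPT" if ok else "DROP"

# Constructed samples: tunnel endpoints and inner hosts are documentation/private ranges.
OUTER = ("198.51.100.1", "203.0.113.1", IPPROTO_IPIP)
GOOD = ipv4(*OUTER, ipv4("10.0.0.5", "10.1.0.20", IPPROTO_TCP, tcp(40000, 443)))
BAD = ipv4(*OUTER, ipv4("10.0.0.5", "10.1.0.20", IPPROTO_TCP, tcp(40000, 23)))
TRUNC = GOOD[:45]                          # cut off inside the inner TCP header
```

The offsets are computed from each header's IHL field rather than hard-coded, so outer or inner IP options do not shift the match onto the wrong bytes.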