Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated 
interface (like it does for OpenVPN connections), then rules can be applied 
and pfSense would be quite useful. The UI is very simple. 

Warren Bailey <wbai...@satelliteintelligencegroup.com> wrote:
>Look into pfSense. It's rock solid and BSD based, and can be purchased
>as an appliance. (both real and vm)
>
>
>Sent from my Mobile Device.
>
>
>-------- Original message --------
>From: William Herrin <b...@herrin.us>
>Date: 07/30/2013 1:02 PM (GMT-08:00)
>To: nanog@nanog.org
>Subject: which firewall product?
>
>
>Hi folks,
>
>I'm trying to identify a firewall appliance for one of my customers.
>The wrinkle is: it has to be able to inspect packets inside an IPIP
>tunnel and accept/reject based on IP address, TCP port number and
>standard things like that. On the packet carried *inside* the IPIP
>tunnel packet.
>
>
>From what I can tell, the Cisco ASA can't do this.
>
>Linux iptables can (with the u32 match module) but the customer wants
>an appliance, not a server.
>
>What appliances do you know of that can do this? Is there a different
>Cisco box? A Juniper firewall? Anything else?
>
>Thanks in advance,
>Bill Herrin
>
>
>--
>William D. Herrin ................ her...@dirtside.com  b...@herrin.us
>3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>Falls Church, VA 22042-3004

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
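
The inner-packet check asked for in the quoted question, as an added example that is not from any poster in this thread: it locates the packet carried inside an IPIP (IP protocol 4) packet using the outer header's length field, then accepts or rejects on the inner destination address and TCP port. The policy, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6   # IANA protocol numbers

def parse_ipv4(buf):
    """Return (header_len, protocol, frag_offset, dst) for the IPv4 header in buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4              # varies with IP options, never assume 20
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad or truncated IPv4 header")
    frag = struct.unpack("!H", buf[6:8])[0] & 0x1FFF
    return ihl, buf[9], frag, ipaddress.IPv4Address(bytes(buf[16:20]))

def filter_ipip(packet, allowed_dst_net, allowed_tcp_ports):
    """Hypothetical policy: accept only tunnelled TCP to an allowed net and port."""
    try:
        outer_len, outer_proto, _, _ = parse_ipv4(packet)
        if outer_proto != IPPROTO_IPIP:
            return "reject"                # not an IPIP tunnel packet
        inner = packet[outer_len:]
        inner_len, inner_proto, frag, inner_dst = parse_ipv4(inner)
    except ValueError:
        return "reject"                    # malformed outer or inner header
    if inner_proto != IPPROTO_TCP or frag != 0:
        return "reject"                    # later fragments carry no TCP header
    tcp = inner[inner_len:]
    if len(tcp) < 4:
        return "reject"                    # ports not present
    dport = struct.unpack("!H", tcp[2:4])[0]
    ok = inner_dst in allowed_dst_net and dport in allowed_tcp_ports
    return "accept" if ok else "reject"

def build_ipv4(proto, src, dst, payload, options=b""):
    """Build a constructed sample packet (checksum left as zero)."""
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload

# Constructed sample: 4 bytes of outer IP options put the inner packet at offset 24.
TCP_STUB = struct.pack("!HH", 40000, 443) + bytes(16)
INNER = build_ipv4(IPPROTO_TCP, "10.1.1.5", "192.0.2.10", TCP_STUB)
SAMPLE = build_ipv4(IPPROTO_IPIP, "198.51.100.1", "203.0.113.1", INNER, b"\x01" * 4)
NET = ipaddress.ip_network("192.0.2.0/24")
if __name__ == "__main__":
    print(filter_ipip(SAMPLE, NET, {443}))
```

A rule that matches at a fixed byte offset into the outer packet would read the wrong bytes for this sample, because the outer header is 24 bytes long rather than 20.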
