On Jul 30, 2013, at 13:10 , Charles N Wyble <charles-li...@knownelement.com> 
wrote:

> Not sure how bsd handles ipip connections. If it breaks them out as a 
> dedicated interface (like it does for openvpn connections) , then rules can 
> be applied and pfsense would be quite useful. The UI is very simple. 

That would only work if the firewall were terminating the tunnel instead of 
passing the tunneled traffic through still inside the tunnel.

I believe Bill is looking for DPI on forwarded traffic and not to decapsulate 
the traffic prior to inspection.

Owen

> 
> Warren Bailey <wbai...@satelliteintelligencegroup.com> wrote:
>> Look into pfsense. It's rock solid and BSD based, and can be purchased
>> as an appliance. (both real and vm)
>> 
>> 
>> Sent from my Mobile Device.
>> 
>> 
>> -------- Original message --------
>> From: William Herrin <b...@herrin.us>
>> Date: 07/30/2013 1:02 PM (GMT-08:00)
>> To: nanog@nanog.org
>> Subject: which firewall product?
>> 
>> 
>> Hi folks,
>> 
>> I'm trying to identify a firewall appliance for one of my customers.
>> The wrinkle is: it has to be able to inspect packets inside an IPIP
>> tunnel and accept/reject based on IP address, TCP port number and
>> standard things like that. On the packet carried *inside* the IPIP
>> tunnel packet.
>> 
>> 
>> From what I can tell, the Cisco ASA can't do this.
>> 
>> Linux iptables can (with the u32 match module) but the customer wants
>> an appliance, not a server.
>> 
>> What appliances do you know of that can do this? Is there a different
>> Cisco box? A Juniper firewall? Anything else?
>> 
>> Thanks in advance,
>> Bill Herrin
>> 
>> 
>> --
>> William D. Herrin ................ her...@dirtside.com  b...@herrin.us
>> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>> Falls Church, VA 22042-3004
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
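The u32 approach Bill mentions, as an added example that is my own code and not from anyone in the thread: a Python model of the header walk that an iptables u32 expression performs on a forwarded IPIP packet (outer IHL locates the inner IP header, inner IHL locates the inner TCP header), plus the equivalent --u32 string. All addresses and ports are constructed, and the rule form in the docstring assumes the tunnel traffic crosses the FORWARD chain.

```python
import ipaddress
import struct

IPENCAP = 4   # protocol number of the outer IPIP header ("ipencap" in /etc/protocols)
TCP = 6

def ipv4_header(src, dst, proto, payload_len, ihl_words=5):
    """Constructed IPv4 header; checksum left zero since nothing here validates it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + payload_len,
                      0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + bytes(4 * (ihl_words - 5))   # zero-filled options to reach the IHL

def ipip_tcp_packet(outer, inner, sport, dport, outer_ihl=5):
    """Constructed IPIP packet: outer IP -> inner IP -> bare 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_pkt = ipv4_header(inner[0], inner[1], TCP, len(tcp)) + tcp
    return ipv4_header(outer[0], outer[1], IPENCAP, len(inner_pkt), outer_ihl) + inner_pkt

def inner_fields(pkt):
    """Walk the headers the way the u32 expression does: outer IHL locates the inner
    IP header, inner IHL locates the inner TCP header. None if not TCP inside IPIP."""
    if pkt[9] != IPENCAP or pkt[6] & 0x1F or pkt[7]:   # skip non-IPIP and non-first fragments
        return None
    inner = pkt[(pkt[0] & 0x0F) * 4:]          # what "0>>22&0x3C @" hops to
    if inner[9] != TCP:
        return None
    tcp = inner[(inner[0] & 0x0F) * 4:]        # second "@" hop, onto the inner TCP header
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])), sport, dport)

def verdict(pkt, blocked_dst, blocked_dport):
    """ACCEPT/DROP decided on the *inner* destination and TCP port, not the tunnel endpoints."""
    f = inner_fields(pkt)
    return "DROP" if f and f[1] == blocked_dst and f[3] == blocked_dport else "ACCEPT"

def u32_expr(blocked_dst, blocked_dport):
    """Equivalent test, e.g.:  iptables -A FORWARD -p 4 -m u32 --u32 '<expr>' -j DROP
    (assumed rule placement; inner source address would be 0>>22&0x3C@12 instead of @16)."""
    dst = int(ipaddress.IPv4Address(blocked_dst))
    return (f"6&0xFF={IPENCAP} && 4&0x1FFF=0 && 0>>22&0x3C@16=0x{dst:08X} && "
            f"0>>22&0x3C@6&0xFF={TCP} && 0>>22&0x3C@0>>22&0x3C@0&0xFFFF={blocked_dport}")
```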

