[164731] in North American Network Operators' Group
Re: which firewall product?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jul 30 19:07:14 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <0a63d3fc-4506-41ce-90f5-e38402f68b8a@email.android.com>
Date: Tue, 30 Jul 2013 15:57:41 -0700
To: Charles N Wyble <charles-lists@knownelement.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 30, 2013, at 13:10, Charles N Wyble <charles-lists@knownelement.com> wrote:
> Not sure how bsd handles ipip connections. If it breaks them out as a dedicated interface (like it does for openvpn connections), then rules can be applied and pfsense would be quite useful. The UI is very simple.
That would only work if the firewall were terminating the tunnel instead of passing the tunneled traffic through still inside the tunnel.
I believe Bill is looking for DPI on forwarded traffic and not to decapsulate the traffic prior to inspection.
Owen
>
> Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
>> Look into pfsense. It's rock solid and BSD based, and can be purchased as an appliance. (both real and vm)
>>
>> Sent from my Mobile Device.
>>
>> -------- Original message --------
>> From: William Herrin <bill@herrin.us>
>> Date: 07/30/2013 1:02 PM (GMT-08:00)
>> To: nanog@nanog.org
>> Subject: which firewall product?
>>
>> Hi folks,
>>
>> I'm trying to identify a firewall appliance for one of my customers.
>> The wrinkle is: it has to be able to inspect packets inside an IPIP
>> tunnel and accept/reject based on IP address, TCP port number and
>> standard things like that. On the packet carried *inside* the IPIP
>> tunnel packet.
>>
>> From what I can tell, the Cisco ASA can't do this.
>>
>> Linux iptables can (with the u32 match module) but the customer wants
>> an appliance, not a server.
>>
>> What appliances do you know of that can do this? Is there a different
>> Cisco box? A Juniper firewall? Anything else?
>>
>> Thanks in advance,
>> Bill Herrin
>>
>> --
>> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
>> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>> Falls Church, VA 22042-3004
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
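As an added illustration of the inner-header inspection Bill asks for (example code written for this archive page, not from the thread or from any product named in it), the Python below walks an IPIP packet using the outer and inner IHL fields, the same hop that iptables' u32 match performs with its `0>>22&0x3C@` idiom, and applies an accept/reject decision on the inner addresses and TCP ports without stripping the outer header. The sample packet, addresses, and policy values are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP (RFC 2003): value of the outer header's protocol field
IPPROTO_TCP = 6
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header (options follow if IHL > 5)

def parse_ipv4_header(buf, off):
    """Parse the IPv4 header at buf[off:]; return (src, dst, proto, header_len)."""
    if len(buf) - off < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_HDR, buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # options make this > 20: never assume a fixed 20
    if ihl < 20 or len(buf) - off < ihl:
        raise ValueError("bad IHL")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, ihl

def inner_flow(packet):
    """(inner_src, inner_dst, inner_proto, sport, dport) of an IPIP packet, or None if
    the outer protocol is not IPIP. The outer header is read, never stripped."""
    _, _, outer_proto, outer_ihl = parse_ipv4_header(packet, 0)
    if outer_proto != IPPROTO_IPIP:
        return None
    src, dst, proto, inner_ihl = parse_ipv4_header(packet, outer_ihl)
    sport = dport = None
    if proto == IPPROTO_TCP:
        l4 = outer_ihl + inner_ihl
        if len(packet) - l4 < 4:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack_from("!HH", packet, l4)  # ports are the first 4 bytes
    return src, dst, proto, sport, dport

def accept(packet, allowed_dst_net, allowed_ports):
    """Allow tunnelled TCP to allowed_dst_net (CIDR string) on allowed_ports; reject the rest."""
    flow = inner_flow(packet)
    if flow is None:
        return False
    _, dst, proto, _, dport = flow
    return dst in ipaddress.ip_network(allowed_dst_net) and proto == IPPROTO_TCP and dport in allowed_ports

def build_ipv4(src, dst, proto, payload):
    """Build a constructed test packet (checksum left zero; not validated here)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample: tunnel 192.0.2.1 -> 198.51.100.1 carrying 10.0.0.5 -> 10.0.1.80, TCP 40000 -> 80
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPIP,
                    build_ipv4("10.0.0.5", "10.0.1.80", IPPROTO_TCP, TCP_HDR))
```

Outer IP options are handled via the IHL arithmetic, but fragmented inner packets carry no TCP header and would need reassembly before any port decision.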