which firewall product?

Hi folks,

I'm trying to identify a firewall appliance for one of my customers.
The wrinkle is: it has to be able to inspect packets inside an IPIP
tunnel and accept/reject based on IP address, TCP port number and
standard things like that. On the packet carried *inside* the IPIP
tunnel packet.

From what I can tell, the Cisco ASA can't do this.

Linux iptables can (with the u32 match module) but the customer wants
an appliance, not a server.

What appliances do you know of that can do this? Is there a different
Cisco box? A Juniper firewall? Anything else?

Thanks in advance,
Bill Herrin

Look into pfSense. It's rock solid and BSD based, and can be purchased as an appliance (both real and VM).

Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated interface (like it does for OpenVPN connections), then rules can be applied and pfSense would be quite useful. The UI is very simple.

In the pfSense UI, you create the physical interface as a GRE tunnel
then assign it to a logical interface against which you can apply the
firewall rules:

The screenshot is a GIF IPv6 he.net tunnel (this is 2.1RC0) but it works
the same way on 2.0.1.

Works great!


Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
packets. Linux LVS emits IPIP encapsulated packets when the target
server is non-local. I have no option to emit GRE or another kind of
tunnel packet.

Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
can, but I'd prefer not to. What I want to do is look inside at the
packet encapsulated by IPIP. Even if I have to hand-crank the rules in
terms of byte X inside the packet should be value Y.

Thanks again,
Bill Herrin
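As an added example (not from this thread, and not code from any product named in it): the "byte X inside the packet should be value Y" approach written out as iptables u32 expressions, plus a small offline evaluator for the u32 expression grammar so the rules can be checked against a constructed IPIP-encapsulated TCP SYN before they go anywhere near a live box. The evaluator is my own simplified reading of the xt_u32 semantics (4-byte big-endian loads counted from the start of the IP header, `>>` and `&` operators, `@` adding the value computed so far to the base offset, and a read past the end of the packet never matching); the addresses, ports and sample packet are constructed, not captured.

```python
import re
import struct
import ipaddress

# --- iptables u32 rules that inspect the packet carried INSIDE an IPIP tunnel ---
# Offsets count from the start of the outer IPv4 header. "0>>22&0x3C@" reads the
# outer IHL, multiplies it by 4 and makes that the new base offset, so everything
# after the "@" is relative to the inner IPv4 header. Check these against the
# u32 section of iptables-extensions(8) before deploying; they are constructed here.
OUTER_IS_IPIP = "6&0xFF=4"      # outer protocol byte (offset 9) == 4, IP-in-IP
OUTER_NOT_FRAG = "4&0x1FFF=0"   # outer fragment offset == 0 (first/only fragment)
TO_INNER = "0>>22&0x3C@"        # skip the outer header (IHL*4 bytes)


def inner_dst_rule(dst):
    """u32 expression: inner destination address (inner offset 16) equals dst."""
    return " && ".join([OUTER_IS_IPIP, OUTER_NOT_FRAG,
                        TO_INNER + "16=0x%08X" % int(ipaddress.IPv4Address(dst))])


def inner_tcp_dport_rule(dport):
    """u32 expression: inner packet is unfragmented TCP with destination port dport."""
    return " && ".join([
        OUTER_IS_IPIP, OUTER_NOT_FRAG,
        TO_INNER + "6&0xFF=6",        # inner protocol byte == 6, TCP
        TO_INNER + "4&0x1FFF=0",      # inner fragment offset == 0
        # skip the inner header as well; the first TCP word is sport<<16 | dport
        TO_INNER + TO_INNER + "0&0xFFFF=%d" % dport,
    ])


# --- minimal evaluator for the u32 grammar (assumption: mirrors xt_u32; offline use only) ---
_NUM = r"(?:0x[0-9A-Fa-f]+|\d+)"
_SEGMENT = re.compile(r"^(%s)((?:(?:>>|&)%s)*)$" % (_NUM, _NUM))
_OPERATOR = re.compile(r"(>>|&)(%s)" % _NUM)


def _in_ranges(value, spec):
    """Right-hand side of a test: comma-separated values or lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo, 0) <= value <= int(hi or lo, 0):
            return True
    return False


def _eval_test(test, pkt):
    lhs, rhs = test.split("=")
    base = 0
    value = 0
    for seg in lhs.split("@"):
        m = _SEGMENT.match(seg.strip())
        if m is None:
            raise ValueError("bad u32 segment: %r" % seg)
        at = base + int(m.group(1), 0)
        if at < 0 or at + 4 > len(pkt):
            return False                  # a load past the end of the packet never matches
        value = struct.unpack_from("!I", pkt, at)[0]
        for op, n in _OPERATOR.findall(m.group(2)):
            value = value >> int(n, 0) if op == ">>" else value & int(n, 0)
        base += value                     # only consumed if another '@' segment follows
    return _in_ranges(value, rhs.strip())


def u32_match(expr, pkt):
    """True if every '&&'-joined test in expr matches the packet bytes."""
    return all(_eval_test(t, pkt) for t in expr.split("&&"))


# --- constructed sample traffic (not a capture): LVS-style IPIP-encapsulated TCP SYN ---
def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tcp_header(sport, dport):
    # 20-byte SYN, no options; checksum left at zero since u32 never verifies it
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_ipip_packet(outer_src, outer_dst, inner_src, inner_dst, sport, dport):
    tcp = tcp_header(sport, dport)
    inner = ipv4_header(inner_src, inner_dst, 6, len(tcp)) + tcp
    return ipv4_header(outer_src, outer_dst, 4, len(inner)) + inner


if __name__ == "__main__":
    pkt = build_ipip_packet("192.0.2.1", "192.0.2.2", "10.0.0.5", "10.0.0.9", 40000, 80)
    for rule in (inner_dst_rule("10.0.0.9"), inner_tcp_dport_rule(80), inner_tcp_dport_rule(443)):
        print(u32_match(rule, pkt), " iptables -A FORWARD -p 4 -m u32 --u32 '%s' -j ACCEPT" % rule)
```

The two fragment tests are what keep this honest: a non-first fragment of the outer packet carries no inner header at all, so without `4&0x1FFF=0` an ACCEPT rule keyed on inner bytes would be matching whatever payload happens to sit at those offsets. The same applies one level down for the inner packet, which is why the port rule checks the inner fragment offset too. Anything the rules do not explicitly accept should fall through to a drop.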

Well, I guess my first question is: Is this a design you are stuck with for
some reason or alternately, is there a good reason for it, and I need to be
educated as to real world design? It seems rather odd to put a firewall
boundary between a LB and its associated cluster as opposed to in front of
the LB.

I've looked into something like this before for unrelated issues, and never
really was very happy with the results.


Hi Bill,

I found nDPI (http://www.ntop.org/products/ndpi/) lists IP in IP as a
supported protocol. That doesn't fit your requirement that it be an
appliance but maybe it gets you going in the right direction.



Paperwork. The customer owns 3 servers in a system consisting of
a hundred or so. He wants his security people to accredit it. They
won't accredit individual servers, so his options were: duplicate the
full system just for him (very expensive) or create a security
boundary where he can say, "This is my enclave. Accredit my enclave."

Naturally his security people decide that they don't want the
firewalls to be additional servers running Linux. That would make it
far too easy to secure his system. I don't yet know if they'd accept
an appliance running Linux underneath. :confused:


Aren't there appliance versions that are just iptables/linux under the hood?

For example, IPCop, IPFire, Smoothwall, Untangle, and Vyatta should fit the bill.


Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated interface (like it does for OpenVPN connections), then rules can be applied and pfSense would be quite useful. The UI is very simple.

That would only work if the firewall were terminating the tunnel instead of passing the tunneled traffic through still inside the tunnel.

I believe Bill is looking for DPI on forwarded traffic and not to decapsulate the traffic prior to inspection.


Hi folks,

I don't know about IPIP tunnel inspection; it seems like an odd
requirement to me, unless you mean _preventing_ IPIP tunnels from
being established, in that case a non-appliance solution may be
necessary. Is the IPIP tunnel supposed to land on the firewall; or
to traverse it? I would encourage looking at Checkpoint / Palo
Alto / Stonegate / Sonicwall / some others.

I think LAN "firewall products" that cannot do SSL decryption
and application identification (regardless of TCP port number) have
begun to outlive their usefulness; the ASA pretty much falls in
that category unless you bought lots of expensive addons, and unless
Cisco finally fixed all the nasty bugs that occur if you actually
attempted to use the deep protocol inspection features?

If this were me, I would give Stonegate a call and explain what I
wanted to have happen. They are knowledgeable and kind folks.
I can't speculate about the IPIP tunnels, but they will be able to give
you an answer.
I have used their products and found them to be very good.
Then again, this is just me. Good luck solving your problem.

Understood. I expected as much but thought I'd ask. Most of my suggestions
would require more knowledge of the layout to be filtered out.

I really don't know what you'd find that would do what you want in this
case, based on the requirements stated previously. Sorry =/

I'd look more to finding a way to make it a truly isolated unit that they
could audit personally, instead of a distributed zone with boundaries in
the middle.


oh! DPI? just use Sandvine? Comcast says that they work well...

If the tunnel is to be terminated on this firewall device I would say look into a Mikrotik box. Alternatively you could make Cisco's IOS firewall / zone based firewall do this. So look into an ISR?

I'm pretty sure you can do this with any modern firewall... An ASA5505 is
always a good bet.

You'd just have to route the IPIP packets to a hairpin interface on the
firewall, then create a policy that handles packets coming inbound from the
hairpin. Policies for handling traffic with that as the source interface
would be able to filter based on layer-3 info as normal.

The trick is, as mentioned, to route the de-encapsulated traffic back into
the firewall. A quick googling shows a related example of this for the ASA
here: http://nat0.net/cisco-asa-hairpinning/

Jason Pack
Network Security Engineer - SevOne
4550 New Linden Hill Rd, Wilmington, DE, 19808
p: 302-319-5400 | m: 302-464-0253
e: jpack@sevone.com | w: www.SevOne.com

Hi Jason,

Hairpinning. So, set a router in there with a policy set on the
inbound IPIP tunnel to forward all traffic out an Ethernet to the ASA.
Then once I get it back on another Ethernet from the ASA, use another
policy route to push it all to an outbound tunnel interface.

I hadn't considered that. Yikes, I'm not sure I want to. :slight_smile:

Bill Herrin