[AusNOG] Application Firewall Recommendations

Damien Gardner Jnr rendrag at rendrag.net
Fri Aug 9 15:33:34 EST 2013


We've seen the same thing.  That said, I haven't worked with a firewall 
product which DID allow this, since it's the GRE component which would 
need to be inspected.  We've gotten around this by NATing each client 
internally onto their own public IP address for outbound TCP port 1723 
and outbound GRE.

We're also having a lot of issues with gateway groups NOT failing over 
for existing stateful sessions when the default gateway goes down.  We 
have a symmetrical link plus a bunch of ADSL links at each of our 
offices, and the config should be that if one ADSL link goes down, we 
don't care, we just start sending traffic out the next.  Except that 
does not happen if someone has already accessed a specific website via 
the ADSL link which went down - they can no longer access that website 
unless we do a full state reset on the firewall.

I thought it was just one 'bad' pfsense install, but we have three sites 
showing the same issue.

--DG


On 9/08/2013 2:54 PM, Tony wrote:
>
> The only issues we've had with pfsense are to do with PPTP. The main 
> issue being that it isn't capable of inspecting outbound PPTP sessions 
> and maintaining a table similar to an outbound NAT table (am I making 
> sense). The problem that occurs is that you can only have ONE PPTP 
> session up between any client on the inside and any server on the 
> outside. So if you have users on the inside of a pfsense box and two 
> of them try to fire up a PPTP session to the SAME remote endpoint, it 
> won't work as it can't identify the two sessions in any way as they 
> have the same source (outside public IP of the firewall) and same 
> remote destination and same protocol (GRE). Even inbound PPTP isn't 
> the easiest either if you want to have outbound at the same time, you 
> need to NAT outbound to a different public IP so it doesn't mess with 
> inbound (which is fine if you have multiple public IPs, but a bit 
> harder if you only have a single IP).
>
> Who still uses PPTP you might say ? It's insecure, get rid of it I 
> hear ? The problem is the remote side of things which you don't 
> control and users in dept X absolutely have to connect to vendor Y via 
> a PPTP session to do something "really important".
>
> Other than PPTP issues, we have no problems with it and have many 
> pfsense firewalls deployed around the place.
>
>
> regards,
> Tony.
>
>
>
>     ------------------------------------------------------------------------
>     *From:* Joshua D'Alton <joshua at railgun.com.au>
>     *To:* Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
>     *Cc:* "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
>     *Sent:* Friday, 9 August 2013 1:26 PM
>     *Subject:* Re: [AusNOG] Application Firewall Recommendations
>
>     pfsense is pretty hard to beat as a fairly full-featured firewall,
>     I've used it in a lot of situations that don't warrant the cost of
>     a cisco or similar setup. Works brilliantly in a VM as well.
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
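The following is an added example, not code from the thread or from pfSense, that models the NAT behaviour Tony and Damien describe: a toy connection-tracking table that uses port address translation (PAT) for TCP but, lacking a PPTP-aware ALG, keys GRE flows only on (protocol, source IP, destination IP). PPTP's GRE header (RFC 2637) does carry a Call ID that an inspecting firewall could use to tell the sessions apart, which is the "GRE component which would need to be inspected"; this toy tracks GRE statelessly, as the thread says pfSense does. The client addresses, server address, public IPs and the table layout are all constructed for the example. It shows two clients behind one public IP colliding on the GRE leg, and the per-client-public-IP workaround from the thread succeeding.

```python
"""Toy NAT state table: why PAT multiplexes TCP but not PPTP's GRE leg.

Added example for the AusNOG PPTP discussion; all addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP = 6
GRE = 47


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


# What the outside sees: (proto, external src IP, dst IP, external sport, dport)
Key = Tuple[int, str, str, Optional[int], Optional[int]]


class NatTable:
    """Outbound NAT with PAT for TCP and stateless (port-less) GRE tracking."""

    def __init__(self, policy: Dict[str, str]):
        # policy: internal client IP -> public IP its traffic is sourced from
        self.policy = policy
        self.out: Dict[Key, Flow] = {}   # translated key -> original flow
        self._next_port = 40000          # PAT source-port allocator

    def translate(self, flow: Flow) -> Optional[Key]:
        """Return the translated key, or None if the translation would collide.

        A collision means reply packets could not be mapped back to a single
        internal client, so the firewall has to refuse the second flow.
        """
        ext_ip = self.policy[flow.src]
        if flow.proto == TCP:
            # PAT: a fresh source port keeps every TCP flow distinct even when
            # many clients share ext_ip and talk to the same server.
            sport = self._next_port
            self._next_port += 1
            key: Key = (TCP, ext_ip, flow.dst, sport, flow.dport)
        else:
            # GRE has no ports, so without inspecting the GRE payload there is
            # nothing to rewrite: the key is just (proto, ext_ip, dst).
            key = (flow.proto, ext_ip, flow.dst, None, None)
        existing = self.out.get(key)
        if existing is not None and existing != flow:
            return None
        self.out[key] = flow
        return key


def open_pptp(table: NatTable, client: str, server: str) -> bool:
    """A PPTP session needs the TCP/1723 control channel AND a GRE tunnel."""
    control = table.translate(Flow(TCP, client, server, 50000, 1723))
    tunnel = table.translate(Flow(GRE, client, server))
    return control is not None and tunnel is not None


def two_clients_shared_ip() -> Tuple[bool, bool]:
    """Both clients behind one public IP: the second GRE leg collides."""
    table = NatTable({"192.168.10.11": "203.0.113.1",
                      "192.168.10.12": "203.0.113.1"})
    server = "198.51.100.5"
    return (open_pptp(table, "192.168.10.11", server),
            open_pptp(table, "192.168.10.12", server))


def two_clients_per_client_ip() -> Tuple[bool, bool]:
    """Damien's workaround: each client NATed onto its own public IP."""
    table = NatTable({"192.168.10.11": "203.0.113.11",
                      "192.168.10.12": "203.0.113.12"})
    server = "198.51.100.5"
    return (open_pptp(table, "192.168.10.11", server),
            open_pptp(table, "192.168.10.12", server))


def two_tcp_clients_shared_ip() -> Tuple[bool, bool]:
    """Control: plain TCP from both clients multiplexes fine under PAT."""
    table = NatTable({"192.168.10.11": "203.0.113.1",
                      "192.168.10.12": "203.0.113.1"})
    a = table.translate(Flow(TCP, "192.168.10.11", "198.51.100.5", 50000, 443))
    b = table.translate(Flow(TCP, "192.168.10.12", "198.51.100.5", 50000, 443))
    return (a is not None, b is not None)


if __name__ == "__main__":
    print(two_clients_shared_ip())       # (True, False)
    print(two_clients_per_client_ip())   # (True, True)
    print(two_tcp_clients_shared_ip())   # (True, True)
```

The shared-IP case fails on the second client's GRE leg only; its TCP/1723 control channel translates fine, which matches the "only ONE PPTP session to the same remote endpoint" symptom. In pf terms the workaround is a per-client outbound NAT rule limited to TCP port 1723 and protocol GRE, sourced from a distinct public IP per client, which is only viable with a block of public addresses, as Tony notes.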
