[AusNOG] Application Firewall Recommendations

Tony td_miles at yahoo.com
Fri Aug 9 14:54:35 EST 2013



The only issues we've had with pfsense are to do with PPTP. The main issue being that it isn't capable of inspecting outbound PPTP sessions and maintaining a table similar to an outbound NAT table (am I making sense?). The problem that occurs is that you can only have ONE PPTP session up between any client on the inside and any server on the outside. So if you have users on the inside of a pfsense box and two of them try to fire up a PPTP session to the SAME remote endpoint, it won't work, as it can't identify the two sessions in any way: they have the same source (outside public IP of the firewall), the same remote destination and the same protocol (GRE). Even inbound PPTP isn't the easiest either if you want to have outbound at the same time; you need to NAT outbound to a different public IP so it doesn't mess with inbound (which is fine if you have multiple public IPs, but a bit harder if you only have a single IP).


Who still uses PPTP, you might say? It's insecure, get rid of it, I hear? The problem is the remote side of things, which you don't control, and users in dept X absolutely have to connect to vendor Y via a PPTP session to do something "really important".


Other than PPTP issues, we have no problems with it and have many pfsense firewalls deployed around the place.



regards,
Tony.
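A small model of the state-table problem Tony describes, added here as an illustration and not code from pfSense or from anyone on the thread. A PPTP tunnel is a TCP/1723 control connection plus a GRE (IP protocol 47) data stream. TCP flows carry ports, so a NAT can keep many of them apart behind one public IP; GRE carries no ports, and the only per-tunnel field is the PPTP call ID in the GRE header (RFC 2637). A NAT that keys GRE state on (public IP, remote IP, protocol) alone collapses every inside client's tunnel to one server into a single entry, so the second client loses. A PPTP-aware NAT keys on the call ID too and rewrites it when two inside clients happen to pick the same one. All addresses, ports and call IDs below are constructed.

```python
"""Outbound NAT with and without PPTP awareness (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_TCP = 6
PROTO_GRE = 47
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class OutboundPacket:
    inside_src: str
    dst: str
    proto: int
    src_port: Optional[int] = None   # TCP only
    call_id: Optional[int] = None    # GRE/PPTP only: the call ID the remote peer echoes back


class OutboundNat:
    """Minimal stateful outbound NAT. pptp_aware=False behaves like the firewall Tony describes."""

    def __init__(self, public_ip: str, pptp_aware: bool = False) -> None:
        self.public_ip = public_ip
        self.pptp_aware = pptp_aware
        self.table: Dict[Tuple, str] = {}                 # translation key -> owning inside host
        self.call_id_rewrites: Dict[Tuple[str, int], int] = {}  # (inside host, original id) -> new id

    def _key(self, pkt: OutboundPacket) -> Tuple:
        if pkt.proto == PROTO_TCP:
            # TCP has ports; inside ports are kept as-is here for brevity,
            # a real NAT would re-allocate a public port on collision.
            return (self.public_ip, pkt.dst, PROTO_TCP, pkt.src_port)
        if pkt.proto == PROTO_GRE and self.pptp_aware:
            # PPTP-aware: the GRE call ID tells tunnels apart
            return (self.public_ip, pkt.dst, PROTO_GRE, pkt.call_id)
        # Plain GRE: nothing beyond the 3-tuple is available to the NAT
        return (self.public_ip, pkt.dst, pkt.proto)

    def _free_call_id(self, dst: str) -> int:
        for candidate in range(1, 0x10000):
            if (self.public_ip, dst, PROTO_GRE, candidate) not in self.table:
                return candidate
        raise RuntimeError("no free call ID")

    def translate_outbound(self, pkt: OutboundPacket) -> bool:
        """True if the packet gets a state entry, False if another inside host already owns it."""
        key = self._key(pkt)
        owner = self.table.get(key)
        if owner is None or owner == pkt.inside_src:
            self.table[key] = pkt.inside_src
            return True
        if pkt.proto == PROTO_GRE and self.pptp_aware and pkt.call_id is not None:
            # Two inside hosts chose the same call ID: rewrite ours to a free one,
            # the way a PPTP NAT helper does, and remember the mapping for replies.
            new_id = self._free_call_id(pkt.dst)
            self.table[(self.public_ip, pkt.dst, PROTO_GRE, new_id)] = pkt.inside_src
            self.call_id_rewrites[(pkt.inside_src, pkt.call_id)] = new_id
            return True
        return False


def simulate(pptp_aware: bool, call_ids: Tuple[int, int] = (1, 2)) -> List[bool]:
    """Two inside clients bring up PPTP tunnels to the SAME vendor server.

    Returns, per client, whether both its control connection and its GRE stream
    were accepted by the NAT.
    """
    nat = OutboundNat("203.0.113.10", pptp_aware=pptp_aware)   # constructed public IP
    vendor = "198.51.100.5"                                      # constructed remote endpoint
    clients = (("10.0.0.11", 50001, call_ids[0]), ("10.0.0.12", 50002, call_ids[1]))
    results = []
    for host, port, call_id in clients:
        ctl = nat.translate_outbound(OutboundPacket(host, vendor, PROTO_TCP, src_port=port))
        gre = nat.translate_outbound(OutboundPacket(host, vendor, PROTO_GRE, call_id=call_id))
        results.append(ctl and gre)
    return results


if __name__ == "__main__":
    print("plain GRE tracking:", simulate(False))      # second client's tunnel fails
    print("PPTP-aware tracking:", simulate(True))      # both tunnels come up
```

With plain GRE tracking the TCP/1723 control connection of the second client succeeds but its GRE stream is refused, which matches the symptom in the post: the control channel negotiates, then the tunnel never carries data. Giving the outbound side its own public IP, as Tony does to keep inbound PPTP working, simply moves the collision onto a different 3-tuple; it does not add a second tunnel to the same server.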






>________________________________
> From: Joshua D'Alton <joshua at railgun.com.au>
>To: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com> 
>Cc: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net> 
>Sent: Friday, 9 August 2013 1:26 PM
>Subject: Re: [AusNOG] Application Firewall Recommendations
> 
>
>
>pfsense is pretty hard to beat as a fairly full-featured firewall; I've used it in a lot of situations that don't warrant the cost of a Cisco or similar setup. Works brilliantly in a VM as well.
>
>
>