External/WAN Filter Rule Examples

Basic Rules for a Strict WAN

WAN rules tend to be extremely strict in most environments, as they protect TNSR and hosts behind TNSR from untrusted hosts on remote networks.

Since VPF blocks everything by default, strict WAN rules can be quite short in common environments.

For example, the following ruleset blocks all inbound traffic because it contains no rules for the in direction, so the VPF default deny applies to every inbound packet. Its only rule passes outbound traffic statefully. This allows TNSR itself and hosts behind TNSR to make outbound connections through this interface, and reply traffic for those connections is admitted by state, but nothing on the remote side can initiate a new inbound connection.

tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# description Filter rules for WAN
tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to any destination
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# exit

Allow DHCP Client Traffic

If the WAN is configured as a DHCP client, the previous example is not sufficient to allow DHCP server responses back through. This is because the DHCP discovery and request process operates asymmetrically. The client sends its request to a broadcast address, yet the response comes directly from the DHCP server. That response cannot be automatically allowed back through, even though the outbound rule is stateful, because its addresses do not match the state created by the initial request.

This rule allows DHCP responses from the upstream server back to TNSR:

tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# rule 20
tnsr(config-vpf-filter-rule)# description Allow DHCP responses
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from port 67
tnsr(config-vpf-filter-rule)# to port 68
tnsr(config-vpf-filter-rule)# exit
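The following added Python model illustrates both rulesets above: the default-deny strict WAN with a single stateful outbound rule, and why the DHCP reply is only admitted once rule 20 exists. It is an educational simulation written for this page, not TNSR or VPF code; the first-match evaluation order, the state-tracking details and all addresses and ports (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Toy model of a default-deny stateful packet filter.

Added example, not TNSR's VPF implementation. It models only enough
behaviour to show why a stateful 'pass out' rule does not admit DHCP
server replies, and why an explicit inbound UDP 67 -> 68 rule does.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the WAN interface
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    proto: Optional[str] = None
    from_port: Optional[int] = None   # source port, like 'from port N'
    to_port: Optional[int] = None     # destination port, like 'to port N'
    stateful: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.proto is None or self.proto == pkt.proto)
                and (self.from_port is None or self.from_port == pkt.sport)
                and (self.to_port is None or self.to_port == pkt.dport))


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Rules are tried in ascending number; first match wins (assumption).
    A stateful pass records the 5-tuple so replies to it are admitted
    without consulting the rules again. Anything unmatched is blocked."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.states: Set[FlowKey] = set()

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt: Packet) -> FlowKey:
        # A reply swaps source and destination, so look the flow up reversed.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt: Packet) -> str:
        if self._key(pkt) in self.states or self._reply_key(pkt) in self.states:
            return "pass (state)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.stateful:
                    self.states.add(self._key(pkt))
                return f"{rule.action} (rule {rule.number})"
        return "block (default)"


def run_demo(include_dhcp_rule: bool) -> Dict[str, str]:
    """Replay a few constructed packets through the WAN-filter model."""
    rules = [Rule(10, "pass", "out", stateful=True)]            # rule 10 above
    if include_dhcp_rule:                                       # rule 20 above
        rules.append(Rule(20, "pass", "in", proto="udp",
                          from_port=67, to_port=68, stateful=True))
    fw = StatefulFilter(rules)

    # Constructed sample traffic. The DHCP request leaves from 0.0.0.0 to the
    # broadcast address, but the server answers from its own unicast address,
    # so the reply's reversed 5-tuple never matches the recorded state.
    discover = Packet("out", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
    offer = Packet("in", "udp", "203.0.113.1", 67, "255.255.255.255", 68)
    http_req = Packet("out", "tcp", "198.51.100.10", 40000, "203.0.113.80", 80)
    http_resp = Packet("in", "tcp", "203.0.113.80", 80, "198.51.100.10", 40000)
    unsolicited = Packet("in", "tcp", "203.0.113.99", 51515, "198.51.100.10", 22)

    return {
        "dhcp_discover": fw.check(discover),
        "dhcp_offer": fw.check(offer),
        "http_request": fw.check(http_req),
        "http_response": fw.check(http_resp),   # admitted by state
        "inbound_tcp_22": fw.check(unsolicited),  # no rule, no state: blocked
    }


if __name__ == "__main__":
    for with_rule_20 in (False, True):
        print(f"rule 20 present: {with_rule_20}")
        for name, verdict in run_demo(with_rule_20).items():
            print(f"  {name:15s} {verdict}")
```

Run as is, the first pass shows the DHCP offer falling to the default block while the HTTP response is admitted by state; the second pass, with rule 20, admits the offer explicitly while the unsolicited inbound connection attempt stays blocked in both cases.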