VPF Filtering

VPF filters packets in a manner similar to traditional ACLs, but with more flexibility in certain areas.

VPF collects rules into groups known as rulesets, and then these rulesets get associated with an interface to activate VPF filtering on that interface.

Behavior Notes

Before proceeding, there are a few important things to note about the behavior of filtering in VPF:

  • VPF processes filtering operations before NAT operations in any direction.

  • Interfaces not associated with a VPF ruleset will pass all traffic, since VPF is not attached to those interfaces.

    This can strike a balance between security and performance: it reduces the load on VPF, since VPF does not have to process traffic which would all be passed anyhow. The best practice, however, is typically to filter on every interface so that packets are only allowed to/from the intended networks.

    Traffic which enters TNSR via such an interface still has to be passed by the outbound rules of whichever interface it leaves through, if that interface has a ruleset.

  • Interfaces can only have one ruleset, so that ruleset must include both inbound and outbound rules.

  • When VPF is active on an interface, any traffic not passed explicitly is blocked. This includes traffic in both directions.

    This is ideal for external interfaces, since commonly traffic is only allowed outbound and little, if anything, is allowed inbound. However, on internal interfaces most rulesets will need to explicitly allow traffic outbound from TNSR itself.

  • Stateful inspection passes response packets for the same session on the same interface, but it does not pass traffic for that session on other interfaces.
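The behavior notes above can be checked against a small model. The following Python is an added example, not TNSR's own code or a description of its implementation: it models rulesets attached to at most one interface, pass-all on unattached interfaces, default deny once a ruleset is attached, per-interface session state, and filtering evaluated before outbound NAT. The interface names, addresses and rules are constructed for the example, and first-match-wins rule ordering is an assumption of the model rather than something this page states.

```python
# Toy model of the VPF behavior notes (added example, not TNSR code).
# Assumption: within a ruleset the first matching rule decides the verdict.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str               # "in" or "out"
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any value
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    stateful: bool = False       # record the session when this rule passes a packet

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and self.proto in (None, pkt.proto)
                and self.src in (None, pkt.src)
                and self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport))


class VpfModel:
    def __init__(self):
        self.rulesets = {}   # ruleset name -> list of Rule
        self.attached = {}   # interface -> ruleset name (at most one per interface)
        self.snat = {}       # interface -> public source address for outbound NAT
        self.states = set()  # (interface, proto, src, sport, dst, dport)

    def add_ruleset(self, name, rules):
        self.rulesets[name] = list(rules)

    def attach(self, iface, name):
        self.attached[iface] = name

    def filter(self, iface, direction, pkt):
        """Return 'pass' or 'block' for one packet crossing one interface."""
        name = self.attached.get(iface)
        if name is None:
            return "pass"  # no ruleset: VPF is not attached, so everything passes
        # A reply to a tracked session passes, but only on the interface holding the state.
        if (iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass"
        for rule in self.rulesets[name]:
            if rule.matches(pkt, direction):
                if rule.action == "pass" and rule.stateful:
                    self.states.add((iface, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "block"  # VPF is active here and nothing passed the packet explicitly

    def forward(self, pkt, in_iface, out_iface):
        """Inbound filter, outbound filter, then outbound NAT: filtering precedes NAT."""
        if (self.filter(in_iface, "in", pkt) == "block"
                or self.filter(out_iface, "out", pkt) == "block"):
            return "block", pkt
        if out_iface in self.snat:
            pkt = replace(pkt, src=self.snat[out_iface])  # the rules above saw the private source
        return "pass", pkt


def build_model():
    """Constructed topology: inside (no ruleset), dmz and outside (rulesets), SNAT on outside."""
    vpf = VpfModel()
    vpf.add_ruleset("edge", [
        Rule("out", "block", src="10.0.0.99"),  # keyed on the pre-NAT address
        Rule("out", "pass", proto="tcp", dport=443),
    ])
    vpf.add_ruleset("dmz-rules", [
        Rule("out", "pass", proto="tcp", dst="172.16.0.10", dport=80, stateful=True),
    ])
    vpf.attach("outside", "edge")
    vpf.attach("dmz", "dmz-rules")
    vpf.snat["outside"] = "203.0.113.10"
    return vpf


def run_scenarios():
    vpf = build_model()
    web = Packet("tcp", "10.0.0.5", 50000, "172.16.0.10", 80)
    web_reply = Packet("tcp", "172.16.0.10", 80, "10.0.0.5", 50000)
    r = {}
    # inside has no ruleset, so anything passes there
    r["inside_passes_all"] = vpf.filter("inside", "in", Packet("udp", "10.0.0.7", 1, "10.0.0.8", 2))
    # inside -> dmz web server is passed by the dmz outbound rule, which creates state on dmz
    r["inside_to_dmz"] = vpf.forward(web, "inside", "dmz")[0]
    # the reply is passed on dmz by that state, but not on another interface
    r["reply_on_dmz"] = vpf.filter("dmz", "in", web_reply)
    r["reply_on_outside"] = vpf.filter("outside", "in", web_reply)
    # unsolicited inbound on outside hits the default deny
    r["unsolicited_inbound"] = vpf.filter("outside", "in", Packet("tcp", "198.51.100.1", 4444, "203.0.113.10", 22))
    # TNSR itself sending DNS out of dmz needs an explicit outbound rule; there is none
    r["tnsr_self_out_dmz"] = vpf.filter("dmz", "out", Packet("udp", "172.16.0.1", 5353, "172.16.0.10", 53))
    # the block rule on a private source matches because filtering runs before NAT
    r["blocked_host_pre_nat"] = vpf.forward(Packet("tcp", "10.0.0.99", 40000, "198.51.100.1", 443), "inside", "outside")[0]
    verdict, translated = vpf.forward(Packet("tcp", "10.0.0.5", 40001, "198.51.100.1", 443), "inside", "outside")
    r["allowed_host_post_nat"] = (verdict, translated.src)
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running the script prints one verdict per scenario. The two results worth comparing are `reply_on_dmz` versus `reply_on_outside` (the same reply packet, passed by state on the interface that created it and blocked elsewhere) and `blocked_host_pre_nat`, where an outbound block on a private address still matches even though the packet would leave with a translated source.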