After defining firewall instances, you can apply them to interfaces, where the instances act as packet filters. Firewall instances filter packets in one of the following ways, depending on what direction you specify when you apply the firewall instance:

in: If you apply firewall instances with the in direction, the firewall filters packets entering the interface. These packets can be traversing the vRouter or be destined for the router.

out: If you apply instances with the out direction, the firewall filters packets leaving the interface. These packets can be traversing the vRouter or originating on the vRouter.

local: If you apply instances with the local, the firewall filters packets destined for the vRouter. The special interface "lo" can be used to affect packets received on any interface. Note that these instances are run after any "in" instances that may be on the interface.

You can apply many firewall instances to an interface on each direction. They are applied in the order that they are configured on the interface and direction.