Best Practices for Configuring TNSR ACLs to Secure a Containerized Webserver
-
Hi TNSR Community,
I’m exploring the best ways to configure Access Control Lists (ACLs) in TNSR to secure a containerized webserver exposed through the dataplane, and I’d love to hear your approaches for robust setups.
Details:
Setup: TNSR (v25.02, Home+Lab ISO), Ubuntu 22.04, deployed on bare metal with VPP and DPDK, running a containerized nginx webserver (port 80) via Docker.
Context: I’m exposing the webserver through the TNSR dataplane, following the VPP nginx example (https://docs.netgate.com/tnsr/en/latest/usecases/nginx.html).
Observation: The ACL allows HTTP traffic, but I’m concerned about potential vulnerabilities like packet fragmentation attacks or unintended access from other ports. The TNSR ACL docs (https://docs.netgate.com/tnsr/en/latest/acl/index.html) mention basic filtering but lack details on advanced protections.
Steps Tried:
Applied the ACL to the dataplane interface (GigabitEthernet0/0/0) via TNSR CLI and verified with show acl.
Tested connectivity with curl from an external client, confirming HTTP access.
Checked /var/log/vnet.log for ACL drops, but no clear indicators of fragmentation issues.
Reserved CPU cores for TNSR/DPDK to avoid resource contention with Docker, per community suggestions.
Goal: Secure the webserver with a robust ACL setup that minimizes attack surfaces while maintaining performance.
Questions:
What are your recommended best practices for configuring TNSR ACLs to secure containerized apps (e.g., nginx) on the dataplane?
How do you handle protection against packet fragmentation attacks or other advanced threats with TNSR ACLs? Are they equivalent to VPP ACLs?
Any tips for logging or debugging ACL rules to ensure only intended traffic is allowed?
For those running similar setups, how do you balance ACL granularity with TNSR’s high-performance routing?
I’d appreciate any insights or configurations you’ve found effective for securing webserver traffic! Thanks in advance.
-
Hi,
For securing your nginx webserver with TNSR ACLs, I recommend:
ACL Best Practices: Use specific rules to allow TCP port 80/443, deny all else on GigabitEthernet0/0/0. Apply permit tcp src any dst <webserver-ip> 80 and 443 via TNSR CLI.
Fragmentation Attacks: Enable fragment-checking in VPP ACLs (TNSR ACLs use VPP) to drop malformed fragments.
Logging/Debugging: Enable ACL logging with set acl <acl-name> log and check /var/log/vnet.log for drops. Use vppctl show acl-plugin acl for detailed rule stats.
Performance Balance: Keep ACLs lean (e.g., <100 rules) to maintain VPP/DPDK throughput. Group rules by protocol/port for efficiency.
This setup minimized attack surfaces while keeping my TNSR setup performant. Hope it helps!
Cheers,
Tryrone Jackson -
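The allow-list the answer above describes, written out as a TNSR CLI session (an added example, not from the original post or the Netgate docs). It assumes the ACL rule and interface command syntax shown in the TNSR 25.x CLI; the webserver address 203.0.113.10 is a constructed documentation value, and the ACL name webserver-in is arbitrary.

```tnsr
# Added example: inbound allow list for the containerized nginx, applied to
# GigabitEthernet0/0/0. 203.0.113.10 is a constructed placeholder address.
tnsr(config)# acl webserver-in
tnsr(config-acl)# description Inbound allow list for containerized nginx
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# description Allow HTTP to the webserver only
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# destination address 203.0.113.10/32
tnsr(config-acl-rule)# destination port 80
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# description Allow HTTPS to the webserver only
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# destination address 203.0.113.10/32
tnsr(config-acl-rule)# destination port 443
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 100
tnsr(config-acl-rule)# description Explicit catch-all deny for everything else inbound
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# interface GigabitEthernet0/0/0
tnsr(config-interface)# access-list input acl webserver-in sequence 10
tnsr(config-interface)# exit
tnsr(config)# exit
tnsr# show acl webserver-in
```

Rule numbers leave gaps so further permits (for example a management-only SSH rule scoped to a source prefix) can be added ahead of the final deny without renumbering, and the explicit deny keeps the intended default visible in show acl output.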
Hi @Tyronejackson839,
Thanks for the awesome advice! Your ACL tips worked perfectly—enabling fragment-checking and lean rules secured my nginx webserver without sacrificing performance. Really appreciate your detailed help!
Best,
David James | Founder of The Yes No Button!