Incoming traffic is not filtered firewall on the eth0 interface if vrf is used. This example does not block ssh access to the router. Configuration:
```
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group MGT-IP address '192.168.122.220'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name MGT-LOCAL default-action 'drop'
set firewall name MGT-LOCAL description 'MGT-LOCAL'
set firewall name MGT-LOCAL rule 910 action 'accept'
set firewall name MGT-LOCAL rule 910 description 'Allow SSH Login'
set firewall name MGT-LOCAL rule 910 destination port '22'
set firewall name MGT-LOCAL rule 910 log 'enable'
set firewall name MGT-LOCAL rule 910 protocol 'tcp'
set firewall name MGT-LOCAL rule 910 source group address-group 'MGT-IP'
set firewall name MGT-LOCAL rule 910 state established 'enable'
set firewall name MGT-LOCAL rule 910 state new 'enable'
set firewall name MGT-LOCAL rule 910 state related 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '192.168.122.100/24'
set interfaces ethernet eth0 firewall local name 'MGT-LOCAL'
set interfaces ethernet eth0 vrf 'MGT'
set service ssh listen-address '192.168.122.100'
set service ssh port '22'
set service ssh vrf 'MGT'
set vrf name MGT table '200'
```
The problem is that vrf changes the name of the interface "eth0" to "MGT" and the rule does not filtering incoming packets:
```
trace id ce7870ee ip filter VYATTA_FW_LOCAL_HOOK packet: iif "MGT" ether saddr 0c:50:ab:54:00:00 ether daddr 0c:33:f8:61:00:00 ip saddr 192.168.122.220 ip daddr 192.168.122.100 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 10429 ip length 52 tcp sport 49263 tcp dport 22 tcp flags == syn tcp window 8192
```
If you change the configuration:
```
set interfaces ethernet eth0 firewall in name 'MGT-LOCAL'
```
The firewall rule does not filter incoming traffic. The input interface "eth0" still name "MGT":
```
The firewall rule does not filter incoming traffic.trace id db39c263 ip filter VYATTA_FW_IN_HOOK packet: iif "MGT" oif "eth1" ether saddr 0c:50:ab:54:00:00 ether daddr 0c:33:f8:61:00:00 ip saddr 192.168.122.220 ip daddr 192.168.123.2 ip dscp cs0 ip ecn not-ect ip ttl 127 ip id 17604 ip length 52 tcp sport 49274 tcp dport 22 tcp flags == syn tcp window 8192
```