A question about Vyos firewall rules

Hello,

I want to ask: if I have some rules saying accept or drop and I didn’t delete them completely, is it affecting the rules after?

Best Regards,

You may want to check the firewall documentation.
check this link

Nftables, which VyOS currently uses (the older iptables and ipchains from the Linux kernel work the same), is a “top-down”, aka “first-match”, firewall.

Meaning the first rule that matches the current packet (when read top-down) and its action is what will happen to this packet, and no other rules will be processed (compared to pf and ipf from the FreeBSD world, which are “best-match”, where a later rule can overrule previous rules because the later rule is more specific).

This behaviour of “top-down”/“first-match” is the same as you will have when using ACLs in a Cisco, Arista etc. switch/router.

Rule 10: src=, action=drop
Rule 20: src=, action=accept

With VyOS (that is nftables, iptables and ipchains in Linux kernels), a packet that arrives with srcip= will match on rule 10 (since is within) and no other rules will be evaluated. Meaning the packet will be dropped.

While with FreeBSD (pf and ipf), a packet that arrives with srcip= will be evaluated against all rules, and rule 20, which is more specific (defines /32 instead of /24), will win and the packet will be accepted.
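The two evaluation models described above, and the original poster's worry about a leftover rule shadowing later ones, as an added simulation that is not code from the thread or from VyOS. The rule numbers mirror the post's example, but the addresses (192.0.2.0/24 and 192.0.2.10/32) are constructed sample values because the thread's own addresses are not on the page; the best-match model here is a simplified longest-prefix comparison, not a full reimplementation of pf/ipf semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int   # rule number, evaluated in ascending order
    src: str      # source prefix in CIDR notation
    action: str   # "accept" or "drop"


# Constructed sample ruleset: a broad drop left in place before a narrower accept.
RULES = [
    Rule(10, "192.0.2.0/24", "drop"),
    Rule(20, "192.0.2.10/32", "accept"),
]


def _net(rule: Rule) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(rule.src, strict=False)


def matches(rule: Rule, src_ip: str) -> bool:
    """True if the packet's source address falls inside the rule's prefix."""
    return ipaddress.ip_address(src_ip) in _net(rule)


def first_match(rules: List[Rule], src_ip: str, default: str = "drop") -> Tuple[Optional[int], str]:
    """nftables/iptables model: the first matching rule (lowest number) decides,
    and nothing after it is evaluated. Falls back to the chain's default action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src_ip):
            return rule.number, rule.action
    return None, default


def best_match(rules: List[Rule], src_ip: str, default: str = "drop") -> Tuple[Optional[int], str]:
    """Simplified pf/ipf-style model: every rule is evaluated and the most specific
    matching prefix wins; on equal prefix length the later rule overrides."""
    winner: Optional[Rule] = None
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src_ip):
            if winner is None or _net(rule).prefixlen >= _net(winner).prefixlen:
                winner = rule
    if winner is None:
        return None, default
    return winner.number, winner.action


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Under first-match, a rule whose prefix lies entirely inside an earlier rule's
    prefix can never be reached. This is exactly the leftover-rule problem from the
    question: the stale rule keeps deciding, and later rules are dead weight."""
    ordered = sorted(rules, key=lambda r: r.number)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _net(later).subnet_of(_net(earlier)):
                dead.append(later.number)
                break
    return dead


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99", "198.51.100.1"):
        print(ip, "first-match ->", first_match(RULES, ip), "best-match ->", best_match(RULES, ip))
    print("rules unreachable under first-match:", shadowed_rules(RULES))
```

Running `shadowed_rules` over an exported ruleset is a cheap audit: any rule it reports is one that a half-deleted broader rule above it has silently disabled, which is the situation the question describes.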