Hello ,
I want to ask: if I have some rules saying accept or drop and I didn’t delete them completely, are they affecting the rules after?
Best Regards,
You may want to check the firewall documentation.
Check this link:
https://docs.vyos.io/en/sagitta/configuration/firewall/index.html
Nftables, which VyOS currently uses (the older iptables and ipchains from the Linux kernel work the same), is a “top-down” aka “first-match” firewall.
Meaning the first rule that matches the current packet (when read top-down) and its action is what will happen to this packet, and no other rules will be processed (compared to pf and ipf from the FreeBSD world, which are “best-match”, where a later rule can overrule previous rules because the later rule is more specific).
This behaviour of “top-down”/“first-match” is the same as you will have when using ACLs in a Cisco, Arista etc. switch/router.
Example:
Rule 10: src=10.0.0.0/24, action=drop
Rule 20: src=10.0.0.1/32, action=accept
With VyOS (that is nftables, iptables and ipchains in Linux kernels) a packet that arrives with srcip=10.0.0.1 will match on rule 10 (since 10.0.0.1 is within 10.0.0.0/24) and no other rules will be evaluated. Meaning the packet will be dropped.
While with FreeBSD (pf and ipf) a packet that arrives with srcip=10.0.0.1 will be evaluated against all rules, and rule 20, which is more specific (defines /32 instead of /24), will win and the packet will be accepted.
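As an added illustration (not part of the answer above, and not VyOS or nftables code), the following Python script simulates the two evaluation orders the answer describes: a first-match evaluator in the style of nftables/iptables and Cisco-style ACLs, and a last-match evaluator in which every rule is evaluated and the last match wins (pf's default behaviour for rules without the `quick` keyword). It also lists the rules that can never be reached under first-match because an earlier rule already covers every packet they would match, which is the check worth running when a rule may have been only partly deleted. The rule set (the answer's rules 10 and 20 plus a rule 30), the leftover rule 5 and the sample packet are constructed for this example; treating a rule with no match criteria as matching every packet is this simulation's own assumption and should be verified against the VyOS documentation linked above before relying on it for a real ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # source CIDR; None means any source
    dst: Optional[str] = None    # destination CIDR; None means any destination
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, pkt: dict) -> bool:
        """True if every criterion set on this rule matches the packet.
        Assumption of this simulation: a rule with no criteria matches everything."""
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def _by_number(rules):
    return sorted(rules, key=lambda r: r.number)


def first_match(rules, pkt, default="drop"):
    """nftables/iptables/ACL style: the first matching rule (lowest number) decides."""
    for rule in _by_number(rules):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default, None


def last_match(rules, pkt, default="drop"):
    """pf style without 'quick': all rules are evaluated and the last match wins."""
    winner = None
    for rule in _by_number(rules):
        if rule.matches(pkt):
            winner = rule
    if winner is None:
        return default, None
    return winner.action, winner.number


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    def net_covers(an, bn):
        if an is None:           # "any" covers everything
            return True
        if bn is None:           # a specific network cannot cover "any"
            return False
        return ipaddress.ip_network(bn).subnet_of(ipaddress.ip_network(an))

    return (net_covers(a.src, b.src)
            and net_covers(a.dst, b.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed_rules(rules):
    """Numbers of rules that can never fire under first-match evaluation,
    because some earlier rule covers every packet they would match."""
    ordered = _by_number(rules)
    dead = []
    for i, later in enumerate(ordered):
        if any(_covers(earlier, later) for earlier in ordered[:i]):
            dead.append(later.number)
    return dead


# Constructed sample ruleset: the answer's rules 10 and 20, plus a rule 30.
RULES = [
    Rule(10, "drop", src="10.0.0.0/24"),
    Rule(20, "accept", src="10.0.0.1/32"),
    Rule(30, "accept", dst="192.0.2.10/32", dport=443),
]

# Constructed "half-deleted" rule: criteria removed, action still set.
LEFTOVER = [Rule(5, "drop")] + RULES

# Constructed sample packet from 10.0.0.1, matching the answer's example.
PACKET = {"src": "10.0.0.1", "dst": "198.51.100.5", "dport": 22}

if __name__ == "__main__":
    print("first-match:", first_match(RULES, PACKET))
    print("last-match: ", last_match(RULES, PACKET))
    print("shadowed in RULES:   ", shadowed_rules(RULES))
    print("shadowed in LEFTOVER:", shadowed_rules(LEFTOVER))
```

Under first-match the packet from 10.0.0.1 is dropped by rule 10 and rule 20 is reported as shadowed; under last-match the same packet is accepted by rule 20. With the leftover rule 5 in place, every rule after it is shadowed, which is the situation the question is asking about: a rule that kept its action but lost its match criteria silences everything below it.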