Best way to organise firewall rules

As the avid reader will know, I’m working on automated migration of Sophos UTM firewalls to VyOS.

Sophos UTM is object based, so you have a firewall rule that says “traffic from these objects to these objects using these protocols and these ports is allowed”.

So say I have a rule that defines:
source objects: NETWORKGROUP1, NETWORKGROUP2, NETWORKADDRESS1
destination objects: NETWORKGROUP3,NETWORKADDRESS1,NETWORKADDRESS2
service objects: 80-tcp, 443-tcp, 22-tcp, 143-udp, 445-tcp

As I understand, a VyOS firewall (I assume because of the underlying nftables) can only have one source, one destination, one protocol and one port or port-range per rule.

Does this mean I have to do something like
set firewall ipv4 forward filter rule 1 description 'TEST'
set firewall ipv4 forward filter rule 1 action jump
set firewall ipv4 forward filter rule 1 jump-target FWR000001
set firewall ipv4 name FWR000001 default-action return
set firewall ipv4 name FWR000001 rule 1 source group network-group NETWORKGROUP1
set firewall ipv4 name FWR000001 rule 1 destination group network-group NETWORKGROUP3
set firewall ipv4 name FWR000001 rule 1 protocol tcp
set firewall ipv4 name FWR000001 rule 1 destination port 80
set firewall ipv4 name FWR000001 rule 1 action accept

And so on, for every possible combination of source, destination and service (so 3 x 3 x 5 = 45 separate rules for FWR000001)? Times 2 if all source and destination objects define both IPv4 and IPv6 addresses?

Or can this be done a lot smarter and compacter than this?

You can do this with VyOS:

network-group SOURCEGROUPS {
    description "All My Source Groups"
    include NETWORKGROUP1
    include NETWORKGROUP2
    include NETWORKGROUP3
}
network-group DESTGROUPS {
    description "All My Destination Groups"
    include NETWORKGROUP3
    include NETWORKGROUP2
    include NETWORKGROUP1
}

Then you can do

name test {
    rule 10 {
        action accept
        protocol tcp_udp
        destination {
            group {
                network-group DESTGROUPS
            }
            port 80,443,22,143,445
        }
        source {
            group {
                network-group SOURCEGROUPS
            }
        }
    }
}

etc etc.

Hope this helps.

Thanks,

I found this yesterday in the source; the docs are severely lacking in some areas.

I’ve already started coding for this consolidation. I’ve consolidated protocol and ports, I now have to do the same for addresses and network groups.

And then I should have it reduced to a maximum of 32 rules, which is still a very large number:

  • 1 x UDP + all ports
  • 1 x TCP + all ports
  • 4 x IPv4 (address groups + network groups, source and destination)
  • 4 x IPv6 (address groups + network groups, source and destination)

I have a feeling this can still be improved?
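The consolidation discussed in the answer and in the follow-up (nested groups via include, one port list per protocol, and the remaining address-group/network-group split), as an added example that is not code from this thread or from the VyOS project. It assumes VyOS 1.4 syntax (network-group / ipv6-network-group with network and include members, port-group, and firewall ipv4/ipv6 name chains), uses constructed object data, and reuses the chain name FWR000001 from the question:

```python
"""Consolidate one Sophos-UTM-style object rule into VyOS 1.4 ``set`` commands.

Added example for this thread, not code from the posts or from VyOS. Assumed 1.4
keywords: network-group / ipv6-network-group (members 'network' and 'include'),
port-group, and 'firewall ipv4|ipv6 name' chains; hosts become /32 or /128
network-group members, so no address-group or group-type combinations are needed.
"""
from __future__ import annotations
import ipaddress

# Constructed sample object database: name -> members. A member is either an
# IP address / network literal or the name of another object (nested group).
OBJECTS: dict[str, list[str]] = {
    "NETWORKGROUP1": ["10.1.0.0/24", "10.1.1.0/24", "2001:db8:1::/64"],
    "NETWORKGROUP2": ["NETWORKGROUP1", "10.2.0.0/16"],
    "NETWORKGROUP3": ["192.0.2.0/24"],
    "NETWORKADDRESS1": ["198.51.100.10", "2001:db8::10"],
    "NETWORKADDRESS2": ["198.51.100.11"],
}
SERVICES = ["80-tcp", "443-tcp", "22-tcp", "143-udp", "445-tcp"]  # "<port>-<proto>", as in the question
# Per address family: group definition keyword, rule tree keyword (assumed 1.4 syntax).
FAMILY = {4: ("network-group", "ipv4"), 6: ("ipv6-network-group", "ipv6")}


def _literal_family(member: str) -> int | None:
    """4 or 6 for an IP/network literal, None if it names another object."""
    try:
        return ipaddress.ip_network(member, strict=False).version
    except ValueError:
        return None


def _nonempty(name: str, objects: dict, fam: int, path: tuple = ()) -> bool:
    """True if ``name`` contributes an address of family ``fam``; ``path`` cuts cycles."""
    if name in path:
        return False
    for m in objects[name]:
        mf = _literal_family(m)
        if mf == fam or (mf is None and _nonempty(m, objects, fam, path + (name,))):
            return True
    return False


def compile_rule(chain: str, src: list[str], dst: list[str],
                 services: list[str], objects: dict) -> list[str]:
    """Return the VyOS ``set`` lines implementing one object-based accept rule."""
    lines: list[str] = []
    # 1. One port-group per protocol: rules per family = protocols, not services,
    #    and no port leaks to the other protocol as a shared tcp_udp list would.
    ports: dict[str, list[str]] = {}
    for svc in services:
        port, proto = svc.rsplit("-", 1)
        ports.setdefault(proto, []).append(port)
    for proto, plist in ports.items():
        for p in plist:
            lines.append(f"set firewall group port-group {chain}_{proto.upper()} port {p}")
    for fam, (node, tree) in FAMILY.items():
        # 2. One VyOS group per referenced object, defined once per family and only
        #    if it has members of that family; nested objects become 'include'.
        todo, done = list(src) + list(dst), set()
        while todo:
            name = todo.pop()
            if name in done or not _nonempty(name, objects, fam):
                continue
            done.add(name)
            for m in objects[name]:
                mf = _literal_family(m)
                if mf == fam:  # a host literal becomes a /32 or /128 member
                    net = ipaddress.ip_network(m, strict=False)
                    lines.append(f"set firewall group {node} {name}_V{fam} network {net}")
                elif mf is None and _nonempty(m, objects, fam, (name,)):
                    lines.append(f"set firewall group {node} {name}_V{fam} include {m}_V{fam}")
                    todo.append(m)
        # 3. One aggregate group per side; a side with no member of this family
        #    means nothing to match, so that family gets no rule at all.
        sides = {s: [n for n in names if n in done]
                 for s, names in (("SRC", src), ("DST", dst))}
        if not all(sides.values()):
            continue
        for side, used in sides.items():
            for n in used:
                lines.append(f"set firewall group {node} {chain}_{side}_V{fam} include {n}_V{fam}")
        # 4. One rule per protocol in the per-family chain (rule 10, 20, ...).
        lines.append(f"set firewall {tree} name {chain} default-action return")
        for i, proto in enumerate(ports, start=1):
            r = f"set firewall {tree} name {chain} rule {i * 10}"
            lines += [f"{r} protocol {proto}",
                      f"{r} source group network-group {chain}_SRC_V{fam}",
                      f"{r} destination group network-group {chain}_DST_V{fam}",
                      f"{r} destination group port-group {chain}_{proto.upper()}",
                      f"{r} action accept"]
    return lines


def rule_count(lines: list[str]) -> int:
    """Number of firewall rules in the output (one 'action accept' per rule)."""
    return sum(line.endswith(" action accept") for line in lines)
```

Calling compile_rule("FWR000001", ["NETWORKGROUP1", "NETWORKGROUP2", "NETWORKADDRESS1"], ["NETWORKGROUP3", "NETWORKADDRESS1", "NETWORKADDRESS2"], SERVICES, OBJECTS) yields four accept rules (one per protocol per address family) instead of 45, because host objects are stored as /32 or /128 entries in the same network-group as the networks, which removes the address-group/network-group split behind the count of 32. Two caveats: keep one port-group per protocol rather than a single port list with protocol tcp_udp, since the latter also accepts 143/tcp and 80/udp, which the Sophos rule never allowed; and confirm the exact group keywords with commit on the VyOS release in use, since the documentation for these nodes is thin.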