Latest rolling image many open ports by default

I'm just a happy community member myself and have nothing to do with whatever decisions the VyOS maintainers make.

For me, I prefer the new syntax, but that's probably since I have been using iptables since around the year 2000. Nowadays nft (nftables) is the userland tool to be used to program the firewall in the Linux kernel.

With that being said, I wouldn't be surprised if the zone-based approach would return (but based on the new syntax) in the future.

I'm currently doing my own template for that, where my approach compared to the original zone-based syntax is to only care about traffic towards a zone (fewer zones to keep track of).

Hopefully it will become good enough to become a template for future zone-based syntax if that will return.

Wall of text (note that the below has default drop for the FORWARD filter and default allow for the INPUT/OUTPUT filters, so you will probably need to adjust things if you want to use my template below):

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-source-validation 'strict'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options resolver-cache
set firewall global-options resolver-interval '60'
set firewall global-options send-redirects 'disable'
set firewall global-options source-validation 'strict'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group interface-group DMZ interface 'eth2'
set firewall group interface-group LAN interface 'eth3'
set firewall group interface-group MGMT interface 'eth0'
set firewall group interface-group WAN interface 'eth1'
set firewall group ipv6-network-group V6_DMZ
set firewall group ipv6-network-group V6_LAN
set firewall group ipv6-network-group V6_MGMT
set firewall group ipv6-network-group V6_WAN network '::/0'
set firewall group network-group V4_BOGONS network '0.0.0.0/8'
set firewall group network-group V4_BOGONS network '10.0.0.0/8'
set firewall group network-group V4_BOGONS network '100.64.0.0/10'
set firewall group network-group V4_BOGONS network '127.0.0.0/8'
set firewall group network-group V4_BOGONS network '169.254.0.0/16'
set firewall group network-group V4_BOGONS network '172.16.0.0/12'
set firewall group network-group V4_BOGONS network '192.0.0.0/24'
set firewall group network-group V4_BOGONS network '192.0.2.0/24'
set firewall group network-group V4_BOGONS network '192.168.0.0/16'
set firewall group network-group V4_BOGONS network '198.18.0.0/15'
set firewall group network-group V4_BOGONS network '198.51.100.0/24'
set firewall group network-group V4_BOGONS network '203.0.113.0/24'
set firewall group network-group V4_BOGONS network '224.0.0.0/4'
set firewall group network-group V4_BOGONS network '240.0.0.0/4'
set firewall group network-group V4_DMZ network '192.168.2.0/24'
set firewall group network-group V4_LAN network '192.168.3.0/24'
set firewall group network-group V4_MGMT network '192.168.56.0/24'
set firewall group network-group V4_RFC1918 network '10.0.0.0/8'
set firewall group network-group V4_RFC1918 network '172.16.0.0/12'
set firewall group network-group V4_RFC1918 network '192.168.0.0/16'
set firewall group network-group V4_WAN network '192.168.1.0/24'
set firewall group network-group V4_WAN network '0.0.0.0/0'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state established 'enable'
set firewall ipv4 forward filter rule 10 state related 'enable'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 state invalid 'enable'
set firewall ipv4 forward filter rule 30 action 'jump'
set firewall ipv4 forward filter rule 30 jump-target 'V4_TO_WAN'
set firewall ipv4 forward filter rule 30 outbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 jump-target 'V4_TO_DMZ'
set firewall ipv4 forward filter rule 40 outbound-interface interface-group 'DMZ'
set firewall ipv4 forward filter rule 50 action 'jump'
set firewall ipv4 forward filter rule 50 jump-target 'V4_TO_LAN'
set firewall ipv4 forward filter rule 50 outbound-interface interface-group 'LAN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state established 'enable'
set firewall ipv4 input filter rule 10 state related 'enable'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 state invalid 'enable'
set firewall ipv4 input filter rule 999999 action 'accept'
set firewall ipv4 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 999999 source address '127.0.0.0/8'
set firewall ipv4 name V4_TO_DMZ default-action 'drop'
set firewall ipv4 name V4_TO_LAN default-action 'drop'
set firewall ipv4 name V4_TO_MGMT default-action 'drop'
set firewall ipv4 name V4_TO_WAN default-action 'drop'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 10 action 'accept'
set firewall ipv4 output filter rule 10 state established 'enable'
set firewall ipv4 output filter rule 10 state related 'enable'
set firewall ipv4 output filter rule 20 action 'drop'
set firewall ipv4 output filter rule 20 state invalid 'enable'
set firewall ipv4 output filter rule 999999 action 'accept'
set firewall ipv4 output filter rule 999999 destination address '127.0.0.0/8'
set firewall ipv4 output filter rule 999999 outbound-interface interface-name 'lo'
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 10 action 'accept'
set firewall ipv6 forward filter rule 10 state established 'enable'
set firewall ipv6 forward filter rule 10 state related 'enable'
set firewall ipv6 forward filter rule 20 action 'drop'
set firewall ipv6 forward filter rule 20 state invalid 'enable'
set firewall ipv6 forward filter rule 30 action 'jump'
set firewall ipv6 forward filter rule 30 jump-target 'V6_TO_WAN'
set firewall ipv6 forward filter rule 30 outbound-interface interface-group 'WAN'
set firewall ipv6 forward filter rule 40 action 'jump'
set firewall ipv6 forward filter rule 40 jump-target 'V6_TO_DMZ'
set firewall ipv6 forward filter rule 40 outbound-interface interface-group 'DMZ'
set firewall ipv6 forward filter rule 50 action 'jump'
set firewall ipv6 forward filter rule 50 jump-target 'V6_TO_LAN'
set firewall ipv6 forward filter rule 50 outbound-interface interface-group 'LAN'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 state established 'enable'
set firewall ipv6 input filter rule 10 state related 'enable'
set firewall ipv6 input filter rule 20 action 'drop'
set firewall ipv6 input filter rule 20 state invalid 'enable'
set firewall ipv6 input filter rule 999999 action 'accept'
set firewall ipv6 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv6 input filter rule 999999 source address '::1/128'
set firewall ipv6 name V6_TO_DMZ default-action 'drop'
set firewall ipv6 name V6_TO_LAN default-action 'drop'
set firewall ipv6 name V6_TO_MGMT default-action 'drop'
set firewall ipv6 name V6_TO_WAN default-action 'drop'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 10 action 'accept'
set firewall ipv6 output filter rule 10 state established 'enable'
set firewall ipv6 output filter rule 10 state related 'enable'
set firewall ipv6 output filter rule 20 action 'drop'
set firewall ipv6 output filter rule 20 state invalid 'enable'
set firewall ipv6 output filter rule 999999 action 'accept'
set firewall ipv6 output filter rule 999999 destination address '::1/128'
set firewall ipv6 output filter rule 999999 outbound-interface interface-name 'lo'

So with the above template, stuff that VyOS runs itself, like SSH, VRRP, DHCP server etc., must be allowed for in the INPUT/OUTPUT filters (preferably change the default-action to drop).

But all the regular firewalling (between interfaces/zones) goes into the V4_TO_ / V6_TO_.

Technically zones are just interface-groups.

Edit 230930: Turns out that state established and related can be defined in the same rule nowadays, so the above example is now updated for that.

Edit 231007: Added ipv6-source-validation strict so uRPF strict (BCP38) is used for both IPv4 and IPv6. Your use case might need to change "strict" to "loose".

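As an added example that is not part of the original post: a small Python audit of a `set firewall` dump that models the template's jump-by-outbound-interface-group dispatch (which named chain a new flow ends up in and that chain's default-action) and lists chains that still default to accept, the thing the post suggests changing for INPUT/OUTPUT. It assumes a VyOS 1.4-style dump; `SAMPLE` is a constructed excerpt of the template above.

```python
# Added example (not from the post or VyOS): audit a 'set firewall' dump for the
# zone-by-outbound-interface dispatch. SAMPLE is a constructed excerpt of the template.
from collections import defaultdict

SAMPLE = """\
set firewall group interface-group DMZ interface 'eth2'
set firewall group interface-group LAN interface 'eth3'
set firewall group interface-group WAN interface 'eth1'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 30 action 'jump'
set firewall ipv4 forward filter rule 30 jump-target 'V4_TO_WAN'
set firewall ipv4 forward filter rule 30 outbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 jump-target 'V4_TO_DMZ'
set firewall ipv4 forward filter rule 40 outbound-interface interface-group 'DMZ'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 name V4_TO_DMZ default-action 'drop'
set firewall ipv4 name V4_TO_WAN default-action 'drop'
"""

def parse(dump):
    """Return (iface -> group, forward rule num -> fields, chain -> default-action)."""
    groups, rules, defaults = {}, defaultdict(dict), {}
    for line in dump.splitlines():
        t = line.replace("'", "").split()
        if t[:2] != ["set", "firewall"]:
            continue
        if t[2:4] == ["group", "interface-group"] and t[5] == "interface":
            groups[t[6]] = t[4]                      # the interface-group is the "zone"
        elif t[2:6] == ["ipv4", "forward", "filter", "rule"]:
            if t[7:9] == ["outbound-interface", "interface-group"]:
                rules[int(t[6])]["out-group"] = t[9]
            else:
                rules[int(t[6])][t[7]] = t[8]        # action / jump-target
        elif t[-2] == "default-action":
            defaults[" ".join(t[2:-2])] = t[-1]      # e.g. "ipv4 name V4_TO_WAN"
    return groups, rules, defaults

def resolve_forward(out_iface, groups, rules, defaults):
    """Chain and default-action that a new flow leaving out_iface ends up in."""
    zone = groups.get(out_iface)
    for num in sorted(rules):                        # VyOS evaluates rules by number
        r = rules[num]
        if zone and r.get("action") == "jump" and r.get("out-group") == zone:
            return r["jump-target"], defaults.get(f"ipv4 name {r['jump-target']}", "?")
    return "forward filter", defaults.get("ipv4 forward filter", "?")

def permissive_chains(defaults):
    """Chains still defaulting to accept, which the post suggests changing to drop."""
    return sorted(c for c, a in defaults.items() if a == "accept")
```

Run it against a full `show configuration commands | grep firewall` dump to see, per outbound interface, which `V4_TO_*` chain a flow is dispatched to and which base chains remain accept-by-default.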