Reorder firewall rules

Is there a way to reorder firewall rules? I have been searching the documentation and I haven’t found a way to do this.

I know of no other way than to explicitly rename the rules to change their order, e.g.:

rename rule 11 to rule 12

Hmm, ok. This might be problematic if you have a list of rules like 10-15, for example, and you need to move rule 13 into rule 10’s place.

Or are you saying by doing this it will reorder the rest of the rules when this command is issued?

AFAIK you need to do this manually for every rule; no batch operation is supported. There is no intelligence for putting rules “in between”.

It might be a lot faster to copy your current config to a new config file, edit that in place and do a load in config mode.

Something like:

cp /config/config.boot /config/config.boot.new
vi /config/config.boot.new
# do the editing and save
config
load /config/config.boot.new
compare
# if satisfied...
commit

Change one rule number, and then use resequence from op-mode

generate firewall rule-resequence

But it still requires copy and paste.


Sorry, I am new to VyOS. Do you mean run the “rename rule” and then run “generate firewall rule-resequence”? I basically need to move a rule between other rules, if that makes sense.

Imagine this was your rules:

set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 1 action 'offload'
set firewall ipv4 forward filter rule 1 description 'Allow return traffic from inside network'
set firewall ipv4 forward filter rule 1 offload-target 'OFF_FLOW'
set firewall ipv4 forward filter rule 1 state 'established'
set firewall ipv4 forward filter rule 1 state 'related'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 inbound-interface name 'eth0.4040'
set firewall ipv4 forward filter rule 3 action 'drop'
set firewall ipv4 forward filter rule 3 description 'Bogons'
set firewall ipv4 forward filter rule 3 destination group network-group 'BOGONS'
set firewall ipv4 forward filter rule 3 log
set firewall ipv4 forward filter rule 3 outbound-interface name 'eth0.4040'

You would run the command Viacheslav mentioned from op mode (not configure mode):

l0crian@R86S:~$ generate firewall rule-resequence start 10 step 10 

It will spit something out like this (rules start at 10, and increment by 10):

set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 description 'Allow return traffic from inside network'
set firewall ipv4 forward filter rule 10 offload-target 'OFF_FLOW'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 inbound-interface name 'eth0.4040'
set firewall ipv4 forward filter rule 30 action 'drop'
set firewall ipv4 forward filter rule 30 description 'Bogons'
set firewall ipv4 forward filter rule 30 destination group network-group 'BOGONS'
set firewall ipv4 forward filter rule 30 log
set firewall ipv4 forward filter rule 30 outbound-interface name 'eth0.4040'

You then would enter configure mode, delete the existing firewall section(s) that you want to renumber, and paste in the new values:

l0crian@R86S:~$ configure 
l0crian@R86S# delete firewall ipv4 forward filter 
l0crian@R86S# set firewall ipv4 forward filter default-action 'drop'
l0crian@R86S# set firewall ipv4 forward filter rule 10 action 'offload'
l0crian@R86S# set firewall ipv4 forward filter rule 10 description 'Allow return traffic from inside network'
l0crian@R86S# set firewall ipv4 forward filter rule 10 offload-target 'OFF_FLOW'
l0crian@R86S# set firewall ipv4 forward filter rule 10 state 'established'
l0crian@R86S# set firewall ipv4 forward filter rule 10 state 'related'
l0crian@R86S# set firewall ipv4 forward filter rule 20 action 'accept'
l0crian@R86S# set firewall ipv4 forward filter rule 20 inbound-interface name 'eth0.4040'
l0crian@R86S# set firewall ipv4 forward filter rule 30 action 'drop'
l0crian@R86S# set firewall ipv4 forward filter rule 30 description 'Bogons'
l0crian@R86S# set firewall ipv4 forward filter rule 30 destination group network-group 'BOGONS'
l0crian@R86S# set firewall ipv4 forward filter rule 30 log
l0crian@R86S# set firewall ipv4 forward filter rule 30 outbound-interface name 'eth0.4040'
l0crian@R86S# commit

Then they should all be reordered:

l0crian@R86S# show firewall | commands | match action | no-match default
set ipv4 forward filter rule 10 action 'offload'
set ipv4 forward filter rule 20 action 'accept'
set ipv4 forward filter rule 30 action 'drop'

After you do that, you’ll have room between each rule to do what marc_s mentioned to move a rule before/after another rule:

l0crian@R86S# edit firewall ipv4 forward filter 
l0crian@R86S# rename rule 30 to rule 15
l0crian@R86S# compare commands 
delete firewall ipv4 forward filter rule 30 action 'drop'
delete firewall ipv4 forward filter rule 30 description 'Bogons'
delete firewall ipv4 forward filter rule 30 destination group network-group 'BOGONS'
delete firewall ipv4 forward filter rule 30 log
delete firewall ipv4 forward filter rule 30 outbound-interface name 'eth0.4040'
set firewall ipv4 forward filter rule 15 action 'drop'
set firewall ipv4 forward filter rule 15 description 'Bogons'
set firewall ipv4 forward filter rule 15 destination group network-group 'BOGONS'
set firewall ipv4 forward filter rule 15 log
set firewall ipv4 forward filter rule 15 outbound-interface name 'eth0.4040'
l0crian@R86S# commit

Thank you for your answer. I feel like this is a bit much for a simple (maybe not so simple) function. Is there a reason it is built like this? This could possibly be simpler to automate with a python script to pull the current rules, tell it which number to be placed where (before or after destination rule number) and then have it reorder based on rule position.
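The script proposed above, and the resequence-then-rename procedure shown earlier in the thread, can be put together as one small tool. The following is an added example, not code from the VyOS project or from anyone in this thread: it reads the `set` lines that `show configuration commands` prints for one rule-set, moves a chosen rule before or after a target rule, renumbers everything with a start/step like `generate firewall rule-resequence`, and prints the `delete`/`set` commands to paste into configure mode. The sample rule-set below is constructed from the three rules used earlier; the regular expression assumes the VyOS 1.4 `firewall ipv4|ipv6 <hook> filter` and `firewall ipv4|ipv6 name <NAME>` paths shown in this thread and nothing else.

```python
"""Reorder VyOS firewall rules offline (added example, not VyOS project code)."""
import re
from typing import Dict, List, Tuple

# One 'set <ruleset path> rule N <rest>' line as printed by
# 'show configuration commands'. Assumption: VyOS 1.4 rule-set paths,
# either '<hook> filter' (forward/input/output) or 'name <NAME>'.
RULE_RE = re.compile(
    r"^set (?P<path>firewall ipv[46] (?:\S+ filter|name \S+)) rule (?P<num>\d+)(?P<rest>.*)$"
)

# Constructed sample input: the three-rule forward filter from the thread.
SAMPLE = """\
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 1 action 'offload'
set firewall ipv4 forward filter rule 1 description 'Allow return traffic from inside network'
set firewall ipv4 forward filter rule 1 offload-target 'OFF_FLOW'
set firewall ipv4 forward filter rule 1 state 'established'
set firewall ipv4 forward filter rule 1 state 'related'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 inbound-interface name 'eth0.4040'
set firewall ipv4 forward filter rule 3 action 'drop'
set firewall ipv4 forward filter rule 3 description 'Bogons'
set firewall ipv4 forward filter rule 3 destination group network-group 'BOGONS'
set firewall ipv4 forward filter rule 3 log
set firewall ipv4 forward filter rule 3 outbound-interface name 'eth0.4040'
"""


def parse_rules(text: str) -> Tuple[str, Dict[int, List[str]]]:
    """Group 'set ... rule N <rest>' lines by rule number.

    Returns the rule-set path (e.g. 'firewall ipv4 forward filter') and a
    dict {rule_number: [rest-of-line, ...]}. Non-rule lines such as
    default-action are skipped: they are not renumbered and must stay as-is.
    """
    path = None
    rules: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        if path is None:
            path = m.group("path")
        elif m.group("path") != path:
            raise ValueError(f"mixed rule-sets: {path!r} vs {m.group('path')!r}")
        rules.setdefault(int(m.group("num")), []).append(m.group("rest"))
    if path is None:
        raise ValueError("no rule lines found")
    return path, rules


def move_rule(order: List[int], rule: int, target: int, before: bool = True) -> List[int]:
    """Return a new evaluation order with `rule` placed before/after `target`."""
    if rule == target:
        raise ValueError("rule and target are the same")
    if rule not in order or target not in order:
        raise ValueError("unknown rule number")
    new = [r for r in order if r != rule]
    idx = new.index(target)
    new.insert(idx if before else idx + 1, rule)
    return new


def resequence(order: List[int], start: int = 10, step: int = 10) -> Dict[int, int]:
    """Map old rule numbers to new ones in the given order (like rule-resequence)."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    return {old: start + i * step for i, old in enumerate(order)}


def render(path: str, rules: Dict[int, List[str]], mapping: Dict[int, int]) -> List[str]:
    """Emit configure-mode commands: delete every old rule, then set every new one.

    Deleting all old numbers first means a new number can never merge into a
    still-existing old rule (e.g. old rule 2 becoming 30 while old rule 30 exists).
    Only the rules are touched, so default-action and groups survive unchanged.
    """
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("new rule numbers collide")
    cmds = [f"delete {path} rule {old}" for old in rules]
    for old, new in mapping.items():
        cmds.extend(f"set {path} rule {new}{rest}" for rest in rules[old])
    return cmds


def reorder(text: str, rule: int, target: int, before: bool = True,
            start: int = 10, step: int = 10) -> List[str]:
    """Full pipeline: parse, move one rule, resequence, render commands."""
    path, rules = parse_rules(text)
    order = move_rule(sorted(rules), rule, target, before)
    return render(path, rules, resequence(order, start, step))


if __name__ == "__main__":
    # Move the Bogons rule (3) ahead of the accept rule (2), then renumber 10/20/30.
    print("\n".join(reorder(SAMPLE, rule=3, target=2, before=True)))
```

Paste the printed commands into configure mode and run `compare` before `commit`, exactly as in the earlier posts; because the script deletes only `rule N` nodes, the `default-action` line is left alone rather than removed and re-added.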

Damn it, how didn’t I know this command existed until now?

Same here, no shame on you @tjh.

Ahh, it’s not in 1.3, that’s why I haven’t found it.

Same here! Wouldn’t it be great to have such feature for other rules (NAT, route maps, prefix lists, etc.)?
