Is it possible to use both zone-based and interface-based firewall on the same interface?
My guess is no, but VyOS applies the config without error when I assign the interface to a zone, commit, and then assign a firewall to the interface. (case#1)
And if I enter all of the configuration and then commit, VyOS returns an error that “interface eth1 has firewall rule-set configured, cannot be defined under a zone”.
Case#1 : no error
set firewall name internet_to_global
set zone-policy zone global interface 'eth1'
commit
set interfaces ethernet eth1 firewall local name 'internet_to_global'
commit
(no error)
Case#2 : error
set firewall name internet_to_global
set zone-policy zone global interface 'eth1'
set interfaces ethernet eth1 firewall local name 'internet_to_global'
commit
interface eth1 has firewall rule-set configured, cannot be defined under a zone
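
Added example, not part of the original post and not VyOS code: a small audit that reads configuration in the set-command form used above and reports any interface that is both a zone member and has a per-interface rule-set bound to it, so the Case#1 end state is flagged even though the commit succeeded. It parses only the two command forms shown in the post; the name find_conflicts and the eth2/lan_in sample line are constructed for illustration.

```python
import shlex

# Constructed sample: the Case#1 end state from the post, plus one
# unrelated interface (eth2 / lan_in are made up for the example).
SAMPLE = """\
set firewall name internet_to_global
set zone-policy zone global interface 'eth1'
set interfaces ethernet eth1 firewall local name 'internet_to_global'
set interfaces ethernet eth2 firewall in name 'lan_in'
"""

# Typographic quotes picked up when commands are copied from a web page.
QUOTE_FIX = {0x2018: "'", 0x2019: "'", 0x201C: '"', 0x201D: '"'}


def find_conflicts(config_text):
    """Return {interface: (zones, bindings)} for every interface that is a
    zone member and also has a per-interface firewall rule-set."""
    zones = {}     # interface -> set of zone names
    bindings = {}  # interface -> set of "direction:ruleset"
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line.translate(QUOTE_FIX))
        except ValueError:
            continue  # unbalanced quotes: not a command we can judge
        if not tok or tok[0] != "set":
            continue
        # set zone-policy zone <zone> interface <ifname>
        if (len(tok) == 6 and tok[1:3] == ["zone-policy", "zone"]
                and tok[4] == "interface"):
            zones.setdefault(tok[5], set()).add(tok[3])
        # set interfaces <type> <ifname> firewall <direction> name <ruleset>
        elif (len(tok) == 8 and tok[1] == "interfaces"
                and tok[4] == "firewall" and tok[6] == "name"):
            bindings.setdefault(tok[3], set()).add(f"{tok[5]}:{tok[7]}")
    return {i: (sorted(zones[i]), sorted(bindings[i]))
            for i in zones if i in bindings}


if __name__ == "__main__":
    for ifname, (zone_list, bound) in find_conflicts(SAMPLE).items():
        print(f"{ifname}: in zone(s) {zone_list}, "
              f"interface rule-set(s) {bound}")
```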