Using both zone and interface-based firewall on same interface


#1

Is it possible to use both a zone-based and an interface-based firewall on the same interface?

My guess is no, but VyOS applies the config without error when I assign the interface to a zone, commit, and then assign a firewall to the interface. (case#1)
And if I enter all of the configuration and then commit, VyOS returns the error “interface eth1 has firewall rule-set configured, cannot be defined under a zone”.

Case#1 : no error

set firewall name internet_to_global

set zone-policy zone global interface 'eth1'

commit

set interfaces ethernet eth1 firewall local name 'internet_to_global'

commit

(no error)

Case#2 : error

set firewall name internet_to_global

set zone-policy zone global interface 'eth1'

set interfaces ethernet eth1 firewall local name 'internet_to_global'

commit

interface eth1 has firewall rule-set configured, cannot be defined under a zone
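
Added example, not part of the original post and not VyOS code: a Python check that reads `show configuration commands` output and lists every interface that is both a zone member and carries its own rule-set, which is the state case #1 ends in without an error. The sample config is constructed; the `eth2`/`eth3` lines, the `dmz` zone, the `in` direction and the function name are assumptions beyond the commands shown in the post.

```python
import shlex

# Constructed sample: the end state of case #1 plus two unrelated interfaces,
# in the format printed by `show configuration commands`.
SAMPLE_CONFIG = """\
set firewall name internet_to_global
set interfaces ethernet eth1 firewall local name 'internet_to_global'
set interfaces ethernet eth2 firewall in name 'lan_in'
set zone-policy zone global interface 'eth1'
set zone-policy zone dmz interface 'eth3'
"""


def find_zone_interface_overlap(config_text):
    """Return {ifname: {"zones": [...], "rulesets": [(direction, ruleset), ...]}}
    for each interface that is in a zone AND has a per-interface rule-set."""
    zones = {}      # ifname -> [zone names]
    rulesets = {}   # ifname -> [(direction, ruleset name)]
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)  # also strips the quotes around values
        except ValueError:
            continue  # unbalanced quote: not a line this check understands
        # set zone-policy zone <zone> interface <ifname>
        if (len(tok) == 6 and tok[:3] == ["set", "zone-policy", "zone"]
                and tok[4] == "interface"):
            zones.setdefault(tok[5], []).append(tok[3])
        # set interfaces <type> <ifname> firewall <direction> <name-key> <ruleset>
        elif (len(tok) == 8 and tok[:2] == ["set", "interfaces"]
                and tok[4] == "firewall"):
            rulesets.setdefault(tok[3], []).append((tok[5], tok[7]))
    both = sorted(zones.keys() & rulesets.keys())
    return {i: {"zones": zones[i], "rulesets": rulesets[i]} for i in both}


if __name__ == "__main__":
    for ifname, hit in find_zone_interface_overlap(SAMPLE_CONFIG).items():
        print(f"{ifname}: zone(s) {hit['zones']} and rule-set(s) {hit['rulesets']}")
```
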