Today a default installed VyOS uses "default-action: accept" for INPUT, OUTPUT and FORWARD.
Since VyOS today allows ALL ports for ALL services on ALL interfaces by default, the only workaround is for the admin to dig into which ports each service needs, configure those in the INPUT and OUTPUT chains, and do so for whatever interface the traffic is expected to exist on.
There is a great risk that the admin fails to set proper rules and instead opens up too much (or falls back to "default-action: allow", which will allow ALL traffic).
When VyOS is configured with various services such as NTP, DNS, DHCP, VRRP, BGP etc., it would be handy to ease the administration of protecting these services.
The suggestion is to add a "set firewall auto-ruleset" capability to make life easier for the admin.
Something like (default is disable):
set firewall auto-ruleset bgp enable
set firewall auto-ruleset dhcp-client enable
set firewall auto-ruleset dhcp-server enable
set firewall auto-ruleset dns-client enable
set firewall auto-ruleset dns-server enable
set firewall auto-ruleset ntp-client enable
set firewall auto-ruleset ntp-server enable
set firewall auto-ruleset ssh-client enable
set firewall auto-ruleset ssh-server enable
set firewall auto-ruleset vrrp enable
along with (default is none; "any" or "all" should exist as an option as well):
set firewall auto-ruleset bgp interface 'eth0 eth1'
set firewall auto-ruleset dhcp-client interface 'eth0 eth1'
set firewall auto-ruleset dhcp-server interface 'eth0 eth1'
set firewall auto-ruleset dns-client interface 'eth2 eth3'
set firewall auto-ruleset dns-server interface 'eth2 eth3'
set firewall auto-ruleset ntp-client interface 'eth0 eth5'
set firewall auto-ruleset ntp-server interface 'eth0 eth5'
set firewall auto-ruleset ssh-client interface 'eth7 eth8'
set firewall auto-ruleset ssh-server interface 'eth7 eth8'
set firewall auto-ruleset vrrp interface 'eth9'
With the above, the admin can set default-action to drop for INPUT and OUTPUT; in the case of bgp, the auto-ruleset would allow dstport TCP 179 on interfaces eth0 and eth1 in both the INPUT and OUTPUT chains,
while "auto-ruleset dns-server" would in this case allow dstport TCP 53 and UDP 53 on interfaces eth2 and eth3 in the INPUT chain.
The above depends on ESTABLISHED and RELATED traffic already being allowed (which it usually is).
Since this feature is disabled by default, the admin can still (as today) configure the needed firewall rules manually (or, for whatever reason, further limit who may talk to each service beyond restricting by interface).
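To make the expansion described above concrete, here is an added example (not part of the request and not VyOS code) that turns a proposed auto-ruleset configuration into the explicit per-chain rules an admin would otherwise have to write by hand. It assumes VyOS 1.4-style rule syntax ("set firewall ipv4 <chain> filter rule N ...") and the service-to-port table embedded in the script; "any"/"all" drops the interface match, and VRRP is matched by IP protocol only since it has no port.

```python
"""Expand proposed 'auto-ruleset' services into explicit VyOS firewall rules.

Assumptions (not from the original request): VyOS 1.4-style command syntax
and the service/port table below.  Output goes to INPUT/OUTPUT chains only,
matching the request; ESTABLISHED/RELATED is assumed to be allowed already.
"""

# service -> list of (chain, protocol, destination port or None)
SERVICE_PORTS = {
    "bgp":         [("input", "tcp", 179), ("output", "tcp", 179)],
    "dns-server":  [("input", "tcp", 53), ("input", "udp", 53)],
    "dns-client":  [("output", "tcp", 53), ("output", "udp", 53)],
    "ntp-server":  [("input", "udp", 123)],
    "ntp-client":  [("output", "udp", 123)],
    "ssh-server":  [("input", "tcp", 22)],
    "ssh-client":  [("output", "tcp", 22)],
    "dhcp-server": [("input", "udp", 67)],
    "dhcp-client": [("input", "udp", 68), ("output", "udp", 67)],
    "vrrp":        [("input", "vrrp", None), ("output", "vrrp", None)],  # IP proto 112, no port
}


def expand_auto_ruleset(services, start=100, step=10):
    """services: {service: [interfaces]}; 'any'/'all' (or empty) = no interface match.

    Returns the list of 'set firewall ...' commands; rule numbers are allocated
    per chain starting at `start` so they never collide with each other.
    """
    cmds = []
    counters = {"input": start, "output": start}
    for service in sorted(services):
        if service not in SERVICE_PORTS:
            raise ValueError(f"unknown service: {service}")
        ifaces = services[service]
        if not ifaces or any(i in ("any", "all") for i in ifaces):
            ifaces = [None]  # one rule with no interface restriction
        for chain, proto, port in SERVICE_PORTS[service]:
            for iface in ifaces:
                n = counters[chain]
                counters[chain] += step
                base = f"set firewall ipv4 {chain} filter rule {n}"
                cmds.append(f"{base} description 'auto-ruleset {service}'")
                cmds.append(f"{base} action accept")
                cmds.append(f"{base} protocol {proto}")
                if port is not None:
                    cmds.append(f"{base} destination port {port}")
                if iface is not None:  # INPUT matches inbound, OUTPUT matches outbound
                    side = "inbound" if chain == "input" else "outbound"
                    cmds.append(f"{base} {side}-interface name {iface}")
    return cmds
```

Running it on the bgp/dns-server lines from the request yields four INPUT rules for dns-server (tcp and udp on eth2 and eth3) and bgp rules in both chains, which is exactly the rule set the text says the feature would generate.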