The firewall configuration has a state option that allows matching packets by their state in conntrack. It has a disable suboption:
 vyos@vyos# set firewall name TESTFW1 rule 10 state established
 Possible completions:
   <text>   Established state
   disable
   enable
As far as I understand, it must be used to invert the state value: ! --state established. I don't see any other application for it. But this suboption doesn't work at all. Also, when a user creates rules, we must check that they don't add enabled and disabled options in the same rule, as iptables can use only one --state in a single rule.
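
A sketch of the check described above, added here as an example and not taken from the VyOS code base. It assumes the reading given in this report, that `disable` means an inverted match, and the names `state_match_args` and `StateConfigError` are hypothetical.

```python
# Added example: hypothetical validator, not VyOS code.
# Assumption (from the report): "disable" should produce "! --state <STATE>".

VALID_STATES = ("established", "invalid", "new", "related")


class StateConfigError(ValueError):
    """The rule's state options cannot be expressed as a single --state match."""


def state_match_args(states):
    """Translate {'established': 'enable', ...} into iptables arguments.

    Returns an argument list for one rule, or raises StateConfigError when
    enabled and disabled states are mixed, since only one --state is emitted.
    """
    enabled, disabled = [], []
    for name, value in states.items():
        if name not in VALID_STATES:
            raise StateConfigError(f"unknown state: {name}")
        if value == "enable":
            enabled.append(name.upper())
        elif value == "disable":
            disabled.append(name.upper())
        else:
            raise StateConfigError(
                f"{name}: expected 'enable' or 'disable', got {value!r}")

    if enabled and disabled:
        raise StateConfigError(
            "cannot mix enabled (%s) and disabled (%s) states in one rule"
            % (",".join(sorted(enabled)), ",".join(sorted(disabled))))
    if enabled:
        return ["-m", "state", "--state", ",".join(sorted(enabled))]
    if disabled:
        # "! --state A,B" matches packets that are in neither A nor B.
        return ["-m", "state", "!", "--state", ",".join(sorted(disabled))]
    return []  # no state options set: no match clause


if __name__ == "__main__":
    # Constructed sample rules.
    print(state_match_args({"established": "enable", "related": "enable"}))
    print(state_match_args({"established": "disable"}))
```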