Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24 it would be correctly processed by the VRouter and stored in the database. If the Vrouter instance would be stopped and started, the source cidr (172.16.40.0/24) would become null and consequently set to 0.0.0.0/0. Allowing free access to this port from the internet when the router finished restarting. Changing a rule on the firewall would send the correct information again including the sourceCids until the next stop start.
This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.
Considering that a stop/start of the router vms is part of our standard upgrade procedure, this is a serious issue.