I was having a strange issue with some firewall rules earlier today, so on this box I just wanted to remove all firewalling until I could figure out what was going on.
So:
$ show configuration commands | grep zone
set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ from LAN firewall name 'LAN-LOCAL'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN from DMZ firewall name 'DMZ-LAN'
set zone-policy zone LAN from LOCAL firewall ipv6-name 'LOCAL-LAN-6'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL-LAN'
set zone-policy zone LAN from WAN firewall ipv6-name 'WAN-LAN-6'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth0.2'
set zone-policy zone LAN interface 'eth0.10'
set zone-policy zone LAN interface 'eth0.50'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone LAN interface 'l2tp+'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN interface 'wg0'
set zone-policy zone LAN interface 'wg3'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL from LAN firewall ipv6-name 'LAN-LOCAL-6'
set zone-policy zone LOCAL from LAN firewall name 'LAN-LOCAL'
set zone-policy zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-6'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN from DMZ firewall name 'LAN-WAN'
set zone-policy zone WAN from LAN firewall ipv6-name 'LAN-WAN-6'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
set zone-policy zone WAN from LOCAL firewall ipv6-name 'LOCAL-WAN-6'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone-policy zone WAN interface 'eth0.7'
set zone-policy zone WAN interface 'tun1'
set zone-policy zone WAN interface 'vtun1'
set zone-policy zone WAN interface 'wg1'
set zone-policy zone WAN interface 'wg2'
[email protected]:~$ conf
[edit]
[email protected]# delete zone-policy
[edit]
[email protected]# commit save
[ zone-policy zone LAN interface wg3 ]
ip6tables: Bad rule (does a matching rule exist in that chain?).
Error: call to delete interface wg3 from zone-chain VZONE_LAN with failed [256]
delete [ zone-policy ] failed
Commit failed
client_loop: send disconnect: Broken pipe
This resulted in a zone-policy where all the interfaces still existed, but all the from ... entries were deleted, as such:
set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN interface 'eth0.2'
set zone-policy zone LAN interface 'eth0.10'
set zone-policy zone LAN interface 'eth0.50'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone LAN interface 'l2tp+'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN interface 'wg0'
set zone-policy zone LAN interface 'wg3'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0.7'
set zone-policy zone WAN interface 'tun1'
set zone-policy zone WAN interface 'vtun1'
set zone-policy zone WAN interface 'wg1'
set zone-policy zone WAN interface 'wg2'
Which essentially killed the networking on the server.
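The half-deleted state above is easy to spot mechanically: every zone still owns interfaces (or is the local zone) and has default-action drop, but no `from` policy remains, so nothing is allowed in. The following is an added example, not code from the post or from the router's own tooling; it parses `show configuration commands | grep zone` output and flags zones in exactly that state, using a constructed sample built from the post's output.

```python
import re
from collections import defaultdict

# Constructed sample: the stripped-down zone-policy left after the failed
# "delete zone-policy" commit (abbreviated from the post; time-zone line is
# included because "grep zone" catches it and the parser must ignore it).
SAMPLE = """\
set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone LAN interface 'wg3'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0.7'
"""

LINE = re.compile(r"^set zone-policy zone (\S+) (.*)$")

def parse_zone_policy(text):
    """Turn zone-policy 'set' lines into one dict per zone; other lines are skipped."""
    zones = defaultdict(lambda: {"default-action": None, "interfaces": [],
                                 "from": [], "local-zone": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        zone, rest = m.groups()
        parts = [p.strip("'") for p in rest.split()]
        z = zones[zone]
        if parts[0] == "default-action":
            z["default-action"] = parts[1]
        elif parts[0] == "interface":
            z["interfaces"].append(parts[1])
        elif parts[0] == "local-zone":
            z["local-zone"] = True
        elif parts[0] == "from":
            # from <src-zone> firewall name|ipv6-name '<ruleset>'
            z["from"].append((parts[1], parts[3], parts[4]))
    return dict(zones)

def isolated_zones(zones):
    """Zones that own interfaces (or the router itself) with default-action
    drop and no 'from' policy at all: every packet into them is discarded."""
    return sorted(name for name, z in zones.items()
                  if (z["interfaces"] or z["local-zone"])
                  and not z["from"] and z["default-action"] == "drop")
```

Run `isolated_zones(parse_zone_policy(text))` against a saved `show configuration commands | grep zone` dump before committing; a non-empty result means the commit will leave those zones unreachable.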