It is possible to create a firewall name with no rules other than the default-action:
[edit]
vyos@vyos# set firewall name TEST default-action accept
[edit]
vyos@vyos# set interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#
It is possible to go from an empty firewall to one with rules:
[edit]
vyos@vyos# set firewall name TEST rule 1 action accept
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#
However, the operation is not reversible:
[edit]
vyos@vyos# delete firewall name TEST rule 1
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)
[[firewall name TEST]] failed
Commit failed
[edit]
vyos@vyos#
There also seems to be a race condition/improper order of operations when simultaneously removing both the firewall and the places it is used:
[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)
delete [ firewall name TEST ] failed
Commit failed
[edit]
vyos@vyos#
This needs two commits to succeed:
[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#