
Deleting all firewall zones failed and locked out box
Open, Requires assessment, Public, BUG

Description

I was having a strange issue with some firewall rules earlier today, so on this box I just wanted to remove all firewalling until I could figure out what was going on.

So:

$ show configuration commands | grep zone
set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ from LAN firewall name 'LAN-LOCAL'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN from DMZ firewall name 'DMZ-LAN'
set zone-policy zone LAN from LOCAL firewall ipv6-name 'LOCAL-LAN-6'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL-LAN'
set zone-policy zone LAN from WAN firewall ipv6-name 'WAN-LAN-6'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth0.2'
set zone-policy zone LAN interface 'eth0.10'
set zone-policy zone LAN interface 'eth0.50'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone LAN interface 'l2tp+'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN interface 'wg0'
set zone-policy zone LAN interface 'wg3'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL from LAN firewall ipv6-name 'LAN-LOCAL-6'
set zone-policy zone LOCAL from LAN firewall name 'LAN-LOCAL'
set zone-policy zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-6'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN from DMZ firewall name 'LAN-WAN'
set zone-policy zone WAN from LAN firewall ipv6-name 'LAN-WAN-6'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
set zone-policy zone WAN from LOCAL firewall ipv6-name 'LOCAL-WAN-6'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone-policy zone WAN interface 'eth0.7'
set zone-policy zone WAN interface 'tun1'
set zone-policy zone WAN interface 'vtun1'
set zone-policy zone WAN interface 'wg1'
set zone-policy zone WAN interface 'wg2'

admin@edge:~$ conf
[edit]
admin@edge# delete zone-policy
[edit]
admin@edge# commit
save
[ zone-policy zone LAN interface wg3 ]
ip6tables: Bad rule (does a matching rule exist in that chain?).
Error: call to delete interface wg3 from zone-chain
VZONE_LAN with failed [256]

delete [ zone-policy ] failed
Commit failed
client_loop: send disconnect: Broken pipe

This resulted in a zone-policy where all the interfaces still existed, but all the from ... statements were deleted, as such:

set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN interface 'eth0.2'
set zone-policy zone LAN interface 'eth0.10'
set zone-policy zone LAN interface 'eth0.50'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone LAN interface 'l2tp+'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN interface 'wg0'
set zone-policy zone LAN interface 'wg3'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0.7'
set zone-policy zone WAN interface 'tun1'
set zone-policy zone WAN interface 'vtun1'
set zone-policy zone WAN interface 'wg1'
set zone-policy zone WAN interface 'wg2'

Which essentially killed the networking on the server.
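The state the report ends in (every zone still has interfaces or local-zone assigned, every from ... rule set is gone, and default-action is drop) is a recognisable pattern that can be checked for before a commit is trusted. The following Python check is an added example, not part of the report or of VyOS: it parses the `show configuration commands` output format shown above, assumes only the `set zone-policy zone ...` syntax visible in the report, and uses a constructed sample input taken from the post-failure configuration.

```python
# Added example (not from the bug report or VyOS): parse `set zone-policy ...`
# lines and flag zones that would drop all traffic, i.e. the partial-commit
# state described in the report.
import re
from collections import defaultdict

# Constructed sample: a subset of the post-failure configuration in the report.
AFTER_FAILURE = """\
set system time-zone 'UTC'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ interface 'eth0.6'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN interface 'eth0.2'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0.7'
"""

LINE = re.compile(r"^set zone-policy zone (\S+) (.*)$")

def parse_zones(text):
    """Return {zone: {default_action, interfaces, local_zone, from}}."""
    zones = defaultdict(lambda: {"default_action": None, "interfaces": [],
                                  "local_zone": False, "from": {}})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # e.g. `set system time-zone`, which a grep for "zone" also hits
        zone, rest = m.groups()
        parts = rest.replace("'", "").split()
        z = zones[zone]
        if parts[0] == "default-action":
            z["default_action"] = parts[1]
        elif parts[0] == "interface":
            z["interfaces"].append(parts[1])
        elif parts[0] == "local-zone":
            z["local_zone"] = True
        elif parts[0] == "from":
            # from <peer-zone> firewall (name|ipv6-name) <ruleset>
            z["from"].setdefault(parts[1], {})[parts[3]] = parts[4]
    return dict(zones)

def blackhole_zones(text):
    """Zones with members (interfaces or local-zone) but no `from` rule sets:
    with default-action drop, nothing can enter them, the router included."""
    out = []
    for name, z in sorted(parse_zones(text).items()):
        has_members = z["interfaces"] or z["local_zone"]
        if has_members and not z["from"] and z["default_action"] == "drop":
            out.append(name)
    return out
```

Run it against `show configuration commands | grep zone-policy` output saved before a commit-confirm expires; a non-empty result means the box will be unreachable once the zones take effect.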

Details

Difficulty level
Unknown (require assessment)
Version
1.2.2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

kroy created this task. Sep 9 2019, 6:33 PM
kroy updated the task description.
pasik added a subscriber: pasik. Sep 10 2019, 2:45 PM