Custom IP Blacklist

Hi,

unfortunately, there is no general answer to your question.

Looking at the screenshots you provided, two aspects come to mind:

  • Enable the IPS on all interfaces, not just the RED one.
    That way, you gain additional coverage on internal network traffic, and get better information on rules applying to outgoing traffic, since you will have the client's IP address logged, not just the external IP address on your RED interface.
  • Personally, I’d enable the following rulesets in addition:
    • drop.rules (contains hostile networks safe to drop)
    • emerging-dns.rules (since you are using DNS, and it is an important, yet often underestimated attack vector)
    • emerging-exploit_kits.rules (in addition to emerging-exploit.rules)
    • emerging-voip.rules (if you have VoIP clients behind your IPFire)
    • emerging-web_clients.rules (applies to attacks against web browsers)

Please refer to this blog post for more general advice.

Thanks, and best regards,
Peter Müller

3 Likes
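The first point above (running the IPS on GREEN/BLUE as well as RED so that alerts name the internal client rather than the NAT address) can be checked against the Suricata EVE log. The script below is an added example for this thread, not code from Peter's reply or from the IPFire project: it reads EVE JSON alert records, groups them by signature, and reports which signatures never matched a host in the configured internal zones. The zone networks (192.168.1.0/24 and 192.168.2.0/24) are assumed placeholders, the sample records are constructed (RFC 1918 and RFC 5737 addresses, with 203.0.113.5 standing in for the RED address), and the signature names are illustrative, not real ET rule titles.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed IPFire zone networks (GREEN and BLUE); replace with your own.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]

# Constructed EVE JSON records for illustration, not real Suricata output.
# 203.0.113.5 plays the role of the RED (WAN) address of the firewall.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.23",
                "dest_ip": "198.51.100.53", "proto": "UDP",
                "alert": {"signature": "ET DNS suspicious TLD query",
                          "category": "Potentially Bad Traffic", "action": "allowed"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.40",
                "dest_ip": "198.51.100.53", "proto": "UDP",
                "alert": {"signature": "ET DNS suspicious TLD query",
                          "category": "Potentially Bad Traffic", "action": "allowed"}}),
    # Seen on RED only: after NAT the originating client is no longer visible.
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.5",
                "dest_ip": "198.51.100.80", "proto": "TCP",
                "alert": {"signature": "ET EXPLOIT_KIT landing page request",
                          "category": "Exploit Kit Activity", "action": "allowed"}}),
    # Inbound hit on the RED address itself (drop.rules style).
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.7",
                "dest_ip": "203.0.113.5", "proto": "TCP",
                "alert": {"signature": "ET DROP known hostile network",
                          "category": "Misc Attack", "action": "blocked"}}),
    # Non-alert event and a truncated line: both must be skipped.
    json.dumps({"event_type": "flow", "src_ip": "192.168.1.23",
                "dest_ip": "198.51.100.53", "proto": "UDP"}),
    '{"event_type": "alert", "src_ip": "192.168.1.',
])


def parse_alerts(eve_text):
    """Yield only well-formed records with event_type == "alert"."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbled line, e.g. from a rotated log
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def is_internal(ip):
    """True if ip lies in one of the configured zone networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def internal_address(alert):
    """Return the internal host named by the alert, or None if only
    public addresses (such as the RED address) were logged."""
    for key in ("src_ip", "dest_ip"):
        if is_internal(alert.get(key, "")):
            return alert[key]
    return None


def summarize(eve_text):
    """Per signature: alert count, how many named an internal host, which hosts."""
    summary = defaultdict(lambda: {"total": 0, "attributed": 0, "clients": set()})
    for alert in parse_alerts(eve_text):
        entry = summary[alert["alert"]["signature"]]
        entry["total"] += 1
        host = internal_address(alert)
        if host is not None:
            entry["attributed"] += 1
            entry["clients"].add(host)
    return dict(summary)


def unattributed_signatures(summary):
    """Signatures that fired at least once without naming an internal host.
    For outbound traffic this is exactly the gap closed by enabling the IPS
    on the internal zones; inbound hits on the RED address stay unattributed."""
    return sorted(sig for sig, e in summary.items() if e["attributed"] < e["total"])


if __name__ == "__main__":
    result = summarize(SAMPLE_EVE)
    for sig, e in result.items():
        print(f"{sig}: {e['attributed']}/{e['total']} attributed, clients={sorted(e['clients'])}")
    print("unattributed:", unattributed_signatures(result))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents; signatures listed as unattributed for outbound connections are the ones where the RED-only deployment hides the client.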