DNS queries for arduino.cc are dropped by IPS

Disabling Intrusion Prevention System solves the problem. Problem returns if IPS is enabled.
All rulesets enabled.

So all boxes are having problems reaching www.arduino.cc

As Peter hinted at, it would be good to eliminate some other aspects. Do you have IPS running and blocking failed rules that it finds? If IPS is enabled then try disabling it and then see if you can access www.arduino.cc

See previous post, Peter was right.
Everything works, updates of Ubuntu x86_64 and SBC’s.
ping www.arduino.cc on IPFire box works.
It could be one of the enabled rulesets.
I may have a play later by disabling all and enabling one at a time to see if one or more causes it.


I disabled all the rulesets, enabled and applied 6 at a time. Now with all enabled there is no problem.
If it returns I know where to look.

Hi,

glad to have helped. :slight_smile:

Yes, this is a good idea.

Such a procedure is called “baselining”, and especially important prior to running an IPS in a corporate network. First, you try to find out which IPS rules normally trigger (for example, by enabling the “monitor only mode”), to get an idea which ones will cause false positives, and which ones won’t. Simultaneously, you try to get a feeling for what is “normal” in your network.

Second, you gradually enable the rulesets you want, going from those likely not to cause any issues to the more delicate ones. Depending on the network’s size and how well everything is documented, even middle-sized companies can need months until they get their IPS fully operational in production.

Hm, interesting. This might be due to DNS caching issues…

Thanks, and best regards,
Peter Müller


Most likely. When all rulesets are eventually enabled and applied everything is fine for a matter of minutes before reverting to be a problem.

Hi,

well, considering the TTL of 300 seconds (= 5 minutes), this does not come as a surprise:

$ dig a www.arduino.cc

; <<>> DiG 9.16.22-Debian <<>> a www.arduino.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3795
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.arduino.cc.			IN	A

;; ANSWER SECTION:
www.arduino.cc.		300	IN	CNAME	www.arduino.cc.cdn.cloudflare.net.
www.arduino.cc.cdn.cloudflare.net. 300 IN A	104.18.28.45
www.arduino.cc.cdn.cloudflare.net. 300 IN A	104.18.29.45

;; Query time: 124 msec
;; SERVER: 172.28.1.1#53(172.28.1.1)
;; WHEN: Wed Feb 23 16:13:17 UTC 2022
;; MSG SIZE  rcvd: 122

To reflect the actual issue better, I will rename this thread. Also, I consider it solved unless there are some aspects not being clarified yet.

Thanks, and best regards,
Peter Müller

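The "works for a few minutes, then breaks" pattern Peter attributes to the 300 second TTL can be modelled directly. The following is an added example, not code from the thread or from IPFire: it parses the ANSWER SECTION quoted above (embedded as a constructed sample) and simulates a caching stub resolver in front of an upstream that an IPS starts dropping. While the cached records are within their TTL the IPS never sees a query, so resolution keeps succeeding; at TTL expiry the next query goes upstream and fails. Timings and the blocking behaviour are assumptions for illustration.

```python
import re

# Constructed sample: the ANSWER SECTION from the dig output quoted above.
DIG_ANSWER = """\
www.arduino.cc.\t\t300\tIN\tCNAME\twww.arduino.cc.cdn.cloudflare.net.
www.arduino.cc.cdn.cloudflare.net. 300 IN A\t104.18.28.45
www.arduino.cc.cdn.cloudflare.net. 300 IN A\t104.18.29.45
"""

# One resource record per line: NAME TTL IN TYPE RDATA (whitespace varies).
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")

def parse_answer(text):
    """Return (name, ttl, rtype, rdata) tuples from dig's answer-section lines."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records

class CachingResolver:
    """Minimal stub resolver: answers from cache until the smallest TTL in the
    answer expires, otherwise forwards upstream (where the IPS may drop it)."""
    def __init__(self):
        self.cache = {}            # qname -> (expiry_time, records)
        self.upstream_blocked = False
        self.upstream_queries = 0  # how many queries the IPS actually saw

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[0]:
            return hit[1]          # cache hit: no packet leaves the box
        self.upstream_queries += 1
        if self.upstream_blocked:
            return None            # dropped by IPS: client sees timeout/SERVFAIL
        records = parse_answer(DIG_ANSWER)
        ttl = min(r[1] for r in records)
        self.cache[name] = (now + ttl, records)
        return records

def simulate(blocked_from, checks, step=60):
    """Query every `step` seconds; upstream is blocked from t=blocked_from on.
    Returns [(t, resolved_ok), ...] showing exactly when lookups start failing."""
    r = CachingResolver()
    out = []
    for i in range(checks):
        t = i * step
        r.upstream_blocked = t >= blocked_from
        out.append((t, r.resolve("www.arduino.cc", t) is not None))
    return out
```

With the IPS enabled one second after the cache was filled, `simulate(1, 7)` succeeds at 0, 60, 120, 180 and 240 seconds and fails from 300 seconds on, matching the "fine for a matter of minutes" observation.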