Enabling Talos IPS rules causes trouble after upgrading to Core Update 164

Hey there

After the update to the newest version 164 and activating “Dropping any hostile traffic” as recommended, I cannot access the WebGUI anymore.

Also, DNS name resolution isn't working anymore.

I can ping the gateway in the green LAN and also ping e.g. 8.8.8.8, but pinging Google gives me a timeout: no name resolution.

Rebooting didn't solve the issues.

Any hints? Thank you.

Mike

Just confirmed I’m having a similar issue, I can’t get to the Internet using URLs. According to the DNS settings, reverse DNS is completely failing on all my configured DNS servers.

Not sure if I just found the problem, I changed DNS from TLS to TCP, clicked check DNS servers and then everything came back. Appears that there may be an issue with TLS in DNS. Internet pages are now loading through DNS.

Restarted, changed settings, restarted again, still had issues with DNS failure even on TCP. Checked the intrusion detection logs and saw a huge amount of outbound blocks due to what appear to be false positives. Disabled IPS and the issue went away; unchecked the DNS rules, restarted IPS, still an issue. The only way it’s functional is with intrusion prevention turned off. Not entirely sure where the issue is coming from, will most likely have to downgrade until all the bugs are figured out in the next version.

The only way to figure this out is to turn off rulesets and click Apply until you figure out which ruleset is interfering with DNS.

What rulesets are currently enabled? (a screenshot is fine)

1 Like

Even after disabling intrusion prevention I was still having problems. Ended up wiping the system and downgrading to 163.

2 Likes

Same here after the upgrade.
DNS down, IPsec not working anymore, and I have now been waiting for 15 minutes for the firewall to come up after a reboot command …

Silvio

The only way I was able to get things working was to bypass the DNS service of IPFire. I can confirm that the DNS forwarding is not working correctly. First I went from DNS over TLS to DNS over UDP. It helped at first, but after a few seconds the DNS queries weren’t being answered anymore. Then I looked at this forum and disabled the IPS, but this won’t help either (again after a few seconds the DNS queries weren’t being answered). So I had to bypass the DNS by setting a fixed IP address and setting the DNS servers on my client to Google (8.8.8.8 and 8.8.4.4). I also allowed the traffic for this client through the firewall (because before I went through the Squid proxy). But it seems that not all services are working correctly on my client. Most of them are, though.

Hi all,
same on my machine here. After the update to 164 everything looked okay initially. But after a few seconds the web GUI stopped working. Now I am lost at the serial console of my IPFire box.
After stopping suricata from the console the web GUI is accessible again.
Hopefully I can find which rules caused the trouble.
From the suricata log good candidates might be:
TRUFFLEHUNTER SFVRT-1045
FF-RAT
Jimini
1.php
Because all of these are generated from 3 different computers in my local network running 3 different OSes.

1 Like

Hello,

for all those who run into the same problems:

SSH (or via Serial Console as in my case) into the IPFire.

Call elinks (just enter it as a command; for how it works see here: Configure firewall rules / NAT from console (no more access to WUI after firewall rule created in WUI)). A kind of GUI appears. Call the firewall options and deactivate the option “Dropping any hostile traffic” (blog.ipfire.org - IPFire 2.27 - Core Update 164 released), which is recommended for release 164, and save it.

In addition, the IPS must be switched off completely (also via elinks). Please also uncheck Red, Green, Blue if necessary and save everything.

Then perform a reboot. Access to the WebGUI will work again, as well as the name resolution.

I have also tried, after removing the “Dropping” option, to enable the IPS again. Again, no name resolution occurs and the WebGUI is again inaccessible.

Apparently some rule is applied in the background that blocks access (GUI and name resolution).

I also have the following error message at boot time with IPS enabled. This does not appear with IPS disabled. Perhaps this will help narrow down the error:

Screenshot from 2022-03-11 10:13:41

However, another error at boot always appears, regardless of whether IPS is enabled or not:

Greetings, Mike

The easiest way to turn off the IPS (until the next reboot) is:

/etc/init.d/suricata stop

Could those who are affected provide logs about what specifically is being blocked?

1 Like

I would like to help. Which logs do you need and where do I find them?

Greets

Thanks for the elinks hint.
With my Installation it was enough to disable the registered-malware-cnc.rules in the IDS settings to make the system fully operational again.

Please send /var/log/suricata/fast.log. This file will contain anything the IPS decided to drop.

So instead of a bug, this looks rather like someone pushed a bad ruleset which is now firing around.

2 Likes
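As an added example (not IPFire project code and not posted by anyone in this thread), here is a small POSIX shell helper that does the triage the reply above asks for: it reads a Suricata fast.log and summarises which signatures are responsible for drops, with a second view restricted to port 53 so that rules breaking DNS stand out. The signature IDs and names in the embedded sample log are constructed placeholders, and the fast.log line layout it parses (`[Drop] [**] [gid:sid:rev] name [**] ... {PROTO} src:port -> dst:port`) is assumed to match what Suricata writes.

```shell
#!/bin/sh
# Added diagnostic helper (not from the IPFire project).
# Usage on the box:  sh fastlog_dns_drops.sh /var/log/suricata/fast.log
# With no argument it runs against a constructed sample so it can be tried offline.

# Count dropped events per signature (any port).
# Output lines look like: "<count> <gid:sid:rev> <signature name>"
drops_by_signature() {
    grep '\[Drop\]' "$1" \
    | sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Same, but only drops where source or destination port is 53 (DNS),
# i.e. the traffic this thread reports as broken.
dns_drops_by_signature() {
    grep '\[Drop\]' "$1" \
    | grep -E '(:53 -> |:53$)' \
    | sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Number of distinct signatures dropping DNS traffic (quick health check).
dns_drop_signature_count() {
    dns_drops_by_signature "$1" | wc -l | tr -d ' '
}

# Writes a constructed sample fast.log to the path given as $1.
# SIDs 9000001..9000003 and the signature names are made-up placeholders.
make_sample_log() {
    cat > "$1" <<'EOF'
03/11/2022-10:13:41.000001  [Drop] [**] [1:9000001:1] EXAMPLE MALWARE-CNC constructed signature A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.10:40001 -> 8.8.8.8:53
03/11/2022-10:13:42.000001  [Drop] [**] [1:9000001:1] EXAMPLE MALWARE-CNC constructed signature A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.11:40002 -> 8.8.4.4:53
03/11/2022-10:13:43.000001  [Drop] [**] [1:9000002:1] EXAMPLE constructed signature B [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.12:40003 -> 203.0.113.5:443
03/11/2022-10:13:44.000001  [**] [1:9000003:1] EXAMPLE alert-only constructed signature C [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.10:40004 -> 8.8.8.8:53
EOF
}

if [ "$#" -gt 0 ]; then
    echo "== Signatures dropping DNS traffic in $1 =="
    dns_drops_by_signature "$1"
    echo "== All dropping signatures in $1 =="
    drops_by_signature "$1"
fi
```

On the sample, only signature A shows up in the DNS view (two drops); signature B is dropping HTTPS rather than DNS, and signature C only alerts, so neither is a DNS culprit. Run against the real file, the top entries of the DNS view are the rules to disable first in the IDS settings.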

That's a huge one, more than 32 MB.

Can I upload this, or should I send it to you in another way?

I tried that, but disabling the mentioned rule and starting IPS again resulted in the same problem (no access to the WebGUI and no name resolution).

greets

Just gzip it and upload it here. It should be small enough then.

Here we go:

fast.log.tar.gz (1.2 MB)

1 Like

I had the best idea in the morning to update during work, UI died quite soon during the update, checked from terminal that reboot was required, reboots did not help.

Recovered from fresh backup ISO (finally got disaster recovery tested).

I have IPS in use also.

Meanwhile I wiped and reinstalled Core Update 163. Thanks to the team that a backup of the system is made just before any upgrade. That really helps.