Guardian and IPS stopped working as they did before v 2.xx

Several builds ago, various probes of the firewill would ultimately feed from IPS to Guardian. Guardian would proceed to maintain a substantial IP block list. After IPFire went to version 2.xx, this functionality stopped working.

I have done patches and am currently at core update 136. Everything else seems to be working as intended.

What is the recommended fix? I have not done a wipe and reinstall because of the inconvenience this will create for myself and the users.


Can someone take a brief moment to address this? I have 1000+ IPS hits and yet not one banned host in Guardian today. What exactly is Guardian supposed to be doing

As far as I know Guardian is now solely used to block attacks against the WebIF from green network, at least from internal networks and not from source you see in your hardcopies above.

If I remember correctly, Suricata detects those attempts and blocks them instantly but not for a certain timespan.

I may be wrong, but I guess some more experienced users will join the discussion shortly.


Perhaps this helps:
=> One of the biggest changes we are now introducing is that the IDS will no longer just listen to traffic by default. Snort used to analyse a copy of every packet on the network. While it has been scanning it, it was passed on into the network. Any alarms that were raised had to be processed from a log file and potentially created iptables rules that blocked the host where the malicious packet came from.

The corresponding iptable rules were created by ‘guardian’.

‘suricata’ works different:
Suricata takes the packet, analyses it first, and when it has passed all checks, it is being sent onward. Therefore, it is very easy for Suricata to be an Intrusion Prevention System, too. If the packet has failed the tests, it is just being dropped and alert is logged - leaving no chance to even send a single packet to the internal network.

=> The guardian add-on is no longer required any more for the IDS to work but still provides means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.


Thank you for the feedback, that is very helpful. I was concerned that there was no operational intrustion prevention