How Can I Check if My IPS is Effectively Dropping Packets?

Hello community,

I’m trying to check if my Intrusion Prevention System is correctly configured and working because it seems that it is not functioning properly. I performed an nmap scan from my green network against the red zone. I received IPS logs, but I could still reach the information with nmap, and I don’t have the monitoring-only option enabled.
Nmap scan from green zone against red zone:

IPS logs:

IPS ruleset:

Thanks for all your help, and sorry if I made any major errors as this is my first time configuring an IPS.

System Specifications:

  • My IPFire is on an RPI 3B+
  • Core Update 185
  • IPFire 2.29 (aarch64)

In the direction green → red0 (→ WAN), traffic is allowed by the firewall. So the ports should be open.

The IPS blocks distinct connections according to its rules. How the rules work isn’t obvious; mainly thresholds, triggering packet contents, …
On the other hand, it is not obvious which packets are sent by nmap.

To check the effectiveness of the IPS in this scenario, you must know the set of nmap packets (they can be captured by tcpdump or tshark, for example) and examine the reaction of the IPS to these packets.

If your red IP is 192.168.1.3, the IPS logs show (some of) the nmap packets as blocked.

If you want to measure the effectiveness of the IPS (for the WAN), a test from the LAN isn’t really suitable. On the WAN side the IPS can also rely on the general FW rules. An IPS rule may not match packets caught by a FW rule.
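As an added example (not from this thread and not IPFire's own code), here is one way to do the cross-check described above in Python: take the probes tcpdump recorded on the green side, take the alerts from the IPS log (IPFire's IPS is Suricata, whose fast.log puts a `[Drop]` tag before `[**]` when the rule action was drop and nothing when it only alerted), and report per probed port whether the IPS dropped it, only alerted, or stayed silent, and whether the red host answered at all. The capture lines, the fast.log lines, the green host 192.168.2.10, and the rule IDs 9000001/9000002 are constructed sample data; only the red IP 192.168.1.3 comes from the thread.

```python
import re

TARGET = "192.168.1.3"  # the red IP from the thread

# Constructed tcpdump output (e.g. tcpdump -n -i green0 host 192.168.1.3): four nmap
# SYN probes and one SYN/ACK coming back from port 22. Sample data, not a real capture.
CAPTURE = """\
10:00:01.000100 IP 192.168.2.10.45678 > 192.168.1.3.22: Flags [S], seq 1, win 1024, length 0
10:00:01.000200 IP 192.168.2.10.45678 > 192.168.1.3.80: Flags [S], seq 1, win 1024, length 0
10:00:01.000300 IP 192.168.2.10.45678 > 192.168.1.3.443: Flags [S], seq 1, win 1024, length 0
10:00:01.000400 IP 192.168.2.10.45678 > 192.168.1.3.3389: Flags [S], seq 1, win 1024, length 0
10:00:01.000500 IP 192.168.1.3.22 > 192.168.2.10.45678: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Constructed Suricata fast.log lines with placeholder rule IDs (9000001/9000002).
# "[Drop]" before "[**]" means the rule action was drop; without it the rule only
# alerted and the packet was let through.
FAST_LOG = """\
03/15/2024-10:00:01.000150  [**] [1:9000001:1] TEST SCAN probe to port 22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.10:45678 -> 192.168.1.3:22
03/15/2024-10:00:01.000450  [Drop] [**] [1:9000002:1] TEST SCAN probe to port 3389 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.10:45678 -> 192.168.1.3:3389
"""

TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
FASTLOG_RE = re.compile(
    r"^\S+\s+(?P<drop>\[w?Drop\] )?\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_probes(capture, target):
    """Return (ports SYN-probed on target, ports from which target sent a SYN/ACK)."""
    probed, answered = set(), set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        if m["dst"] == target and m["flags"] == "S":
            probed.add(int(m["dport"]))
        elif m["src"] == target and m["flags"] == "S.":
            answered.add(int(m["sport"]))
    return probed, answered


def parse_alerts(fastlog, target):
    """Map destination port on target -> 'dropped' or 'alert' (drop wins over alert)."""
    verdict = {}
    for line in fastlog.splitlines():
        m = FASTLOG_RE.match(line)
        if not m or m["dst"] != target:
            continue
        port = int(m["dport"])
        dropped = m["drop"] is not None or verdict.get(port) == "dropped"
        verdict[port] = "dropped" if dropped else "alert"
    return verdict


def ips_report(capture, fastlog, target):
    """Per probed port: (IPS verdict, whether the target answered the probe)."""
    probed, answered = parse_probes(capture, target)
    alerts = parse_alerts(fastlog, target)
    return {port: (alerts.get(port, "no alert"), port in answered) for port in sorted(probed)}


def summarize(report):
    """Human-readable lines; flags the cases that explain 'logs but still reachable'."""
    out = []
    for port, (ips, answered) in report.items():
        note = ""
        if ips == "alert" and answered:
            note = "  <- rule matched but only alerted; traffic passed"
        elif ips == "dropped" and answered:
            note = "  <- logged as dropped yet target answered; check IPS mode/interface"
        out.append(f"port {port:5d}: IPS={ips:9s} reply={'yes' if answered else 'no'}{note}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(ips_report(CAPTURE, FAST_LOG, TARGET)))
```

With the sample data, port 22 shows an alert-only rule and a SYN/ACK from the red host, which is exactly the symptom in the opening post: IPS log entries appear while nmap still sees the port open. Port 3389 shows a real drop with no reply, and 80/443 show no IPS reaction at all, so any filtering there came from the firewall rules, not the IPS.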

Okay, thanks, I will try that!