IPS and "apt update" Failure

Hi there,

After I enabled IPS using the “Emergingthreats.net Community Rules,” simple commands such as “apt update” failed. Dropbox services might also have been impacted…

Understanding the various Internet threats is very intimidating to me, but not turning on IPS makes me vulnerable. Wonder if there are some recipes we can use to know what specific rulesets are more relevant and would not cause any unintended side effects.

Thanks!

Bo

There may be too many IPS rules turned on. I ran into a similar issue with one IPS Rule:

https://forum.ipfire.org/viewtopic.php?f=27&t=22848&p=124976&hilit=apt

PS - sorry I don’t have a recommendation of what should be on or off

It’s a 5 year old post, but in case someone else has the same issue:
It is the policy subpacket (as also mentioned here)

Click on “customize ruleset” and find the policy rule

And then use Ctrl+F to find the two “APT” entries.

Deselect both. Click Apply!

Now “apt update” should work again as expected.
(Tested in Debian 12 behind IPFire. - Although the IPS is only running on the RED interface and none of the internal ones.)

Is it still the case that changes to individual entries in each rule will be undone during the next ruleset update? If so, then your instructions above will only work temporarily.

No, that isn’t the fact. Individual changes remain as set.

Hey Tim,
interesting comment. I’ll observe it.
If that would really be the case, we need to find another solution.

One could try to deselect the entire ‘emerging_policy.rules’ box then, however, chances are that it would then also be reset after an update.

Let’s find out…

This was my experience in the past. You could deselect the entire .rules file and that would stay deselected. But changing an individual rule within the .rules file would get undone at the next ruleset update. Maybe that has changed since my last experience.

To be more precise: I assumed that it was about switching one of the rules on/off. As far as I know, this remains the same even after updating the rulesets. A change as a new or modified existing rule will probably not actually be retained after an update.

So, some good news, and some bad news.

Good news: It seems the setting persists after rule-updates. So far APT is working fine on all my machines.

Bad News: The same problem has now appeared for background updates of the Arduino IDE. Any download of board-JSON files, for example from arduino.cc, throws an error.

So, I’ll search now for the interfering rule… Hints are appreciated. If I find something I’ll share it here.

EDIT: also reported here - it seems to be DNS related.
Which I can confirm already: ping arduino.cc fails with a “name resolution failed”. IDS disabled, it immediately works.

Though, I am not really sure why the other thread is considered as “solved”.
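
For the search for the interfering rule that the last posts describe, here is an added example (not from the thread and not IPFire code) that tallies dropped packets per rule for one client, so the rule to deselect under "customize ruleset" can be identified. It assumes the IPS writes alert lines in Suricata's fast.log layout; the log lines, SIDs and rule messages below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Suricata fast.log layout (assumed format).
# SIDs 9000001-9000003 and the rule messages are placeholders, not real rules.
SAMPLE_LOG = """\
01/15/2024-10:02:11.120001  [Drop] [**] [1:9000001:3] EXAMPLE POLICY APT User-Agent Outbound [**] [Classification: Policy Violation] [Priority: 1] {TCP} 192.168.1.20:51544 -> 198.51.100.7:80
01/15/2024-10:02:12.450002  [Drop] [**] [1:9000001:3] EXAMPLE POLICY APT User-Agent Outbound [**] [Classification: Policy Violation] [Priority: 1] {TCP} 192.168.1.20:51546 -> 198.51.100.7:80
01/15/2024-10:03:40.000003  [Drop] [**] [1:9000002:1] EXAMPLE DNS placeholder rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.20:40112 -> 192.168.1.1:53
01/15/2024-10:04:05.000004  [**] [1:9000003:2] EXAMPLE INFO alert only, not dropped [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51600 -> 203.0.113.9:443
01/15/2024-10:05:00.000005  [Drop] [**] [1:9000002:1] EXAMPLE DNS placeholder rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.33:40999 -> 192.168.1.1:53
"""

# Optional "[Drop]" action, then "[**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port".
LINE_RE = re.compile(
    r"(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)


def dropped_rules(log_text, client_ip):
    """Return [(sid, msg, dst_port, hits)] for rules that dropped client_ip's traffic."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Alert-only lines carry no "[Drop]" marker and did not block anything.
        if not m or m["action"] != "Drop":
            continue
        if client_ip not in (m["src"], m["dst"]):
            continue
        hits[(int(m["sid"]), m["msg"], int(m["dport"]))] += 1
    # Most frequent first; ties keep the order in which they appear in the log.
    return [(sid, msg, port, n) for (sid, msg, port), n in hits.most_common()]


if __name__ == "__main__":
    for sid, msg, port, n in dropped_rules(SAMPLE_LOG, "192.168.1.20"):
        print(f"sid={sid} dst_port={port} drops={n} msg={msg}")
```

A destination port of 53 among the results points at a rule matching DNS lookups rather than the download itself, which would fit the "name resolution failed" symptom reported above.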