IPS NOT working since enabling about a month ago

Hi guys

Summary: IPS has been enabled on my Red (internet facing) and Orange interfaces for the last month or so BUT it does not seem to work in that there are NO IPS logs ever recorded, AND I see lots of connection drops on the apps server logs in my Orange DMZ - drops that are from hackers and scanners and intruders from the Internet! So, I have to manually (and laboriously) add each and every one of these bad IPs to a group and get the FW to block them - but this is labour intensive and is something that an IPS should be able to handle.
HAS ANYONE experienced this issue? And if so could I get some urgent help PLEASE

Am running IPFire 2.29 (x86_64) - Core-Update 191 on a PC at home for the last three months or so.
Firewall has been working fine - I have got 4 interfaces (Green, Red, Orange, and Blue) configured and rulesets configured for them and the firewall is enforcing the rules I have set up, BUT IPS does not seem to be working!

Can you confirm that the IPS is showing that it is running?

If yes, then which ruleset provider(s) did you select?

And for each ruleset provider, which rulesets did you select?

THANK YOU very much Adolf for a very quick reply

Please see captures below.

Did I configure IPS correctly?

And please see below.

Sorry, I had to post two captures separately - the system says I am a new user and does not allow me to post two captures in one reply.

As a general note, IPS can be very resource intensive, so be careful about just selecting every provider and every ruleset that they provide.

Some of these rulesets can cause your system to stop allowing OS updates for your PCs.

For example there is a policy ruleset which blocks all apt updates that Debian or Ubuntu use. This ruleset is intended for businesses that want to control all OS updates centrally.

In terms of your setup, the IPS is physically running so that is good.

You have selected a big range of providers.

Did you then press the Customize ruleset button and select some of the available rulesets from those providers?

This shows an example for the Emerging Threats rulesets. The default for all the rulesets when first installed is for none to be enabled, as the choice to be made is dependent on each user's specific situation and requirements.

The wiki gives some guidance on how to figure out for your setup the best providers to consider and how to figure out which rulesets make sense for your requirements.
https://www.ipfire.org/docs/configuration/firewall/ips/rulesets
https://www.ipfire.org/docs/configuration/firewall/ips/rule-selection

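IPFire's IPS is Suricata, and the symptom in this thread (engine running, zero IPS log entries) is easiest to tell apart from "engine not running" by looking at what the engine actually writes. The following is an added example, not code from the thread or from the IPFire project: it parses a handful of constructed Suricata EVE JSON lines (the standard `event_type` / `src_ip` / `alert` fields), counts alerts per source IP and signature, and reports which of three states you are in: no events at all, events but no alerts (engine runs but no enabled rule fired, which is exactly the unconfigured-ruleset case above), or alerts present. The signature ids and IPs are constructed, and the log file path in the usage note is an assumption; IPFire may place the file elsewhere.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (not taken from the thread).
# Line 1 is a plain flow record, lines 2-4 are alerts, line 5 is deliberately
# malformed to show that the parser skips junk instead of crashing.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-05-01T10:00:01+0000","event_type":"flow",'
    '"src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"TCP"}',
    '{"timestamp":"2025-05-01T10:00:02+0000","event_type":"alert",'
    '"src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED SCAN example",'
    '"severity":2,"action":"blocked"}}',
    '{"timestamp":"2025-05-01T10:00:03+0000","event_type":"alert",'
    '"src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":9000002,"signature":"CONSTRUCTED WEB example",'
    '"severity":1,"action":"blocked"}}',
    '{"timestamp":"2025-05-01T10:00:04+0000","event_type":"alert",'
    '"src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED SCAN example",'
    '"severity":2,"action":"allowed"}}',
    'this line is not JSON and must be skipped',
]


def parse_eve(lines):
    """Parse EVE JSON lines into dicts, skipping lines that are not JSON objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def summarize_alerts(events):
    """Count alert events by source IP and signature, and how many were blocked."""
    alerts = [e for e in events if e.get("event_type") == "alert"]
    by_src = Counter(a.get("src_ip", "?") for a in alerts)
    by_sig = Counter(a.get("alert", {}).get("signature", "?") for a in alerts)
    blocked = sum(1 for a in alerts if a.get("alert", {}).get("action") == "blocked")
    return {
        "total_events": len(events),
        "alerts": len(alerts),
        "blocked": blocked,
        "by_src_ip": by_src,
        "by_signature": by_sig,
    }


def diagnose(summary):
    """Turn the counts into the three states a defender wants to tell apart."""
    if summary["total_events"] == 0:
        return "no events at all: the engine is not writing to this log"
    if summary["alerts"] == 0:
        return ("events but no alerts: the engine runs but no rule fired "
                "(are any rulesets enabled?)")
    return (f"{summary['alerts']} alerts from {len(summary['by_src_ip'])} source IPs, "
            f"{summary['blocked']} blocked")


if __name__ == "__main__":
    # To run against a real log, replace SAMPLE_EVE_LINES with
    # open("/var/log/suricata/eve.json") (assumed path; check where IPFire writes it).
    summary = summarize_alerts(parse_eve(SAMPLE_EVE_LINES))
    print(diagnose(summary))
    for ip, n in summary["by_src_ip"].most_common():
        print(f"{ip:>16}  {n} alerts")
```

The "events but no alerts" branch is the one worth watching for: a running engine with every ruleset left unselected produces flow records but never an alert, which looks from the web UI exactly like "IPS not working".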

Thank you very much again Adolf - it is my bad! I did not press the "Customize ruleset" button and select some of the rulesets from those providers. Am going to read the wiki pointers you gave and go from there.

You said:
"For example there is a policy ruleset which blocks all apt updates that Debian or Ubuntu use. This ruleset is intended for businesses that want to control all OS updates centrally."

Could I ask what that ruleset is so I don't accidentally enable it?

Thank you Adolf


This post will help you with that.

https://community.ipfire.org/t/the-ips-blocking-all-linux-mint-update-repositories-including-mirrors-solved/13289

Very grateful for your kind help Adolf! It is much appreciated!
