IPS Whitelist not working again - core 178-180

Previously, a whitelist bug was detected and fixed on an older version of the ipfire kernel - IPS Whitelist not working.
Now the problem is repeated on version 178. I tried to upgrade to 179, 180 - the problem is not fixed.

I add the ip to the whitelist, apply the settings. Traffic does not pass. Message from logs:
Oct 17 11:33:02 hostname kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=*** SRC=...119 DST=...* LEN=83 TOS=0x00 PREC=0x00 TTL=58 ID=16156 DF PROTO=TCP SPT=53072 DPT=443 WINDOW=343 RES=0x00 ACK PSH URGP=0

DROP_NEWNOTSYN was not generated by the IPS so the IPS Whitelist has nothing to do with it.

DROP_NEWNOTSYN is generated if the firewall receives a packet that has no matching connection and is not a SYN packet. Such packets can be dropped because the receiver would also only drop them. Often this is caused by bad TCP implementations, or if a connection with high latency was closed by the other peer and the sender has not received the RST packet yet.

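To make the distinction in the reply above concrete, here is a small parser for netfilter kernel log lines of the kind quoted in the question. It is an added illustration written for this thread, not IPFire code; the sample lines are constructed with documentation addresses rather than copied from a live box. It splits the line into the log prefix, the key=value fields and the bare TCP flag tokens, and then reports why a DROP_NEWNOTSYN entry is a connection-tracking decision of the firewall rather than an IPS verdict (a TCP packet carrying ACK/PSH but no SYN, for which no tracked connection exists).

```python
"""Parse netfilter/iptables kernel log lines and explain DROP_NEWNOTSYN.

Added example for this thread, not IPFire's own code. The sample lines
below are constructed (RFC 5737 addresses), not taken from a real system.
"""
import re
from dataclasses import dataclass, field

# Tokens netfilter prints without a value. The TCP flag names are what the
# "NEW but not SYN" state check is about; DF/MF/CE are IP-level bits.
TCP_FLAG_TOKENS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}
OTHER_BARE_TOKENS = {"DF", "MF", "CE"}

# Constructed sample: same shape as the line quoted in the question.
SAMPLE_NEWNOTSYN = (
    "Oct 17 11:33:02 fw kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=83 TOS=0x00 PREC=0x00 TTL=58 ID=16156 DF "
    "PROTO=TCP SPT=53072 DPT=443 WINDOW=343 RES=0x00 ACK PSH URGP=0"
)
# Constructed sample of an ordinary SYN that was dropped by an input rule.
SAMPLE_SYN = (
    "Oct 17 11:40:10 fw kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0"
)

@dataclass
class NetfilterEntry:
    prefix: str                      # log prefix set by the firewall rule, e.g. DROP_NEWNOTSYN
    fields: dict = field(default_factory=dict)   # key=value pairs (IN, SRC, DPT, ...)
    tcp_flags: set = field(default_factory=set)  # bare TCP flag tokens (ACK, PSH, SYN, ...)
    bare: set = field(default_factory=set)       # other bare tokens (DF, MF, CE)

# "kernel:" then an optional upper-case prefix, then the IN=... field list.
_KERNEL_RE = re.compile(r"kernel:\s+(?:(?P<prefix>[A-Z][A-Z0-9_]*)\s+)?(?P<rest>IN=.*)$")

def parse_netfilter_line(line: str) -> NetfilterEntry:
    """Split one kernel log line into prefix, fields and flag tokens."""
    m = _KERNEL_RE.search(line)
    if not m:
        raise ValueError("not a netfilter kernel log line")
    entry = NetfilterEntry(prefix=m.group("prefix") or "")
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= yields an empty value
            entry.fields[key] = value
        elif tok in TCP_FLAG_TOKENS:
            entry.tcp_flags.add(tok)
        elif tok in OTHER_BARE_TOKENS:
            entry.bare.add(tok)
    return entry

def is_new_not_syn(entry: NetfilterEntry) -> bool:
    """A TCP packet without SYN cannot open a connection; if conntrack has
    no state for it, it is exactly what the NEWNOTSYN rule drops."""
    return entry.fields.get("PROTO") == "TCP" and "SYN" not in entry.tcp_flags

def explain(entry: NetfilterEntry) -> str:
    """Human-readable reason, pointing the reader at the right log to check."""
    f = entry.fields
    where = (f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} "
             f"on {f.get('IN') or '?'}")
    if entry.prefix == "DROP_NEWNOTSYN" and is_new_not_syn(entry):
        return (f"firewall connection tracking dropped {where}: TCP flags "
                f"{sorted(entry.tcp_flags)} without SYN and no tracked connection; "
                f"this is not an IPS verdict, so the IPS whitelist does not apply")
    return f"{entry.prefix or 'no prefix'} dropped {where}"

if __name__ == "__main__":
    for line in (SAMPLE_NEWNOTSYN, SAMPLE_SYN):
        print(explain(parse_netfilter_line(line)))
```

Running it on the constructed lines prints a "firewall connection tracking dropped ..." explanation for the NEWNOTSYN entry and a plain "DROP_INPUT dropped ..." line for the SYN sample, which is the same distinction the reply draws: the DROP_NEWNOTSYN prefix comes from the firewall's state rule, so the IPS log (and not the firewall log) is where an IPS block would show up.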

Strange, the address of the resource I need is added to the firewall as allowed by the required protocol, port. I noticed that traffic gets to the target device if disable IPS. That’s why I decided it was her.
Thank you for your quick response.

Then you have to check the IPS logs, not the firewall. I'm also not sure if all IPS rules can be skipped via the whitelist.