It appears that the IPFire Intrusion Protection System (IPS) is blocking access to all of the primary Linux Mint update Repositories and all of the Mirror sites.
If the IPFire IPS is turned OFF entirely (or just the RED network), there are no Linux Mint update issues at all.
The IPFire IPS seems to resolve to Securi.net for all the pass-through site/IP checks, so I’m guessing the issue is with their database.
There seems to be far too many resolved IP addresses associated with all of the various Linux Mint update Repository site combinations, making it quite difficult to add a consistent list of exclusions worth adding to the IPFire IPS.
Does anyone have suggestions on how to solve this, or is the problem somewhere else (eg. PEBKAC) that I’m not aware of?
Linux Mint uses apt-get for its updates. If the IPS is blocking the updates then you will likely have installed the Emergingthreats.net Community Rules.
Have you then selected the emerging-policy.rules rule
By default this rule is defined to block all APT traffic, including outgoing requests.
There are two APT rules, one of which is selected by default and is intended for IT policy requirements that want to control package updates via a centralised package update system and stop users updating their systems themselves.
Either you should deselect the overall emerging-policy.rules entry or if you need some of the other policy rules to be in place then you should deselect the ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
rule within that rule collection.
When digging into the ‘Emergingthreats,net Community Rules’ with the ‘Customize ruleset’ button, there are enough ‘ET POLICY xxxxxx’ conditions tucked away under that little ‘Show’ link, associated with the ‘emerging-policy.rules’, to make a Security Admin’s head spin like Regan MacNeil’s, for at least a week.
This ET POLICY was Enabled, so I’ve now Disabled it, and hit the ‘Apply’ button at the bottom of page:
ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
This ET POLICY was already Disabled, so left as is:
ET POLICY APT User-Agent to BackTrack Repository
This small change has instantly [SOLVED] this issue with blocking of the Linux Mint update Repositories and Mirrors.
I would NEVER have found these settings without your assistance.
