Not sure why the web proxy is blocking services like “apt”
Web Proxy is enabled on Green, Transparent proxy is disabled.
Can’t update a Linux box; doing sudo apt update gets blocked
- connect (111: Connection refused) Cannot initiate the connection
Could not connect to archive.raspberrypi.org:80 (46.235.231.151). - connect (111: Connection refused) Cannot initiate the connection to archive.raspberrypi.org:80
When I shut down the Web proxy service, issues resolve immediately.
URL Filter Log is completely empty, so not sure why this happens.
Apparently, apt continues to try to establish direct internet connections (though I am surprised to see these attempts ending in an ICMP reject rather than being silently dropped - did you configure your IPFire according to that?).
Please double-check that apt is really using the configured proxy.
I think you have a rule that blocks all the traffic on the red interface that is not directed to the proxy. Setting squid to cache traffic on other ports has no effect on that rule. Hence, when APT tries to connect directly (because it was not configured to use the proxy), your firewall intercepts that traffic and rejects it. You either configure apt to use the proxy, or you need to create an allow rule in your firewall for the Debian machine, coming before the deny rule.
EDIT: on second thought, my hypothesis is not supported by the fact that shutting down the proxy is sufficient to remove the problem. If APT tries to connect directly, why would shutting down the proxy alone fix the problem? Are you sure the transparent option is not active?
Do you have IPS running?
I ran ET emerging-policy rules and had to deactivate "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management" which showed up in IPS logs.
That was my suspicion too, in Firewall options, but I don’t think it will apply on Green.
Firewall options for BLUE interface
Drop all packets not addressed to proxy
Transparent on Green is Unchecked. So I assume it was not active.
I tried that but no luck.
Yes, IPS is running, but I disabled that rule a long time ago. Good point.
In the end, I think it was the Proxy service blocking APT. I tried changing to a different mirror, but got blocked too.
I shut down the proxy and have no issues anymore.
This is what I do not understand: if your Debian machine is not set to use the proxy, and there is no transparent proxy, it should connect directly to the Debian repository. Then, if all these premises are correct, why does shutting down the proxy solve the problem?
Yes, I agree, not just a single Debian machine but all the machines that I tried were doing it, which were Raspberry OS, and a few Ubuntu…
When I get time, I will turn the Proxy back on and try more ideas.
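Added example, not part of the thread: a shell helper for the check suggested above, whether apt on the client really uses a configured proxy or connects directly. It reads `apt-config dump` output and applies the order documented in apt.conf(5): per-host `Acquire::http::Proxy::<host>`, then `Acquire::http::Proxy`, then the `http_proxy` environment variable. The function names are made up for this example, and `Proxy-Auto-Detect` and `no_proxy` are not handled.

```shell
#!/bin/sh
# Added example: which HTTP proxy, if any, will apt use for a given mirror?

# conf_value KEY
# Reads `apt-config dump` text on stdin (lines of the form: Key "value";)
# and prints the last non-empty value set for KEY. Option names are
# compared case-insensitively, as apt does.
conf_value() {
    awk -v key="$1" '
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[^"]*"/, "", v)      # drop everything up to the opening quote
            sub(/";[ \t]*$/, "", v)    # drop the closing quote and semicolon
            last = v
        }
        END { if (last != "") print last }'
}

# effective_apt_proxy HOST
# Reads `apt-config dump` text on stdin and prints the proxy URL apt would
# use for HOST, or DIRECT when it would open the connection itself.
effective_apt_proxy() {
    host=$1
    dump=$(cat)
    per_host=$(printf '%s\n' "$dump" | conf_value "Acquire::http::Proxy::$host")
    global=$(printf '%s\n' "$dump" | conf_value "Acquire::http::Proxy")
    if [ -n "$per_host" ]; then
        echo "$per_host"            # may itself be the keyword DIRECT
    elif [ -n "$global" ]; then
        echo "$global"
    elif [ -n "${http_proxy:-}" ]; then
        echo "$http_proxy"          # environment fallback
    else
        echo DIRECT
    fi
}

# On a client with apt installed, report the decision for the mirror
# named in the error message quoted in the thread.
if command -v apt-config >/dev/null 2>&1; then
    apt-config dump | effective_apt_proxy archive.raspberrypi.org
fi
```

An exported `http_proxy` may not survive `sudo`, depending on the `env_keep` setting in sudoers, so run the check the same way apt itself is run.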