I enabled Intrusion Prevention System on all interfaces and it shows alerts from attacks, but I noticed that IPFire is not blocking them as expected. I disabled "Monitor traffic only
What can I do to block detected attacks? I’m sure IPFire is not blocking the attacks because I run a sniffer on the target machine.
Images showing my configurations:
I disabled “Monitor traffic only” but it keeps not blocking attacks.
Welcome to the IPFire community.
Did you press the customise ruleset button and select the rules you want to have activated?
Yes, they are activated. I see alerts in IPS Log Viewer. But it keeps not blocking attacks.
Should I do anything more?
Why do you think things aren’t being blocked?
I performed a telnet brute force attack to test it.
Then, with Wireshark on the target machine, I saw that I was receiving Telnet attempts.
It might be worth going to the Emerging Threats site and looking up what the telnet rules are expected to do. Should they block or only alert? What types of traffic will trigger them to block?
I had a look through the telnet rule definitions. They were defined back in 2016 and are all alert only, so nothing will be blocked in any situation.
This confirms that when selecting rule sets it is worthwhile to look up what they are actually doing to ensure the result will be as expected.
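
The check described in the last post, as an added example that is not part of the thread: a Python script that reads Suricata-format rules and reports which enabled rules carry a blocking action (`drop`/`reject`) and which only alert. The sample rules, their sids and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Actions Suricata accepts as the first word of a rule.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
BLOCKING = ACTIONS - {"alert", "pass"}

# action proto src sport ->|<> dst dport (options); a leading '#' marks a disabled rule.
# Simplification: address/port lists containing spaces are not matched.
RULE_RE = re.compile(
    r'^(#\s*)?(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$')

# Constructed sample rules, not taken from any published ruleset.
SAMPLE_RULES = '''\
# Constructed sample rules for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE TELNET login attempt"; flow:to_server; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE TELNET repeated login failures"; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE TELNET disabled rule"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; sid:1000004; rev:1;)
'''

def parse_rule(line):
    """Return action, enabled flag, sid and msg for a rule line, or None."""
    m = RULE_RE.match(line.strip())
    if not m or m.group(2) not in ACTIONS:
        return None
    opts = m.group(3)
    sid = re.search(r'\bsid\s*:\s*(\d+)', opts)
    msg = re.search(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"', opts)
    return {"action": m.group(2), "enabled": m.group(1) is None,
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else ""}

def summarize(text, keyword=""):
    """Count actions of enabled rules whose msg contains keyword.

    Also returns the sids of matching rules that can never block."""
    counts, non_blocking = Counter(), []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["enabled"] and keyword.lower() in rule["msg"].lower():
            counts[rule["action"]] += 1
            if rule["action"] not in BLOCKING:
                non_blocking.append(rule["sid"])
    return counts, non_blocking

if __name__ == "__main__":
    counts, non_blocking = summarize(SAMPLE_RULES, "telnet")
    print("actions:", dict(counts))
    print("enabled but alert/pass only:", non_blocking)
```

To inspect a real ruleset, pass the text of a downloaded rules file to `summarize()` in place of `SAMPLE_RULES`.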