• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Linux apt update/upgrade stopped working

Scheduled Pinned Locked Moved General pfSense Questions
25 Posts 7 Posters 2.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    stephenw10 Netgate Administrator
    last edited by May 3, 2022, 4:02 PM

    But is the block still in the table?

    M 1 Reply Last reply May 4, 2022, 3:18 AM Reply Quote 0
    • B
      bmeeks @maddy_in65
      last edited by bmeeks May 4, 2022, 12:44 AM May 4, 2022, 12:36 AM

      @maddy_in65 said in Linux apt update/upgrade stopped working:

      @stephenw10
      Tested apt updates by disabling & uninstalling Snort but no luck 😞

      Snort (and Suricata), when running in Legacy Mode Blocking, utilizes the pfSense firewall engine for blocking an IP address. It does so by making a system call that results in placing the IP to be blocked into a pre-defined pf table called snort2c. This is the table @stephenw10 is asking you about. Even when you disable the Snort service, or if you remove the package, any IP addresses that have been previously added to that snort2c pf table remain there and the blocks will persist.

      You can clear the table three ways: (1) when Snort is installed, go to the BLOCKS tab and click the button to remove all blocked hosts; (2) use the option under DIAGNOSTICS > TABLES in pfSense to display the snort2c table and remove any resident IP addresses; or (3) by rebooting the firewall. Rebooting clears the table of IP addresses because the table is purely a RAM construct.

      BUT, I don't think Snort is your problem here. Way back up you showed a screenshot of the BLOCKS tab from Snort, and there were zero blocked hosts displayed. That means Snort is not blocking anything. It reads the snort2c table contents directly and displays them on that tab, so if the tab shows no blocks then the table is empty.

      1 Reply Last reply Reply Quote 0
      • M
        maddy_in65 @stephenw10
        last edited by May 4, 2022, 3:18 AM

        @stephenw10
        There is no host entry in snort2c table.

        2f56b4eb-9359-4a3b-a292-3d22a16db004-image.png

        1 Reply Last reply Reply Quote 0
        • S
          stephenw10 Netgate Administrator
          last edited by May 4, 2022, 10:23 AM

          Mmm, not Snort then. It sure 'feels' like Snort though because it definitely blocks apt update traffic if you just enable all the signatures. I've seen that myself.

          Something else is preventing it on that VLAN then. Is there anything else the traffic passes through? Filtering on an access point or similar?

          Otherwise I would be looking at states and running packet captures to see what's actually happening.

          Steve

          1 Reply Last reply Reply Quote 1
          • D
            dem
            last edited by May 5, 2022, 4:50 PM

            @maddy_in65 From what you've posted it seems like only outbound traffic to port 80 from the problem VLAN is failing. Maybe run grep ' 80 ' /tmp/rules.debug and look for something other than the standard "anti-lockout rule"?

            1 Reply Last reply Reply Quote 0
            21 out of 25
            • First post
              21/25
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received