Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Linux apt update/upgrade stopped working

    Scheduled Pinned Locked Moved General pfSense Questions
    25 Posts 7 Posters 3.0k Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Online
      stephenw10 Netgate Administrator
      last edited by

      But is the block still in the table?

      M 1 Reply Last reply Reply Quote 0
      • bmeeksB Online
        bmeeks @maddy_in65
        last edited by bmeeks

        @maddy_in65 said in Linux apt update/upgrade stopped working:

        @stephenw10
        Tested apt updates by disabling & uninstalling Snort but no luck 😞

        Snort (and Suricata), when running in Legacy Mode Blocking, utilizes the pfSense firewall engine for blocking an IP address. It does so by making a system call that results in placing the IP to be blocked into a pre-defined pf table called snort2c. This is the table @stephenw10 is asking you about. Even when you disable the Snort service, or if you remove the package, any IP addresses that have been previously added to that snort2c pf table remain there and the blocks will persist.

        You can clear the table three ways: (1) when Snort is installed, go to the BLOCKS tab and click the button to remove all blocked hosts; (2) use the option under DIAGNOSTICS > TABLES in pfSense to display the snort2c table and remove any resident IP addresses; or (3) by rebooting the firewall. Rebooting clears the table of IP addresses because the table is purely a RAM construct.

        BUT, I don't think Snort is your problem here. Way back up you showed a screenshot of the BLOCKS tab from Snort, and there were zero blocked hosts displayed. That means Snort is not blocking anything. It reads the snort2c table contents directly and displays them on that tab, so if the tab shows no blocks then the table is empty.

        1 Reply Last reply Reply Quote 0
        • M Offline
          maddy_in65 @stephenw10
          last edited by

          @stephenw10
          There is no host entry in snort2c table.

          2f56b4eb-9359-4a3b-a292-3d22a16db004-image.png

          1 Reply Last reply Reply Quote 0
          • stephenw10S Online
            stephenw10 Netgate Administrator
            last edited by

            Mmm, not Snort then. It sure 'feels' like Snort though because it definitely blocks apt update traffic if you just enable all the signatures. I've seen that myself.

            Something else is preventing it on that VLAN then. Is there anything else the traffic passes through? Filtering on an access point or similar?

            Otherwise I would be looking at states and running packet captures to see what's actually happening.

            Steve

            1 Reply Last reply Reply Quote 1
            • demD Offline
              dem
              last edited by

              @maddy_in65 From what you've posted it seems like only outbound traffic to port 80 from the problem VLAN is failing. Maybe run grep ' 80 ' /tmp/rules.debug and look for something other than the standard "anti-lockout rule"?

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.