Great work on adding Block Duration — it’s a very welcome improvement! When Block Duration is set and rules/signatures trigger, they clearly end up in iptables drop rules, and, for example, consecutive curl calls to testmyids.org end up hanging there. Great!
Here are a few suggestions that could further enhance usability and performance:
- Rule comments: Add optional comments to IPS-inserted iptables rules (e.g., signature ID info) for easier troubleshooting.
- Use ipset for blocklists: Replace per-flow iptables rule pairs with ipset-based blocking for better performance and scalability.
- Include signature info in logs: When adding/removing IPS blocks, include signature ID/severity in /var/log/messages.
- Clarify bidirectional blocking: Add a short tooltip explaining that IPS blocks both directions by default.
- Configurable block direction & action: Allow choosing unidirectional vs bidirectional blocking, and drop vs reject. Ideally also per-signature and/or per-severity.
- Ignored-rule management: Provide a page to view/reset ignored rules without clearing all IPS state.
- Add IDS/IPS status counters, a few ideas:
  • Total alerts & alerts by severity
  • Number of current blocked IP pairs & active ignored rules
  • Top talkers/destinations triggering alerts
  • IPS drops per minute & conntrack deletions
  • Most-triggered signatures (noise detectors)
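As an added example (not code from the original post or from the firewall project it discusses), a dry-run-by-default shell sketch of how the ipset, rule-comment, logging and direction/action suggestions above fit together: one ipset per direction whose entry timeout is the Block Duration, two fixed iptables rules instead of per-flow rule pairs, and a signature ID on every entry and log line. Set names, function names and the log-line format are assumptions.

```shell
#!/bin/sh
# Added example, not the product's own code. Set/function names are assumptions.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them and then
# needs root plus the ipset and iptables binaries.
DRY_RUN="${DRY_RUN:-1}"
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"   # Block Duration, used as the ipset entry timeout
ACTION="${ACTION:-DROP}"                # DROP or REJECT, applied to the two match rules

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the sets and the two rules once. Expired entries vanish on their own, so
# nothing has to walk iptables to remove per-flow rules after the block duration.
ips_setup() {
    run ipset -exist create ips_block_src hash:ip timeout "$BLOCK_SECONDS" comment
    run ipset -exist create ips_block_dst hash:ip timeout "$BLOCK_SECONDS" comment
    run iptables -I INPUT  -m set --match-set ips_block_src src \
        -m comment --comment "IPS blocklist (inbound)" -j "$ACTION"
    run iptables -I OUTPUT -m set --match-set ips_block_dst dst \
        -m comment --comment "IPS blocklist (outbound)" -j "$ACTION"
}

# ips_block IP SID SEVERITY [inbound|outbound|both]; "both" is today's bidirectional block.
# Re-adding an address with -exist restarts its timeout, so a signature that keeps
# firing extends the block instead of failing with "element already exists".
ips_block() {
    ip="$1"; sid="$2"; sev="$3"; dir="${4:-both}"
    case "$dir" in
        inbound|both)  run ipset -exist add ips_block_src "$ip" timeout "$BLOCK_SECONDS" comment "sid:$sid sev:$sev" ;;
    esac
    case "$dir" in
        outbound|both) run ipset -exist add ips_block_dst "$ip" timeout "$BLOCK_SECONDS" comment "sid:$sid sev:$sev" ;;
    esac
    # Signature ID and severity go to syslog alongside the block itself.
    run logger -t ips "block ip=$ip sid=$sid severity=$sev direction=$dir duration=${BLOCK_SECONDS}s"
}

# Demo (dry run): 192.0.2.10 and sid 2100498 are constructed sample values.
ips_setup
ips_block 192.0.2.10 2100498 2 both
```

`ipset list ips_block_src` shows the live entries with their remaining timeouts and comments, and `iptables -vnxL INPUT` gives exact packet counters on the single match rule, which covers the "IPS drops" counter idea without per-flow rules.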