> On 18. Feb 2023, at 23:34, Patrick Welche <prlw1%welche.eu@localhost> wrote:
>
> 12 hours after rebooting
>
> # npfctl rule blocklistd list
> block in final family inet4 proto tcp from 61.177.173.35/32 to any port 22 # id="1"
> #
>
> contains a single block, yet /var/log/messages is full:
>
> Feb 18 17:47:44 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 18:18:00 mail blocklistd[596]: released 171.225.184.179/32:22 after 172800 seconds
> Feb 18 18:18:07 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 18:35:18 mail blocklistd[596]: blocked 31.41.244.124/32:22 for 172800 seconds
> Feb 18 18:48:10 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 19:18:02 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 20:18:13 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 20:47:46 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 21:17:48 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 21:47:55 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
>
> If something were misconfigured, I would expect no hosts in the ruleset,
> rather than some (or one). How can this work partially?
>
> extract of npf.conf:
>
> group "external" on $ext_if {
>         pass stateful out final all
>
>         ruleset "blocklistd"
>
> ...

Looks like your ruleset "blocklistd" never fires, as the rule above it is "final all".

--
J. Hannken-Illjes - hannken%mailbox.org@localhost
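As an added example (not part of the thread, and not Patrick Welche's actual npf.conf), the ordering that Hannken-Illjes's diagnosis points at. NPF evaluates the rules of a group in sequence, and once a rule marked `final` matches, no later rule in that group is consulted; a dynamic ruleset placed after such a rule is therefore dead for every packet the `final` rule matches. The `$ext_if` interface name and the explicit SSH `pass` rule are assumptions for illustration; only one `group "external"` belongs in a real file, both are shown here for contrast.

```conf
# Added example, not the configuration quoted in the thread.
# $ext_if = inet4(wm0) and the ssh pass rule are assumptions.
$ext_if = inet4(wm0)

# Ordering as quoted: the "final" pass rule is evaluated first.
# Any packet it matches stops here, so the dynamic ruleset that
# blocklistd(8) fills with "npfctl rule blocklistd add" entries is
# never reached for that traffic.
group "external" on $ext_if {
        pass stateful out final all
        ruleset "blocklistd"
}

# Reordered: the dynamic ruleset is consulted before any "final"
# rule, so a "block in final ... to any port 22" entry that blocklistd
# adds for a brute-forcing host actually takes effect.
group "external" on $ext_if {
        ruleset "blocklistd"
        pass stateful out final all
        pass stateful in final proto tcp to $ext_if port ssh
}
```

After editing, `npfctl validate /etc/npf.conf` checks the syntax, `npfctl reload` loads it, and `npfctl show` prints the active rules in the order NPF evaluates them; `npfctl rule blocklistd list`, as in the quoted message, shows what blocklistd has inserted into the dynamic ruleset, so the two outputs can be compared against the blocklistd lines in /var/log/messages.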