Current-Users archive


blocklist puzzle



I see in /var/log/messages (NetBSD-10.99.2/XEN3_DOMU/amd64):


...
Feb 18 00:19:16 mail blocklistd[625]: blocked 195.226.194.142/32:22 for 172800 seconds
Feb 18 00:49:33 mail blocklistd[625]: blocked 195.226.194.142/32:22 for 172800 seconds
Feb 18 01:18:58 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 01:49:45 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 02:18:50 mail blocklistd[625]: blocked 195.226.194.142/32:22 for 172800 seconds
Feb 18 02:49:23 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 03:49:05 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 04:18:15 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 04:49:27 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 05:18:16 mail blocklistd[625]: blocked 195.226.194.142/32:22 for 172800 seconds
Feb 18 05:49:14 mail blocklistd[625]: blocked 195.226.194.242/32:22 for 172800 seconds
Feb 18 06:48:01 mail blocklistd[625]: blocked 195.226.194.142/32:22 fo

172800 seconds = 48 hours, so the hourly attempt shouldn't make it.

# npfctl rule blocklistd list | grep 195.226
# 

but npf doesn't appear to be blocking it, though some are blocked:

# npfctl rule blocklistd list 
block in final family inet4 proto tcp from 179.60.147.157/32 to any port 22 # id="d" 
block in final family inet4 proto tcp from 171.225.184.179/32 to any port 22 # id="f" 
block in final family inet4 proto tcp from 113.249.95.65/32 to any port 22 # id="10" 
...


(I noticed while wondering why mail to said domu stops being received, which
seems to happen every 4 days.)

Thoughts?


Cheers,

Patrick
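
The cross-check described in the post (blocklistd "blocked" log lines against the output of `npfctl rule blocklistd list`), as an added example that is not part of the original message. The sample input is constructed with documentation addresses, the function name `audit_blocks` is hypothetical, and the year is passed in because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the two formats quoted in the post (RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 18 00:19:16 mail blocklistd[625]: blocked 192.0.2.10/32:22 for 172800 seconds
Feb 18 00:49:33 mail blocklistd[625]: blocked 192.0.2.10/32:22 for 172800 seconds
Feb 18 01:18:58 mail blocklistd[625]: blocked 198.51.100.7/32:22 for 172800 seconds
Feb 18 02:18:50 mail blocklistd[625]: blocked 192.0.2.10/32:22 for 172800 seconds
Feb 18 03:02:11 mail blocklistd[625]: blocked 203.0.113.5/32:22 for 172800 seconds
Feb 18 06:48:01 mail blocklistd[625]: blocked 192.0.2.10/32:22 fo
"""
SAMPLE_RULES = """\
block in final family inet4 proto tcp from 198.51.100.7/32 to any port 22 # id="d"
"""

LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ blocklistd\[\d+\]: "
                    r"blocked (\S+)/(\d+):(\d+) for (\d+) seconds")
RULE_RE = re.compile(r"^block in final family \S+ proto \S+ "
                     r"from (\S+)/(\d+) to any port (\d+)")

def audit_blocks(log_text, rules_text, now, year):
    """Return {(addr, mask, port): findings} for blocks that look ineffective.

    reblocks:     "blocked" events logged while an earlier block on the same
                  address/port had not yet expired.
    missing_rule: latest block is still within its duration at `now`, but no
                  matching rule is present in the ruleset listing.
    """
    rules = {m.groups() for line in rules_text.splitlines()
             if (m := RULE_RE.match(line.strip()))}
    expiry, report = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:            # truncated or unrelated line: skip it
            continue
        stamp, addr, mask, port, secs = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (addr, mask, port)
        entry = report.setdefault(key, {"reblocks": 0, "missing_rule": False})
        if key in expiry and ts < expiry[key]:
            entry["reblocks"] += 1
        expiry[key] = ts + timedelta(seconds=int(secs))
    for key, entry in report.items():
        entry["missing_rule"] = now < expiry[key] and key not in rules
    return {k: v for k, v in report.items() if v["reblocks"] or v["missing_rule"]}

if __name__ == "__main__":
    for k, v in audit_blocks(SAMPLE_LOG, SAMPLE_RULES, datetime(2024, 2, 18, 7, 0), 2024).items():
        print(k, v)
```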

