Greetings:

Given that an IP address is blocked using APF (apf -d option), am I correct that all incoming and outgoing communication from the IP address will be blocked?

CODE
iptables -vnL | grep 75.2.205.141
    0     0 DROP       all  --  *      *       75.2.205.141         0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            75.2.205.141


If the attacker was email harvesting, and the mail service was shut down until "netstat -an | grep 75.2.205.141" showed no established connections, why would the IP still be in ip_conntrack?

CODE
grep '75.2.205.141' /proc/net/ip_conntrack
tcp      6 406783 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.50 sport=57011 dport=110 packets=5 bytes=214 src=xx.yy.zz.50 dst=75.2.205.141 sport=110 dport=57011 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 406187 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.52 sport=37048 dport=110 packets=4 bytes=174 src=xx.yy.zz.52 dst=75.2.205.141 sport=110 dport=37048 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407494 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.51 sport=38937 dport=110 packets=3 bytes=134 src=xx.yy.zz.51 dst=75.2.205.141 sport=110 dport=38937 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407452 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.53 sport=41219 dport=110 packets=4 bytes=176 src=xx.yy.zz.53 dst=75.2.205.141 sport=110 dport=41219 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407393 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.51 sport=33467 dport=110 packets=5 bytes=216 src=xx.yy.zz.51 dst=75.2.205.141 sport=110 dport=33467 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407189 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.54 sport=33040 dport=110 packets=6 bytes=264 src=xx.yy.zz.54 dst=75.2.205.141 sport=110 dport=33040 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407346 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.50 sport=61222 dport=110 packets=5 bytes=216 src=xx.yy.zz.50 dst=75.2.205.141 sport=110 dport=61222 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 406858 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.71 sport=36993 dport=110 packets=7 bytes=310 src=xx.yy.zz.71 dst=75.2.205.141 sport=110 dport=36993 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 414830 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.52 sport=46914 dport=110 packets=3 bytes=134 src=xx.yy.zz.52 dst=75.2.205.141 sport=110 dport=46914 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407236 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.50 sport=62173 dport=110 packets=5 bytes=216 src=xx.yy.zz.50 dst=75.2.205.141 sport=110 dport=62173 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 406631 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.50 sport=32933 dport=110 packets=5 bytes=222 src=xx.yy.zz.50 dst=75.2.205.141 sport=110 dport=32933 packets=2 bytes=96 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407387 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.55 sport=41839 dport=110 packets=6 bytes=264 src=xx.yy.zz.55 dst=75.2.205.141 sport=110 dport=41839 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407435 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.53 sport=40040 dport=110 packets=5 bytes=216 src=xx.yy.zz.53 dst=75.2.205.141 sport=110 dport=40040 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 407311 ESTABLISHED src=75.2.205.141 dst=xx.yy.zz.54 sport=36224 dport=110 packets=5 bytes=216 src=xx.yy.zz.54 dst=75.2.205.141 sport=110 dport=36224 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1


Are there any reasons, after the IP was blocked and the connections from the mail server were removed (i.e. the mail server was shut down until there were no established connections; the IP is still in iptables per above), that one would see the following come in later in /var/log/maillog?

CODE
Sep 22 14:30:06 server02 vpopmail[10790]: vchkpw-pop3: vpopmail user not found california@:75.2.205.141
Sep 22 14:30:06 server02 vpopmail[10833]: vchkpw-pop3: vpopmail user not found bunny@:75.2.205.141
Sep 22 14:30:06 server02 vpopmail[10840]: vchkpw-pop3: vpopmail user not found butler@:75.2.205.141
Sep 22 14:30:06 server02 vpopmail[10844]: vchkpw-pop3: vpopmail user not found carebear@:75.2.205.141
Sep 22 14:30:06 server02 vpopmail[10867]: vchkpw-pop3: vpopmail user not found bugsy@:75.2.205.141
Sep 22 14:30:06 server02 vpopmail[10921]: vchkpw-pop3: vpopmail user not found butch@:75.2.205.141


Thank you.
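
An added example (not part of the original post): a small parser for the /proc/net/ip_conntrack lines shown above that lists the ESTABLISHED entries for one address, with the remaining timer from the third column. It assumes the default established timeout of 432000 seconds; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Assumption: kernel default for ip_conntrack_tcp_timeout_established (5 days).
ESTABLISHED_TIMEOUT = 432000

# Constructed sample in the /proc/net/ip_conntrack layout shown in the post
# (documentation-range addresses, not values from the post).
SAMPLE = """\
tcp      6 406783 ESTABLISHED src=192.0.2.10 dst=198.51.100.50 sport=57011 dport=110 packets=5 bytes=214 src=198.51.100.50 dst=192.0.2.10 sport=110 dport=57011 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.51 sport=38937 dport=110 packets=3 bytes=134 src=198.51.100.51 dst=192.0.2.10 sport=110 dport=38937 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
tcp      6 431000 ESTABLISHED src=192.0.2.100 dst=198.51.100.50 sport=40000 dport=110 packets=9 bytes=900 src=198.51.100.50 dst=192.0.2.100 sport=110 dport=40000 packets=8 bytes=800 [ASSURED] mark=0 secmark=0 use=1
udp      17 20 src=192.0.2.10 dst=198.51.100.50 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=198.51.100.50 dst=192.0.2.10 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_entry(line):
    """Return a dict for one conntrack line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 4 or not fields[2].isdigit():
        return None
    # Only TCP entries carry a state name in the fourth column.
    state = fields[3] if fields[3].isupper() and "=" not in fields[3] else None
    orig, reply = {}, {}
    # Each key appears twice: original direction first, then the reply direction.
    for key, val in re.findall(r"(\w+)=(\S+)", line):
        if key in TUPLE_KEYS:
            (orig if key not in orig else reply)[key] = val
    return {"proto": fields[0], "ttl": int(fields[2]), "state": state,
            "orig": orig, "reply": reply}


def lingering_established(text, ip):
    """List ESTABLISHED entries whose original tuple involves exactly `ip`."""
    rows = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if not entry or entry["state"] != "ESTABLISHED":
            continue
        orig = entry["orig"]
        if ip not in (orig.get("src"), orig.get("dst")):
            continue  # exact match, unlike grep, which would also hit 192.0.2.100
        # Seconds since the tracker last refreshed this entry's timer.
        idle = max(0, ESTABLISHED_TIMEOUT - entry["ttl"])
        rows.append((orig.get("dst"), orig.get("dport"), entry["ttl"], idle))
    return rows


if __name__ == "__main__":
    for dst, dport, ttl, idle in lingering_established(SAMPLE, "192.0.2.10"):
        print(f"{dst}:{dport} expires in {ttl}s, idle for about {idle}s")
```

The entries are connection-tracking state, separate from the socket list netstat prints; each stays in the table until its timer reaches zero.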