
apf deny_hosts.rules problem


thelight
3rd January 2005, 04:12 PM
I'm running the latest version of APF, along with Fedora Core 2. Recently one person with the same IP address each time keeps trying to log into my box via SSH. I decided to block the IP in the /etc/apf/deny_hosts.rules file using the format:

tcp:in:s=ip.ip.ip.ip

which is what the docs seem to say is correct. However, I did this on the 29th December, and the same person has attempted to log in every day since, so is obviously not being blocked by that firewall rule. So, do I have the syntax incorrect? Or can I not block specific IP addresses on open ports?

ewdi
3rd January 2005, 04:17 PM
Can you post the whole rules file?

thelight
3rd January 2005, 05:34 PM

#
# deny_hosts
#
# Trust based rule file to define addresses that are denied all or specific
# traffic.
#
# Format of this file is line-separated addresses, IP masking is supported.
# Example:
# 24.202.16.11
# 24.202.11.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# outbound to destination port 23 to destination 0.0.0.0 (any)
# tcp:out:d=23:d=0.0.0.0
#
# inbound to destination port 80 from source 24.202.11.3
# in:d=80:s=24.202.11.3
#
# inbound to destination port 27015 from 24.202.11.0/24
# d=27015:s=24.202.11.0/24
#
## 2005 Cleanout ###
# 030105 dictionary attack (South Korea)
tcp:in:s=210.100.202.60
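As a check against the syntax documented in the file header (an added example for this thread, not the poster's code and not part of APF): the script below classifies each line of deny_hosts.rules against the header's grammar, proto:flow:[s/d]=port:[s/d]=ip(/mask), and prints the plain iptables rule each line corresponds to. Two things in it are assumptions of the example, not APF behaviour: the iptables output illustrates what a line means and is not the chain layout APF builds, and a port rule that omits the protocol is rendered as tcp because iptables cannot match a port without -p. The point it surfaces about the posted rule is that all three documented examples carry a port field (d=23, d=80, d=27015) next to the address, while tcp:in:s=210.100.202.60 has none, so it matches neither the advanced shape nor the bare-address shape the header describes; the two shapes the header itself documents for this intent are tcp:in:d=22:s=210.100.202.60 (SSH only, assuming sshd on its default port 22) and the plain 210.100.202.60 (all traffic from that address).

```shell
#!/bin/sh
# Added example (not from the thread and not APF's own code): check lines of
# /etc/apf/deny_hosts.rules against the grammar in the file header,
#   proto:flow:[s/d]=port:[s/d]=ip(/mask)
# and print the stand-alone iptables rule each line corresponds to. The
# iptables rendering illustrates the rule's meaning; it is not the chain
# layout APF itself builds.

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?'

# classify_rule RULE -> comment | address | advanced | unknown
classify_rule() {
    case $1 in
        '' | '#'*) echo comment; return ;;
    esac
    # simple form from the header: one address or CIDR, denies all traffic
    if printf '%s\n' "$1" | grep -Eq "^${IPV4}$"; then
        echo address; return
    fi
    # advanced form: the documented examples may omit proto and flow, but
    # every one of them carries a port field and an address field
    if printf '%s\n' "$1" | grep -Eq "^((tcp|udp):)?((in|out):)?[sd]=[0-9]+:[sd]=${IPV4}$"; then
        echo advanced; return
    fi
    echo unknown
}

# render_rule RULE -> equivalent iptables command; prints nothing for a
# comment or for a line that does not match the documented grammar
render_rule() {
    kind=$(classify_rule "$1")
    case $kind in
        comment | unknown) return 0 ;;
        address) echo "iptables -A INPUT -s $1 -j DROP"; return 0 ;;
    esac
    proto=''; flow=in; port=''; portside=''; ip=''; ipside=''
    old_ifs=$IFS; IFS=:
    for field in $1; do
        case $field in
            tcp | udp) proto=$field ;;
            in | out)  flow=$field ;;
            [sd]=*.*)  ipside=${field%%=*}; ip=${field#*=} ;;      # s/d=ip
            [sd]=*)    portside=${field%%=*}; port=${field#*=} ;;  # s/d=port
        esac
    done
    IFS=$old_ifs
    # assumption of this example: iptables cannot match a port without -p,
    # so a port rule that omits the protocol is rendered as tcp
    [ -z "$proto" ] && proto=tcp
    chain=INPUT; [ "$flow" = out ] && chain=OUTPUT
    cmd="iptables -A $chain -p $proto"
    if [ "$portside" = d ]; then cmd="$cmd --dport $port"; else cmd="$cmd --sport $port"; fi
    if [ "$ipside" = d ]; then cmd="$cmd -d $ip"; else cmd="$cmd -s $ip"; fi
    echo "$cmd -j DROP"
}

# audit_rules < FILE -> one "kind: line" per non-comment line
audit_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_rule "$line")
        [ "$kind" = comment ] && continue
        echo "$kind: $line"
    done
}

# Constructed sample in the shape of the poster's file: the posted rule, then
# the two ways the header documents for expressing the same intent.
SAMPLE='# 030105 dictionary attack
tcp:in:s=210.100.202.60
tcp:in:d=22:s=210.100.202.60
210.100.202.60'

printf '%s\n' "$SAMPLE" | audit_rules
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do render_rule "$line"; done
```

Run it over the real file with `audit_rules < /etc/apf/deny_hosts.rules`; any line reported as unknown is worth rewriting into one of the documented shapes. Whatever the file says, the firewall has to be reloaded after editing it, and `iptables -L -n | grep 210.100.202.60` shows whether the address is present in a live chain at all, which is the first thing to check while the log still shows attempts.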