Yeah, I have a couple of honeypot IPs that, when hit, add the IP to a drop rule, then a script that runs and expands the /32 to a larger block. I needed something similar to handle multiple IPs from the same larger block, for when asshats decide to use an entire /16 to do a port scan of every port. lol
That was interesting to watch.. haha
But yeah, I still have lots to learn, but I’m not sure how to get a better log for why both variations are failing.
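The block-expansion idea described in the post above, as an added example that is not the poster's script: it takes the source addresses that hit a honeypot and widens a /32 to its /24 or /16 only when enough distinct hits fall in the same block. The function name, the thresholds and the sample addresses are assumptions made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses that touched a honeypot IP.
SAMPLE_HITS = [
    "198.18.1.5", "198.18.7.9", "198.18.44.2", "198.18.200.77",  # spread over one /16
    "203.0.113.10", "203.0.113.11", "203.0.113.200",             # clustered in one /24
    "192.0.2.55",                                                 # lone offender
    "203.0.113.10",                                               # duplicate hit
]

def promote_blocks(hits, hosts_per_24=3, nets_per_16=4):
    """Build a drop list from honeypot hits (IPv4 only).

    hosts_per_24: distinct hosts in one /24 needed to drop the whole /24.
    nets_per_16:  distinct /24s in one /16 needed to drop the whole /16.
    Both thresholds are illustrative assumptions; tune them to how much
    collateral blocking is acceptable.
    """
    addrs = {ipaddress.IPv4Address(h) for h in hits}  # de-duplicate repeat hits

    # Group offending hosts by their enclosing /24.
    by24 = defaultdict(set)
    for addr in addrs:
        by24[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)

    # Group the offending /24s by their enclosing /16.
    by16 = defaultdict(set)
    for net24 in by24:
        by16[net24.supernet(new_prefix=16)].add(net24)

    drop = []
    for net16, nets in by16.items():
        if len(nets) >= nets_per_16:
            drop.append(net16)            # scan is spread across the /16
            continue
        for net24 in nets:
            hosts = by24[net24]
            if len(hosts) >= hosts_per_24:
                drop.append(net24)        # several hosts from the same /24
            else:
                drop.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)

    # collapse_addresses merges only exactly adjacent or overlapping
    # entries, so it never blocks more space than the rules above chose.
    return sorted(ipaddress.collapse_addresses(drop))

if __name__ == "__main__":
    for net in promote_blocks(SAMPLE_HITS):
        print(net)
```

Keeping the promotion thresholds separate from the per-hit /32 rule means a single stray hit never takes out a whole /16.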