You caught me (It's "Taiwan", BTW.).
Yes, the rule (1.171.67.85/32) is clearly a subset of the earlier rule (1.171.0.0/16), a CIDR which I manually entered some time back. I had this happen with another IP recently. Apparently there is some kind of fluke going on with the firewall causing this. Most all other records show that IP are being dropped. Here are a few:
Code:
num pkts bytes target prot opt in out source destination
32 30 1326 DROP all -- * * 60.169.0.0/16 0.0.0.0/0 /* china */
33 2 147 DROP all -- * * 60.170.0.0/16 0.0.0.0/0 /* china */
34 3 218 DROP all -- * * 60.172.0.0/16 0.0.0.0/0 /* china */
35 185 8702 DROP all -- * * 60.173.0.0/16 0.0.0.0/0 /* china */
36 2 110 DROP all -- * * 60.174.0.0/16 0.0.0.0/0 /* china */
I was told that 'pkts' represents packets that have hit and been dropped.
Periodic IPs getting through like this isn't a big problem. I'll just live with it and let them stay as /32.
Thanks for you input.