Thank you for getting back to me. Your explanation makes sense and it is kind of how I was hoping the firewall would work.
I will do some more monitoring, but this is what I am seeing so far:
- Up to 5 requests for a given extension for one IP address
- Next request takes place a few minutes (5 - 10 minutes?) later and might be for the same extension or a different one, but it is using the same IP to connect
So, I guess the next question is what does a handful of connections mean? And, does the counter reset if the IP goes against a different extension? And, last but least, does the counter expire for a given IP?
In addition, it would be good to know how long the lockout period is and, most importantly, if these default values are configurable.