From: <81...@2r...> - 2021-03-16 03:54:09
How does the blacklist work exactly? From the manpage on Debian 9 I assumed (wrongly?) that sshguard writes to a blacklist file only to reload it on start or restart. But from the list archives it appears that on some distros the blacklist file is permanent, and that it aggregates all blacklisted IP addresses without releasing them.

I have this in /etc/default/sshguard:

# See man page sshguard(8) for documentation of the command line options
ENABLE_FIREWALL=1
# By default all units are monitored in SystemD
# list of log files to scan delimited by space (Kfreebsd only)
LOGFILES="/var/log/auth.log"
# Whitelist configuration file
WHITELIST="/etc/sshguard/whitelist"
# Other options
ARGS="-a 30 -b 100:/etc/sshguard/blacklist -p 420 -s 3600"

When I'm able to install sshguard from source and set hosts as the backend, I think (but I'm not sure) that it does eventually remove blocked IP addresses. But with a firewall, do blocked IPs remain in the blacklist file?

Thanks!