# TCP connection tracking

# Source addresses that exceed one of the limits below are added to this table.
# "persist" keeps the table in the kernel even when no rule references it.
table <bad> persist

block all
# "quick": stop rule evaluation at this match, so listed hosts are dropped
# before any pass rule is considered.
block quick from <bad>

# flags S/SA: only an initial SYN (SYN set, ACK clear) may create state.
pass out proto tcp flags S/SA keep state
pass out proto { icmp, udp } keep state

# max-src-conn:      at most 10 completed TCP connections from one source host.
# max-src-conn-rate: at most 3 new connections per 99 seconds from one source.
pass in on lo1000001 proto tcp to 10.0.0.1 port 22 flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 3/99)

pass in on lo1000001 proto tcp to 10.0.0.2 port 22 flags S/SA keep state \
    (max-src-conn 10)

pass in on lo1000001 proto tcp to 10.0.0.3 port 22 flags S/SA keep state \
    (max-src-conn-rate 3/99)

# modulate state: pf rewrites initial sequence numbers with strong random
# values. A source exceeding either limit is added to <bad> ("overload") and
# the states this rule created for it are removed ("flush").
pass in on lo1000000 proto tcp to 10.0.0.1 port 80 flags S/SA modulate state \
    (max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush)

# synproxy state: pf completes the three-way handshake itself before opening
# the connection to 10.0.0.1, so unfinished handshakes never reach the server.
# "flush global" removes all states of the offending source, not only those
# created by this rule.
pass in on lo1000000 proto tcp to 10.0.0.1 port 8080 flags S/SA synproxy state \
    (max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> \
    flush global)