14d7709ddSKristof Provosttable <bad> persist 24d7709ddSKristof Provostblock drop all 34d7709ddSKristof Provostblock drop quick from <bad> to any 44d7709ddSKristof Provostpass out proto tcp all flags S/SA keep state 54d7709ddSKristof Provostpass out proto icmp all keep state 64d7709ddSKristof Provostpass out proto udp all keep state 74d7709ddSKristof Provostpass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99) 84d7709ddSKristof Provostpass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10) 94d7709ddSKristof Provostpass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99) 104d7709ddSKristof Provostpass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5) 11*58de61b9SAlex Richardsonpass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http-alt flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5) 12