>At the end of a "pass" rule in pf.conf, the author adds:
>
>     max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global
>
>which means:
>
>     "any source can only have a total of three connections,
>     and they may not create them at a rate faster than two
>     every five minutes. If they do, they will be added to the
>     abusers table and every packet/session will be globally
>     dropped."
>
>I locked myself out of many boxes thanks to that.

As Peter pointed out, it is best to set a timeout/expiry date for IPs in the
blocklist. One can also create a whitelist for your own IPs. Personally, I
checked the IP my ISP gave me, then checked with online services which AS
number and CIDR this IP is contained in, and added that to a whitelist table.
It creates a hole in the firewall, but a proactive firewall based on blocklists
isn't strong protection in itself. It is mostly useful for performance reasons.
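Putting the quoted rule, the expiring blocklist and the whitelist together, here
is a pf.conf fragment. It is an added example, not configuration from either
poster. The interface name (the "egress" group on OpenBSD; use your external
interface name elsewhere), the protected port (ssh) and the whitelist prefix
(192.0.2.0/24, a documentation range standing in for the CIDR your ISP's AS
announces) are assumptions. In pf.conf the per-source limits go inside the
state-option parentheses, and max-src-conn-rate is written as connections per
seconds.

```pf
# Added example, not the posters' configuration. Assumptions: external
# interface is the "egress" group, protected service is ssh, and 192.0.2.0/24
# stands in for the prefix your ISP's AS announces.

# Sources that trip the connection limits are added here. "persist" keeps the
# table around even when it is empty, so pfctl can add and expire entries.
table <abusers> persist

# Your own prefixes, so a mistyped limit cannot lock you out.
table <whitelist> persist { 192.0.2.0/24 }

# Order matters with "quick": the first matching quick rule wins.
# 1. Whitelisted sources are passed without any per-source limits.
pass in quick on egress proto tcp from <whitelist> to (egress) port ssh

# 2. Anything already in the blocklist is dropped before the pass rule below.
block in quick on egress from <abusers>

# 3. Everyone else: at most 3 concurrent connections per source address, and
#    no more than 2 new connections per 5 seconds. Exceeding either adds the
#    source to <abusers>; "flush global" kills all of its existing states,
#    not only the ones created by this rule.
pass in on egress proto tcp from any to (egress) port ssh \
    keep state (max-src-conn 3, max-src-conn-rate 2/5, \
                overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Entries in
<abusers> never age out on their own; a cron job running
`pfctl -t abusers -T expire 86400` removes addresses that have been in the
table for more than a day, and `pfctl -t abusers -T show` lists what is
currently blocked. Keep the whitelist rule first: it is the only thing standing
between a typo in the limits and the lockout the quoted post describes.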
