> > I'm thinking of blocking bad IPs using PF tables persisted to a file. I > > would like to use a cron job to periodically analyze access logs and > > update the PF table.
You might be better off leaving that to PF itself, using max-src-conn and max-src-conn-rate and the like on the connection level, as opposed to parsing at the protocol level.
