the following pf.conf fragment allows ssh connections from the outside world
to my firewall pass in on egress proto tcp from any to egress port ssh keep state \ (max-src-conn 10, max-src-conn-rate 4/20, overload <brutes> flush global) If I understand tables and pf properly, and I have a default block all in rule could I not change it to the following fragment and allow only those not already added to the <brutes> table in? pass in on egress proto tcp from ! <brutes> to egress port ssh keep state \ (max-src-conn 10, max-src-conn-rate 4/20, overload <brutes> flush global)