Thank you s2scott!
The interface has a truly global IP, so yes, no need for NAT there.
About the sshbrutes table: the sshguard program already creates a table named sshguard, not through any overload command but in the background (by polling the /var/log/authlog file).
So this command blocks any IP that exists in the sshguard table:
Code:
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce"
I wouldn't mind putting the offenders in a second table, but it seems rather excessive :P
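To make the division of labour in the post above concrete, here is an added example (not code from the thread, from sshguard, or from the OpenBSD project) that mimics in a few lines of awk what sshguard does in the background: it reads sshd lines in the format OpenBSD writes to /var/log/authlog, counts failed or invalid login attempts per source address, and emits the pfctl call that sshguard's pf backend uses to put an offender into the table the rule above matches on. The log lines, the threshold, and the function names offenders and block_cmds are constructed for the demo; the pfctl command is printed rather than executed so the script runs on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: a toy stand-in for sshguard's log
# poller, showing where the entries in the <sshguard> table come from.
# Input format assumed: sshd lines as written to OpenBSD's /var/log/authlog.
# The log lines below are constructed for the demo (RFC 5737 test addresses).

SAMPLE_AUTHLOG='Mar  3 10:01:02 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:09 gw sshd[1236]: Invalid user oracle from 203.0.113.7 port 51041
Mar  3 10:01:12 gw sshd[1237]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar  3 10:02:40 gw sshd[1240]: Failed password for alice from 198.51.100.9 port 40122 ssh2
Mar  3 10:02:55 gw sshd[1241]: Accepted publickey for alice from 198.51.100.9 port 40130 ssh2'

# offenders THRESHOLD
# Reads authlog lines on stdin and prints one source IP per line for every
# address with at least THRESHOLD failed-password or invalid-user attempts.
# Successful logins ("Accepted ...") are ignored, as sshguard ignores them.
offenders() {
    awk -v thr="${1:-4}" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is always the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }'
}

# block_cmds THRESHOLD
# Turns the offender list into the table update sshguard's pf backend issues.
# Printed, not executed, so the demo does not need pf or root.
block_cmds() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t sshguard -T add %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_AUTHLOG" | block_cmds 4
```

With the constructed input only 203.0.113.7 crosses the threshold of four attempts, so the script prints a single `pfctl -t sshguard -T add 203.0.113.7`; the one failure from 198.51.100.9 followed by a successful key login is left alone. For that pfctl call to succeed on a real host, pf.conf must declare the table with `table <sshguard> persist` ahead of the block rule, since without `persist` an empty table is dropped when the ruleset is reloaded; `pfctl -t sshguard -T show` lists what sshguard has collected so far.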