Having a macro named $ssh is unnecessary; service names listed in /etc/services are perfectly acceptable substitutes for port numbers.
pass quick on lo0 all is redundant; you already tell pf to ignore local traffic.
I like keeping the block and pass rules separate... block rules first, pass rules after.
Code:
# internet connected interface
ext_if="gem0"
table <ssh-violations> persist file "/etc/ssh-violations"
table <martians> const persist { 127/8, 192.168/16, 172.16/12, 10/8, 0/8, \
169.254/16, 192.0.2/24, 240/4 }
# options
set block-policy drop
set loginterface $ext_if
set skip on lo0
# scrub
scrub in on $ext_if all
# antispoof
antispoof for $ext_if
# catch-all
block in log all
block out all
# block evil people
block in log quick from <ssh-violations> to any
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
# allow ssh connections
pass in on $ext_if proto tcp from any to any port ssh
# AMule incoming
pass in on $ext_if proto tcp from any to any port 4662 user amule
pass in on $ext_if proto udp from any to any port 4665 user amule
pass in on $ext_if proto udp from any to any port 4672 user amule
# pass out all traffic
pass out on $ext_if inet all
Hope it helps. I do recommend reading the OpenBSD pf FAQ, and perhaps buying Peter NM Hansteen's new PF book.
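One way to populate the <ssh-violations> table that the config above defines but never feeds, as an added example that is not part of the original post: the ssh pass rule carries state-tracking options so that sources exceeding the connection rate are added to the table, where the existing quick block rule then drops them. The thresholds (10 concurrent connections, 5 new connections per 30 seconds) and the one-day expiry are assumed values to tune per environment.

```pf
# Added example, not the poster's ruleset. Same table as in the post above.
table <ssh-violations> persist file "/etc/ssh-violations"

# Existing catch for offenders: must come before the pass rule so that
# "quick" wins once a source is in the table.
block in log quick from <ssh-violations> to any

# Allow ssh, but track new connections per source address. A source with
# more than 10 open connections, or more than 5 new ones within 30 seconds
# (assumed thresholds), is added to <ssh-violations> and all of its
# states are flushed, so its current sessions are cut too.
pass in on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh-violations> flush global)

# Inspection and ageing from the shell (run as root):
#   pfctl -t ssh-violations -T show          # list blocked sources
#   pfctl -t ssh-violations -T expire 86400  # drop entries older than a day
#   pfctl -t ssh-violations -T show > /etc/ssh-violations  # persist the table
```

Note that the persist file is only read at rule load; if you want overloaded addresses to survive a reboot, write the table back to /etc/ssh-violations as in the last command.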