/etc/pf.conf fragment...
Code:
# -----
pass in log quick on outside inet proto tcp \
from !<BadSshVpn> to (outside:0) port 443 \
tag SSHVPN flags S/SFRA keep state \
queue(Q5VPN,Q7) \
(max-src-conn-rate 3/120, overload <BadSshVpn> flush global)
#
pass in log quick on tun inet \
from (tun:peer) to any \
tag TUNPKTS \
keep state
#
pass out log quick on inside inet \
tagged TUNPKTS keep state
# -----