You may want to consider strengthening the following rule and its like, unless there are reasons not to.
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
    from any to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
to
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in log quick on egress inet proto tcp \
    from !(egress:0) to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
In one rule, it does all yours did PLUS prevents a type of DoS attack.