[dbach]

Hello All:

I have the following rule in pf.conf:

# bruteforce blocking
block quick from <bruteforce>
pass inet proto tcp to $nic port ssh \
keep state (max-src-conn 10, max-src-conn-rate 5/5 \
overload <bruteforce> flush global)

Where should the bruteforce file be placed and with which permissions to have pf write out information for bruteforced attempts?

Thanks,
Darryl