And back for more info. Due to work and being sick, I could not find the courage to post more info...
The strange thing is that if I remove the 1337 port from the udp_services, the table works... I tried a somehow different approach by changing the rules specifically for ssh port
Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www, 1337 }"
udp_services = "{ 62222, www }"
# tables
table <bruteforce> persist
# options
set loginterface $int_if
# disable filtering on loopback interface
set skip on lo0
# block rules
block log all
block quick from <bruteforce>
# pass rules for ssh
pass quick proto { tcp,udp } to port 1337 \
keep state (max-src-conn 10, max-src-conn-rate 2/60, \
overload <bruteforce> flush global)
pass inet proto tcp to $localnet port $tcp_services \
keep state (max-src-conn 50, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
pass out all
Why is 'overload table' works only when I remove the ssh port from udp_services?..