I guess you would need to be more specific on which service,
i.e. ssh, http, etc.
So, for example, for ssh:
I block the script kiddies banging away on port 22 (ssh).
Code:
# external interface macro (the name em0 is an assumption, adjust to your box)
ext_if = "em0"
# Tables
table <scanners> persist
# stop the script kiddies
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh flags S/SA \
    synproxy state (max-src-conn-rate 2/60, overload <scanners> flush)
block in quick on $ext_if from <scanners> to any
This part of my rules captures the IP of the script kiddie if they try more than
2 times in 60 seconds (a bit restrictive, yes, and you can change the interval),
then dumps the offending IP to the table "scanners".
Any subsequent connection from the offending IP is then dropped.
The table is flushed upon reboot.
I "used" to have a script that would also dump the offending IPs to a permanent
table, but that proved unnecessary to keep them.
I am assuming that there is also a solution for http, but I have never found the need to
implement one.
One of the other "more learned" mods like
J65nko or a frequent pf master like s2Scott might provide you a much more
technical response... :-)
hth
rk
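As an added example (not part of rk's post), the same overload-table pattern extended to http/https and with the table kept across reboots via pf's `persist file` option; the interface name, the rate thresholds, the file path and the sample address are assumptions:

```pf
# pf.conf fragment (added example; em0, thresholds and file path are assumptions)
ext_if = "em0"

# 'persist file' reloads the table from the file at boot, so trapped hosts
# survive a reboot; save it now and then with:
#   pfctl -t scanners -T show > /etc/pf.scanners
table <scanners> persist file "/etc/pf.scanners"

# anything already in the table is dropped before the pass rules are evaluated
block in quick on $ext_if from <scanners> to any

# ssh: more than 2 new connections in 60 seconds from one source lands it in the
# table; 'flush global' also kills that source's existing states on every rule
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh \
    flags S/SA synproxy state (max-src-conn-rate 2/60, overload <scanners> flush global)

# http/https: browsers legitimately open many parallel connections, so the
# threshold is far looser than for ssh to avoid trapping real visitors
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port { http https } \
    flags S/SA keep state (max-src-conn-rate 100/10, overload <scanners> flush global)

# housekeeping from the shell (not part of pf.conf):
#   pfctl -t scanners -T show              # list trapped addresses
#   pfctl -t scanners -T expire 86400      # drop entries older than one day
#   pfctl -t scanners -T delete 192.0.2.7  # release one address (constructed, RFC 5737 range)
```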