
View Full Version : pf.conf brute force rule


ijk
08-08-2008, 11:02 AM
When I added the rule below it locked me out. What is wrong with it?


pass quick proto { tcp, udp } from any to any port $brute_block keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)


pf.conf

# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"

# Tables
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/brufeforce"


# Set Optimizations:
set loginterface $ext_if

set skip on lo0

# Normalization / scrubbing
scrub in all

antispoof quick for { lo0 $ext_if }

block all
block quick from <bruteforce>

pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8
# Allow access to sshd.
pass in on $ext_if proto tcp from <sshadmins> to self port ssh

# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)

ddekok
08-08-2008, 10:43 PM
You ended up in the bruteforce table.

What you should have is


...
block all
pass quick from <sshadmins>
block quick from <bruteforce>
...


This will allow the sshadmins in even if they end up in the bruteforce table.

Something else you should look into is expiretable (/usr/ports/security/expiretable) to clean out entries that are older than a specified amount of time. That way, if you do get banned you only have to wait so long before you can get in again. I have expiretable cleaning out entries after 30 minutes.

ijk
08-09-2008, 09:33 PM
Yes, it must have been the case.
But I did not try to brute force my way in, as I know the access passwords.

Would this max-src-conn 15 and me trying to access webmin cause a lock out, as it would have taken me only one attempt to log in?

How many max-src-conn [i.e. connections] does a web page like webmin generate?

cheers

hunteronline
08-10-2008, 05:13 AM
This may help: http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

ddekok
08-10-2008, 06:37 AM
> Yes, it must have been the case.
> But I did not try to brute force my way in, as I know the access passwords.
>
> Would this max-src-conn 15 and me trying to access webmin cause a lock out, as it would have taken me only one attempt to log in?
>
> How many max-src-conn [i.e. connections] does a web page like webmin generate?
>
> cheers

I don't know anything about webmin; however, my money is on max-src-conn-rate being what got you banned.

Say you have "max-src-conn-rate 3/5"; that means that if 3 (or more) connections are made over a 5-second period, that address gets put into the bruteforce table.
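Putting the two answers above together (the ordering fix from ddekok's first reply and the rate-limit explanation in this one), here is a version of the ruleset from the first post that does both. This is an added example, not the poster's config and not code from ddekok or the thread. Both src limits are per source address and count new TCP connections, so a browser loading a webmin page on port 10000, which in the poster's $brute_block is covered by the "quick" rate-limit rule ahead of the plain $tcp_services pass, can open five connections within three seconds on a single page load and trip "max-src-conn-rate 5/3"; "flush global" then tears down every state from that address and "block quick from <bruteforce>" does the rest. The example therefore keeps only ssh in the limited set, puts the <sshadmins> pass before the <bruteforce> block, and restricts the limited rule to tcp. The interface, table file and port numbers are the poster's; the "pass out" rule, "flags S/SA" and the table-expiry figure in the note below are my assumptions, not something the thread specifies.

```pf
# Added example (not the poster's pf.conf): brute-force overload table
# with the admin whitelist evaluated before the block, as ddekok describes.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh }"          # webmin (10000) deliberately left out

table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist

set loginterface $ext_if
set skip on lo0
scrub in all
antispoof quick for { lo0 $ext_if }

block all

# 1. Admin hosts first. "quick" stops evaluation here, so an address in
#    <sshadmins> is passed even if it also appears in <bruteforce>.
pass in quick on $ext_if proto tcp from <sshadmins> to self port ssh \
    flags S/SA keep state

# 2. Only now reject everything from the overload table.
block in quick on $ext_if from <bruteforce>

# 3. Ordinary services, with no connection limits on the web ports: a
#    browser opens several connections per page load, which is exactly
#    what trips "max-src-conn-rate 5/3".
pass in on $ext_if proto udp to self port $udp_services keep state
pass in on $ext_if proto tcp to self port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type 8 keep state

# 4. Rate-limit ssh for everyone else. The limits count TCP connections,
#    so the rule is tcp-only. max-src-conn 15: at most 15 open connections
#    from one address; max-src-conn-rate 5/3: at most 5 new connections in
#    any 3-second window. "flush global" kills all of the offender's
#    states, not just the ssh ones.
pass in on $ext_if proto tcp from any to self port $brute_block \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Assumption: the host needs to open its own outbound connections
# (DNS lookups, package fetches). "block all" above blocks those otherwise.
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Once it is live, `pfctl -t bruteforce -T show` lists who has been caught and `pfctl -t bruteforce -T delete 192.0.2.10` (an example address) lets a locked-out host back in without reloading. For the automatic clean-up ddekok mentions, expiretable from ports is one option; if the installed pfctl supports it (an assumption about the version on the poster's box), `pfctl -t bruteforce -T expire 1800` from cron removes entries older than 30 minutes and needs no extra software.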

hunteronline
08-10-2008, 06:32 PM
"pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)"

Someone correct me if I'm wrong on this. Doesn't the second "any" in the rule above include all ports?

Why not just change the ssh port and drop all attempts to connect to 22?

s0xxx
08-11-2008, 05:54 PM
> "pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)"
>
> Someone correct me if I'm wrong on this. Doesn't the second "any" in the rule above include all ports?

No, it simply means "from any address to any address". The port is ssh, as written in the rule. Check the hosts part of the GRAMMAR section of pf.conf:

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html#GRAMMAR