# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)

IN the above rule ipaddress are stored in the bruteforce table.
If I stop pf i.e pfctl -d and than enable it pfctl -e will all the ipaddress stored in the bruteforce table be lost. As that is what happened.

You should really consider... condensing your PF troubles into a single topic, outlining what your "overall goal" is.

Posting in the OpenBSD section also might be worth while, PF after all is a OpenBSD subproject.

It might also be wise to get Peter N.M. Hansteen's The Book of PF (http://nostarch.com/pf.htm).

You should really consider... condensing your PF troubles into a single topic, outlining what your "overall goal" is.
I post the issues as they occur and this helps me best. But it may not be to your liking.

Posting in the OpenBSD section also might be worth while, PF after all is a OpenBSD subproject. ok


It might also be wise to get Peter N.M. Hansteen's The Book of PF.
Have already read it but implementing it is different. Have you Read it ? . Most chaps who ask questions here first google for answers than read books in the books reviews section here and visit other forums and when answers are not found post here.

http://www.daemonforums.org/showthread.php?t=596 also try my best to be an ideal newbie.

Why have you not answered the question ?

The values in tables are stored indefinately and that is why one uses a rule like this
pfctl -t bruteforce -T expire 86400 to expire entires.

But I did not run any such command above and on restarting pf I lost a long list of ipaddresses in the bruteforce table thus the question. So if you have any reasonable theories [and no there is no cron job runing which could do this] I would like to know thank you.


Far better than the book of pf is http://www.openbsd.org/faq/pf/ simple and easy to understand.

http://www.daemonforums.org/showthread.php?t=1375