Still no feed update

That is for the abusive power user: if we get more than 10 connections from the same IP within 1 minute, they have to wait 24h. One IP in parallel as well. That will prevent scans, internet scams, brute force on SSH, as well as abuse of our public feed services.

Here is our block rule, to be as transparent as possible:

[..]
 set denylist {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 1d
                elements = { 
[..]
 ip protocol tcp ct state new,untracked limit rate over 10/minute add @denylist { ip saddr }
 ip saddr @denylist drop
 tcp dport 873 meter rsync1 size 65535 { ip saddr & 255.255.255.0 ct count over 3 } counter packets 0 bytes 0 reject with tcp reset
 tcp dport 873 meter rsync2 size 65535 { ip saddr ct count over 1 } counter packets 1 bytes 64 reject with tcp reset
 tcp dport 873 tcp flags syn / fin,syn,rst,ack counter packets 2792 bytes 165204 accept
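The limits described in the post above, modelled as an added example that is not part of the original post and is not the poster's code: it lets a feed user check whether a planned sync schedule would be denylisted or reset. Assumptions: the "10 connections within 1 minute" limit is modelled per source IP as a 60-second sliding window (following the prose, not nftables' token-bucket accounting), every connection is an rsync connection to port 873, and the function name and sample addresses are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW = 60          # "within 1 minute"
MAX_NEW = 10         # more than 10 new connections triggers the block
BLOCK = 24 * 3600    # "wait 24h" (set timeout 1d)
MAX_PER_IP = 1       # rsync2: ct count over 1 per source address
MAX_PER_24 = 3       # rsync1: ct count over 3 per /24


def evaluate(conns):
    """conns: (start_s, src_ip, duration_s) tuples sorted by start time.
    Returns one verdict per attempt: 'accept', 'reject' or 'drop'."""
    recent = defaultdict(deque)  # ip -> start times inside the window
    blocked_until = {}           # ip -> expiry of its denylist entry
    active = []                  # (end_time, ip) of accepted connections
    verdicts = []
    for start, ip, duration in conns:
        q = recent[ip]
        q.append(start)          # every new attempt counts, even if dropped
        while q[0] <= start - WINDOW:
            q.popleft()
        blocked = blocked_until.get(ip, 0) > start
        if len(q) > MAX_NEW and not blocked:
            # Model assumption: an active entry is not refreshed by new hits.
            blocked_until[ip] = start + BLOCK
            blocked = True
        if blocked:
            verdicts.append("drop")
            continue
        active = [(end, a) for end, a in active if end > start]
        net = ip_network(f"{ip}/24", strict=False)
        same_ip = sum(1 for _, a in active if a == ip)
        same_net = sum(1 for _, a in active if ip_address(a) in net)
        if same_ip >= MAX_PER_IP or same_net >= MAX_PER_24:
            verdicts.append("reject")  # parallel limit: TCP reset, no denylisting
            continue
        active.append((start + duration, ip))
        verdicts.append("accept")
    return verdicts


# Constructed sample: a client syncing every 5 s, then retrying later.
BURST = [(t, "198.51.100.7", 1) for t in range(0, 60, 5)]
RETRIES = [(3600, "198.51.100.7", 1), (50 + BLOCK, "198.51.100.7", 1)]

if __name__ == "__main__":
    print(evaluate(BURST + RETRIES))
```

In this model the parallel limits only reset the extra connection, while the rate limit is the one that costs a client 24 hours.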