> # START
> table bruteforce persist
> block in log quick from bruteforce
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)
> # END
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
> What is the function "expire 604800" are they entries in the table?
> should it be -t bruteforce or -t ssh-bruteforce
It refers to entries in the table specified by the "-t" option and instructs pf to expire (remove from the table) all entries older than the specified time (in seconds). Basically, the value 604800 will expire entries older than 1 week.
For the above pf rules, the cron entry should be "-t bruteforce" (although in the pf rules you should be using "<bruteforce>").