I'm using FreeBSD 7 and the PF firewall. These are the issues I ran into.
1. I don't currently have an indication of which rule got an IP on the blacklist. They are PASSed until they exceed the limit, and blacklisted after that, so I have no record of what they were doing at the time.
2. When they do violate an STO rule, even if I know which rule it is, I don't know which part.
Was it too many max-src-states, max-src-nodes, or max-src-conn-rate? Thus I don't know what to adjust.
3. I don't find any organized method documented anywhere on how to collect the necessary information to establish what the limits of the STO rules should be. The example rules from the most popular tutorials blacklisted the users almost immediately. I found I was far better off making logical stabs at what they should be.
Thanks!
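One way to get the missing information out of PF, as an added example that is not part of the original post: give each service its own overload table and put `log` and a `label` on the pass rule, so table membership tells you which rule blacklisted a source and pflog keeps a record of its traffic before that happened. Interface name (em0), port numbers, limits and table names below are assumptions. Note that only max-src-conn and max-src-conn-rate trigger `overload`; exceeding max-src-states or max-src-nodes just refuses new states without adding the source to any table.

```pf
# Added example pf.conf fragment (not from the original post).
# Assumptions: external interface em0, sshd on port 22; limits and
# table names are placeholders chosen for illustration.

ext_if = "em0"

# One overload table per pass rule, so an entry in <ssh_abusers>
# can only have come from the ssh rule.
table <ssh_abusers> persist

# Log the block too, so pflog shows hits against already-listed sources.
block in log quick on $ext_if from <ssh_abusers> label "ssh-blocked"

# 'log' records every state creation on this rule, so pflog holds what
# the source was doing before it tripped the limit. The label gives
# per-rule counters in 'pfctl -s labels'. Only max-src-conn-rate (and
# max-src-conn) can add a source to the overload table.
pass in log on $ext_if proto tcp to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 15/60, overload <ssh_abusers> flush global) \
    label "ssh-sto"
```

To read the result: `tcpdump -n -e -ttt -i pflog0` prints the rule number and action for each logged packet, so the pass-rule entries for an address show what it did before the block rule started matching it. `pfctl -t ssh_abusers -T show` lists the blacklist, and `pfctl -s Sources` lists every tracked source with its current state count and connection rate, which is the data to watch while a limit is still set generously; raise or lower the number only after seeing what legitimate clients actually peak at.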