Code:
```
root@LR-Remote:~/firewall.d # uname -a
FreeBSD LR-Remote 10.3-STABLE FreeBSD 10.3-STABLE #0 r300092: Wed May 18 01:03:38 UTC 2016 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
```
This machine is IP 192.168.1.11, and all iNet traffic on port 22 is forwarded to it from the router... I am accessing it from 192.168.1.201 (a DHCP address) and whenever I turn on the firewall it locks me out. It's a headless system so I have taken to running a second terminal window with the following command to ensure the firewall turns off after 20 seconds just in case it doesn't work. But, for the life of me I cannot figure out what the problem is!
Code:
```
root@LR-Remote:~/firewall.d # sleep 20; pfctl -d
```
Any help would be greatly appreciated!
Here are the rules...
Code:
```
root@LR-Remote:~/firewall.d # cat /root/firewall.d/pf.conf
############ Global Options #######################
iface = "em0"
set block-policy return
set loginterface $iface
set skip on lo
services = "{ 22 }"
icmp_types = "echoreq"
localnet = "192.168.1.0/24"
static_ip = "192.168.1.11"
table <us.blocks> persist file "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"
################ End Global Options ################
########### Traffic Normalization ##################
scrub in on $iface all fragment reassemble
scrub out on $iface all fragment reassemble
####################################################
####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######
#nat on $ext_if from $localnet to any -> ($ext_if)
####################################################
################## Filters #########################
block in all
block drop in quick from <bruteforce>
block drop in quick on $iface from ! <us.blocks> to { self }
pass proto icmp from $localnet to { self }
pass in log quick on $iface proto tcp from <us.blocks> to { self } port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/9, \
    overload <bruteforce> flush global)
pass in on $iface proto { tcp, udp } to { self } port $services
pass in on $iface from $localnet to { self }
pass out on $iface from { self } to any
####################################################
################### <END OF FILE> ##################
####################################################
```
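The following is an added example, not part of the forum post or of pf itself: a small Python model of pf's filter evaluation order (rules are read top to bottom, the last matching rule wins, and a matching rule marked `quick` ends evaluation immediately). It encodes the inbound filter rules from the pf.conf above and traces an SSH packet from the poster's workstation (192.168.1.201) to the server (192.168.1.11), reporting which rule makes the final decision. The table contents (`US_BLOCKS`, `BRUTEFORCE`) are constructed for the demonstration and assume the LAN prefix is not listed in `<us.blocks>`; the `trace_lan_ssh` helper is an illustration name, not a pf feature.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    label: str                           # the pf.conf line this models
    quick: bool = False
    proto: Optional[Set[str]] = None     # None = any protocol
    src_nets: Optional[Set[str]] = None  # None = any source; empty set = empty table (matches nothing)
    src_negate: bool = False             # models "from ! <table>"
    dports: Optional[Set[int]] = None    # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto not in self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.src_nets is not None:
            addr = ipaddress.ip_address(pkt.src)
            in_set = any(addr in ipaddress.ip_network(n) for n in self.src_nets)
            # non-negated rule needs in_set True; negated rule needs in_set False
            if in_set == self.src_negate:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf semantics: last matching rule wins, unless a matching rule is 'quick'."""
    decision = ("block", "implicit default (no rule matched)")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# Constructed table contents for the demonstration (not the poster's real files).
US_BLOCKS: Set[str] = {"3.0.0.0/8", "8.0.0.0/8"}   # public ranges only, LAN not included
BRUTEFORCE: Set[str] = set()                        # nobody has been overloaded yet
LOCALNET: Set[str] = {"192.168.1.0/24"}
SERVICES: Set[int] = {22}


def build_inbound_rules(us_blocks: Set[str]) -> List[Rule]:
    """The inbound filter rules from the posted pf.conf, in file order."""
    return [
        Rule("block", "block in all"),
        Rule("block", "block drop in quick from <bruteforce>",
             quick=True, src_nets=BRUTEFORCE),
        Rule("block", "block drop in quick on $iface from ! <us.blocks> to { self }",
             quick=True, src_nets=us_blocks, src_negate=True),
        Rule("pass", "pass proto icmp from $localnet to { self }",
             proto={"icmp"}, src_nets=LOCALNET),
        Rule("pass", "pass in log quick on $iface proto tcp from <us.blocks> to { self } port 22",
             quick=True, proto={"tcp"}, src_nets=us_blocks, dports={22}),
        Rule("pass", "pass in on $iface proto { tcp, udp } to { self } port $services",
             proto={"tcp", "udp"}, dports=SERVICES),
        Rule("pass", "pass in on $iface from $localnet to { self }",
             src_nets=LOCALNET),
    ]


def trace_lan_ssh(us_blocks: Set[str] = US_BLOCKS) -> Tuple[str, str]:
    """Trace the poster's SSH session: 192.168.1.201 -> 192.168.1.11:22."""
    pkt = Packet(src="192.168.1.201", dst="192.168.1.11", proto="tcp", dport=22)
    return evaluate(build_inbound_rules(us_blocks), pkt)


if __name__ == "__main__":
    action, label = trace_lan_ssh()
    print(f"LAN not in <us.blocks>: {action} by '{label}'")
    action, label = trace_lan_ssh(US_BLOCKS | {"192.168.1.0/24"})
    print(f"LAN added to <us.blocks>: {action} by '{label}'")
```

Running it shows that with the LAN prefix absent from `<us.blocks>`, the third rule (`block drop in quick ... from ! <us.blocks>`) matches the workstation and, being `quick`, stops evaluation before the later `pass in ... from $localnet` rule is ever considered; a `pfctl -vs rules` counter check on the real box would show the same rule's match count climbing. With the LAN prefix present in the table, the negated block no longer matches and the `quick` SSH pass rule decides instead. The model only covers inbound rules and source/port matching, not state tracking or the `max-src-conn` overload logic.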