# Source addresses that tripped the HTTP connection limits below are collected here
# by the `overload` state option. `persist` keeps the table (and its entries) even
# while no loaded rule references it. Nothing in pf.conf ages entries out: without a
# periodic `pfctl -t ddos -T expire <seconds>` (e.g. from cron) an address stays
# blocked until removed by hand.
table <ddos> persist
# stop ddos: drop (and log) new TCP traffic from listed sources to the web ports.
# `quick` plus placement before the pass rule means a listed source never reaches it.
# Only tcp to $web_ip:80/443 is blocked; other traffic from the same source is untouched.
# $ext_if and $web_ip are macros assumed to be defined earlier in pf.conf (not shown).
block in log quick on $ext_if proto tcp from <ddos> to $web_ip port { 80, 443 } label ddos-block
# http ddos prevention
#   flags S/SA              - only initial SYNs (SYN set, ACK clear) create state
#   max-src-conn 120        - max simultaneous established connections per source IP
#   max-src-conn-rate 180/60 - max 180 new connections per 60 s per source IP
#   overload <ddos>         - a source exceeding either limit is added to <ddos>
#   flush global            - on overload, kill ALL states from that source, including
#                             states created by other rules (e.g. an admin's SSH session)
# Limits are per source IP, so clients behind a shared NAT or proxy count as one
# source and may hit them legitimately.
# I would lower these limits as they are high
pass in quick on $ext_if proto tcp to $web_ip port { 80, 443 } flags S/SA label http keep state \
(max-src-conn 120, max-src-conn-rate 180/60, overload <ddos> flush global)