scrub in all fragment reassemble
pass out all flags S/SA keep state
block drop in log all
pass in on vtnet0 inet proto tcp from X.X.X.X to any flags S/SA keep state
pass in on vtnet0 inet proto tcp from any to any port = ssh flags S/SA keep state
pass in on vtnet0 inet proto icmp from X.X.X.X to any keep state
12.0-RELEASE
Maybe the method described in this article is an option for blocking traffic with PF by country ip’s. Also take a look at the comments.Now I'm trying to block the ip address at the country level. Unfortunately we cannot use the geoip here.