Yo trabajo con esto y me funciona bien.
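# /ip firewall filter rules (the menu line is not part of this paste; enter
# the rules under that menu). Rules are evaluated top to bottom, so order
# matters inside each group.
# NOTE(review): the original paste contained the whole rule set twice; the
# second copy was an exact repeat and has been dropped. Loading both copies
# installs every rule twice, which doubles the matching work for no effect.
# Assumes the accept rules for established/related traffic and the final
# input-chain policy live elsewhere in the chain — TODO confirm.
#
# Brute-force ladders (ssh, ftp, telnet). Every new connection to the port
# puts the source on <svc>_stage1; a later new connection from a source that
# is already on stage1 promotes it to stage2, stage2 to stage3, and stage3 to
# black_list. The promotion rules are listed highest stage first so that one
# packet advances a source by a single stage only (add-src-to-address-list
# does not stop rule processing, so the opposite order would walk a source
# through every stage on its first connection). The drop rule is keyed on
# black_list AND the service port: a blacklisted source is still free to reach
# other ports on the router. None of these rules carry in-interface, so they
# apply to every interface, LAN included.
# NOTE(review): timeouts differ between the three ladders (black_list entry:
# ssh 14w2d, ftp 285w5d, telnet 42w6d; stage1: ssh/ftp 28w4d, telnet 14w2d;
# ftp_stage2 28w4d vs 14w2d elsewhere). This looks like copy drift rather than
# intent — values are kept exactly as pasted.
#
# --- ssh (tcp/22) ---
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=14w2d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=28w4d chain=input connection-state=new dst-port=22 \
protocol=tcp
#
# --- ftp (tcp/21) ---
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=285w5d chain=input connection-state=new dst-port=21 \
protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=21 \
protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
address-list-timeout=28w4d chain=input connection-state=new dst-port=21 \
protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
address-list-timeout=28w4d chain=input connection-state=new dst-port=21 \
protocol=tcp
#
# --- telnet (tcp/23) ---
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=42w6d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
address-list-timeout=14w2d chain=input connection-state=new dst-port=23 \
protocol=tcp
#
# Port-scan detection. tcp-flags lists the flags that must be set; a "!"
# prefix means the flag must be clear. Each rule adds the source to the
# "port scanners" list (name contains a space, so it must stay quoted) for
# 14w2d; the drop rule at the end of the group then blocks that list on every
# port, unlike the service-specific drops above. psd=21,3s,3,1 is the port
# scan detector: weight threshold 21, reached within a 3s delay window, with
# low ports weighted 3 and high ports weighted 1.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="NMAP NULL scan" protocol=\
tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=14w2d chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=input comment="dropping port scanners" src-address-list=\
"port scanners"
#
# Connection-flood handling, one pair of rules per interface ether4..ether10.
# connection-limit=N,32 matches once a single source address (/32) holds more
# than N concurrent TCP connections. First rule: sources already on black_list
# that exceed the limit are tarpitted (the router answers the SYN and holds the
# connection instead of dropping it). Second rule: any source exceeding 10
# concurrent connections is added to black_list for the given timeout.
# black_list is shared with the brute-force ladders above, so a flood-detected
# source is also dropped on ports 21/22/23 for that period, and a brute-force
# source that later opens more than the tarpit limit is tarpitted here.
# Because only the tarpit rule consults black_list, a listed source that stays
# under the limit still reaches the input chain normally on other ports.
# NOTE(review): ether5 differs from every other interface (tarpit limit 10,32
# instead of 3,32; timeout 4h instead of 2h) — probably a copy slip, but the
# values are kept as pasted. Confirm whether the difference is intentional.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 in-interface=ether4 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether4 protocol=tcp
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
10,32 in-interface=ether5 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=4h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether5 protocol=tcp
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 in-interface=ether6 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether6 protocol=tcp
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 in-interface=ether7 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether7 protocol=tcp
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 in-interface=ether8 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether8 protocol=tcp
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 in-interface=ether9 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether9 protocol=tcp
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 in-interface=ether10 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2h chain=input comment="detect DoS attack" \
connection-limit=10,32 in-interface=ether10 protocol=tcp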