I hope this makes it to the list.  I just closed my work account until I 
can reopen it from my home email account.  I'm trying to open up my 
firewall to ssh clients on the public internet.  However, one of the 
following rules blocks ssh sessions:

block return-rst in on ep0 proto tcp from any to any flags S/SA
block return-rst in on ep0 proto tcp from any to any port=auth flags S/SA

Even adding these rules, it continues to drop ssh packets:

pass in on ep0 proto tcp from any to 0/32 port = ssh flags S/SA keep state
pass in on ep0 proto udp from any to 0/32 port = ssh

Admittedly, I based my firewall rules off of templates, but these 
filtering rules seem to be pretty important.  And, without them I don't 
get to see a lot of the scanning from public sources.

***

Question #2, what do other users do with the IPs you see in scans of 
your system?