Reset connection rate limit in pfSense

Published June 25, 2018

Note to self next time I get bit by it:

When using the “Max. src. conn. Rate” advanced option in a pfSense firewall rule, if desirable traffic ends up exceeding that rate, it’s really really hard to let the traffic through again. PfSense adds a rule to a firewall table, “virusprot”, that’s not listed in the web UI. The rule blocks all traffic from the offending source address, and it hangs around for a really long time. So adjusting the rate limit, clearing the state table, etc. still won’t let the traffic through.

After ~30 minutes of reading, the following command at the shell is what does the trick:

pfctl -t virusprot -F rules

…which translates to something like “packet filter control, operate on table virusprot and flush the rules in it.”
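To release a single source address and leave the rest of the table alone, pfctl's table commands (-T show, -T test, -T delete) can be pointed at virusprot. The functions below are an added example, not part of the original note; the function names and the PFCTL and TABLE variables are hypothetical.

```sh
#!/bin/sh
# Added example: targeted cleanup of the "virusprot" overload table.
# PFCTL and TABLE are variables introduced for this example so the
# functions can be pointed elsewhere; they are not pfSense settings.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-virusprot}"

# List the addresses currently held in the table.
virusprot_show() {
    "$PFCTL" -t "$TABLE" -T show
}

# Return 0 if ADDR is in the table. "pfctl -T test" exits non-zero
# when the address does not match.
virusprot_blocked() {
    "$PFCTL" -t "$TABLE" -T test "$1" >/dev/null 2>&1
}

# Remove one source address and keep every other entry.
# Exit codes: 0 removed, 1 not in table, 2 bad argument.
virusprot_unblock() {
    addr="$1"
    case "$addr" in
        # Accept only characters that can appear in an IPv4/IPv6
        # address or CIDR prefix; reject anything else.
        ''|*[!0-9A-Fa-f.:/]*)
            echo "usage: virusprot_unblock ADDR" >&2
            return 2 ;;
    esac
    if ! virusprot_blocked "$addr"; then
        echo "$addr is not in <$TABLE>" >&2
        return 1
    fi
    "$PFCTL" -t "$TABLE" -T delete "$addr"
}

# Typical session on the firewall (198.51.100.7 is a constructed address):
#   virusprot_show
#   virusprot_unblock 198.51.100.7
```

`pfctl -t virusprot -T flush` empties the whole table in one go. In the pfctl man page, `-F rules` is the modifier that flushes the loaded filter rules, so check the ruleset afterwards with `pfctl -sr`.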