Sending undesirables to a slow-moving queue

Going back to the scenario from Turning Away The Brutes, here is a variation with queues:

pass log quick on $ext_if proto tcp to port ssh flags S/SA \ 
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) queue (ssh_bulk, ssh_interactive) set prio (5,7)

Supplement this with a queue definition for 512 b/s:

queue smallpipe parent main bandwidth 512

And that's all the bruteforcers get, once caught:

pass inet proto tcp from <bruteforce> to port $tcp_services queue smallpipe

(In fact, queues that small may be unenforceable due to timing relative to available bandwidth)