Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <martin@duskware.de>
From: Greg Troxel <gdt@ir.bbn.com>
List: current-users
Date: 01/27/2005 19:58:32
  Now, here is the question: does anyone know of a tool to
  automagically recognize this sequence of logs that temporarily adds
  the corresponding block rules to ipf and expires them after, say, 24
  hours?

  Is there anything wrong from a security point of view with this
  approach?

An attacker could forge TCP connections from an address that you might
want to log in from and thus succeed at denying you access.  They'd
have to either see packets or guess sequence numbers (probably
actually get packets to be able to do DH to send the username
correctly, but I haven't really thought about it).  So if you exclude
addresses which have seen legitimate activity in the recent past, it
may be a good tradeoff.

-- 
        Greg Troxel <gdt@ir.bbn.com>
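An added illustration (not code from this thread or from any NetBSD tool) of the log-driven blocking Martin asks about, with the exclusion Greg suggests: failed-login bursts from one address produce an ipf block rule that expires after 24 hours, unless that address had a successful login recently. The log lines, thresholds, the assumed log year and the rule shape are constructed for the example; it only renders rules and does not touch ipf.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines; not taken from the thread.
SAMPLE_LOG = """\
Jan 27 19:00:01 host sshd[100]: Accepted publickey for gdt from 192.0.2.10 port 4001 ssh2
Jan 27 19:10:02 host sshd[101]: Failed password for invalid user test from 198.51.100.7 port 3001 ssh2
Jan 27 19:10:03 host sshd[102]: Failed password for invalid user guest from 198.51.100.7 port 3002 ssh2
Jan 27 19:10:04 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 3003 ssh2
Jan 27 19:20:05 host sshd[104]: Failed password for gdt from 192.0.2.10 port 4002 ssh2
Jan 27 19:20:06 host sshd[105]: Failed password for gdt from 192.0.2.10 port 4003 ssh2
Jan 27 19:20:07 host sshd[106]: Failed password for gdt from 192.0.2.10 port 4004 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) .* from (\S+) port")
YEAR = 2005  # syslog timestamps carry no year; assumed for the constructed sample

def parse(log):
    """Yield (timestamp, status, ip) for each sshd authentication line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def plan_blocks(log, threshold=3, window=timedelta(minutes=10),
                grace=timedelta(hours=1), ttl=timedelta(hours=24)):
    """Return {ip: expiry} for addresses to block: `threshold` failures within
    `window` trigger a block lasting `ttl`, except when the same address had a
    successful login within `grace` (the legitimate-activity exclusion)."""
    failures, last_ok, blocks = {}, {}, {}
    for ts, status, ip in parse(log):
        if status == "Accepted":
            last_ok[ip] = ts
            continue
        recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= threshold and ip not in blocks:
            ok = last_ok.get(ip)
            if ok is not None and ts - ok <= grace:
                continue  # recently seen legitimate activity: do not lock ourselves out
            blocks[ip] = ts + ttl
    return blocks

def ipf_rules(blocks, now):
    """Render the still-valid blocks as ipf rule lines; expired entries are dropped."""
    return [f"block in quick from {ip} to any"
            for ip, exp in sorted(blocks.items()) if exp > now]
```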