limit (integer,time,integer; Default: )

Matches packets until a given pps limit is exceeded. Parameters are written in following format: count[/time],burst.

count - maximum average packet rate measured in packets per time interval
time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
burst - number of packets which are not counted by packet rate

Try to play with limit option:

limit (integer,time,integer; Default: )

Matches packets until a given pps limit is exceeded. Parameters are written in following format: count[/time],burst.

count - maximum average packet rate measured in packets per time interval
time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
burst - number of packets which are not counted by packet rate

I would agree with sob, you want to limit folks heading towards your server.
In general folks use Destination based rule to capture and LOG it in the forward chain (capture the source IP) and drop it in raw is the usual process.

However you want to allow bonafide users and stop the rest??
Best if you can get a list of their public WANIPs and the only allow that grouping (firewall address list) on your destination nat rule.

Not having used these in anger, its hard to provide advice. I would try the first one and see how it works.......... Problem is I dont see where it defines the number of new connections PER UNIT OF TIME. For example is 5 connections or is it 5 connections (from an address or address block) over a minute, hour etc?????

Extra Tab
Connection Limit: Matches connections per address or address block after given value is reached. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive.

Limit: Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst:mode.
count - packet or bit count per time interval to match
time - specifies the time interval in which the packet or bit count cannot be exceeded (optional, 1s will be used if not specified)
burst - initial number of packets or bits to match: this number gets recharged every 10ms so burst should be at least 1/100 of rate per second
mode - packet or bit mode

Dst-Limit:
Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has it's own limit. Flow is defined by mode parameter. Parameters are written in following format: count[/time],burst,mode[/expire].
count - packet count per time interval per flow to match
time - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified)
burst - initial number of packets per flow to match: this number gets recharged by one every time/count, up to this number
mode - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)
expire - specifies interval after which flow with no packets will be allowed to be deleted (optional)

psd: Attempts to detect TCP and UDP scans. Parameters are in following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight

WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port