Four words, Peter... "dynamic IP address". I'm sure that there are folks that
ssh into machines that are on a dynamic IP address that don't have a modem
on a power backup, or even possibly on an ISP that may go down, possibly when
they are out of town. I don't know if it is possible or already done, but
you could have a computer check into a target machine that often changes
the IP address or system while the firewall is locked down to only send
messages to that remote machine and, if it is compromised, can't send it
anywhere else. Or you ssh into the machine and it only accepts incoming
port 22 requests from a machine that has a dynamic URL and is listed in your
pf.conf. Maybe you could even signify in the pf.conf that the URL will
often have a different IP address and it could request that IP address
every time it gets a hit on that rule or a maximum upper bound.
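
An added example, not part of the original message: pf resolves a hostname in a rule only when the ruleset is loaded, so one way to get the behaviour described above is a pf table refreshed from cron. The hostname, the table name and the pf.conf lines in the comments are assumptions.

```shell
#!/bin/sh
# Keep a pf table in sync with a dynamic-DNS hostname (added example).
# Assumed pf.conf lines (table name is hypothetical):
#   table <ssh_dyn> persist
#   block in proto tcp to port 22
#   pass  in proto tcp from <ssh_dyn> to port 22
# Run from cron at whatever interval bounds the staleness you accept.

HOST="home.example.org"   # hypothetical dynamic-DNS name
TABLE="ssh_dyn"           # hypothetical table name

# Keep only well-formed IPv4 addresses, so resolver errors or other
# unexpected output never reach pfctl.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' |
        sort -u
}

# Resolve a name with host(1); prints one address per line, or nothing.
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '/has address/ {print $NF}' | filter_ipv4
}

# Replace the table contents only when resolution succeeded. On failure
# the table is left alone, so the last known address keeps working and
# nobody else is let in.
sync_table() {
    addrs=$(resolve_host "$1")
    if [ -z "$addrs" ]; then
        echo "could not resolve $1, table <$2> unchanged" >&2
        return 1
    fi
    # Word splitting is intended: one argument per address.
    pfctl -q -t "$2" -T replace $addrs
}

# Only touch the firewall when invoked as: script sync
if [ "${1:-}" = "sync" ]; then
    sync_table "$HOST" "$TABLE"
fi
```

Anyone who can answer DNS for that name decides which address is allowed to reach port 22, so the table is an extra filter in front of sshd key authentication, not a replacement for it.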
