Just letting everyone know about my cool tool for pf called dfd_keeper: http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

The "DFD" stands for Dynamic Firewall Daemon. It manages your firewall rules. Basically dfd_keeper is a command shell for the firewall. You write a python script which calls my API and sets up your firewall rules. It takes care of things like getting the ordering right automagically. Then, your script defines allowable transformations to the firewall rules. For example, it can create a block rule that blocks some IP but expires in an hour. Finally, it binds to a socket and invokes an event loop. Then users may connect to it using netcat or telnet and invoke the aforementioned transformations. Integration with automated systems such as snort is designed to be trivial.

It does not have any crypto or access control, so you are enjoined to create pf rules that only permit access to the DFD port from trusted machines. I make mine accessible only from localhost, and leave an ssh connection to my firewall with netcat running. Even though I'm on the firewall, invoking DFD commands is simpler and less error-prone than interactively editing /etc/pf.conf and reloading rules by hand.

I am currently in the process of reviewing APIs for a pcap-based sniffer which will listen on your WAN interface, and:

1) Detect portscans, even if your pf rules block them.
2) Perform single-packet authentication (SPA), which is an improvement over port knocking.
3) Detect use of protocols which require listening sockets, such as bittorrent, SIP, edonkey, gnutella, active-mode FTP, IRC DCC operations, etc., and invoke DFD commands to set up rdr rules to point to the client that needs them, despite being behind NAT.

Comments welcome. The code is browsable online, and very short (1k lines).

-- 
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
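As an added illustration of the design the post describes (this is example code written for this page, not dfd_keeper's own code or API, which the post does not show), here is a small Python model of a dynamic firewall daemon for pf: an ordered rule table rendered to pf syntax so that dynamic "quick" rules always precede the base default-deny, a time-limited block transformation that expires on its own, a line-oriented command parser of the kind one would drive over netcat or telnet, a helper that turns a Snort fast-alert line into a block command, and a listener bound to loopback only, backed by pf rules that drop everything else aimed at the control port. The rule sections, the command names, the control port 2300, the interface name and the Snort alert format handling are all assumptions made for the example; the alert line in the test is constructed.

```python
"""Toy dynamic firewall daemon for pf (example code, not dfd_keeper).
Rule model, section ordering, command grammar and port are assumptions."""
import ipaddress
import re
import socketserver
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

DFD_PORT = 2300  # hypothetical control port chosen for this example


@dataclass
class Rule:
    section: int                     # 0 = control-port policy, 1 = dynamic blocks, 2 = base policy
    text: str                        # rule body in pf syntax
    expires: Optional[float] = None  # epoch seconds; None means permanent
    key: str = ""                    # address the rule was created for ("unblock" uses it)


class Firewall:
    def __init__(self, wan: str = "em0", now: Callable[[], float] = time.time):
        self.wan, self.now = wan, now
        self.rules: List[Rule] = []
        # Section 0: only localhost reaches the control port; anything else to it is dropped.
        self.add(0, f"pass in quick on lo0 proto tcp from 127.0.0.1 to 127.0.0.1 port {DFD_PORT}")
        self.add(0, f"block in quick proto tcp from any to any port {DFD_PORT}")
        # Section 2: base policy, default deny inbound on the WAN side.
        self.add(2, f"block in on {wan}")
        self.add(2, f"pass out on {wan} keep state")

    def add(self, section: int, text: str, expires: Optional[float] = None, key: str = "") -> None:
        self.rules.append(Rule(section, text, expires, key))

    def expire(self) -> int:
        """Drop time-limited rules whose deadline has passed; return how many were dropped."""
        now, before = self.now(), len(self.rules)
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        return before - len(self.rules)

    def render(self) -> str:
        """Emit pf.conf text. Sections give 'quick' rules precedence; within a section
        insertion order is kept, so the base default-deny never shadows a dynamic block."""
        self.expire()
        ordered = sorted(enumerate(self.rules), key=lambda ir: (ir[1].section, ir[0]))
        return "\n".join(r.text for _, r in ordered) + "\n"

    # --- transformations a client may invoke ---
    def block(self, ip: str, seconds: Optional[int] = None) -> str:
        addr = str(ipaddress.ip_address(ip))  # rejects junk before it ever reaches pfctl
        self.unblock(addr)                     # re-blocking refreshes the deadline
        expires = None if seconds is None else self.now() + seconds
        self.add(1, f"block in quick on {self.wan} from {addr} to any", expires, key=addr)
        return f"blocked {addr}" + ("" if seconds is None else f" for {seconds}s")

    def unblock(self, ip: str) -> str:
        n = len(self.rules)
        self.rules = [r for r in self.rules if r.key != ip]
        return f"removed {n - len(self.rules)} rule(s) for {ip}"

    def blocked(self) -> List[str]:
        self.expire()
        return [r.key for r in self.rules if r.section == 1]


COMMANDS = {"block": (1, 2), "unblock": (1, 1), "list": (0, 0)}  # name -> (min args, max args)


def handle_line(fw: Firewall, line: str) -> str:
    """One netcat/telnet line in, one response line out. Client text never reaches a shell."""
    parts = line.strip().split()
    if not parts or parts[0] not in COMMANDS:
        return "error: unknown command"
    cmd, args = parts[0], parts[1:]
    lo, hi = COMMANDS[cmd]
    if not lo <= len(args) <= hi:
        return f"error: usage {cmd}"
    try:
        if cmd == "block":
            return fw.block(args[0], int(args[1]) if len(args) == 2 else None)
        if cmd == "unblock":
            return fw.unblock(str(ipaddress.ip_address(args[0])))
        return " ".join(fw.blocked()) or "(none)"
    except ValueError as e:
        return f"error: {e}"


# Snort "fast" alert lines end in "{PROTO} src:port -> dst:port"; pull the source address out.
SNORT_RE = re.compile(r"\{(?:TCP|UDP)\} (\S+?):\d+ -> ")


def snort_to_command(alert_line: str, seconds: int = 3600) -> Optional[str]:
    m = SNORT_RE.search(alert_line)
    return f"block {m.group(1)} {seconds}" if m else None


class DFDHandler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        for raw in self.rfile:
            reply = handle_line(self.server.fw, raw.decode(errors="replace"))
            self.wfile.write((reply + "\n").encode())


def serve(fw: Firewall, host: str = "127.0.0.1", port: int = DFD_PORT) -> None:
    """Bind to loopback only; the section-0 pf rules are the second line of defence."""
    with socketserver.ThreadingTCPServer((host, port), DFDHandler) as srv:
        srv.fw = fw
        srv.serve_forever()


if __name__ == "__main__":
    serve(Firewall())
```

Run it and drive it the way the post describes, e.g. `echo 'block 203.0.113.7 3600' | nc 127.0.0.1 2300`; a Snort alert line piped through `snort_to_command` yields the same kind of command. The toy only renders pf.conf text; a real daemon would hand `render()` to `pfctl -f -` after every transformation and after each expiry sweep. The clock is injected so the expiry behaviour can be tested without waiting an hour.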