Use anchors (http://www.openbsd.org/faq/pf/anchors.html). Ex do site: "ext_if = "fxp0" block on $ext_if all pass out on $ext_if all keep state anchor ssh in on $ext_if proto tcp from any to any port 22" # echo "pass in from 192.0.2.10 to any" | pfctl -a ssh -f - -- Aristeu Gil Alves Jr