Securing IPsec with keynote(5) and pf(4) We can use pf(4) to filter packets PF Syntax Note: OpenBSD 4.1 and later use keep state flags S/SA as default for all pass rules pass in on enc0 proto ipencap keep state (if-bound) pass in on enc0 proto tcp from any to 10.0.1.10 port = ssh keep state (if-bound)