Four words, Peter... "dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may go down, possibly when they are out of town. I don't know if it is possible or already done, but you could have a computer check into a target machine that often changes the IP address or system while the firewall is locked down to only send messages to that remote machine and, if it is compromised, can't send it anywhere else.

On Wed, May 3, 2017 at 3:16 PM Luke Small <lukensm...@gmail.com> wrote:

> Is it worthwhile to set up a hook for pf to load rules that have URLs
> after the network services that can resolve them come into effect?