A quick google on 'pf port knocking' turned up the following that might be of interest.
http://www.lazyscripter.com/2010/04/port-knocking-with-pf/

On Feb 28, 2011, at 10:17 AM, Johan Söderberg wrote:

> A ridiculously simple idea.
> Protect your port, say ssh, by adding a code to access it.
> Ok, that's nothing new, but maybe how it's done.
>
> For a client to connect to a service, it needs to unlock the port with a code.
> The code is made of predefined blocked ports, that makes pf trigger.
> If the first code port is triggered, IP address enters a state with timestamp.
> If the next port that the address triggers, matches the next code port
> within a timeframe, let it enter new state, else lose state.
> When all code ports have been triggered in the right order, allow
> address to pass.
>
> Sure it's not safe from MITM, but it protects from scans, and allows
> you to connect from dynamic IP addresses.
> There are 65536 ports, that gives you 65536^n possible combinations
> where n is the number of ports in your code.
> So you probably won't need more than 2-3 ports in your code.
>
> Say what you think! And if you like my brain fart, would you want to
> implement it?
>
> Kind regards, Johan Söderberg
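
The per-address state machine described in the quoted message, as an added example that is not part of the original thread or of pf. The code ports, the 5-second window, the restart-on-first-port behaviour and the sample hits are constructed assumptions; in practice the hits would be fed from the firewall's record of blocked packets.

```python
from dataclasses import dataclass

KNOCK_CODE = (7000, 8000, 9000)  # constructed code ports (assumption)
STEP_WINDOW = 5.0                # max seconds between knocks (assumption)

@dataclass
class Progress:
    index: int        # number of code ports matched so far
    last_seen: float  # timestamp of the last matching knock

class KnockTracker:
    def __init__(self, code=KNOCK_CODE, window=STEP_WINDOW):
        self.code, self.window = tuple(code), window
        self.progress = {}    # source address -> Progress
        self.allowed = set()  # addresses that completed the code

    def blocked_hit(self, src, port, now):
        """Feed one hit on a blocked port; return True once src may pass."""
        if src in self.allowed:
            return True
        st = self.progress.get(src)
        if st is not None and now - st.last_seen > self.window:
            st = None  # outside the timeframe: state is lost
        expected = self.code[st.index] if st else self.code[0]
        if port == expected:
            idx = (st.index if st else 0) + 1
            if idx == len(self.code):  # whole code seen in order
                self.progress.pop(src, None)
                self.allowed.add(src)
                return True
            self.progress[src] = Progress(idx, now)
        elif port == self.code[0]:
            self.progress[src] = Progress(1, now)  # treat as a fresh start
        else:
            self.progress.pop(src, None)  # wrong port: lose state
        return False

def replay(events, **kw):
    """Run (src, port, timestamp) hits through a tracker; return allowed set."""
    tracker = KnockTracker(**kw)
    for src, port, now in events:
        tracker.blocked_hit(src, port, now)
    return tracker.allowed

# Constructed sample hits: a correct knock, a too-slow knock, an ascending scan.
EVENTS = [("198.51.100.7", p, t) for p, t in ((7000, 0.0), (8000, 1.0), (9000, 2.0))]
EVENTS += [("203.0.113.9", p, t) for p, t in ((7000, 0.0), (8000, 1.0), (9000, 9.0))]
EVENTS += [("192.0.2.50", p, i * 0.001) for i, p in enumerate(range(6998, 9002))]
```

Replaying `EVENTS` leaves only the first address allowed: the second exceeds the window before its last knock, and the ascending scan loses state on the port right after 7000.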