Default pf.conf (from OpenBSD 7.3), with the SSH bastion rules added
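# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# One statement per line: on a single line, everything after the first "#"
# is a comment and no rule would be loaded.
#
# pf checks a packet against every rule in order and the LAST matching rule
# decides, unless a matching rule carries "quick", which ends evaluation there.
#
# Parse-check edits with "pfctl -nf /etc/pf.conf" before loading them with
# "pfctl -f /etc/pf.conf", and keep console access while changing the SSH
# rules: a wrong address in <sshbastion> shuts out remote logins.

# Source address(es) allowed to reach port 22 on this host.
table <sshbastion> { 46.23.90.11 }

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state
# The bare "pass" has no direction or protocol, so anything not blocked by a
# later rule is still allowed, inbound and outbound.

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# SSH: refuse inbound port 22 from everyone; this overrides the bare "pass"
# above because it comes later. Neither SSH rule names an address family, so
# IPv6 is covered as well; the table holds a single IPv4 address, so port 22
# is closed over IPv6 until an inet6 entry is added to <sshbastion>.
block return in proto tcp to port 22

# Re-admit the bastion. "quick" stops evaluation on a match, so the exemption
# survives even if further block rules are appended below this line.
pass in quick proto tcp from <sshbastion> to port 22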
Block SSH except from the bastion
...[output omitted]...
# <ip_address> is a placeholder for the bastion host's address.
table <sshbastion> { <ip_address> }
...[output omitted]...
# Order matters: the last matching rule wins, so port 22 is first refused for
# every source and then re-opened for the table; "quick" ends evaluation there.
block return in proto tcp to port 22
pass in quick proto tcp from <sshbastion> to port 22