What PF Doesn't Do User-level access control Like application filtering, this should be handled in userland authpf authentication and session timeout handled by ssh modifies ruleset or table isakmpd filtering based on IKE phase1 ID