by catiopatio 1011 days ago
pf’s `divert-to` can be used to divert packets to a local port; `getsockname()` will return the original destination address, so you can either close the connection, or proxy it in userspace.

Alternatively, you could possibly use a divert(4) socket — coupled with a targeted firewall rule — to divert only the initial SYN packet, and if the connection is to be permitted, re-inject it and allow connection to proceed normally.

OpenBSD supports using divert(4) sockets with pf; unfortunately, FreeBSD divert(4) sockets only work with the older ipfw firewall.
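The first approach in the comment above, worked through as an added C example (not the commenter's code and not part of any project): a userspace listener that receives pf `divert-to` connections, recovers the original destination with `getsockname()`, and either closes the connection or relays it. It assumes OpenBSD's `divert-to` semantics, where packets are not rewritten; the pf rule in the header comment, the listen port 8080, the 192.0.2.x addresses and the allow-list are all constructed for illustration.

```c
/* Added example: pf divert-to listener with a getsockname()-based policy.
 * Assumes a constructed OpenBSD rule such as
 *   pass in quick on egress proto tcp to port 80 divert-to 127.0.0.1 port 8080
 * so that inbound port-80 connections land on this program instead. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_PORT 8080

/* Constructed allow-list: original destinations we are willing to proxy. */
static const char *allowed_dsts[] = { "192.0.2.10:80", "192.0.2.11:80" };

/* Render a destination as "a.b.c.d:port"; returns 0 on success, -1 on error. */
int format_dst(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip))
        return -1;
    return snprintf(buf, len, "%s:%u", ip, ntohs(sa->sin_port)) < (int)len ? 0 : -1;
}

/* Policy decision on the original destination: 1 = proxy it, 0 = close it. */
int policy_allows(const struct sockaddr_in *orig_dst)
{
    char key[INET_ADDRSTRLEN + 8];
    if (format_dst(orig_dst, key, sizeof key) < 0)
        return 0;
    for (size_t i = 0; i < sizeof allowed_dsts / sizeof *allowed_dsts; i++)
        if (strcmp(key, allowed_dsts[i]) == 0)
            return 1;
    return 0;
}

/* Build a sockaddr_in from a dotted quad and a host-order port (used by tests). */
int make_dst(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Copy bytes in both directions until either side closes or errors. */
static void relay(int a, int b)
{
    struct pollfd pfd[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    char buf[4096];
    for (;;) {
        if (poll(pfd, 2, -1) < 0)
            return;
        for (int i = 0; i < 2; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP)))
                continue;
            ssize_t n = read(pfd[i].fd, buf, sizeof buf);
            if (n <= 0)
                return;
            int out = pfd[i ^ 1].fd;            /* the other side */
            for (ssize_t off = 0; off < n; ) {
                ssize_t w = write(out, buf + off, n - off);
                if (w <= 0)
                    return;
                off += w;
            }
        }
    }
}

int main(void)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in la = { .sin_family = AF_INET, .sin_port = htons(LISTEN_PORT) };
    la.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(ls, (struct sockaddr *)&la, sizeof la) < 0 || listen(ls, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        int cs = accept(ls, NULL, NULL);
        if (cs < 0)
            continue;
        /* divert-to leaves the packets unmodified, so getsockname() reports the
         * address the client originally connected to, not 127.0.0.1:8080. */
        struct sockaddr_in dst;
        socklen_t dl = sizeof dst;
        if (getsockname(cs, (struct sockaddr *)&dst, &dl) < 0 || !policy_allows(&dst)) {
            close(cs);                          /* reject: drop the connection */
            continue;
        }
        char txt[32];
        format_dst(&dst, txt, sizeof txt);
        fprintf(stderr, "proxying to original destination %s\n", txt);
        int us = socket(AF_INET, SOCK_STREAM, 0);
        if (connect(us, (struct sockaddr *)&dst, sizeof dst) == 0)
            relay(cs, us);                      /* proxy in userspace */
        close(us);
        close(cs);
    }
}
```

The policy and formatting helpers are kept separate from the socket handling so they can be exercised without a live pf ruleset. One practical caveat when proxying: the listener's own onward `connect()` must not match the same divert rule, or it will loop back into the listener; on OpenBSD the default `set skip on lo` covers the local case, and pf's `user` keyword can exclude the proxy's own sockets otherwise.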