You may use this patch to ipfw: http://www.freebsd.org/cgi/query-pr.cgi?pr=103454

Or you may use the ng_patch netgraph node (man ng_patch(4) should give you some examples).

The simplest way to do what you want is a pf rule:

    scrub in on em0 no-df

You should check the performance of all those methods yourself.