IP Filter (ipf) is a popular TCP/IP rule-based packet filter, written by Darren Reed (darren@pobox.com), that runs on most *nix systems.

it is installed by default on the FreeBSD, OpenBSD, and NetBSD operating systems.

one of IP Filter's most advanced features (of which there are many) is its ability to recognize the "state" of a packet and make filtering decisions based upon that information .. for example, if you have allowed TCP connections to port 22 in your ipf config file:

pass in on xl0 proto tcp from any to port = 22 flags S keep state
(xl0 is the network interface (the ethernet card) and is your ip)

this rule allows connection attempts (the flags S, which means a packet with the SYN flag set, denotes this) to port 22 from anywhere .. the keep state option tells ipf to remember this connection and any packets that are part of this connection will not be subjected to ipf's rulesets and the overhead that that can incur .. this is unlike ipfw, for example, which checks the rules for every packet coming through the system (although ipfw does have stateful checking now which may operate in a manner similar to ipf's).

IP Filter website: http://coombs.anu.edu.au/~avalon/ip-filter.html
IP Filter how-to: http://www.obfuscation.org/ipf