Suggestion: if not fortify, monitor changes to packet filter firewall.

I'd like to strongly suggest that the `pf` settings be verified for tampering. It is extremely easy (like, by using 17.0.0.0/8 signed software and exporting a variable) to modify it. The socket/application firewall is deprecated (and I believe can be bypassed?) since the introduction of the packet filter.