You should use pf. And also it seems to say
here that you can use deny hosts on FreeBSD. This is an application for protecting an ssh daemon that still has password authentication enabled(for some quirky reason, like logging in from an iphone?) . Better still you could just copy your ssh private key onto read-only media and then you could use it with all the hosts you connect from. Sorry if i'm totally off the mark; i didn't read the whole thread i just read the initial question
I hope the malness maelstrom doesn't get you