Holepunch project is a web-based firewall session manager which opens and closes "holes" in your firewall based on a username/password combination. Each user directs his browser to the port HolePunch is running on and enters their username and password.
Assuming correct authentication, certain services (configurable on a user-by-user basis) are then opened up for that person's IP address only. The user then mimimizes his browser window while it continues to refresh the session on an interval.
If the user closes that browser window, the refreshes stop happening, the session times out, and the "holes" are then closed off to that address. Currently HolePunch is made for OpenBSD and pf(4). It should be trivial to port it over to Linux and IP Chains or Linux and IP Tables. Since FreeBSD can use pf(4), it should compile and run on FreeBSD too, but this is currently untested.