Thanks, John and Grant. "pf" and "pfctl" were what I was after - more so - some assurance that Apple hasn't locked down the OS so tightly that that functionality is no longer available. It's been five years since I've had to revisit this.
Grant - you probably know security behind the firewall has to be about as good as it needs to be from outside in some organizations. Thanks for the forum recommendation.
Trust me both - I have been through this PCI compliance level exercise with this Windows-centric security group and their, then, Nessus (now "http://www.tenable.com/") scanners, which found tons of stuff. Here's an example of scan results from an old Lion server still in service. You have to justify or figure out a way to close off anything listed.
33929 (1) - PCI DSS compliance
17704 (1) - OpenSSH S/KEY Authentication Account Enumeration
17705 (1) - OPIE w/ OpenSSH Account Enumeration
17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
14272 (25) - netstat portscanner (SSH)
22964 (4) - Service Detection
10180 (1) - Ping the remote host
10267 (1) - SSH Server Type and Version Information
10287 (1) - Traceroute Information
11153 (1) - Service Detection (HELP Request)
11936 (1) - OS Identification
12264 (1) - Record Route
19506 (1) - Nessus Scan Information
21745 (1) - Authentication Failure - Local Checks Not Run
25220 (1) - TCP/IP Timestamps Supported
39520 (1) - Backported Security Patch Detection (SSH)
45590 (1) - Common Platform Enumeration (CPE)
54615 (1) - Device Type
56209 (1) - PCI DSS compliance : Remote Access Software Has Been Detected
58651 (1) - Netstat Active Connections
10.x.x.x (tcp/22)
Port 22/tcp was found to be open
10.x.x.x (udp/88)
Port 88/udp was found to be open
10.x.x.x (udp/123)
Port 123/udp was found to be open
10.x.x.x (udp/137)
Port 137/udp was found to be open
10.x.x.x (udp/138)
Port 138/udp was found to be open
10.x.x.x (tcp/443)
Port 443/tcp was found to be open
10.x.x.x (udp/464)
Port 464/udp was found to be open
10.x.x.x (tcp/625)
Port 625/tcp was found to be open
10.x.x.x (tcp/1640)
Port 1640/tcp was found to be open
10.x.x.x (udp/3283)
Port 3283/udp was found to be open
10.x.x.x (udp/3659)
Port 3659/udp was found to be open
10.x.x.x (tcp/5218)
Port 5218/tcp was found to be open
10.x.x.x (udp/5353)
Port 5353/udp was found to be open
10.x.x.x (udp/50007)
Port 50007/udp was found to be open
10.x.x.x (udp/53568)
Port 53568/udp was found to be open
10.x.x.x (udp/56064)
Port 56064/udp was found to be open
10.x.x.x (udp/58499)
Port 58499/udp was found to be open
10.x.x.x (udp/58872)
Port 58872/udp was found to be open
10.x.x.x (udp/61289)
Port 61289/udp was found to be open
10.x.x.x (udp/61389)
Port 61389/udp was found to be open
10.x.x.x (udp/61991)
Port 61991/udp was found to be open
10.x.x.x (udp/63693)
Port 63693/udp was found to be open
10.x.x.x (udp/64686)
Port 64686/udp was found to be open
10.x.x.x (udp/64921)
Port 64921/udp was found to be open
10.x.x.x (udp/65032)
Port 65032/udp was found to be open