I've recently had the Netfilter recent module brought to my attention, and man, is it neat! The final example on the website for it is a bunch of rules that temporarily open up a hole in the firewall to allow an ident request in when an outbound SMTP connection is seen. Very cool. I'm interested in doing something to mitigate SSH brute force login attempts.