How to use pf with vimage jails?

[Alan Somers]

Is there any documentation on how to run pf on a host, using it to control
access to vimage jails?  I see that only ipfw can be run from _inside_ of
the jail, but I'm interested in running pf _outside_ of the jail.  One
example application would be to use a jail as a honeypot.  In that case,
you wouldn't trust the jail to control its own firewall.  Another would be
to use jails as a poor man's DMZ.

-Alan