How can I open a specific port on OS X El Capitan on a tun device?

I am trying to open port 3389 on OS X El Capitan.

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.11.6
BuildVersion:   15G31


$ ifconfig
..snip..
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.X.X.XX --> 10.X.X.XX netmask 0xffff0000

How can I achieve this with pfctl? I found the man page rather difficult to digest.

Questions:

• How can I set up and test a rule that opens port 3389 on utun0?
• How can I make the above setting permanent?