PF Edges

This section covers a couple of tidbits of PF configuration that don’t quite fit anywhere else: include files and the quick keyword.

Using Include Files

Sometimes splitting a configuration file into multiple pieces simplifies your work. Do this with an include statement in pf.conf.

include "/etc/pf/management-addresses"

I do this when I need to manage several PF machines with unique configurations, but certain pieces are identical. The management-addresses file defines a table listing all hosts and networks that can connect via SSH, make SNMP queries, and so on. When one of those addresses changes, I copy this file to all of my PF hosts and reload the packet-filtering rules.
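As an added illustration (not the book's own configuration), here is what such a split might look like on one host: the shared file defines a table, and the per-host pf.conf includes it and references the table from its filter rules. The interface name, table name, and all addresses are constructed for this example.

```pf
# --- /etc/pf/management-addresses (shared, copied to every PF host) ---
# Hosts and networks allowed to reach management services. "const" keeps
# the table from being changed at runtime with pfctl -t ... -T add.
# Addresses are constructed for this example.
table <mgmt> const { 192.0.2.10, 192.0.2.11, 198.51.100.0/28 }

# --- /etc/pf.conf (host-specific) ---
ext_if = "em0"

# The included file is parsed as if its contents appeared right here,
# so the table is defined before any rule refers to it.
include "/etc/pf/management-addresses"

block in on $ext_if

# Only the management table may reach SSH and SNMP on this host.
pass in on $ext_if proto tcp from <mgmt> to ($ext_if) port 22
pass in on $ext_if proto udp from <mgmt> to ($ext_if) port 161

pass out on $ext_if
```

Before pushing a changed include file to every host, parse the full ruleset without loading it with pfctl -nf /etc/pf.conf; a syntax error in the shared file would otherwise break the reload on every machine at once. Then load it with pfctl -f /etc/pf.conf.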

Skipping Matches with quick

PF processes packet-filtering rules in order, and the last matching rule wins, which can complicate designing a ruleset that supports exactly the access you desire. If you find yourself stuck, use the quick keyword to abort processing the rest of the rules for matching packets. Here’s an example:

…
pass in quick proto tcp from any to $sshserver port 22
…
block in proto tcp from any to any port 22
…

The first rule permits traffic to the host(s) in the macro $sshserver on port 22. The second rule drops all TCP port 22 traffic. The quick keyword in the first rule says, “When a packet matches this rule, follow this rule and do not process any more rules.” In this case, the SSH connection will be permitted.

The quick keyword is especially useful in anchors, where rules added for a special purpose by an automated process like ftp-proxy(8) might be overridden by later rules meant for unrelated purposes.

The purist in me wants to insist that all static rulesets be written without using quick. While strictly speaking that’s true, sometimes avoiding quick creates rulesets that are difficult to interpret. A ruleset you can easily understand is more secure than something baroque but syntactically pure.
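To make the trade-off concrete, here is the same SSH policy written both ways. This is an added example, not a ruleset from the book; the interface and $sshserver address are constructed. Load one version or the other, never both in one file.

```pf
ext_if = "em0"
sshserver = "192.0.2.20"          # constructed address

# Version A: with quick.
# The first rule ends evaluation for matching packets, so the general
# block below never sees SSH traffic bound for $sshserver.
pass in quick on $ext_if proto tcp from any to $sshserver port 22
block in on $ext_if proto tcp from any to any port 22

# Version B: without quick.
# Last match wins, so the general block must come first and the
# specific pass last. Same result, but the reader has to remember
# that rule order, not rule position in the file, encodes the policy.
block in on $ext_if proto tcp from any to any port 22
pass in on $ext_if proto tcp from any to $sshserver port 22
```

Whichever style you pick, confirm the loaded ruleset matches your intent with pfctl -sr, which prints the rules in the order PF evaluates them.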
