Filtering On Interface Groups

You can configure groups of interfaces, filter on them

# ifconfig sis2 group untrusted

(or hostname.sis2)

Use in your pf.conf

pass in on untrusted to any port $webports
pass out on egress to any port $webports

Allows you to create device independent rule sets