The power of tags

Tag packets on the way in, then block or pass them on the way out based on the tag.

E.g. in a network with several NATing access points:

wifi = "{ 10.0.0.115, 10.0.0.125, 10.0.0.135, 10.0.0.145 }"
pass in on $int_if from $wifi to $wifi_allowed port \
     $wifi_ports tag wifigood
     ...
pass out on $ext_if tagged wifigood

NOTE: tags are sticky - every matching rule that carries a tag applies it, not only the last matching rule
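
The fragment above filled out into a minimal default-deny ruleset, as an added example that is not part of the original slide. The interface names and the values of `wifi_allowed` and `wifi_ports` are assumptions, and `proto tcp` is written out explicitly.

```pf
# Added example. Everything marked "assumed" or "constructed" is not from the slide.
ext_if = "em0"                                # assumed external interface
int_if = "em1"                                # assumed internal interface
wifi = "{ 10.0.0.115, 10.0.0.125, 10.0.0.135, 10.0.0.145 }"
wifi_allowed = "{ 192.0.2.10, 192.0.2.20 }"   # constructed (TEST-NET-1 addresses)
wifi_ports = "{ 80, 443 }"                    # assumed

# Default deny in both directions; "log" makes dropped packets
# visible on pflog0.
block log all

# The policy decision is made once, on the inside interface: only
# traffic from the access points to the allowed hosts and ports
# is tagged.
pass in on $int_if inet proto tcp from $wifi to $wifi_allowed \
    port $wifi_ports tag wifigood

# Stickiness: for a port 443 packet to an allowed host this broader
# rule is the last match, but it has no tag keyword, so the wifigood
# tag applied by the rule above stays on the packet. A port 443
# packet to any other host passes in untagged.
pass in on $int_if inet proto tcp from $wifi to port 443

# The outside interface trusts the tag, not addresses or ports.
# Untagged packets fall through to "block log all".
pass out on $ext_if tagged wifigood
```

Check the syntax with `pfctl -nf` on the file before loading it, and watch `pflog0` with tcpdump to confirm that untagged traffic from the access points is dropped on the way out.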