You can configure groups of interfaces and filter on them.
There are a few default groups: egress for interfaces with the default route, wlan for wireless, enc for IPsec
# ifconfig sis2 group untrusted
(or put it in hostname.sis2)
Use the group in your pf.conf:
pass in on untrusted to any port $webports
pass out on egress to any port $webports