or perhaps
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \
https, 446, cvspserver, 2628, 5999, 8000, 8080 }"
udp_services = "{ domain, ntp }"
pass quick inet proto { tcp, udp } to any port $udp_services keep state
pass inet proto tcp from $int_if:network to any port $client_out \
flags S/SA keep state
pass in inet proto tcp from any to any port sshRule evaluations is top to bottom, last matching rule wins.
The quick keyword exits rule evaluation when current rule matches (quick rule always wins)