You can configure groups of interfaces, filter on them
# ifconfig sis2 group untrusted
(or hostname.sis2)
Use in your pf.conf
pass in on untrusted to any port $webports pass out on egress to any port $webports