block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80
Read also http://www.openbsd.org/faq/pf/tables.html

Another way to deal with negation in your pf.conf is to use tables... Maybe try a table with safeip combinations like the one below, but do test and read and try variations, this may be wrong also :)

table <safeip> {192.168.1.0/24, !192.168.1.200}
... ... ...
block in log quick on $ext_if proto {tcp,udp} from !<safeip> to any port 80
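An added example, not part of the original post: a small Python model of how pf evaluates the source address in the list rule above versus the table rule suggested in the post. pf expands a `{ }` list into one rule per item, while a table lookup uses the most specific matching entry. The values for `$me` and `$mynet` are assumed for illustration (the page does not give them), and interface, protocol and port matching are left out of the model.

```python
import ipaddress

# Assumed sample values; the page does not define $me or $mynet.
ME = "203.0.113.10"
MYNET = "192.168.1.0/24"
NEGATED_LIST = ["!" + ME, "!" + MYNET]            # from {!$me, !$mynet}
SAFEIP = ["192.168.1.0/24", "!192.168.1.200"]     # table from the post

def _parse(item):
    """Split a pf-style address item into (network, negated?)."""
    return ipaddress.ip_network(item.lstrip("!")), item.startswith("!")

def list_rule_blocks(src, items):
    """pf expands a {..} list into one rule per item. With `quick`,
    the packet is blocked as soon as ANY expanded rule matches."""
    ip = ipaddress.ip_address(src)
    for item in items:
        net, negated = _parse(item)
        if (ip in net) != negated:    # this expanded rule's `from` matches
            return True
    return False

def table_match(src, table):
    """A table lookup picks the most specific entry containing the
    address; if that entry is negated, the lookup is a non-match."""
    ip = ipaddress.ip_address(src)
    best = None
    for entry in table:
        net, negated = _parse(entry)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

def table_rule_blocks(src, table):
    """block ... from !<table>: blocks when the lookup does NOT match."""
    return not table_match(src, table)

if __name__ == "__main__":
    for src in (ME, "192.168.1.5", "192.168.1.200", "198.51.100.7"):
        print(src,
              "list rule blocks:", list_rule_blocks(src, NEGATED_LIST),
              "| table rule blocks:", table_rule_blocks(src, SAFEIP))
```

In this model the expanded list rule blocks every source, including `$me` and hosts in `$mynet`, because each address is "not" at least one of the two items. On a real system, `pfctl -nvf /etc/pf.conf` prints the expanded rules without loading them, which is a quick way to check what a list turned into.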