pass out all
last rule wins, and obviously if it is remote allow ssh port etc.
You can read more here: http://home.nuug.no/~peter/pf/en/long-firewall.html