Exceptions to the rule

Where there are rules there are exceptions. The rules in the pf.conf file are processed sequentially, and when several rules match a packet the last matching rule wins. It is therefore wise to declare the more general rules (the block rules in our example) at the beginning and the more specific rules after them.

For example, we blocked all SSH traffic earlier on, but we can make an exception for the host with IP address 1.2.3.4. Simply add this line after the earlier block rule (see 5.3.):

pass in on $ext_if proto tcp from any to 1.2.3.4 port 22
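The following pf.conf fragment is an added example, not part of the original tutorial, that puts the general block and the specific exception side by side so the ordering rule is visible in one place. Only `$ext_if` and `1.2.3.4` come from the tutorial; the interface name `em0` and the macro `admin_host` are assumed for the illustration.

```pf
# Added example (not from the original tutorial): minimal pf.conf showing
# why the general block goes first and the exception comes after it.
# $ext_if and 1.2.3.4 follow the tutorial; "em0" and admin_host are assumed.
ext_if = "em0"            # assumed external interface name
admin_host = "1.2.3.4"    # the one host that may still receive SSH

# General rule: block all inbound SSH on the external interface.
block in on $ext_if proto tcp from any to any port 22

# Specific exception, placed AFTER the block: PF evaluates the whole
# ruleset and the last matching rule wins, so this pass overrides the
# block only for packets destined to $admin_host.
pass in on $ext_if proto tcp from any to $admin_host port 22

# Caveat: the "quick" keyword stops evaluation at the first match. Had the
# block above been written as the (commented) line below, the later pass
# rule would never be reached and the exception would silently not apply.
# block in quick on $ext_if proto tcp from any to any port 22
```

Before loading a changed ruleset, parse it without applying it with `pfctl -nf /etc/pf.conf`; once it parses cleanly, load it with `pfctl -f /etc/pf.conf`. Listing the loaded rules with `pfctl -sr` shows the order PF actually evaluates them in, which is the quickest way to confirm that the exception really sits after the block it is meant to override.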