e.g. the DNS resolution might not happen with the effective user id of the user that opens the TCP connection using a symbolic host name, at least depending on how resolution is set up (local name server might use named user). ssh connections might cause various DNS lookups (forward, reverse) and other TCP daemons might try ident lookups (not necessarily with the uid of the same user), etc.
To test, I'd restrict the rule to TCP. Or add multiple rules for each user/protocol, and use pfctl -vsr to check which are matched.

Daniel
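An added illustration of the per-user/per-protocol split suggested above (example configuration, not from the thread); the user names alice and bob and the interface group egress are assumed:

```pf
# Constructed /etc/pf.conf fragment (example, not from the original post).
# Assumptions: local users "alice" and "bob", interface group "egress".
# One rule per user and per protocol, so each rule keeps its own counters
# and pfctl -vsr reveals which rule a given connection actually matched.
pass out quick on egress proto tcp from self to any user alice
pass out quick on egress proto udp from self to any user alice
pass out quick on egress proto tcp from self to any user bob
pass out quick on egress proto udp from self to any user bob
# Traffic generated under another uid (resolver, ident, sshd lookups)
# matches none of the user rules and falls through to this logging rule,
# so pflog shows what was not attributed to the user running the command.
block out log on egress from self to any

# Then, as root:
#   pfctl -f /etc/pf.conf   # load the ruleset
#   pfctl -z                # zero the per-rule counters
#   (run the connection as the user under test)
#   pfctl -vsr              # per-rule Evaluations / Packets / Bytes / States
```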
