You're right. I had a rule up top; when I was testing from home, it passed me in and ignored all other rules,
which is exactly what I wanted. I tried from another IP on the internet and the rule did in fact log.
Sorry for wasting time with this post.
This is excellent software. I've spent about 2 days now completely learning it. I've read all the man pages,
and different examples on the internet.
a) tcp.established definable on a per-rule basis (why I say this is that a lot of times you want to have a global value for the established timeout state, but there are times that you'd like to, say, not time out your ssh session from home for a week/month period)
b) program interaction with a ruleset (I believe this one is what will make any firewall rule all the other ones: a way to execute a program if a ruleset returns TRUE.) Typical example: firewall matches one of your rules, rule returns true, executes a program where we can evaluate some conditions, passing variables such as IP and PORT; program then executes pfctl to add that IP to the table or anything else.
