Invert port alias in rule
I use a LAN rule to allow only specific outbound port requests (80, 443, 22, etc.). Occasionally someone decides to provide a service on a non-standard port. When a hapless local user can't get to such a site I would like to log the anomalous port request.
In short, I would like to match requests to destination ports not included in my allowOut alias.
How can I invert a port alias match?
You can just put a reject rule after that rule to TCP port any that logs. Only traffic that does not match the pass rule(s) above it will reach it and be logged. No reason to exclude the matching "good" traffic in that rule itself.