Request to change the default permissions of /etc/pf.conf from 755 to 600. This will prevent a local user or webscript attacker from reading the PF ruleset. Note that at the moment this is the only way a normal user could gather information on the PF ruleset; in fact, using pfctl needs root permissions to open /dev/pf.
Ed
# RFC @ hacking.openbsd.it
