You could try using some example rulesets that stop a lot of scans:

    # Block bad TCP flags from malicious people and nmap scans
    block in log quick on $ext_if proto tcp from any to any flags /S
    block in log quick on $ext_if proto tcp from any to any flags /SFRA
    block in log quick on $ext_if proto tcp from any to any flags /SFRAU
    block in log quick on $ext_if proto tcp from any to any flags A/A
    block in log quick on $ext_if proto tcp from any to any flags F/SFRA
    block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
    block in log quick on $ext_if proto tcp from any to any flags SF/SF
    block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
    block in log quick on $ext_if proto tcp from any to any flags SR/SR
    block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
    block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
    block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
    block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP

    # Drop spoofed packets and block some nasty AD/Spyware programs IP blocks
    block return in log quick on $ext_if from any to <AdWare>
    block in log quick on $ext_if from { <RFC1918>, <AdWare> } to any
    block out log quick on $ext_if from any to { <RFC1918>, <AdWare> }

This should keep you OK with scans; it could break some non-standard apps, though!
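
The flag rules above can be checked offline. The following is an added example, not part of the original post: it evaluates each `flags <set>/<mask>` spec from the ruleset, in rule order, against TCP flag combinations and reports which rule is the first to match. It assumes the pf.conf(5) meaning of `flags` (of the flags in the mask, exactly those in the set are on); the function names and sample packets are constructed for illustration.

```python
# Added example (not from the original post): which of the ruleset's
# "flags <set>/<mask>" specs is the first to match a given TCP flag combination.
# Assumption: pf.conf(5) semantics, i.e. a packet matches when, of the flags
# listed in <mask>, exactly those listed in <set> are on.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# Flag specs copied from the post, in rule order; "quick" makes the first match final.
RULE_SPECS = ["/S", "/SFRA", "/SFRAU", "A/A", "F/SFRA", "U/SFRAU", "SF/SF",
              "SF/SFRA", "SR/SR", "FUP/FUP", "FUP/SFRAUPEW", "SFRAU/SFRAU",
              "SFRAUP/SFRAUP"]

def to_bits(letters):
    """Convert pf flag letters (e.g. "SA") to a TCP flags byte."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]  # KeyError on a letter pf does not define
    return bits

def spec_matches(spec, bits):
    """True when the flags byte satisfies a 'set/mask' spec."""
    want, mask = spec.split("/")
    return bits & to_bits(mask) == to_bits(want)

def first_block(packet_flags, specs=RULE_SPECS):
    """Spec of the first block rule a packet hits, or None if it hits none."""
    bits = to_bits(packet_flags)
    return next((s for s in specs if spec_matches(s, bits)), None)

def effective_specs(specs=RULE_SPECS):
    """Specs that are the first match for at least one of the 256 flag bytes."""
    winners = set()
    for bits in range(256):
        hit = next((s for s in specs if spec_matches(s, bits)), None)
        if hit is not None:
            winners.add(hit)
    return [s for s in specs if s in winners]

# Constructed sample packets, described only by their flag letters.
SAMPLES = {"no flags": "", "FIN only": "F", "FIN+PSH+URG": "FPU", "SYN": "S",
           "SYN+ACK": "SA", "ACK": "A", "SYN+FIN": "SF"}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:12} first blocked by: {first_block(flags)}")
    print("specs that are ever the first match:", effective_specs())
```

Because every rule is `quick`, `flags /S` catches every packet without SYN before the later rules are reached, so only four of the thirteen specs can ever be the deciding rule. A packet that matches an existing state entry is passed by pf without evaluating the ruleset, so the "ACK" case here means an ACK with no matching state.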