I don't see anything in particular that is wrong with your setup, but my two suggestions that I give all the time (their value is debatable):
* Have a default block/log rule, and see what pflog says
* Keep state on TCP rules separately, and explicitly use flags (similar to how you are already doing this on rules for TCP to the firewall, but are not doing for traffic passing from the LAN going out)

-jon
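A pf.conf fragment that applies both suggestions above, added here as a worked example; it is not part of jon's reply or the original poster's ruleset. The interface names, the LAN network and the service list are assumptions, and the ruleset is deliberately minimal (no NAT, no rdr). The `keep state` and `flags S/SA` are written out explicitly as the reply recommends; on pf releases from OpenBSD 4.1 onward they are the default for TCP rules, but spelling them out is still accepted and makes the intent visible when reading the file.

```pf
# Added example, not from the original post. Interface names, networks and
# the port list are assumptions for illustration; adapt to the real setup.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
fw_tcp_services = "{ ssh }"

set skip on lo

# Suggestion 1: a default block rule that logs. pf uses last-match semantics,
# so putting this first means anything no later rule passes is dropped and a
# copy is written to pflog0, where tcpdump can read it.
block log all

# Drop packets arriving on an interface with a source address that belongs to
# a network behind another interface.
antispoof quick for { $int_if $ext_if }

# Suggestion 2: keep state on TCP rules separately, with explicit flags.
# flags S/SA: only a packet with SYN set and ACK clear (the first packet of a
# three-way handshake) may create a state entry; every other TCP packet must
# match an existing entry or it falls through to the block rule above.

# TCP to the firewall itself (the rules the post says already do this):
pass in on $ext_if proto tcp from any to ($ext_if) port $fw_tcp_services \
    flags S/SA keep state

# TCP from the LAN going out (the traffic the post says was missing it):
pass in  on $int_if proto tcp from $lan_net to any flags S/SA keep state
pass out on $ext_if proto tcp from { ($ext_if) $lan_net } to any \
    flags S/SA keep state

# Non-TCP traffic gets its own stateful rules. `flags` is only valid with
# proto tcp, which is one reason to keep the TCP rules separate.
pass in  on $int_if proto { udp icmp } from $lan_net to any keep state
pass out on $ext_if proto { udp icmp } from { ($ext_if) $lan_net } to any \
    keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then watch what the default rule is catching with `tcpdump -n -e -ttt -i pflog0` (live) or `tcpdump -n -e -ttt -r /var/log/pflog` (from the pflogd spool). Anything the LAN legitimately needs that shows up there is a missing pass rule, which is exactly the information the first suggestion is meant to surface.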
