StatiK76
August 20th, 2003, 04:38
Here is my current pf.conf - improvements?

# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.

# interface macros
ext_if="xl0"
int_if="rl0"
# RFC 1918 / loopback / broadcast ranges that should never be seen on the outside
table <NoRouteIPs> const { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
# blacklist loaded from a file and kept across ruleset reloads
table <badguys> persist file "/etc/badguys"

set loginterface $ext_if
# expire idle states quickly (low-memory / single-user box)
set optimization aggressive
# reassemble fragments before filtering, randomise IP IDs on the way out
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id

# priority queueing on the uplink: q_pri carries ACKs / low-delay traffic, q_def the rest
altq on $ext_if priq bandwidth 250Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# NAT the whole internal net to the external address, then forward published services inside
nat on $ext_if inet from 10.0.0.0/8 to any -> ###.###.###.###
rdr on $ext_if inet proto tcp from any to any port 80 -> 10.0.0.5 port 80
rdr on $ext_if inet proto tcp from any to any port 25 -> 10.0.0.5 port 25
rdr on $ext_if inet proto tcp from any to any port 110 -> 10.0.0.5 port 110
rdr on $ext_if inet proto tcp from any to any port 6699 -> 10.0.0.3 port 6699

# drop spoofed sources, all IPv6, blacklisted hosts and unroutable addresses in either direction
antispoof quick for { $ext_if, $int_if }
block in log quick on $ext_if inet6
block in log quick on $ext_if inet from <badguys> to any
block in log quick on $ext_if inet from <NoRouteIPs> to any
block out log quick on $ext_if inet from any to <NoRouteIPs>

# illegal TCP flag combinations, one rule each so pfctl -vsr shows a counter per scan type
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $ext_if inet proto tcp from any to any flags SF/SF
block in log quick on $ext_if inet proto tcp from any to any flags SR/SR

# outbound: default deny, allow what the firewall itself originates (stateful)
block out log on $ext_if all
pass out log quick on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state queue (q_def, q_pri)
pass out log quick on $ext_if inet proto { udp, icmp } from $ext_if to any keep state

# inbound: default deny, allow only the published services (destination already rewritten by rdr)
block in log on $ext_if all
pass in log quick on $ext_if inet proto tcp from any to any port { 22, 25, 80, 110, 6699 } flags S/SA modulate state queue (q_def, q_pri)

cod3fr3ak
August 20th, 2003, 20:23
Can't you roll all of this into one line:

block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $ext_if inet proto tcp from any to any flags SF/SF
block in log quick on $ext_if inet proto tcp from any to any flags SR/SR

?

|MiNi0n|
August 20th, 2003, 22:40
Nope.

However, my understanding from reading FAQs etc. is that these nmap blocks are blocked by default in pf now anyway. But, I could be wrong :roll:

bsdjunkie
August 21st, 2003, 10:10
I believe they are blocked by default, but having each as a separate log rule can help you see stats on how many times you have been scanned by that combination of flags.
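To actually read those per-rule stats you look at the counters `pfctl -vsr` prints under each rule. The script below is an added example, not something posted in this thread: it pulls the flags spec and the Packets counter out of `pfctl -vsr` style output for every `block` rule that carries a `flags` keyword, so you get one line per scan type. The `SAMPLE` text is constructed to mimic that output with made-up counter values; on the firewall you would pipe the real `pfctl -vsr` into `flag_rule_hits` instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise per-rule packet counters for the
# TCP-flag block rules as shown by `pfctl -vsr`.  SAMPLE is constructed text in
# the shape of pfctl -vsr output; the numbers are invented.

SAMPLE='block drop in log quick on xl0 inet proto tcp from any to any flags FUP/FUP
  [ Evaluations: 1200      Packets: 5         Bytes: 240         States: 0     ]
block drop in log quick on xl0 inet proto tcp from any to any flags SF/SFRA
  [ Evaluations: 1195      Packets: 2         Bytes: 96          States: 0     ]
block drop in log quick on xl0 inet proto tcp from any to any flags /SFRA
  [ Evaluations: 1193      Packets: 11        Bytes: 440         States: 0     ]
block drop in log on xl0 all
  [ Evaluations: 1182      Packets: 300       Bytes: 18000       States: 0     ]
pass in log quick on xl0 inet proto tcp from any to any port = ssh flags S/SA modulate state
  [ Evaluations: 882       Packets: 4000      Bytes: 512000      States: 3     ]'

# flag_rule_hits: read pfctl -vsr style text on stdin and print "<flags> <packets>"
# for every block rule that has a 'flags' keyword, in ruleset order.
flag_rule_hits() {
    awk '
        /^[a-z]/ {                       # a rule line (counter lines are indented)
            spec = ""
            if ($1 == "block")
                for (i = 1; i <= NF; i++)
                    if ($i == "flags") spec = $(i + 1)
            next
        }
        /Packets:/ && spec != "" {       # counter line belonging to a flags block rule
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") print spec, $(i + 1)
            spec = ""
        }
    '
}

# total_flag_hits: sum of the packet counters of all those rules.
total_flag_hits() {
    flag_rule_hits | awk '{ s += $2 } END { print s + 0 }'
}

# Live use would be:  pfctl -vsr | flag_rule_hits
printf '%s\n' "$SAMPLE" | flag_rule_hits
printf '%s\n' "$SAMPLE" | total_flag_hits
```

The `pass` rule with `flags S/SA` is deliberately skipped, since its counter reflects legitimate connections rather than scans; drop the `$1 == "block"` test if you want every flags rule listed.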

SolarfluX
August 23rd, 2003, 17:22
The 'scrub' normalization method takes care of illegal TCP flag combinations without having to specify them in your rules. Like previously mentioned, if you want to keep stats, leave them in. I like a clean pf.conf and I don't care to dwell over what types of flag combinations people are using in their portscans.