If I understand your network, there is a single IP address exposed to the Internet.
If any system on your local network originates traffic destined for the Internet, its state table entry will be used to redirect any return inbound packets back to that system.
But ... any network traffic that originates on the Internet has no state table entry. The only way to reach a system behind the NAT firewall is via a redirection (rdr) rule.
Your last filter rule:
Code:
pass out on $dmz_if all keep state
will allow Internet originated traffic to transit onto the DMZ subnet, only if a rdr rule is defined that routes the traffic there.
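A minimal pf.conf illustrating the point above, added here as an example and not taken from the poster's or the original thread's configuration. It uses the classic nat/rdr syntax (pre-OpenBSD 4.7) that the "rdr rule" wording implies; the interface names em0/em1 and the DMZ web server address 192.0.2.10 are assumptions chosen for the example.

```pf
# Assumed interfaces and hosts (example values, not from the thread)
ext_if  = "em0"          # single Internet-facing interface / public IP
dmz_if  = "em1"          # DMZ subnet
dmz_www = "192.0.2.10"   # web server in the DMZ (assumed address)

# Outbound NAT: anything not sourced from the firewall itself is
# rewritten to the external address. The state entry created by the
# matching "pass ... keep state" rule is what lets the reply packets
# find their way back to the originating LAN/DMZ host.
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Inbound redirection: this is the ONLY way Internet-originated traffic
# gets a destination inside the DMZ. Without it a packet to the public
# IP on port 80 has no translated destination and is dropped by "block all".
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $dmz_www port 80

# Default deny, then explicit passes
block all

# Locally originated / NATed traffic leaving for the Internet
pass out on $ext_if all keep state

# Filter rules see the post-rdr destination, so the pass in rule must
# match the DMZ host, not the public IP.
pass in on $ext_if proto tcp from any to $dmz_www port 80 keep state

# Redirected connections are then passed onto the DMZ segment by this
# rule; Internet-originated traffic that was not rdr'ed never gets here.
pass out on $dmz_if all keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without activating it; afterwards `pfctl -s nat` lists the translation rules and `pfctl -s state` shows the state entries that outbound connections create. On OpenBSD 4.7 and later the same thing is written with `match ... nat-to` and `match ... rdr-to` rules instead of separate nat/rdr rules, but the behaviour described in the post is unchanged: inbound traffic reaches a DMZ host only if a redirection matches it first.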