Okay, I've readjusted my rules and went with tagging like you suggested. I read up a little on the OpenBSD PF FAQ and came up with the following ruleset
Code:
#MACROS
_int = "re0"
_dmz = "fxp0"
_ext = "fxp1"
int_net = "192.168.200.0/24"
dmz_net = "192.168.100.0/24"
webserver = "192.168.100.53"
mailserver = "192.168.100.51"
int_tcp_services = "{ 80 25 53 3000 4567 }"
int_udp_services = "{ 53 }"
dmz_tcp_services = "{ 80 25 53 }"
dmz_udp_services = "{ 53 }"
RFC1918 = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"
#TABLES
table <spamd> persist file "/etc/spammers"
table <bastards> persist file "/etc/bastards"
#OPTIONS
set skip on lo
set block-policy drop
#NORMALIZE TRAFFIC
match in all scrub (no-df max-mss 1440)
# BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 fxp0 fxp1 }
# macro references need the $ prefix; a bare _ext is a syntax error
block in on $_ext from $RFC1918 to any
block out on $_ext from any to $RFC1918
block in on $_ext from <bastards>
pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass out on $_ext tag DMZ_NAT_TO_INET tagged DMZ_TO_INET nat-to ($_ext)
pass in on $_int from $int_net tag LAN_TO_INET
pass in on $_int from $int_net to $dmz_net tag LAN_TO_DMZ
# "port" only applies to tcp/udp, so each rule needs a proto; the service
# lists are destination ports for connections the DMZ hosts initiate
pass in on $_dmz proto tcp from $dmz_net to any port $dmz_tcp_services tag DMZ_TO_INET
pass in on $_dmz proto udp from $dmz_net to any port $dmz_udp_services tag DMZ_TO_INET
#SERVICES INBOUND
# the macro defined above is webserver, not wwwserver
pass in on $_ext proto tcp to $webserver port { 80 3000 4567 } tag INET_TO_DMZ
pass in on $_ext proto tcp to $mailserver port { 25 110 587 465 } tag INET_TO_DMZ
#SPAMD
pass in on $_ext proto tcp from <spamd> to port smtp tag SPAMD rdr-to 127.0.0.1 port 8025
# POLICY ENFORCEMENT
pass in quick on $_ext tagged SPAMD
pass out quick on $_ext tagged LAN_NAT_TO_INET
pass out quick on $_ext tagged DMZ_NAT_TO_INET
pass out quick on $_dmz tagged LAN_TO_DMZ
pass out quick on $_dmz tagged INET_TO_DMZ
My internal network is obviously 192.168.200.0/24 and I need to be able to ssh/reach ports 80 and 3000 on the DMZ at 192.168.100.0/24, so this config should work. Do I need to add a static route since the DMZ and internal networks are different networks?
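An added example, not from the post above and not part of OpenBSD's pf tooling: a small Python linter that catches the three classes of mistake a ruleset like this one tends to carry (a `$macro` that was never defined, a bare macro name after `on` where `$name` was meant, and `port` used in a rule without a `proto tcp`/`proto udp` clause) before the file is handed to `pfctl -nf`. The embedded sample config is constructed for the demonstration; the regexes understand only a subset of pf.conf syntax and do not replace pfctl's own parser.

```python
import re

# Regexes for the subset of pf.conf syntax this linter understands.
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
RULE_START = re.compile(r'^\s*(pass|block|match|antispoof)\b')
BARE_IFACE = re.compile(r'\bon\s+([A-Za-z_][A-Za-z0-9_]*)')
PORT_KW = re.compile(r'\bport\b')
PROTO_KW = re.compile(r'\bproto\s+(tcp|udp|\{)')

# Constructed sample pf.conf excerpt (not a real config) carrying one instance
# of each mistake the linter looks for.
SAMPLE = """\
# constructed sample pf.conf excerpt for the linter
_ext = "fxp1"
_dmz = "fxp0"
webserver = "192.168.100.53"
dmz_net = "192.168.100.0/24"
dmz_tcp_services = "{ 80 25 53 }"
block in on _ext from <bastards>
pass in on $_dmz from $dmz_net port $dmz_tcp_services tag DMZ_TO_INET
pass in on $_ext proto tcp to $wwwserver port { 80 3000 4567 } tag INET_TO_DMZ
pass in on $_ext proto tcp from <spamd> to port smtp rdr-to 127.0.0.1 port 8025
"""


def lint_pf_conf(text):
    """Return a list of (line_number, message) findings for a pf.conf text.

    Checks (purely lexical; line continuations with a trailing backslash are
    not joined, and pfctl -nf remains the authority on what actually parses):
      1. $name refers to a macro that was never defined
      2. a bare macro name follows "on" where $name was meant
      3. a rule uses "port" without proto tcp / proto udp / proto { ... }
    """
    macros = {}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        # Check references before recording a definition on the same line,
        # so a macro cannot be defined in terms of itself unnoticed.
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                findings.append((lineno, f"undefined macro ${ref}"))
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        if not RULE_START.match(line):
            continue           # set / table / queue lines get no further checks
        for iface in BARE_IFACE.findall(line):
            if iface in macros:
                findings.append(
                    (lineno, f"'{iface}' is a macro name; did you mean ${iface}?"))
        if PORT_KW.search(line) and not PROTO_KW.search(line):
            findings.append((lineno, "'port' used without a proto tcp/udp clause"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_pf_conf(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it against the real file with `lint_pf_conf(open("/etc/pf.conf").read())`; an empty list means the lexical checks passed, after which `pfctl -nf /etc/pf.conf` is still the definitive syntax check.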