16th July 2014
jggimi
More noise than signal

Here's an example of a real rdr-to from one of my firewalls. There is a pass inbound, with redirection, and also an outbound pass. These are separate, because the rule matching the inbound traffic is not the same as the outbound traffic, so two rules are used.

I also include https (destination port 443), which you have not yet considered for your ruleset so far.
Code:
# redirect web and ident services to the MASTER server:
#
pass in log quick on $external_nic proto tcp from any to any \
        port {www https ident} rdr-to $master
pass out log quick proto tcp from any to $master port {www https ident}
----
Edited to add: The rdr-to needs an "on <interface>", which is really why there are two rules -- the second rule permits the traffic to pass on other interfaces. The "in" and "out" are active, but are really there as documentation for me, more than for any effect.

Last edited by jggimi; 16th July 2014 at 03:57 AM. Reason: fixed a thinko. and a typo. Then added more explanation.
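A fuller pf.conf fragment for the same two-rule rdr-to setup, added here as an illustration; it is not taken from jggimi's post or firewall. The interface names, the MASTER address and the `redir_ports` macro are assumptions, and the inbound destination is narrowed from `any` to the firewall's own external address so that only packets aimed at this box are rewritten.

```pf
# Added example (not from the post): assumed macros for a two-interface firewall.
external_nic = "em0"            # assumed external interface name
internal_nic = "em1"            # assumed internal interface name
master       = "192.0.2.10"     # assumed MASTER server address (documentation range)
redir_ports  = "{ www https ident }"

set skip on lo

# Default deny on every interface, logged, so anything the rules below
# do not explicitly pass shows up in pflog instead of silently passing.
block log all

# Inbound on the external interface only: rdr-to has to be bound to the
# interface the packet arrives on, which is why this rule carries "on".
# Destination is the firewall's own external address, not "any".
pass in log quick on $external_nic proto tcp from any \
        to ($external_nic) port $redir_ports rdr-to $master

# After the address rewrite the packet leaves on the internal interface
# toward $master, so it needs its own pass rule; like the post's second
# rule it is not bound to an interface, so it matches wherever the
# redirected packet exits.
pass out log quick proto tcp from any to $master port $redir_ports

# Replies from $master back to the original client are matched by the
# state created by the pass rules above; no further rule is needed.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation is in effect with `pfctl -sr` (loaded rules) and `pfctl -ss` (state entries, which show the rewritten destination); `tcpdump -n -e -ttt -i pflog0` shows which rule logged each packet.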