If you want layer 7 (application) packet inspection and would prefer to avoid installing a package like squid....
Henning Brauer (henning@) gave a talk about PF at vBSDcon this past weekend. I happened to be looking through his slides today. Slide #43 reminded me that relayd(8) can be configured to inspect and filter HTTP, and it integrates with PF. I've only used relayd to load balance a server farm; I've never used it as a filter. The relayd tool exploits PF's divert-to, which is more efficient than rdr-to. If you're interested, the efficiencies are described in Henning's slides.
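
A minimal sketch of the setup described above, added here as an illustration and not taken from the post or from Henning's slides: PF diverts outbound HTTP to a relayd relay on loopback, and the relay applies an HTTP filter before connecting on to the original destination. The interface name `em1`, the loopback port 8080 and the host `blocked.example.com` are assumptions, and the filter rules use the rule syntax of current relayd.conf(5).

```conf
# ---- /etc/pf.conf (excerpt) ----
# Assumed internal interface; adjust to the local network.
int_if = "em1"

# Divert outbound HTTP from internal clients to the relay on loopback.
# divert-to preserves the original destination address, which relayd
# looks up when the relay uses "forward to destination".
pass in quick on $int_if inet proto tcp to port 80 \
	divert-to 127.0.0.1 port 8080

# ---- /etc/relayd.conf ----
http protocol "httpfilter" {
	# Answer blocked requests with an HTTP error page instead of
	# silently dropping the connection.
	return error

	# Label attached to the rules that follow; it identifies the
	# reason for the block in the error page and in the logs.
	match request label "Host filtered"

	# Block by Host header (constructed example host).
	block request quick header "Host" value "blocked.example.com"

	# Anything not matched by a block rule is passed by default.
}

relay "httpproxy" {
	# Must match the divert-to address and port in pf.conf.
	listen on 127.0.0.1 port 8080
	protocol "httpfilter"

	# Transparent mode: connect to the destination the client
	# originally asked for.
	forward to destination
}
```

Both files can be syntax-checked before loading with `pfctl -nf /etc/pf.conf` and `relayd -n`. This only covers plain HTTP on port 80; HTTPS traffic is not inspected by this configuration.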