Snippet from your pf.conf
Code:
pass in on $ext_if inet proto tcp from any to $prod_update_ssh port $ssh_ports rdr-to 10.0.203.5 port 22 keep state
pass in on $int_if inet proto tcp from any to $prod_int port 22 rdr-to $vlan27_net port 22 keep state
"keep state flags S/SA" has already been the default for several releases. This creates state on the first packet of the 3-way TCP handshake. By omitting the "flags S/SA" part you allow states to be created on the intermediate packets too.
Unless you have a reason for doing this, you should drop all those "keep state"s.
I notice you hardly use "quick", while at first glance your ruleset could benefit from it. See
http://www.openbsd.org/faq/pf/filter.html#quick and the pf.conf man page.