The "pass" rule is not the last that would apply. Unless you use quick, the last matching rule wins, which may be:
Code:
pass out on $ext_if proto {tcp, udp} all keep state
The best way to diagnose a PF rule set is by adding the log option to pass/block/match rules, then using tcpdump(8) with pflog(4).