Some of your rules still could use quick.
If you do not use IPv6, you could use inet proto tcp in all rules. In some rules you already use it, so why not be consistent?
You still use S/SA keep state in some tcp rules. This has been the default for quite some time. Do a verbose listing of your rules to see this:
Code:
# pfctl -vvnf /etc/pf.conf
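The three points in the post above can be checked mechanically before a ruleset is loaded. The script below is an added example, not part of the original post or of pf itself: lint_pf and sample_rules are hypothetical names, and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: review hints for a pf.conf, following the three points
# in the post (quick, inet, redundant "flags S/SA keep state").
# lint_pf reads pf.conf text on stdin and prints LINE:HINT per finding.
# The hints are for human review, not automatic rewriting: adding quick
# changes which rule wins, so each hit needs a look at the rules after it.
lint_pf() {
  awk '
    # A bare default policy (block all / block in all) is meant to be
    # overridden by later rules, so it is never a candidate for quick.
    /^[ \t]*block[ \t]+((in|out)[ \t]+)?all[ \t]*$/ { next }

    # Only filter rules are inspected; macros, tables, options and
    # comments do not start with pass or block and fall through.
    /^[ \t]*(pass|block)[ \t]/ {
      if ($0 !~ /[ \t]quick([ \t]|$)/)
        print NR ":no-quick"
      # tcp rule with no address family: matches IPv4 and IPv6 alike.
      if ($0 ~ /proto[ \t]+tcp/ && $0 !~ /[ \t]inet6?([ \t]|$)/)
        print NR ":no-inet"
      # Spelled-out defaults on a pass rule add noise, not behaviour.
      if ($0 ~ /^[ \t]*pass/ && ($0 ~ /flags[ \t]+S\/SA/ || $0 ~ /keep[ \t]+state/))
        print NR ":redundant-default"
    }'
}

# Constructed sample ruleset (not taken from the thread).
sample_rules() {
  cat <<'EOF'
ext_if = "em0"
block all
pass in quick on $ext_if inet proto tcp to port 22
pass in on $ext_if proto tcp to port 80 flags S/SA keep state
pass out quick inet proto tcp flags S/SA keep state
pass in quick on $ext_if proto tcp to port 443
EOF
}

sample_rules | lint_pf
```

To check a real file, run lint_pf < /etc/pf.conf and compare the hits with the expanded rules shown by the pfctl command above.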