
pf rules blocking rdr to tarpit



I wanted to harden my mailserver a bit by allowing only ssh, smtp and
ident connections. I've concocted the following pf.conf file. It
seems to be blocking the redirects to my spamd tarpit, and of course I
don't want that to happen :)

I think the rule that's blocking connections to 127.0.0.1:8025 is:
block drop in  quick on $ExtIF from $NoRouteIPs to any

Commenting this rule out doesn't seem to do the job; all of the
connections to spamd dry up within a few minutes of swapping in this
config file. Where am I going wrong?

Any other analysis and comments re the utility of this particular config
file to harden a mail server would also be appreciated.

------ pf.conf --------
ExtIF="rl0"
LoopBk="lo0"
AllowTcpIn="{ 22, 25, 113 }"
AllowUdpIn="{ }"
AllowIcmpIn="echoreq"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

table <spamd> persist

# options
set block-policy return
set loginterface $ExtIF

# scrub
scrub in all

# directions to ye olde tarpit
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# filter rules - default deny everything
block all

# Allow loopback packets
pass quick on $LoopBk all

# block RFC 1918 addresses from entering or exiting ext_if
# "block drop" -> don't respond w/ TCP RST or ICMP Unreachable packet
block drop in  quick on $ExtIF from $NoRouteIPs to any
block drop out quick on $ExtIF from any to $NoRouteIPs

# open ports we want accessible from Internet
pass in on $ExtIF inet proto tcp from any to $ExtIF port \
     $AllowTcpIn flags S/SA keep state

# pass required ICMP traffic
pass in inet proto icmp all icmp-type $AllowIcmpIn keep state

# pass traffic out on the interface
pass out on $ExtIF proto tcp all modulate state flags S/SA
pass out on $ExtIF proto { udp, icmp } all keep state
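pf evaluates the filter rules against the packet after rdr has rewritten its destination, so a spammer's SYN arrives in on $ExtIF addressed to 127.0.0.1 port 8025: it matches neither the RFC 1918 block (that rule tests the source address) nor the "pass in ... to $ExtIF port $AllowTcpIn" rule (the destination is no longer the interface address), and falls through to "block all". The fragment below is an added illustration, not the poster's config or a list reply, showing an explicit pass rule for the redirected sessions; it assumes the same macros and <spamd> table defined above.

```pf
# Added example: let spamd-redirected SMTP sessions through the filter.
# Assumes the macros and the <spamd> table from the posted pf.conf.

# Tie the redirect to the external interface so only traffic arriving
# from the Internet is sent to the tarpit.
rdr on $ExtIF inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port 8025

# Normal services, matched on the interface's own address (as posted).
pass in on $ExtIF inet proto tcp from any to $ExtIF port \
    $AllowTcpIn flags S/SA keep state

# The filter sees the translated packet: "from <spamd> to 127.0.0.1
# port 8025" on $ExtIF.  Pass it explicitly; "keep state" lets spamd's
# replies leave through the "block drop out ... to $NoRouteIPs" rule,
# since established state is checked before the ruleset.
pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state
```

On pf versions that accept the pass modifier on translation rules, "rdr pass on $ExtIF inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025" achieves the same result in one rule, bypassing the filter for the redirected packets.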