02-16-2008, 06:24 AM
PP
Re: pf and broadcasts

>> http://www.openbsd.org/faq/pf/example1.html#allrules
>
> That rule set lets machines on the inside start any connection they
> desire to the outside world and receive return traffic (the main use of
> 'keep state').
>


Exactly. And this is where my understanding doesn't suffice. Wouldn't a
broadcast to 255.255.255.255 from a computer on the private net also create
a state in the firewall, effectively accepting traffic from any outside
computer? Without the "static-port" argument on the NAT rule the mapped port
would of course be different so in the case of netbios it would be difficult
for an outsider to find the way in but _with_ "static-port" it would be
easier assuming a broadcast can create a state.
/PP
