Um, maybe I'm missing something that has already been clarified, but:

from nmap's man:

<snip>
-s0 IP protocol scans: This method is used to determine
which IP protocols are supported on a host. The
technique is to send raw IP packets without any
further protocol header to each specified protocol
on the target machine. *If we receive an ICMP pro-
tocol unreachable message, then the protocol is not
in use. Otherwise we assume it is open*. Note that
some hosts (AIX, HP-UX, Digital UNIX) and firewalls
may not send protocol unreachable messages.* This
causes all of the protocols to appear "open".*
<snip>


You are blocking the unr replys with

block return-icmp(proto-unr) in inet all
block return-icmp(port-unr) in inet proto udp all
block return-rst in inet proto tcp all

Thus everything appears open to nmap.
This is not a problem with the behavior of pf. It is an artefact of nmap.

Hope this helps.



Alexei G. Malinin wrote:

>Hello!
>
>
>Recently I configured pf on my mail gateway (patched OpenBSD-3.3
>RELEASE) as follows:
>--------------
># pfctl -s all
>scrub in all fragment reassemble
>block drop all
>block return-icmp(proto-unr) in inet all
>block return-icmp(port-unr) in inet proto udp all
>block return-rst in inet proto tcp all
>pass in quick on lo0 inet all
>pass out quick on lo0 inet all
>block drop in quick inet from 224.0.0.0/4 to any
>block drop in quick inet from 240.0.0.0/4 to any
>block drop in quick inet from 0.0.0.0/8 to any
>block drop in quick inet from 192.0.2.0/24 to any
>block drop in quick inet from 169.254.0.0/16 to any
>block drop in quick inet from 198.18.0.0/15 to any
>block drop in quick inet from 127.0.0.0/8 to any
>block drop in quick inet from any to 224.0.0.0/4
>block drop in quick inet from any to 240.0.0.0/4
>block drop in quick inet from any to 0.0.0.0/8
>pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
>smtp flags S/SA keep state (max 4096)
>pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
>ssh flags S/SA keep state (max 17)
>pass in quick on fxp0 inet proto udp from any to 192.168.150.13 port
>33433 >< 33690 keep state (max 127)
>pass in quick on fxp0 inet proto icmp from any to 192.168.150.13
>icmp-type echoreq code 0 keep state (max 127)
>pass out quick on fxp0 inet proto tcp from 192.168.150.13 to any flags
>S/SA keep state
>pass out quick on fxp0 inet proto udp from 192.168.150.13 to any keep state
>pass out quick on fxp0 inet proto icmp from 192.168.150.13 to any
>icmp-type echoreq code 0 keep state
>icmp 192.168.150.13:63312 <- 192.168.150.254:63312 0:0
>[cut]
>Status: Enabled for 0 days 18:42:44 Debug: None
>
>State Table Total Rate
>current entries 197
>searches 9738453 144.6/s
>inserts 665295 9.9/s
>removals 665098 9.9/s
>Counters
>match 4421401 65.6/s
>bad-offset 0 0.0/s
>fragment 0 0.0/s
>short 426 0.0/s
>normalize 36 0.0/s
>memory 0 0.0/s
>tcp.first 3600s
>tcp.opening 900s
>tcp.established 432000s
>tcp.closing 3600s
>tcp.finwait 600s
>tcp.closed 180s
>udp.first 60s
>udp.single 30s
>udp.multiple 60s
>icmp.first 20s
>icmp.error 10s
>other.first 60s
>other.single 30s
>other.multiple 60s
>frag 30s
>interval 10s
>states hard limit 10000
>frags hard limit 5000
>---------------------
>
>After that I checked that smtp, ssh, ping, traceroute worked and
>scanned this host with nmap:
>-------------------------------
># nmap -sO -v -r 192.168.150.13
>-------------------------------
>
>nmap said that all protocols are open (??).
>I looked at tcpdump output made during the scan -
>there were no icmp "proto-unr" packets (??!).
>
>Can anybody explain me such behaviour of pf?
>I expected to find icmp "proto-unr" in the tcpdump output.