You may want to allow only what's needed:
pass in on $ext_if proto { tcp, udp } from any to $nameservers \
        port domain
pass in on $int_if proto { tcp, udp } from $localnet to $nameservers \
        port domain
pass out on $dmz_if proto { tcp, udp } from any to $nameservers \
        port domain
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $int_if proto tcp from $localnet to $webserver \
        port $webports
pass out on $dmz_if proto tcp from any to $webserver port $webports
pass in log on $ext_if proto tcp from any to $mailserver port smtp
pass in log on $int_if proto tcp from $localnet to $mailserver \
        port $email
pass out log on $dmz_if proto tcp from any to $mailserver port smtp
pass in on $dmz_if from $mailserver to any port smtp
pass out log on $ext_if proto tcp from $mailserver to any port smtp