Pitfalls: in, out, on

If you write

pass in inet proto tcp on ep1 from ep1:network to ep0:network \
     port $ports keep state

then you also need

pass out inet proto tcp on ep0 from ep1:network to ep0:network \
     port $ports keep state

but do you actually mean

pass inet proto tcp from ep1:network to any port $ports keep state