The anchors are in the running rule set, per the man and faq examples,

right in the nat/rdr top-of-the-rule-set section, just not shown in the

(snip) included in the post. If they weren't there the "user proxy"

version of snip wouldn't be working.
Thanks for the link, it *may* be relevant; however, the fact that [pass

quick] "user proxy" works and [pass quick] "tagged " does not -- in

an otherwise IDENTICAL rule set -- suggests that order (placement with

regard to anchors) is NOT a factor (in my case).
If the anchor's "quick" was in play, then -I would think that- the "user

proxy" version rule would never be a positive factor AND the [pass

quick] "tagged  version would NOT be failing on the final BLOCK ALL

rule. The anchor-quick would have already happened. 
Additionally, the "pfctl -vvvs rules" counters are ZERO for the "tagged

" version and otherwise correct and incrementing for "user proxy"

version.
-----Original Message-----

From: Camiel Dobbelaar

To: S. Scott Sima, CISA, CISM

Cc: misc@openbsd.org

Subject: Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

Date: Tue, 11 Dec 2007 07:31:01 +0100

Mailer: Thunderbird 2.0.0.9 (Windows/20071031)
I don't see the anchors, you need those with tagging too.  Other then

that, it may still not work as expected, see:

http://marc.info/?l=openbsd-misc&m=119729395125104&w=2
_________________________

The information contained in this email and attachments, in whole or in part,

termed "COVERED INFORMATION," is for the exclusive use of the adB-dressee and

contains confidential information requested and/or transmitted with an

expectation of privacy and confidentiality. If the recipient of COVERED INFORMATION

is not the addressee, such recipient is strictly prohibited from any use in any way

including but not limited to reading, copying, distribution or retention. Please notify

sender by reply of the error and destroy all instances of the COVERED INFORMATION

in your possession or control.