scrub in all nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
Sure, there is. pass out on $ext_if proto { tcp udp icmp } all modulate state
Remove 'pass' form 'nat pass' if the packet shall flow through the 'pass out' rule after 'nat'. Otherwise it will pass out without respect to any rule.
[] https:// www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5#end