PF can pf block in non-sync packet when tcp in listen state

[freyone]

such as fin packet.it seems bsd will response RST|ACK when recieve fin in listen state.

 

[VladiBG]

For TCP stateful connection default flags which are allowed are SYN / SYN-ACK
Check your default set block-policy how is set. If it is set to "return" then for blocked TCP session pf will send RST.

 

[dns.company]

You can handle flags like

pass in on $if_wan proto tcp to port domain flags S/UAPRSF modulate state
pass in on $if_wan proto tcp to port ssh    flags S/SA synproxy state

also -probably more important- mind scrub (the last alinea here):

OpenBSD PF: Packet Filtering

While this is practical and safe, it is also unnecessary to check the FIN and RST flags if traffic is also being scrubbed. The scrubbing process will cause PF to drop any incoming packets with illegal TCP flag combinations (such as SYN and RST) and to normalize potentially ambiguous combinations (such as SYN and FIN).

But I probably think VladiBG's answer may already solved your observations.